IBM Support

PI38133: RDZ V9112 INTERNAL DEFECTS AND ENHANCEMENTS - RSE


APAR status

  • Closed as program error.

Error description

  • RDZ V9112 INTERNAL DEFECTS AND ENHANCEMENTS - RSE
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: 01.all RDz users when using encrypted        *
    *                    communication                             *
    *                 02.All RDz users                             *
    *                 03.All RDz users                             *
    *                 04.All RDz users                             *
    *                 05.All RDz users                             *
    *                 06.All RDz users                             *
    *                 07.All RDz users                             *
    *                 08.All RDz users                             *
    *                 09.All RDz users                             *
    *                 10.All RDz users                             *
    *                 11.RDz administrators                        *
    *                 12.All RDz users                             *
    *                 13.RDz administrators                        *
    *                 14.RDz systems programmer                    *
    *                 15.z/OS system programmer                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: 01.RDz allows usage of insecure ciphers *
    *                      02.RDz server should disable weak       *
    *                         ciphers of System SSL not to be used *
    *                         in SSL connections.                  *
    *                      03.When RDz server calls the            *
    *                         authentication code, a freed memory  *
    *                         area is accessed.                    *
    *                      04.RDz receives an abend 213-30 when    *
    *                         saving a member of a PDS.            *
    *                      05.RDz server should have better        *
    *                         serviceability by showing friendly   *
    *                         cipher names and should synchronize  *
    *                         enabled ciphers.                     *
    *                      06.SSL protocols and enabled cipher     *
    *                         suites information are not passed to *
    *                         dstore.                              *
    *                      07.TLSv1.0 is always enabled even if it *
    *                         is disabled in rsed.envvars          *
    *                      08.NPE occurs in rse server when the    *
    *                         communication with a client is not   *
    *                         stable.                              *
    *                      09.RDz server disables the ssl          *
    *                         protocols whose environment variable *
    *                         is not defined in rsed.envvars.      *
    *                      10.Rename or other update operations    *
    *                         sometimes fail when out of log space *
    *                      11.MvsConsole.wto(String,int,int) that  *
    *                         RDz server calls does not look at    *
    *                         file.encoding value and it causes    *
    *                         outputting nothing on the operator   *
    *                         command D P,D when running on java8. *
    *                      12.In RDz v9.x the RDz server modules   *
    *                         have codes that allocate below the   *
    *                         16MB line even though the storage    *
    *                         does not have to be below the line.  *
    *                         This may cause abend 878 due to      *
    *                         insufficient storage available.      *
    *                      13.rsed.envvars variable                *
    *                         _RSE_HOST_CODEPAGE of Rational       *
    *                         Developer for System z is used only  *
    *                         by Java for internal processes, not  *
    *                         for accessing customer data, and     *
    *                         should not be changed. Therefore,    *
    *                         the variable is moved to the         *
    *                         do-not-touch section of rsed.envvars *
    *                      14.Simplify management of encrypted     *
    *                         communication in RDz.                *
    *                      15.RDz does not support Java 8.0        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    01.Rational Developer for System z allows usage of insecure
       ciphers during encrypted communication.
    02.RDz server should disable ciphers that use RC4 or RSA_EXPORT
       so that they are not used in SSL connections.
    03.When RDz server calls the authentication code, a freed
       memory area is accessed.
    04.When a previous upload request is pending and client sends
       another upload request, abend 213-30 may occur. After the
       abend occurs, it is sometimes required to restart the RDz
       server to free the allocated resources.
    05.RDz server should have better serviceability by showing
       friendly cipher names and should synchronize enabled ciphers.
    06.SSL protocols and enabled cipher suites information are not
       passed to dstore.
    07.TLSv1.0 is always enabled even if it is disabled in
       rsed.envvars
    08.NPE occurs in rse server when a request message is not fully
       received due to communication problems.
       ERROR RseDaemon: java.lang.NullPointerException
       java.lang.NullPointerException
       at java.util.StringTokenizer.<init>(StringTokenizer.java:88)
       at java.util.StringTokenizer.<init>(StringTokenizer.java:66)
       com.ibm.etools.zos.server.RseDaemon.main(RseDaemon.java:453)
    09.RDz server disables the ssl protocols whose environment
       variable (GSK_PROTOCOL_XXXVNN) is not defined in rsed.envvars
    10.Rename or other update operations sometimes fail when out of
       log space, because one thread may try to write trace lines
       with the previous file pointer while another thread closes,
       truncates and reopens the log files
    11.RDz server calls MvsConsole.wto(String,int,int) to output the
       result of the operator commands to the console. This method
       does not look at file.encoding value and it causes outputting
       nothing on the operator command D P,D when running on java8.
    12.In RDz v9.x the RDz server modules have code that allocates
       below the 16MB line even though the storage does not have to
       be below the line. This may cause abend 878 due to
       insufficient storage available.
    13.rsed.envvars variable _RSE_HOST_CODEPAGE of Rational
       Developer for System z is used only by Java for internal
       processes, not for accessing customer data, and should not be
       changed. Therefore, the variable is moved to the do-not-touch
       section of rsed.envvars.
    14.Simplify management of encrypted communication in Rational
       Developer for System z. rsed.envvars now has samples for
       System SSL variables GSK_PROTOCOL_* and GSK_V3_CIPHER_SPECS.
       _RSE_JAVAOPTS variable DSTORE_SSL_ALGORITHM in rsed.envvars
       is removed, as protocol selection is now managed via the
       GSK_PROTOCOL_* variables.
    15.Rational Developer for System z does not support Java 8.0,
       and startup fails if you do try to use it. The problem lies
       in a faulty code-page interpretation by Java 8.0. The
       solution is to use _RSE_HOST_CODEPAGE=cp1047 instead of
       IBM-1047.
    

Problem conclusion

  • 01.Related ciphers are now blocked. Ciphers involved for Logjam
       attack:
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (13 or 0013)
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA (32 or 0033)
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (40 or 0040)
       TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (A4 or 00A4)
       TLS_DHE_DSS_WITH_AES_256_CBC_SHA (38 or 0038)
       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (6A or 006A)
       TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (A3 or 00A3)
       TLS_DHE_DSS_WITH_DES_CBC_SHA (12 or 0012)
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (16 or 0016)
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (33 or 0032)
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (67 or 0067)
       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (9E or 009E)
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (39 or 0039)
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (6B or 006B)
       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (9F or 009F)
       TLS_DHE_RSA_WITH_DES_CBC_SHA (15 or 0015)
    02.RDz server is updated to disable the ciphers that use RC4 or
       RSA_EXPORT.
    03.RDz server is updated not to access freed memory area while
       calling the authentication code.
    04.The server code is fixed to force the previous pending
       uploading request closed when the next upload request comes,
       and to free all the allocated resources when client
       disconnects.
    05.RDz server is updated to show friendly cipher names and to
       synchronize enabled ciphers.
    06.Thread pool process calls setEnabledProtocols(),
       setDisabledProtocolPatterns() and setEnabledCipherSuites() to
       synchronize the protocols and cipher suites more precisely.
    07.The hard coded code to enable TLS v1.0 is removed. All
       information will come from rsed.envvars.
    08.RDz server code is updated not to raise NPE even if a request
       message is not fully received.
    09.The ssl protocol that is used in the connection established
       in the first rse daemon process is passed to the thread
       pool process to direct the java security system to enable it.
    10.RDz server code is updated to serialize the output to the
       trace files so that they are not touched while they are being
       truncated.
    11.RDz server code is updated to call MvsConsole.wto(WtoMessage,
       String) where RDz server can specify
       System.getProperty("file.encoding") as the second argument.
    12.Now, RDz server allocates storage that does not need 24-bit
       addressing above the 16MB line.
    13.rsed.envvars variable _RSE_HOST_CODEPAGE of Rational
       Developer for System z is used only by Java for internal
       processes, not for accessing customer data, and should not be
       changed. Therefore, the variable is moved to the do-not-touch
       section of rsed.envvars.
    14.Simplify management of encrypted communication in Rational
       Developer for System z. rsed.envvars now has samples for
       System SSL variables GSK_PROTOCOL_* and GSK_V3_CIPHER_SPECS.
       _RSE_JAVAOPTS variable DSTORE_SSL_ALGORITHM in rsed.envvars
       is removed, as protocol selection is now managed via the
       GSK_PROTOCOL_* variables.
    15.The sample rsed.envvars is updated to use
       _RSE_HOST_CODEPAGE=cp1047 instead of IBM-1047.
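
Items 01 and 14 above can be checked against a site's own rsed.envvars with a short audit script. The following is an added example, not IBM code: it assumes the file consists of shell-style KEY=VALUE lines with # comments, that GSK_V3_CIPHER_SPECS is a run of the 2-character codes listed in item 01, and that DSTORE_SSL_ALGORITHM appears as a -D option in _RSE_JAVAOPTS. The sample fragment is constructed.

```python
import re

# 2-character cipher codes this APAR lists as blocked (item 01 above).
BLOCKED = {"13", "32", "40", "A4", "38", "6A", "A3", "12",
           "16", "33", "67", "9E", "39", "6B", "9F", "15"}

ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=(.*)$")

def active_settings(text):
    """Yield (name, value) for uncommented KEY=VALUE lines (assumed file format)."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def first_token(value):
    """First whitespace-delimited token of a value, unquoted and upper-cased."""
    return (value.split() or [""])[0].strip("\"'").upper()

def audit(text):
    """Report blocked cipher codes, GSK_PROTOCOL_* values and the removed option."""
    report = {"blocked": [], "malformed": False, "protocols": {}, "legacy_option": False}
    for name, value in active_settings(text):
        if "DSTORE_SSL_ALGORITHM" in value:
            report["legacy_option"] = True  # item 14: this option was removed
        if name.startswith("GSK_PROTOCOL_"):
            report["protocols"][name] = first_token(value)
        elif name == "GSK_V3_CIPHER_SPECS":
            specs = first_token(value)
            report["malformed"] = len(specs) % 2 == 1
            # Split on 2-character boundaries: a substring search would
            # wrongly find "A3" inside the adjacent pair "0A" "3D".
            codes = [specs[i:i + 2] for i in range(0, len(specs) - 1, 2)]
            report["blocked"] = [c for c in codes if c in BLOCKED]
    return report

# Constructed rsed.envvars fragment for illustration (not IBM's shipped sample).
SAMPLE = """\
#GSK_PROTOCOL_SSLV3=ON
GSK_PROTOCOL_TLSV1=OFF
GSK_PROTOCOL_TLSV1_2=ON
GSK_V3_CIPHER_SPECS=3D3C16352F
_RSE_JAVAOPTS="$_RSE_JAVAOPTS -DDSTORE_SSL_ALGORITHM=TLSv1"
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```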
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI38133

  • Reported component name

    RD/Z HOST

  • Reported component ID

    5724T0723

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-04-01

  • Closed date

    2015-10-16

  • Last modified date

    2015-10-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • FEKFCIPH FEKFCMSG FEKFCORE FEKFCOR6 FEKFDIR
    FEKFDIR6 FEKFDST0 FEKFENVR FEKFMAIN FEKFMAI6 FEKFMINE FEKFOMVS
    FEKFZOS
    

Fix information

  • Fixed component name

    RD/Z HOST

  • Fixed component ID

    5724T0723

Applicable component levels

  • R910 PSY UI32110

       UP15/10/21 I 1000

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: Rational Developer for System z

Software version: 9.1

Reference #: PI38133

Modified date: 21 October 2015