BACKFIT OF VARIOUS SSL RAS FUNCTIONS
APAR Identifier ...... PI68533
Last Changed ......... 16/12/02
Symptom .............. IN INCORROUT
Status ............... CLOSED UR1
Severity ............. 4
Date Closed .......... 16/11/15
Component ............ 5735FAL00
Duplicate of .........
Reported Release ..... 630
Fixed Release ........ 999
Component Name ....... TCP/IP V2 FOR V
Special Notice
Current Target Date ..
Flags
SCP ..................
Platform .............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:

PTF List:
Release 540 : UI42771 available 16/12/02 (1000 )
Release 620 : UI42768 available 16/12/02 (1000 )
Release 630 : UI42769 available 16/12/02 (1000 )
Release 640 : UI42770 available 16/12/02 (1000 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
Backfit of various SSL RAS functions documented in PITS SK01285.

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of the z/VM SSL Server and         *
*                 SSLADMIN command                             *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
The following Reliability, Availability and Serviceability (RAS)
issues are known to exist in various TCP/IP for z/VM code levels:

1. The SSLADMIN command requires that at least one space precedes
   the left parenthesis that separates command operands from
   command options. It should not require such spacing, in the
   same manner as conventional CMS commands.

2. The local socket information, reported by the SSLADMIN QUERY
   SESSIONS command for Implicit connections, incorrectly cites
   the SSL server socket that is part of a secure session. It
   should report the application server socket for these
   connections. (This problem exists for the 620 and 630 code
   levels.)

3. The SSLADMIN QUERY DETAILS command output incorrectly includes
   the text 'CIPHER SUITES INCLUDED:' as part of the cipher
   information reported after the 'Cipher details' heading of
   message DTCSSL2430I. (This problem exists for only the 540
   code level.)

4. When a certificate key database (.kdb) file name is not
   specified correctly for the VMSSL command KEYFILE operand, the
   SSL server reports the inability to open the designated file
   with this variant of error message DTCSSL107E:

     Internal error: gsk_environment_init:
     No key database password supplied

   A more accurate message that cites the open error condition
   should instead be used.

5. For the 640 level, when the certificate database is maintained
   using a PKCS#12 (.p12) file, the SSL server cannot open the
   designated file. It reports this error with this variant of
   error message DTCSSL107E:

     Internal error: Error opening the database <filename>
     rc 53817353 (File or keyring not found)

PROBLEM CONCLUSION:

TEMPORARY FIX:

COMMENTS:
This APAR includes the following updates, which address the
previously cited Reliability, Availability and Serviceability
(RAS) issues:

1. SSLADMIN EXEC updates that accommodate the lack of a space
   (blank) prior to the left parenthesis that identifies the
   start of command options (All affected code levels - 540,
   620, 630)

2. SSLADMIN EXEC updates that report an applicable application
   server socket, instead of the SSL server socket, in QUERY
   SESSIONS output (620 and 630 code levels)

3. SSLADMIN EXEC updates that eliminate the stray 'CIPHER SUITES
   INCLUDED:' in the QUERY STATUS DETAILS output (540 code level
   only)

4. SSL server updates that will better report the inability to
   open a designated key database file. For a certificate key
   database (.kdb) file that does not exist, this new variant of
   message DTCSSL107E will be issued:

     Internal error: Error opening the database <filename>
     rc <rc> (<reason>)

   which stems from use of the function:

     gsk_open_database_using_stash_file()

   to open the given database file. (This update applies to all
   affected code levels - 540, 620, 630)

5. SSL server updates that limit use of the previously cited
   gsk_open_database_using_stash_file() function to certificate
   key database (.kdb) files. This change accommodates use of the
   correct function (gsk_environment_init()) to open a PKCS#12
   (.p12) certificate database file. This update applies to all
   affected code levels - 540, 620, 630 and 640.

The new error message that follows will be included in any future
updates to the following publication:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
GC24-6237-08 -- z/VM: TCP/IP Level 640 Messages and Codes
Chapter 17. SSL Messages
Section: SSL Server Messages
Page: 440

  Internal error: Error opening the database <filename>
  rc <rc> (<reason>)

Explanation: The key database file cited by the VMSSL command
KEYFILE operand cannot be opened. For an explanation of the
return code, see the section titled "CMS status codes" in z/OS
Cryptographic Service System Secure Sockets Layer Programming.

System action: SSL processing is terminated.

System programmer response: Check the DTCPARMS definitions for
the SSL server and verify that the correct key database file name
has been specified for VMSSL command KEYFILE operand. Also,
verify that the key database file and its corresponding password
file are present in the BFS filespace referenced by the SSL
server. Correct any problems, then restart the server.

MODULES/MACROS: SSLADMIN SSLGSKCF

SRLS: GC24623708

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER:
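
The DTCSSL107E variants described in this APAR can be told apart when reviewing SSL server console output. The triage below is an added example, not IBM code: the console-line layout (message id followed by the message text), the sample file names and the "kind" labels are assumptions made for illustration, and the rc value in the sample lines is the one quoted in item 5.

```python
import re

# DTCSSL107E variants quoted in this APAR. The console-line layout (message
# id followed by the text) is an assumption made for this example.
OPEN_ERR = re.compile(r"DTCSSL107E\s+Internal error: Error opening the database "
                      r"(?P<file>.+?) rc (?P<rc>-?\d+) \((?P<reason>.*)\)")
NO_PASSWORD = re.compile(r"DTCSSL107E\s+Internal error: gsk_environment_init: "
                         r"No key database password supplied")

def triage(line):
    """Classify one SSL server console line; return None if it is unrelated."""
    m = OPEN_ERR.search(line)
    if m:
        finding = {"file": m.group("file"), "rc": int(m.group("rc")),
                   "reason": m.group("reason")}
        if finding["file"].lower().endswith(".p12"):
            # Item 5: before the fix, the 640 level opened .p12 files with the
            # .kdb-only function and failed with this message.
            finding["kind"] = "p12-open-failure"
            finding["action"] = "check that the PTF for this APAR is applied"
        else:
            # Post-fix message for a .kdb file that cannot be opened.
            finding["kind"] = "kdb-open-failure"
            finding["action"] = ("verify the KEYFILE operand in DTCPARMS and that the "
                                 "key database and password file are in the BFS filespace")
        return finding
    if NO_PASSWORD.search(line):
        # Item 4: pre-fix levels issued this text for a wrong .kdb file name.
        return {"kind": "possible-bad-keyfile-name",
                "action": "verify the KEYFILE file name before the password file"}
    return None

def triage_log(text):
    """Return the findings for every matching line of a console log."""
    return [f for f in (triage(l) for l in text.splitlines()) if f]

# Constructed sample log; file names are placeholders, not from the APAR.
SAMPLE_LOG = """\
DTCSSL107E Internal error: gsk_environment_init: No key database password supplied
DTCSSL107E Internal error: Error opening the database example.kdb rc 53817353 (File or keyring not found)
constructed unrelated console line
DTCSSL107E Internal error: Error opening the database example.p12 rc 53817353 (File or keyring not found)
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```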