BACKFIT OF VARIOUS SSL RAS FUNCTIONS


 
 APAR Identifier ...... PI68533      Last Changed ........ 16/12/02
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  UR1
 Severity ................... 4      Date Closed ......... 16/11/15
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 630      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 540   : UI42771 available 16/12/02 (1000 )
 Release 620   : UI42768 available 16/12/02 (1000 )
 Release 630   : UI42769 available 16/12/02 (1000 )
 Release 640   : UI42770 available 16/12/02 (1000 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 Backfit of various SSL RAS functions documented in PITS
 SK01285.
 
 LOCAL FIX:
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All users of the z/VM SSL Server and         *
 *                 SSLADMIN command                             *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 The following Reliability, Availability and Serviceability (RAS)
 issues are known to exist in various TCP/IP for z/VM code
 levels:
 
 1. The SSLADMIN command requires that at least one space
    precedes the left parenthesis that separates command operands
    from command options.  It should not require such spacing, in
    the same manner as conventional CMS commands.
 
 2. The local socket information, reported by the SSLADMIN QUERY
    SESSIONS command for Implicit connections, incorrectly cites
    the SSL server socket that is part of a secure session. It
    should report the application server socket for these
    connections. (This problem exists for the 620 and 630 code
    levels.)
 
 3. The SSLADMIN QUERY DETAILS command output incorrectly
    includes the text 'CIPHER SUITES INCLUDED:' as part of the
    cipher information reported after the 'Cipher details'
    heading of message DTCSSL2430I. (This problem exists for only
    the 540 code level.)
 
 4. When a certificate key database (.kdb) file name is not
    specified correctly for the VMSSL command KEYFILE operand,
    the SSL server reports the inability to open the designated
    file with this variant of error message DTCSSL107E:
 
     Internal error: gsk_environment_init: No key
                     database password supplied
 
    A more accurate message that cites the open error condition
    should instead be used.
 
 5. For the 640 level, when the certificate database is
    maintained using a PKCS#12 (.p12) file, the SSL server cannot
    open the designated file.  It reports this error with this
    variant of error message DTCSSL107E:
 
     Internal error: Error opening the database <filename>
                     rc 53817353 (File or keyring not found)
 
 PROBLEM CONCLUSION:
 
 TEMPORARY FIX:
 
 COMMENTS:
 This APAR includes the following updates, which address the
 previously cited Reliability, Availability and Serviceability
 (RAS) issues:
 
 1. SSLADMIN EXEC updates that accommodate the lack of a space
    (blank) prior to the left parenthesis that identifies the
    start of command options (All affected code levels - 540,
    620, 630)
 
 2. SSLADMIN EXEC updates that report an applicable application
    server socket, instead of the SSL server socket, in QUERY
    SESSIONS output (620 and 630 code levels)
 
 3. SSLADMIN EXEC updates that eliminate the stray 'CIPHER
    SUITES INCLUDED:' in the QUERY STATUS DETAILS output (540
    code level only)
 
 4. SSL server updates that will better report the inability to
    open a designated key database file. For a certificate key
    database (.kdb) file that does not exist, this new variant
    of message DTCSSL107E will be issued:
 
     Internal error: Error opening the database <filename>
                     rc <rc> (<reason>)
 
    which stems from use of the function:
          gsk_open_database_using_stash_file()
    to open the given database file.
 
    (This update applies to all affected code levels - 540, 620,
     630)
 
 5. SSL server updates that limit use of the previously cited
    gsk_open_database_using_stash_file() function to certificate
    key database (.kdb) files.  This change accommodates use of
    the correct function (gsk_environment_init()) to open
    a PKCS#12 (.p12) certificate database file.
 
    This update applies to all affected code levels - 540, 620,
    630 and 640.
 
 The new error message that follows will be included in any
 future updates to the following publication:
 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 GC24-6237-08 -- z/VM: TCP/IP Level 640 Messages and Codes
 Chapter 17. SSL Messages
 Section:    SSL Server Messages
 Page:       440
 
   Internal error: Error opening the database <filename>
                   rc <rc> (<reason>)
 
 Explanation:
  The key database file cited by the VMSSL command
  KEYFILE operand cannot be opened. For an explanation of the
  return code, see the section titled "CMS status codes" in z/OS
  Cryptographic Service System Secure Sockets Layer Programming.
 
 System action:
  SSL processing is terminated.
 
 System programmer response:
  Check the DTCPARMS definitions for the SSL server and verify
  that the correct key database file name has been specified for
  the VMSSL command KEYFILE operand. Also, verify that the key
  database file and its corresponding password file are present
  in the BFS filespace referenced by the SSL server. Correct any
  problems, then restart the server.
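
 The following triage helper is an added example, not IBM code and not part
 of this APAR. It sorts the DTCSSL107E "Internal error:" variants quoted above
 into the pre-fix wording, the .p12 open failure, and the new open-error form.
 The console log layout, the sample file names and the function name are
 assumptions.

```python
import re

# Message wording is taken from the APAR text; everything else is assumed.
NO_PASSWORD = re.compile(r"gsk_environment_init: No key database password supplied")
OPEN_ERROR = re.compile(
    r"Error opening the database (?P<file>\S+) rc (?P<rc>\d+) \((?P<reason>[^)]*)\)")
RC_NOT_FOUND = 53817353  # rc quoted in the APAR for "File or keyring not found"

def triage_dtcssl107e(console_text):
    """Classify each 'Internal error:' variant of DTCSSL107E in a console log."""
    # The message wraps over two lines, so collapse whitespace before matching.
    flat = " ".join(console_text.split())
    findings = []
    for chunk in flat.split("Internal error:")[1:]:
        opened = OPEN_ERROR.search(chunk)
        if NO_PASSWORD.search(chunk):
            # Pre-fix wording: the real cause is a .kdb that could not be opened.
            findings.append({"kind": "misleading-password-text", "file": None, "rc": None,
                             "check": "pre-fix wording; verify the KEYFILE .kdb name"})
        elif opened:
            name, rc = opened["file"], int(opened["rc"])
            if name.lower().endswith(".p12") and rc == RC_NOT_FOUND:
                # Item 5: a PKCS#12 file handed to the .kdb open routine.
                kind, check = "p12-open-failure", "level 640 without the fix if the file exists"
            else:
                kind, check = "open-failure", "verify KEYFILE in DTCPARMS and files in BFS"
            findings.append({"kind": kind, "file": name, "rc": rc, "check": check})
    return findings

# Constructed console excerpt; the file names and the rc on the .kdb line are made up.
SAMPLE = """\
DTCSSL107E Internal error: gsk_environment_init: No key
                database password supplied
DTCSSL107E Internal error: Error opening the database /etc/gskadm/Server.p12
                rc 53817353 (File or keyring not found)
DTCSSL107E Internal error: Error opening the database /etc/gskadm/Missing.kdb
                rc 53817353 (File or keyring not found)
"""

if __name__ == "__main__":
    for finding in triage_dtcssl107e(SAMPLE):
        print(finding)
```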
 
 MODULES/MACROS:
 SSLADMIN SSLGSKCF
 
 SRLS:
 GC24623708
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: