PEPK97438 - SSLADMIN COMMAND ERROR DTCSSL2421E FOR RACF ENVIRONMENT


 
 APAR Identifier ...... PM28594      Last Changed ........ 11/11/04
 PEPK97438 - SSLADMIN COMMAND ERROR DTCSSL2421E FOR RACF
 ENVIRONMENT
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 2      Date Closed ......... 11/02/10
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 610      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice    PE     HIPER
 Current Target Date ..              Flags
 SCP ...................               FUNCTIONLOSS
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:    UK59536 UK59535
 
 PTF List:
 Release 540   : UK65181 available 11/02/24 (1102 )
 Release 610   : UK65182 available 11/02/24 (1101 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 The SSLADMIN command cannot be used to communicate with all of
 the servers that comprise an SSL server pool in an environment
 where RACF support for management of user POSIX data has been
 enabled.  SSLADMIN commands directed to most of these servers
 fail with these messages:
 
 DTCSSL2421E SSLnnnnn: Communication error: Connection not
             established
 DTCSSL2452W Confirm administrative authority for server SSLnnnnn
 
 However, communication with one pool server is possible.  The
 communication errors result when incorrect user ID information
 is obtained by a server, when RACF OpenExtensions controls
 are in place.
 
 Note that this problem has not been seen to occur on systems
 where such RACF controls are not employed.
 
 LOCAL FIX:
 None.
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: Users using an SSL pool configured under     *
 *                 RACF, or who have configured different       *
 *                 USERIDs of the pool to share the same POSIX  *
 *                 UID number.                                  *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 The SSLSERV program needs to know the VM USERID under which it
 executes to construct the name of a CMS queue to communicate
 with SSLADMIN.  To determine this user ID, the existing logic
 used the cuserid() function, which works by reverse-resolving
 the POSIX numeric UID to a symbolic USERID.
 
 However, this approach does not work if multiple, distinct user
 IDs share the same numeric UID (as is the case for the reported
 problem, with RACF POSIX controls in place).  In this case, a
 single USERID value is provided (consistently) to all members of
 the SSL pool.  Because this value matches the VM user ID of only
 one such server, only that server can respond to SSLADMIN
 requests.  Communication by the remaining virtual machines is
 rendered impossible, due to their use of that value for
 construction of the needed queue name.
 
 The problem is fixed by replacing the cuserid() call with a call
 to the getlogin() function.  The latter obtains the VM USERID
 directly, thus avoiding the potential ambiguity associated with
 the cuserid() function and its use of the POSIX UID value.
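
 The resolution ambiguity described above, as an added illustration
 that is not code from this APAR or from the z/VM TCP/IP product: a
 constructed user table stands in for the RACF-managed POSIX data, the
 queue-name prefix SSLADM. is an assumption used only for the example,
 and the two resolver functions model the behaviour of cuserid() and
 getlogin() rather than calling them. It shows why a pool of three
 servers collapses to a single queue name when identity is recovered
 from a shared numeric UID, and why taking the login name directly
 gives each server its own name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the user database: three SSL pool members
 * whose distinct VM user IDs share one POSIX UID, as the APAR
 * describes under RACF POSIX controls. Not real RACF data. */
struct user_entry {
    const char *name;   /* VM USERID (what getlogin() would return) */
    unsigned    uid;    /* POSIX numeric UID */
};

static const struct user_entry user_db[] = {
    { "SSL00001", 1000 },
    { "SSL00002", 1000 },   /* same UID as SSL00001 */
    { "SSL00003", 1000 },   /* same UID again */
    { "TCPIP",    0    },
};

#define POOL_SIZE 3   /* entries 0..2 form the SSL server pool */

/* Model of cuserid(): reverse-resolve a UID to a name. The mapping is
 * many-to-one when inverted, so the first matching entry always wins. */
const char *name_from_uid(unsigned uid)
{
    for (size_t i = 0; i < sizeof user_db / sizeof user_db[0]; i++)
        if (user_db[i].uid == uid)
            return user_db[i].name;
    return NULL;
}

/* Build the CMS queue name a pool member would use for SSLADMIN
 * traffic. The real naming convention is not on the page; the
 * "SSLADM." prefix is an assumption for illustration only. */
int make_queue_name(const char *userid, char *out, size_t outlen)
{
    if (!userid)
        return -1;
    int n = snprintf(out, outlen, "SSLADM.%s", userid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

typedef const char *(*resolver_fn)(const struct user_entry *);

/* Pre-fix behaviour: recover the user ID by going through the UID. */
static const char *resolve_like_cuserid(const struct user_entry *me)
{
    return name_from_uid(me->uid);
}

/* Post-fix behaviour: take the login name directly. */
static const char *resolve_like_getlogin(const struct user_entry *me)
{
    return me->name;
}

/* Number of distinct queue names the pool members obtain under the
 * given strategy. A pool needs POOL_SIZE distinct names; otherwise
 * only the one server whose name matches can answer SSLADMIN. */
int distinct_queue_names(resolver_fn resolve)
{
    char names[POOL_SIZE][32];
    int distinct = 0;
    for (int i = 0; i < POOL_SIZE; i++) {
        char q[32];
        if (make_queue_name(resolve(&user_db[i]), q, sizeof q) != 0)
            return -1;
        int seen = 0;
        for (int j = 0; j < distinct; j++)
            if (strcmp(names[j], q) == 0)
                seen = 1;
        if (!seen)
            strcpy(names[distinct++], q);
    }
    return distinct;
}

int main(void)
{
    printf("via UID reverse lookup: %d distinct queue name(s)\n",
           distinct_queue_names(resolve_like_cuserid));
    printf("via login name:         %d distinct queue name(s)\n",
           distinct_queue_names(resolve_like_getlogin));
    return 0;
}
```

 The same check applies to any service that derives a per-instance
 name or path from a numeric UID: if the deployment allows several
 logins to share a UID, verify that the resolved name is unique per
 instance before using it as an identifier.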
 
 PROBLEM CONCLUSION:
 The code in the SSLADMIO C module was changed to use the
 getlogin() function instead of cuserid().
 
 TEMPORARY FIX:
 None
 
 COMMENTS:
 
 MODULES/MACROS:   SSLADMIO SSLCDEFS SSLSERV  SSLSTART
 
 SRLS:      NONE
 
 RTN CODES:
 
 CIRCUMVENTION:
 The problem can be circumvented by configuring the system to
 use a single SSL server VM.
 
 MESSAGE TO SUBMITTER: