PEPK97438 - SSLADMIN COMMAND ERROR DTCSSL2421E FOR RACF ENVIRONMENT
APAR Identifier ...... PM28594          Last Changed ........ 11/11/04
PEPK97438 - SSLADMIN COMMAND ERROR DTCSSL2421E FOR RACF ENVIRONMENT

Symptom ...... IN INCORROUT             Status ........... CLOSED PER
Severity ................... 2          Date Closed ......... 11/02/10
Component .......... 5735FAL00          Duplicate of ........
Reported Release ......... 610          Fixed Release ............ 999
Component Name TCP/IP V2 FOR V          Special Notice PE HIPER
Current Target Date ..                  Flags
SCP ................... FUNCTIONLOSS
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List: UK59536 UK59535

PTF List:
  Release 540 : UK65181 available 11/02/24 (1102 )
  Release 610 : UK65182 available 11/02/24 (1101 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
The SSLADMIN command cannot be used to communicate with all of the servers that comprise an SSL server pool in an environment where RACF support for management of user POSIX data has been enabled. SSLADMIN commands directed to most of these servers fail with these messages:

  DTCSSL2421E SSLnnnnn: Communication error: Connection not established
  DTCSSL2452W Confirm administrative authority for server SSLnnnnn

Communication with one pool server, however, remains possible. The communication errors occur because a server obtains incorrect user ID information when RACF OpenExtensions controls are in place. This problem has not been observed on systems where such RACF controls are not employed.

LOCAL FIX:
None.

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: Users of an SSL server pool configured under *
*                 RACF, or who have configured the different   *
*                 user IDs of the pool to share the same POSIX *
*                 UID number.                                  *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
The SSLSERV program needs to know the VM user ID under which it executes in order to construct the name of the CMS queue it uses to communicate with SSLADMIN. To determine this user ID, the existing logic used the cuserid() function, which works by reverse-resolving the process's numeric POSIX UID to a symbolic user ID. This approach does not work when multiple distinct user IDs share the same numeric UID (the case in the reported problem, with RACF POSIX controls in place): the reverse lookup returns one and the same user ID value to every member of the SSL pool. Because that value matches the VM user ID of only one server, only that server constructs the queue name SSLADMIN expects and can respond to SSLADMIN requests. The remaining virtual machines build their queue name from a user ID that is not their own, so communication with them is impossible.

The problem is fixed by replacing the cuserid() call with a call to the getlogin() function. getlogin() obtains the VM user ID directly, avoiding the ambiguity inherent in cuserid() and its reliance on the POSIX UID value.

PROBLEM CONCLUSION:
The code in the SSLADMIO C module was changed to use the getlogin() function instead of cuserid().

TEMPORARY FIX:
None

COMMENTS:

MODULES/MACROS: SSLADMIO SSLCDEFS SSLSERV SSLSTART

SRLS: NONE

RTN CODES:

CIRCUMVENTION:
The problem can be circumvented by configuring the system to use a single SSL server virtual machine.

MESSAGE TO SUBMITTER:
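The UID ambiguity described in the problem summary, as an added example. This is illustrative C written for this page, not code from IBM's SSLADMIO or SSLSERV modules: it models a cuserid()-style reverse lookup (first entry whose UID matches, as getpwuid() behaves) against a constructed table of three pool servers that share one POSIX UID, a getlogin()-style lookup that returns the login name directly, and the queue-name comparison that decides whether SSLADMIN can reach a given server. The user IDs SSL00001-SSL00003, the UID value 1042 and the "<userid>.SSLADMQ" queue-name format are assumptions made for the example, not the product's real values.

```c
/* Added example, not IBM product code: why a UID-based lookup misidentifies
 * SSL pool members that share one POSIX UID, while a login-name lookup does
 * not. The table, the UID 1042 and the queue-name format are constructed. */
#include <stdio.h>
#include <string.h>

struct pw_entry {
    const char *userid;   /* VM user ID (login name) */
    unsigned    uid;      /* numeric POSIX UID assigned through RACF OpenExtensions */
};

/* Constructed sample: three pool servers that RACF maps to the same UID. */
static const struct pw_entry POOL_DB[] = {
    { "SSL00001", 1042 },
    { "SSL00002", 1042 },
    { "SSL00003", 1042 },
};
#define POOL_SIZE (sizeof POOL_DB / sizeof POOL_DB[0])

/* cuserid() model: reverse-resolve a numeric UID to a name. Like getpwuid(),
 * it returns the FIRST entry whose uid matches, so every server that shares
 * the UID receives the same answer. Returns NULL for an unknown UID. */
const char *userid_via_cuserid(unsigned uid)
{
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (POOL_DB[i].uid == uid)
            return POOL_DB[i].userid;
    return NULL;
}

/* getlogin() model: the login name is known to the process itself; no
 * numeric-UID round trip is involved, so sharing a UID does not matter. */
const char *userid_via_getlogin(const struct pw_entry *self)
{
    return self->userid;
}

/* Queue name both sides must agree on. "<userid>.SSLADMQ" is a placeholder
 * format for this example, not the real CMS queue name. Returns 1 on success. */
int queue_name(const char *userid, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s.SSLADMQ", userid) < (int)outlen;
}

/* SSLADMIN reaches a server only if the queue name the server built from its
 * own idea of its user ID equals the one SSLADMIN builds from the server's
 * actual VM user ID. Returns how many pool servers are reachable. */
int reachable_servers(int use_getlogin)
{
    int reachable = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) {
        const struct pw_entry *srv = &POOL_DB[i];
        const char *seen = use_getlogin ? userid_via_getlogin(srv)
                                        : userid_via_cuserid(srv->uid);
        char server_q[64], admin_q[64];
        if (!seen || !queue_name(seen, server_q, sizeof server_q) ||
            !queue_name(srv->userid, admin_q, sizeof admin_q))
            continue;                       /* treated as unreachable */
        if (strcmp(server_q, admin_q) == 0)
            reachable++;
    }
    return reachable;
}

int main(void)
{
    printf("cuserid()-style lookup : %d of %zu pool servers reachable\n",
           reachable_servers(0), POOL_SIZE);
    printf("getlogin()-style lookup: %d of %zu pool servers reachable\n",
           reachable_servers(1), POOL_SIZE);
    return 0;
}
```

With the UID-based lookup only SSL00001 (the first table entry for UID 1042) builds a queue name that matches what SSLADMIN expects, which is the "one pool server still answers" symptom in the error description; with the login-name lookup all three match. The same check applies to any pool whose members share a UID, regardless of how many members it has.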