SSL SERVER CONNECTION LIMIT RELIEF
 APAR Identifier ...... PK52298      Last Changed ........ 09/02/24
 SSL SERVER CONNECTION LIMIT RELIEF
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 2      Date Closed ......... 08/10/01
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 530      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 530   : UK40400 available 08/10/02 (0901 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 The current SSL server implementation can accommodate a maximum
 of 128 concurrent connections.  This is the case regardless of
 whether the VMSSL MAXUSERS operand is used to specify that a
 greater number of such connections should be supported.  This
 restriction is not imposed by virtual storage available for use
 by the SSL server machine, but by the means through which the
 vmssl daemon exploits the Linux guest environment.
 
 This APAR and its associated PTF will serve as a mechanism to
 provide a modified SSL server implementation which can
 accommodate more than 128 concurrent sessions.
 
 Note:
  Due to Linux platform limitations and considerations, the
  aforementioned connection limit relief is being provided for
  only z/VM level 530, and for only the 64-bit Linux
  distributions on which the z/VM SSL server is currently
  supported.
 
 LOCAL FIX:
 None.
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All customers running the z/VM SSL server.   *
 ****************************************************************
 * PROBLEM DESCRIPTION:                                         *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 The z/VM SSL Server is being updated via this APAR to remove
 constraints that prevent establishment and handling of more than
 128 concurrent secured connections.  Various updates have been
 incorporated within the vmssldss, vmssl, and vmsock components
 to facilitate handling greater than 128 concurrent connections.
 
 With the application of this APAR, IBM testing has confirmed
 that the SSL server should accommodate approximately 2000
 concurrent secure connections, when its virtual storage has been
 defined at a 2G maximum.  For handling a large number of such
 connections, the adoption of a RELATIVE SHARE setting equivalent
 to that defined for the TCP/IP server should be considered.
 
 Due to limitations associated with establishing Linux guest
 parameters for accommodating the aforementioned logic changes,
 this support is being provided only for the 64-bit SUSE and
 Red Hat distributions on which the z/VM SSL server is supported.
 
 With this APAR, the following VMSSL command operands are
 introduced:
  * LOGMODE
     - allows one to direct the SSL server to log message and
       trace information to either the log file or to the server
       console
  * GSKTRACE Trace operand
     - activates GSKit tracing of SSL connection processing
  * DEBUG Trace operand
     - activates detailed diagnostic tracing
 
 PROBLEM CONCLUSION:
 The revised information that follows will be included in any
 future updates to the following publication(s):
 ================================================================
  SC24-6125-03 -- z/VM: TCP/IP Level 530 Planning and
                  Customization
 Chapter 22. "Configuring the SSL Server"
 Section: "VMSSL Command"
 Page(s): 623-626
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Descriptions for the VMSSL command operands that follow are
 added.
 ---------------------------------------------------------------
 The VMSSL command LOGMODE operand is introduced:
 
                  .--LOGMOde--FILE-----------.
  >>--VMSSL--...--+--------------------------+--....----------><
                  '--LOGMOde--+--FILE-----+--'
                              '--CONSOLE--'
  LOGMOde location
   specifies the location to which server message and trace
   information should be directed.
  FILE
     Specifies that messages and server trace information should
     be directed to and maintained using a file.  FILE is the
     default.
  CONSole
     specifies that messages and server trace information should
     be directed to the server console.
  Usage Notes:
   1. CONSOLE is the preferred LOGMODE setting for normal server
      operations, and especially when server tracing is performed
      during problem diagnosis.  This mode allows for simplified
      management and retention of all server messages.  Console
      information can readily be captured by using the CP FOR
      command; for example:
        CP FOR SSLSERV CMD CP SPOOL CONSOLE CLOSE
 
 ---------------------------------------------------------------
 The VMSSL command TRACE GSKTRACE and DEBUG operands are
 introduced:
 
            .-NORMal--------------. .-ALL-----------------.
  >-.-TRACE-+---------------------+-+-------------------+-.-.-><
    |       |             .-...-. | |-ip_address--------| | |
    |       |-CONNections-+-----+-| |-:--port-----------| | |
    |       |             +-...-' | |-ip_address-:-port-| | |
    |       |-FLOW----------------' '-conn_number-------' | |
    |       |-GSKtrace------------------------------------| |
    |       '-DEBug---------------------------------------' |
    '-NOTRACE-----------------------------------------------'
 
  GSKtrace
    specifies that GSKit tracing of SSL connection processing is
    to be initiated.
 
    Note: When GSKit tracing is active, data for all SSL server
          connections is acquired and stored in a file that is
          separate from other SSL server trace data.  The
          GSKTRACE operand is intended for use in consultation
          with the IBM Support Center.
 
  DEBug
    Specifies that detailed diagnostic tracing is to be
    initiated.  The DEBUG operand is intended for use in
    consultation with the IBM Support Center.
 
 ================================================================
 Documentation for these new messages will be included in any
 future updates to the following publication:
 GC24-6124-02 -- z/VM: TCP/IP Level 530 Messages and Codes
 Chapter 19.  SSL Messages
 Page(s): 378-385
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 New Message and Text:
 ---------------------
  DTCSSL095I errno detail: <text>
  Explanation:
   This message provides textual information defined by the
   system for an error number (errno) that has been reported as
   part of a previously encountered error.
  System Action:
   SSL processing continues.
  System Programmer Response:
   None.
 
 New Message and Text:
 ---------------------
  DTCSSL096E fileCopy() error encountered; rc: <rc>
  Explanation:
   An error was encountered while attempting to copy a server
   (Linux) file, likely in response to an SSLADMIN GETFILE
   request.  For such a case, this message is returned and
   stored in the CMS file SSLADMIN $ERRDATA.  No CMS file is
   created with the content of the requested file.
  System Action:
   SSL processing continues.
  System Programmer Response:
   Verify that the correct Linux file name was specified with the
   SSLADMIN GETFILE request, and adjust the file name or specify
   a different one when the command is next issued.
 
 New Message and Text:
 ---------------------
  DTCSSL097I Commencing RESET of server to again accept
             connections
  Explanation:
   This message acknowledges receipt of an SSLADMIN RESET command
   that instructs the server to resume acceptance and processing
   of new connection requests.
  System Action:
   SSL processing continues.
  System Programmer Response:
   None.
 
 New Message and Text:
 ---------------------
  DTCSSL113I Log mode set: <setting>
  Explanation:
   This message acknowledges receipt of an SSLADMIN LOGMODE
   command and confirms the requested setting, as reported in the
   message.
  System Action:
   SSL processing continues.
  System Programmer Response:
   None.

 New Message and Text:
 ---------------------
  DTCSSL115W <command> command declined; LOGMODE CONSOLE is in
             effect
  Explanation:
   An SSLADMIN LOG or LOGSIZE command has been received, but the
   given command cannot be processed because all message output
   is currently being directed to the server console.  For an
   SSLADMIN LOG or LOGSIZE command to be processed, file logging
   (LOGMODE FILE) must be in effect.
  System Action:
   SSL processing continues.
  System Programmer Response:
   To obtain the current server console log information while
   LOGMODE CONSOLE is in effect, use the CP FOR command, issued
   from a user ID that has appropriate CP command privilege to
   use this command.  For example:
     CP FOR SSLSERV CMD CP SPOOL CONSOLE CLOSE
 
 New Message and Text:
 ---------------------
  DTCSSL120W Acceptance of new connections has been suspended
  Explanation:
   The server has identified a problem with the socket connection
   used to handle new secure connection requests.  Because this
   problem exists, new secure connections cannot be established.
  System Action:
   SSL processing continues.  Existing secure connections
   continue to be processed.
  System Programmer Response:
   Examine the TCP/IP and SSL server log information for messages
   indicative of a problem associated with the sockets maintained
   between these two servers.  If the problem appears to be
   transient, instruct the SSL server to resume the acceptance of
   new connections via this command:  SSLADMIN = RESET
   For a non-transient problem, ensure that any existing secure
   connections have been closed, then shut down and restart the
   SSL server.
 
 New Message and Text:
 ---------------------
  DTCSSL122I Log size maximum reached; prior data has been
             discarded
  Explanation:
   When LOGMODE FILE is in effect, the server logs information
   to one of two Linux files -- /var/spool/ssllog1 or
   /var/spool/ssllog2.  Information being logged by the server to
   one of these files (perhaps /var/spool/ssllog1) has exceeded
   the maximum amount that should be maintained within such a
   file.  Thus, the server has begun to log information in its
   alternate log file (/var/spool/ssllog2 in this instance) after
   having discarded any data previously maintained in the
   alternate file.
  System Action:
   SSL processing continues.
  System Programmer Response:
   If appropriate, use the SSLADMIN LOGSIZE command to increase
   the size of the server log files.  If this message is reported
   frequently (especially when tracing), consider changing the
   logging mode from FILE to CONSOLE so that all logged
   information can be retained.
 
 New Message and Text:
 ---------------------
  DTCSSL123W <command> command declined; GSKit tracing is active
  Explanation:
   An SSLADMIN GSKCLEAR command has been received, which
   instructs the server to erase an existing GSKit trace file.
   This command cannot be processed because GSKit tracing is
   currently being performed (which presumably is causing data to
   be written to the designated trace file).
  System Action:
   SSL processing continues.
  System Programmer Response:
   When appropriate, stop the GSKit tracing (and any other
   active SSL server traces) via an SSLADMIN NOTRACE command.
   The GSKit trace file then can be either retrieved (via an
   SSLADMIN GETFILE command) or deleted (via a new SSLADMIN
   GSKCLEAR command).
 
 New Message and Text:
 ---------------------
  DTCSSL124I GSK trace file cleared
  Explanation:
   This message acknowledges receipt of an SSLADMIN GSKCLEAR
   command and confirms that the subject file has been erased.
  System Action:
   SSL processing continues.
  System Programmer Response:
   None.
 
 New Message and Text:
 ---------------------
  DTCSSL125I <command> command completed; rc=<rc>
  Explanation:
   The command cited in the message has been processed by
   the SSL server and completed with the indicated return code.
  System Action:
   SSL processing continues.
  System Programmer Response:
   If the command did not complete as expected, review
   the server console for additional messages associated
   with the processing of this command.  Correct any
   problems, then try the command again.
 
 New Message and Text:
 ---------------------
  DTCSSL126E <command> command declined; no parameter string
             specified
  Explanation:
   An SSLADMIN command has been received by the server for
   which a parameter string is expected, but for which no
   such string was provided.
  System Action:
   Command processing continues.
  System Programmer Response:
   None.
 
 New Message and Text:
 ---------------------
  DTCSSL425E TCP/IP service is not available; confirm that the
             TCP/IP server (<userid>) is running
  Explanation:
   The TCP/IP stack server, with which the SSL server is
   associated, is either not logged on or is not running.
  System Action:
   SSL processing stops.
  System Programmer Response:
   Start the indicated virtual machine or ensure it is
   in a working state (for example, not in a CP READ).
 
 Changed Message and Text:
 -------------------------
  DTCSSL073E Broken pipe condition encountered
  (The message text has been augmented for clarity outside of a
  debugging context.  The 'Explanation', 'System Action' and
  'System Programmer Response' for this message remain
  unchanged.)
 
 Changed Message and Text:
 -------------------------
  DTCSSL202E Internal error <location>; VMSSLGSK error <code>
  Explanation:
   An error occurred at the source code location cited in the
   message while using functions that handle specific aspects of
   the SSL protocol.  For the meaning of the error code, see
   <Table 3.  SSL Server Return Codes>.
  (The 'System Action' and 'System Programmer Response' for this
  message remain unchanged.)
 
 Changed Message and Text:
 -------------------------
  DTCSSL206E SSLADMIN peer closed connection
   'SSLADMIN' has been added to the message text for clarity
   outside of a debugging context.
  (The 'Explanation', 'System Action' and 'System Programmer
  Response' for this message remain unchanged.)
 
 Changed Message and Text:
 -------------------------
  DTCSSL501E No SERVER certificate was found with this label
             <label>
  Explanation:
   A server certificate with the label cited in the message
   cannot be located within the SSL key database.  The label in
   question has been specified either to secure a specific port
   or port range, or for securing connections using TLS.
  System Action:
   The attempted connection is terminated.
  System Programmer Response:
   Review the TCP/IP server configuration file and verify that
   all server certificate labels that have been specified as part
   of the PORT statement are correct.  For connections that are
   to be secured using TLS, confirm that all server certificate
   labels (specified for the TLSLABEL statements of pertinent
   protocol servers) are correct.  If necessary, use the SSLADMIN
   QUERY CERT * command to review the labels associated with
   the server certificates that have been stored in the SSL key
   database.  Correct any problems, then retry the connection.
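 The messages above lend themselves to automated review of a captured SSL
 server console (for example, the spool file produced by CP FOR ... SPOOL
 CONSOLE CLOSE under LOGMODE CONSOLE).  The following is an added example
 written for this page, not IBM code: it parses DTCSSL message ids from
 console lines, raises a finding for the messages this APAR says need
 operator action, flags a failed SSLADMIN command by its rc, and treats a
 repeated DTCSSL122I as lost log data.  The sample lines, timestamps and
 return-code values are constructed; the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample of SSL server console lines (invented timestamps, label and rc values);
# the message ids and texts follow the DTCSSL messages documented in this APAR.
SAMPLE_LOG = """\
09:01:02 DTCSSL113I Log mode set: CONSOLE
09:01:05 DTCSSL125I LOGMODE command completed; rc=0
09:01:30 DTCSSL125I GETFILE command completed; rc=8
09:02:10 DTCSSL122I Log size maximum reached; prior data has been discarded
09:02:40 DTCSSL122I Log size maximum reached; prior data has been discarded
09:03:15 DTCSSL122I Log size maximum reached; prior data has been discarded
09:04:00 DTCSSL501E No SERVER certificate was found with this label WEBCERT1
09:05:30 DTCSSL120W Acceptance of new connections has been suspended
09:06:00 DTCSSL425E TCP/IP service is not available; confirm that the TCP/IP server (TCPIP) is running
"""

MSG_RE = re.compile(r"\b(DTCSSL\d{3}([IWE]))\b\s*(.*)")  # id, severity letter, text
RC_RE = re.compile(r"rc=(\d+)")
# Messages whose appearance alone warrants operator attention, per the APAR text.
ALERT_ON_SIGHT = {
    "DTCSSL120W": "new secure connections cannot be established; check the TCP/IP-SSL sockets, SSLADMIN RESET if transient",
    "DTCSSL425E": "SSL processing has stopped; start the TCP/IP stack server",
    "DTCSSL501E": "connection terminated; server certificate label missing from key database",
}
LOG_WRAP_THRESHOLD = 3  # assumed: DTCSSL122I seen this often means trace/log data is being lost

def parse(line):
    """Return {'id','severity','text','rc'} for a DTCSSL console line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msgid, sev, text = m.groups()
    rc = RC_RE.search(text)
    return {"id": msgid, "severity": sev, "text": text.strip(), "rc": int(rc.group(1)) if rc else None}

def analyze(log_text):
    """Return a list of (message id, finding) pairs for an operator to act on."""
    findings, counts = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        counts[rec["id"]] += 1
        if rec["id"] in ALERT_ON_SIGHT:
            findings.append((rec["id"], ALERT_ON_SIGHT[rec["id"]]))
        elif rec["id"] == "DTCSSL125I" and rec["rc"]:  # SSLADMIN command ended with a nonzero rc
            findings.append((rec["id"], f"{rec['text'].split()[0]} failed with rc={rec['rc']}"))
    if counts["DTCSSL122I"] >= LOG_WRAP_THRESHOLD:
        findings.append(("DTCSSL122I", f"log wrapped {counts['DTCSSL122I']} times; raise SSLADMIN LOGSIZE or switch to LOGMODE CONSOLE"))
    return findings
```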
 
 TEMPORARY FIX:
 
 COMMENTS:
 
 MODULES/MACROS:   VMSR4X   VMSR4XS  VMSS9X   VMSS9XS
 
 SRLS:      SC24612503 GC24612402
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: