SSLADMIN STOP Command Does Not Use CP SIGNAL SHUTDOWN for an Enabled Server


 
 APAR Identifier ...... PQ82117      Last Changed ........ 04/02/06
 SSLADMIN STOP COMMAND DOES NOT USE CP SIGNAL SHUTDOWN FOR AN
 ENABLED SERVER
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  PER
 Severity ................... 2      Date Closed ......... 04/01/30
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 440      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 430   : UQ84575 available 04/02/06 (0402 )
 Release 440   : UQ84576 available 04/02/06 (0403 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 The SSL server runs a Linux 2.4.7 kernel that includes a
 "s390-quiesce" support patch, which provides automated
 shutdown capability for such Linux guests.  With this patch
 present, the SSL server is no longer effectively shut down
 via the SSLADMIN STOP command.  When shutdown processing
 has completed after receipt of this command, the SSL server is
 left in a state in which a CP READ is pending, as indicated by
 the messages that follow:
 
   Boot logging started on /dev/ttyS0(/dev/console) at ...
   Master Resource Control: previous runlevel: 3, switching to
     runlevel: 0
   INIT: Switching to runlevel: 0
   Shutting down vmssl:
   Running /etc/init.d/halt.local
   Sending all processes the TERM signal...
   ..done
   md: recovery thread got woken up ...
   md: recovery thread finished ...
   md: stopping all md devices.
   HCPGSP2630I The virtual machine is placed in CP mode due to
     a SIGP stop and store status from CPU 00.
 
 LOCAL FIX:
 None.
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All customers who run the SSL server, for    *
 *                 which its Linux guest is (or can be) enabled *
 *                 to accept CP shutdown signals (that is, has  *
 *                 the "s390-quiesce" kernel patch applied).    *
 ****************************************************************
 * PROBLEM DESCRIPTION: The SSL server administrative interface *
 *                      (SSLADMIN) does not make use of CP      *
 *                      shutdown signals when the SSL Linux     *
 *                      guest is enabled to exploit this        *
 *                      capability.  For an enabled guest, the  *
 *                      existing shutdown process leaves the    *
 *                      SSL server in a pending 'CP READ'       *
 *                      state.                                  *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 The latest Linux distributions that are applicable for running
 the z/VM SSL server now incorporate an "s390-quiesce" kernel
 patch, which establishes the SSL server virtual machine as being
 enabled to accept CP shutdown signals.  When Linux has been
 configured to exploit this signal and the signal is received,
 Linux initiates shutdown processing in an ordered manner.  Upon
 completion of this process, a disabled wait PSW is loaded.
 
 When the SSLADMIN STOP command is used to initiate the SSL
 server shutdown process for a signal-enabled Linux guest, the
 server is left in a state in which a 'CP READ' is pending,
 rather than the desired disabled wait state.  This result occurs
 regardless of whether Linux has been configured to exploit the
 CP shutdown signal.
 
 PROBLEM CONCLUSION:
 The SSLADMIN command has been updated to determine whether the
 SSL server is enabled to accept CP shutdown signals, and will
 use this mechanism to stop the SSL server when an SSLADMIN STOP
 command is used.  An optional STOP command operand ('userid')
 can be specified to direct this signal to a server named
 differently than the default of 'SSLSERV'.
 
 Logic to verify the appropriateness of the named server (or the
 'SSLSERV' default) has been added as well, with new messages
 issued accordingly.  For more information about these changes,
 see the accompanying documentation updates.
 
 Note:
 
 To make effective use of the changes provided through this APAR,
 the SSL Linux guest must be modified to exploit the CP SHUTDOWN
 signal.  Detailed information about the changes required and
 instructions for their implementation are available at the z/VM
 TCP/IP Feature home page on the World Wide Web.  The URL for
 this home page is:
 
   http://www.vm.ibm.com/related/tcpip/
 
 Please consult the "SSL Server Configuration" page content at
 this URL for this information.
 
 The revised information that follows will be included in any
 future updates to the following publication(s):
 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 SC24-6019-02 -- z/VM: TCP/IP Level 440 Planning and
                       Customization
 
 Chapter 23.  Configuring the SSL Server
 Page: 445
 
 ---------------------------------------------------------------
  SSLADMIN STOP
                      .--SSLSERV--.
  >>--SSLadmin--STOP--+-----------+---------------------------><
                      '--userid---'
  Purpose
 
  Use the SSLADMIN STOP command to shut down the SSL server.
 
  Operands
 
  userid
    The user ID of the SSL server virtual machine.  This operand
    is applied only when the SSL server Linux guest is enabled
    for CP SHUTDOWN signals.  The default is SSLSERV.
 
  Usage Notes
 
    o When possible, the CP SIGNAL SHUTDOWN command is used to
      shut down SSL Linux guests that have been enabled to accept
      signals.  A signal timeout interval of 30 seconds is used
      if the system-defined guest signal timeout interval is less
      than 30; otherwise, the system-defined interval is applied.
 
    o When a server virtual machine ID is specified, it must
      match that of the SSL server that has a listen active for
      the SSL administrative port.
 
    o If no listen is active for the SSL administrative port,
      confirmation to stop the server via a SIGNAL SHUTDOWN
      command is requested.
 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 GC24-6022-03 -- z/VM:  TCP/IP Level 440 Messages and Codes
 
 Chapter 19.  SSL Messages
 Page: 295
 
 ---------------------------------------------------------------
 New Informational and Response Messages:
 
 (Due to the informational nature of these messages, formal
  documentation will not be provided.)
 
   DTCSSL2450I The SSL server (userid) is not logged on
 
   DTCSSL2454I SSL server (userid) signaled for shutdown with
               interval 'nn'
 
   * Comment:  Presented after use of CP SIGNAL for shutdown
 
   DTCSSL2454I SSL server (userid) shutdown initiated
 
   * Comment:  Presented after use of administrative socket
               for shutdown
 
   DTCSSL2457R Continue and attempt SIGNAL SHUTDOWN of server
               'userid'?  Enter 0 (No) 1 (Yes)
 
 ---------------------------------------------------------------
 New Message:
   DTCSSL2451E 'text' is not a valid user ID
 
 Explanation:
   The specified user ID value is longer than eight characters,
   contains other format errors, or is not recognized by the
   system.
 
 System Action:
   Command execution stops.
 
 System Programmer Response:
   Correct the condition and try the command again.
 
 ---------------------------------------------------------------
 New Message:
   DTCSSL2452E User 'userid' is not authorized to issue
               command_text commands
 
 Explanation:
   The user ID from which this command was issued does not have
   sufficient CP privilege class to use commands cited in the
   message.
 
 System Action:
   Command execution stops.
 
 System Programmer Response:
   Issue the command from a user ID that has the necessary
   CP privilege class for the listed commands.
 
 ---------------------------------------------------------------
 New Message:
   DTCSSL2453E SSL server (userid) shutdown status is: status
   DTCSSL2453I SSL server (userid) shutdown status is: status
               (Issued by: userid)
 
 Explanation:
   A SIGNAL SHUTDOWN command was issued to stop the server, which
   returned the status indicated in the message.  The
   informational format of this message reflects the status of a
   previously issued SIGNAL SHUTDOWN command.
 
 System Action:
   Command execution stops (Error condition only).
 
 System Programmer Response:
   For the error format of this message, review the reported
   status and address the reported condition, as warranted.  For
   more information, consult the documentation for the CP QUERY
   SIGNALS and CP SIGNAL commands.
 
 ---------------------------------------------------------------
 New Message:
   DTCSSL2455E User ID 'userid1' conflicts with that of the
               active SSL server (userid2)
 
 Explanation:
   The SSL server user ID (userid1) specified for the command
   does not match that of the server (userid2) that has an active
   listen posted for the SSL administrative port.
 
 System Action:
   Command execution stops.
 
 System Programmer Response:
   Ensure the correct SSL server user ID is specified when the
   command is issued.
 
 ---------------------------------------------------------------
 New Message:
   DTCSSL2456W SSL server user ID (userid) cannot be confirmed
 
 Explanation:
   The user ID cited in the message does not have an active
   listen posted for the SSL administrative port.  This condition
   might arise if a socket or other communication error has been
   encountered by the SSL server.  However, it may also be that
   this user ID is not that of the virtual machine that provides
   SSL services for this system.
 
   Because this condition exists, a prompt is presented to
   confirm that a CP SIGNAL SHUTDOWN command should be attempted
   to stop the SSL server.
 
 System Action:
   Command execution continues.
 
 System Programmer Response:
   Verify that the indicated user ID is that of the SSL server
   defined for your system before you provide an affirmative
   response to the prompt that has been presented.
 
 ---------------------------------------------------------------
 New Message:
   DTCSSL2458E SSL server (userid) is not enabled for signals
 
 Explanation:
   An attempt to shut down the indicated server by using a CP
   shutdown signal failed.  This condition might result because
   the server implementation does not recognize or exploit these
   signals, or because the incorrect user ID has been signaled.
 
 System Action:
   Command execution stops.
 
 System Programmer Response:
   Review the command that was issued, as well as any additional
   messages associated with this error.  Ensure the correct
   server machine has been identified, then try the command
   again.
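
 Added example (not part of the APAR or IBM's code): a Python sketch that
 classifies the outcome of an SSLADMIN STOP attempt from captured console
 text, using the message IDs documented above. The sample lines are
 constructed; the single-line message layout, the optional quotes around
 the interval, and the outcome labels are assumptions.

```python
import re

# Message IDs and wording come from the APAR text; the exact console
# rendering (one message per line, quoted interval) is an assumption.
MSG = re.compile(r"\b(DTCSSL\d{4}[IEWR]|HCPGSP2630I)\s+(.*)")
SIGNALED = re.compile(
    r"\(([^)\s]{1,8})\) signaled for shutdown with interval '?(\d+)'?")
ERRORS = {
    "DTCSSL2451E": "invalid user ID operand",
    "DTCSSL2452E": "issuer lacks required CP privilege class",
    "DTCSSL2453E": "SIGNAL SHUTDOWN returned an error status",
    "DTCSSL2455E": "user ID conflicts with active SSL server",
    "DTCSSL2458E": "server not enabled for signals",
}

def effective_interval(system_defined):
    """Usage note: 30 seconds is used when the system value is below 30."""
    return max(30, system_defined)

def classify(lines):
    """Return (outcome, notes) for one SSLADMIN STOP attempt."""
    outcome, notes = "unknown", []
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # ordinary Linux shutdown chatter
        msgid, text = m.groups()
        if msgid in ERRORS:  # every E-format message stops the command
            return "failed", [f"{msgid}: {ERRORS[msgid]}"]
        if msgid == "HCPGSP2630I":
            outcome = "cp-read-pending"  # the symptom this APAR describes
        elif msgid == "DTCSSL2456W":
            notes.append("server user ID unconfirmed; operator was prompted")
        elif msgid == "DTCSSL2454I":
            s = SIGNALED.search(text)
            if s:  # CP SIGNAL path
                outcome = "signal-shutdown"
                if int(s.group(2)) < effective_interval(0):
                    notes.append(f"interval {s.group(2)} is below 30 seconds")
            elif "shutdown initiated" in text:  # administrative socket path
                outcome = "admin-socket-shutdown"
    return outcome, notes

# Constructed sample: the server console of an unpatched SSLADMIN STOP.
SAMPLE_CP_READ = ["INIT: Switching to runlevel: 0",
                  "HCPGSP2630I The virtual machine is placed in CP mode"]
```

 An outcome of "cp-read-pending" means the guest stopped without reaching
 the disabled wait state described in the problem summary.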
 
 TEMPORARY FIX:
 
 COMMENTS:
 
 MODULES/MACROS:   DTCSSL   DTCUME   DTCUPA   DTCUSY   SSLADMIN
 
 SRLS:      SC24601902 GC24602203
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: