A fix is available
APAR status
Closed as program error.
Error description
Migrated to z/OS 2.4 and started receiving the following:

DFHSO0002 CICSREGN A severe error (code X'080C') has occurred in module DFHSOSE.

This is associated with the following Trace Entry:

SO 080C SOSE *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE(GSK_UNKNOWN_RETURN_CODE) FUNCTION(SECURE_SOC_INIT) RESPONSE(DISASTER) REASON (GSK_ERROR) GSK_RETURN_CODE(21D) CERTIFICATE_USERID() CIPHER_SELECTED() HANDSHAKE_TYPE() PROTOCOL_USED()

The error code x'21D' is 541 in decimal.

Looking in /usr/lpp/gskssl/include/gskssl.h, the 541 appears to be "GSK_ERR_REMOTE_BAD_CERTIFICATE", which is not present in a z/OS 2.3 version of the file.

A bad certificate does not warrant a severe error message and system dump. The behavior should be the same as was observed with z/OS 2.2 and 2.3.

Additional Symptom(s) Search Keyword(s):
Local fix
n/a
Problem summary
USERS AFFECTED: All CICS users.

PROBLEM DESCRIPTION: Message DFHSO0002 code(x'080C') and a system dump taken after migrating to z/OS 2.4.

A TCPIPSERVICE with SSL(YES) is installed. A client sends a request to this TCPIPSERVICE and an SSL handshake is performed. The client rejects the server certificate, or a certificate in the certificate authority chain. The SSL handshake completes with code GSK_ERR_REMOTE_BAD_CERTIFICATE (541). This is a new return code added at z/OS 2.4. DFHSOSE does not specifically handle this code, so a severe error message, DFHSO0002, is issued and a system dump is taken.

This severe error message and system dump is unnecessary for a certificate error. The problem should be reported by message DFHSO0123 only.

Additional keywords: msgDFHSO0002 SO0002 080C msgDFHSO0123 SO0123 21D
Problem conclusion
DFHSOSE has been updated to only issue message DFHSO0123 when the SSL handshake completes with GSK_ERR_REMOTE_BAD_CERTIFICATE. DFHSOTRI has been updated to interpret the new response in the trace.
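For regions that do not yet have the PTF applied, the following added example (not IBM code and not part of this APAR) shows one way to triage captured SO 080C exception trace entries: it parses the NAME(value) fields, converts GSK_RETURN_CODE from hex to decimal, and flags entries matching the symptom described here. The function names, the result field names and the second sample line are assumptions made for illustration.

```python
import re

# The only mapping stated in this APAR: 541 (X'21D'), new in gskssl.h at z/OS 2.4.
GSK_CODES = {541: "GSK_ERR_REMOTE_BAD_CERTIFICATE"}

# Constructed sample: the message and trace entry quoted in the APAR, plus a
# constructed variant with a different return code (1A3) for contrast.
SAMPLE_LOG = """\
DFHSO0002 CICSREGN A severe error (code X'080C') has occurred in module DFHSOSE.
SO 080C SOSE *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE(GSK_UNKNOWN_RETURN_CODE) FUNCTION(SECURE_SOC_INIT) RESPONSE(DISASTER) REASON (GSK_ERROR) GSK_RETURN_CODE(21D) CERTIFICATE_USERID() CIPHER_SELECTED() HANDSHAKE_TYPE() PROTOCOL_USED()
SO 080C SOSE *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE(GSK_UNKNOWN_RETURN_CODE) FUNCTION(SECURE_SOC_INIT) RESPONSE(DISASTER) REASON (GSK_ERROR) GSK_RETURN_CODE(1A3) CERTIFICATE_USERID() CIPHER_SELECTED() HANDSHAKE_TYPE() PROTOCOL_USED()
"""

# NAME(value) pairs; the optional whitespace tolerates "REASON (GSK_ERROR)".
FIELD = re.compile(r"([A-Z_]+)\s*\(([^)]*)\)")

def parse_trace(line):
    """Return the NAME(value) fields of a SYSTEM_SSL_ERROR trace entry, else None."""
    if "SYSTEM_SSL_ERROR" not in line:
        return None
    return dict(FIELD.findall(line))

def triage(line):
    """Decode one trace entry; None if it is not an SSL error or has no usable code."""
    fields = parse_trace(line)
    if fields is None or not fields.get("GSK_RETURN_CODE"):
        return None
    try:
        code = int(fields["GSK_RETURN_CODE"], 16)  # trace shows the code in hex
    except ValueError:
        return None
    return {
        "code": code,
        "name": GSK_CODES.get(code, "UNMAPPED"),
        "function": fields.get("FUNCTION", ""),
        # Symptom in this APAR: handshake init ends with 541 (peer rejected the cert).
        "ph23805_symptom": code == 541 and fields.get("FUNCTION") == "SECURE_SOC_INIT",
    }

def triage_log(text):
    """Triage every line of a captured log, skipping lines that are not SSL errors."""
    return [r for r in map(triage, text.splitlines()) if r]
```

Entries flagged as the APAR symptom still mean a client rejected the server certificate or its CA chain, so the certificate presented by the TCPIPSERVICE is worth checking even though the dump itself is unnecessary.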
Temporary fix
Comments
APAR Information
APAR number
PH23805
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / CST / Xsystem
Submitted date
2020-03-27
Closed date
2020-07-16
Last modified date
2020-08-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI70572 UI70573 UI70574
Modules/Macros
DFHSOSE DFHSOTRI
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R100 PSY UI70572
UP20/07/21 P F007
R200 PSY UI70573
UP20/07/17 P F007
R300 PSY UI70574
UP20/07/17 P F007
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
12 August 2020