PH43439: RSE LOGIN USING CERTIFICATE MAY ONLY WORK SOMETIMES

APAR status

  • Closed as program error.

Error description

  • Explorer for z/OS
    
    When attempting to connect to a remote host using the certificate
    authentication method, a user might experience authentication
    failures and succeed only sometimes.
    The authentication failure is due to the server failing to read
    the whole client certificate. In such a case, the server's GSK
    trace may show that the call to gsk_secure_socket_read(), issued
    to get the certificate, receives only part of the expected bytes
    sent by the client, with an EWOULDBLOCK status.
    

Local fix

  • As a workaround, use userid and password as an authentication
    method.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: 01. Users connect using certificate          *
    *                 authentication.                              *
    *                 02. All users of a z/OS host system having   *
    *                 a CPU resource constraint.                   *
    *                 03. Users connect using certificate          *
    *                 authentication.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: 01. Customer cert-authentication        *
    *                      succeeds only 1 out of 6 attempts.      *
    *                      02. On a z/OS CPU-constrained host      *
    *                      system, ThreadPool may fail to start    *
    *                      up in SSL mode.                         *
    *                      03. When ThreadPool experiences a       *
    *                      leftover user thread locking a file     *
    *                      and a current user of the ThreadPool    *
    *                      attempts to query the lock info of      *
    *                      the file, a NullPointerException        *
    *                      (NPE) could occur. Furthermore, the     *
    *                      issue could trigger a repetition of     *
    *                      the query, causing exceptions and       *
    *                      more leftover threads when the          *
    *                      current user logs off.                  *
    ****************************************************************
    01. The GSK trace shows EWOULDBLOCK when the certificate is read
    within gsk_secure_socket_read() (a single read, as originally
    implemented for the zRSE certificate get).
    02. Due to the high CPU consumption of RSE activities during
    startup, especially those related to SSL, ThreadPool may not be
    able to compete for CPU time to complete its startup routine
    within the expected time interval of 10s.
    03. The NPE during the lock owner query occurs because ThreadPool
    could not map the TCB of the lock info to any of its current
    connections.
    The leftover thread might occur when the command is a cancelable
    command and the client attempts to repeat it because of the NPE
    error when the connection is terminated.
    

Problem conclusion

  • 01. Per the GSK documentation for gsk_secure_socket_read():
    https://www.ibm.com/docs/en/zos/2.2.0?topic=reference-gsk-secure-socket-read
    
    [GSK_WOULD_BLOCK]  A complete SSL record is not available.
    When a socket is in non-blocking mode and a complete SSL record
    is not available, gsk_secure_socket_read() will return with
    GSK_WOULD_BLOCK. No data will be returned in the application
    buffer when GSK_WOULD_BLOCK is returned. The application
    should call gsk_secure_socket_read() again when there is data
    available to be read from the socket.
    
    The fix is to have gsk_secure_socket_read() loop (wait for data
    to be ready and reread) while it returns the GSK_WOULD_BLOCK
    status, with a maximum of 3 retries (10 sec timeout each).
    02. On a system with constrained CPU resources, when starting up
    in SSL mode, ThreadPool may time out when the expiry interval of
    around 10 min elapses.
    Moving the other activities, including the Daemon's SSL
    certificate validation and the ZOS service startup, ahead of
    starting the ThreadPool (and starting the expiry timer) helps
    the ThreadPool meet its startup time line.
    03. The fix is to have the lock info discovery adjust the
    owner id to the job name when no current TCB can be matched.
    The cancelable threads should be cleaned up properly to avoid
    exceptions during logging off.
      Note: this fix does not resolve the issue of leftover user
      threads, some of which still hold an exclusive lock on a file.
    
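The single-read defect and the looping fix described in item 01, as an added C example that is not part of the APAR or of the product's code: gsk_secure_socket_read() and the readiness wait are modelled behind hypothetical function pointers, and a constructed fake socket replays the partial-delivery-then-GSK_WOULD_BLOCK sequence so the retry path can be exercised offline. The status values, the fixed 8-byte delivery size and the assumption that the expected certificate length is known from the protocol framing are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>
/* Return values standing in for the System SSL codes the APAR names;
   the numbers are constructed for this example, not the real gsk values. */
#define GSK_OK          0
#define GSK_WOULD_BLOCK 1
#define GSK_ERROR       2
#define MAX_RETRIES 3    /* APAR: at most 3 rereads on GSK_WOULD_BLOCK ... */
#define WAIT_SECS   10   /* ... each after waiting up to 10 s for data    */
/* Hypothetical function types: rd stands in for gsk_secure_socket_read(),
   wait for a poll()-style readiness wait that returns 1 once data arrived. */
typedef int (*secure_read_fn)(void *ctx, unsigned char *buf, size_t len, size_t *got);
typedef int (*wait_readable_fn)(void *ctx, int timeout_secs);

/* Before the fix: one read; whatever arrived is all the server ever sees. */
size_t read_cert_once(secure_read_fn rd, void *ctx, unsigned char *buf, size_t want) {
    size_t got = 0;
    return rd(ctx, buf, want, &got) == GSK_OK ? got : 0;
}

/* After the fix: accumulate until `want` bytes (the length announced by the
   protocol framing, an assumption here) are in buf. On GSK_WOULD_BLOCK wait
   for the socket and reread; give up after MAX_RETRIES consecutive blocks. */
int read_cert_looping(secure_read_fn rd, wait_readable_fn wait, void *ctx,
                      unsigned char *buf, size_t want, size_t *total) {
    size_t have = 0; int retries = 0;
    while (have < want) {
        size_t got = 0;
        int rc = rd(ctx, buf + have, want - have, &got);
        if (rc == GSK_OK && got == 0) return GSK_ERROR;   /* peer closed early */
        if (rc == GSK_OK) { have += got; retries = 0; continue; }
        if (rc != GSK_WOULD_BLOCK) return rc;             /* real error: propagate */
        if (retries++ >= MAX_RETRIES) return GSK_WOULD_BLOCK;
        wait(ctx, WAIT_SECS);                             /* block up to 10 s, then reread */
    }
    *total = have;
    return GSK_OK;
}
/* Constructed stand-in for the non-blocking socket: hands out `data` in 8-byte
   pieces and answers GSK_WOULD_BLOCK `blocks` times once `block_at` bytes are out. */
typedef struct { const char *data; size_t len, pos, block_at; int blocks, waits; } fake_sock;
int fake_read(void *ctx, unsigned char *buf, size_t len, size_t *got) {
    fake_sock *s = ctx;
    if (s->pos == s->block_at && s->blocks > 0) { s->blocks--; *got = 0; return GSK_WOULD_BLOCK; }
    size_t n = s->len - s->pos; if (n > 8) n = 8; if (n > len) n = len;  /* at most 8 bytes per call */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n; *got = n;
    return GSK_OK;
}
/* Counts the 10 s waits the fix incurs; a real one would poll() the socket. */
int fake_wait(void *ctx, int t) { (void)t; ((fake_sock *)ctx)->waits++; return 1; }
```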

Temporary fix

Comments

APAR Information

  • APAR number

    PH43439

  • Reported component name

    EXP FOR Z/OS HO

  • Reported component ID

    5655EXP23

  • Reported release

    310

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-01-18

  • Closed date

    2022-03-07

  • Last modified date

    2022-04-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI79582

Modules/Macros


Fix information

  • Fixed component name

    EXP FOR Z/OS HO

  • Fixed component ID

    5655EXP23

Applicable component levels

  • R310 PSY UI79582

       UP22/03/12 P F203

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 April 2022