A fix is available
APAR status
Closed as program error.
Error description
Explorer for z/OS: When attempting to connect to a remote host using the certificate authentication method, a user might experience authentication failures, with the connection succeeding only some of the time. The authentication failure is due to the server failing to read the whole client certificate. In that case, the server's GSK trace may show that the call to gsk_secure_socket_read, made to get the certificate, receives only part of the expected bytes sent by the client, with an EWOULDBLOCK status.
Local fix
As a workaround, use userid and password as an authentication method.
Problem summary
USERS AFFECTED:
01. Users who connect using certificate authentication.
02. All users of a z/OS host system with constrained CPU resources.
03. Users who connect using certificate authentication.

PROBLEM DESCRIPTION:
01. Customer cert-authentication succeeds only 1 out of 6 attempts.
02. On a CPU-constrained z/OS host system, ThreadPool may fail to start up in SSL mode.
03. When ThreadPool has a leftover user thread locking a file and a current user of the ThreadPool attempts to query the lockinfo of the file, a NullPointerException (NPE) could occur. Furthermore, the issue could trigger a repetition of the query, and could cause an exception and more leftover threads when the current user logs off.

01. The GSK trace shows EWOULDBLOCK when reading the certificate within gsk_secure_socket_read() (a single read, as originally implemented for the zRSE certificate get).
02. Due to the high CPU consumption of RSE activities during startup, especially those related to SSL, ThreadPool may not be able to compete for the CPU time it needs to complete its startup routine within the expected time interval of 10s.
03. The NPE during the lockowner query occurs because the ThreadPool could not map the TCB in the lock info to any of its current connections. The leftover thread might occur when the command is a cancelable command and the client attempts to repeat it because of the NPE error when the connection is terminated.
Problem conclusion
01. Per the GSK documentation for gsk_secure_socket_read() (https://www.ibm.com/docs/en/zos/2.2.0?topic=reference-gsk-secure-socket-read):

[GSK_WOULD_BLOCK] A complete SSL record is not available. When a socket is in non-blocking mode and a complete SSL record is not available, gsk_secure_socket_read() will return with GSK_WOULD_BLOCK. No data will be returned in the application buffer when GSK_WOULD_BLOCK is returned. The application should call gsk_secure_socket_read() again when there is data available to be read from the socket.

The fix is to have the gsk_secure_socket_read() call loop (wait for data to be ready, then reread) while it returns the GSK_WOULD_BLOCK status, with a maximum of 3 retries (10 sec timeout each).

02. On a system with constrained CPU resources, when starting up in SSL mode, ThreadPool may time out after an expiry interval of around 10 min. Moving the other activities, including the Daemon's SSL certificate validation and ZOS service startup, ahead of starting the ThreadPool (and starting the expiry timer) helps the ThreadPool meet its startup time line.

03. The fix is to have the lock info discovery adjust the ownerid to the jobname when no current TCB can be matched. The cancelable threads should be cleaned up properly to avoid an exception during logoff. Note: this fix does not resolve the issue of leftover user threads, some of which still hold an exclusive file lock.
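The wait-and-reread pattern from item 01, as an added example that is not IBM's code: gsk_secure_socket_read() exists only on z/OS, so a non-blocking POSIX socket and read() stand in for it, with EWOULDBLOCK in place of GSK_WOULD_BLOCK. The names read_full, demo and CERT_LEN are hypothetical, and counting the 3 retries across the whole read is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_RETRIES 3  /* retry limit stated in the APAR */
#define CERT_LEN 64    /* constructed stand-in for a client certificate */

/* Read exactly `want` bytes from a non-blocking descriptor. On would-block,
 * wait up to wait_ms for data and reread, at most MAX_RETRIES times.
 * Returns bytes read (short on timeout or early close), or -1 on error. */
ssize_t read_full(int fd, unsigned char *buf, size_t want, int wait_ms)
{
    size_t got = 0;
    int retries = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0) { got += (size_t)n; continue; }
        if (n == 0) break;                      /* peer closed early */
        if (errno == EINTR) continue;
        if (errno != EAGAIN && errno != EWOULDBLOCK) return -1;
        if (retries++ >= MAX_RETRIES) break;    /* retry budget spent */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        if (poll(&p, 1, wait_ms) < 0 && errno != EINTR) return -1;
    }
    return (ssize_t)got;
}

/* Constructed scenario: the peer sends the certificate in two halves, the
 * second after delay_ms (never, if delay_ms < 0). Returns bytes received. */
ssize_t demo(int delay_ms, int wait_ms)
{
    unsigned char cert[CERT_LEN], buf[CERT_LEN];
    int sv[2];
    pid_t pid = -1;
    memset(cert, 0xA5, sizeof cert);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (fcntl(sv[0], F_SETFL, O_NONBLOCK) < 0) return -1;
    if (write(sv[1], cert, CERT_LEN / 2) != CERT_LEN / 2) return -1;
    if (delay_ms >= 0 && (pid = fork()) == 0) {   /* child: late second half */
        poll(NULL, 0, delay_ms);
        _exit(write(sv[1], cert + CERT_LEN / 2, CERT_LEN / 2) < 0);
    }
    ssize_t n = read_full(sv[0], buf, CERT_LEN, wait_ms);
    if (pid > 0) waitpid(pid, NULL, 0);
    close(sv[0]); close(sv[1]);
    return n;
}

int main(void) { return demo(100, 10000) == CERT_LEN ? 0 : 1; }
```

A short return from read_full must be treated by the caller as a failed certificate read, never passed on as a complete certificate.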
Temporary fix
Comments
APAR Information
APAR number
PH43439
Reported component name
EXP FOR Z/OS HO
Reported component ID
5655EXP23
Reported release
310
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-01-18
Closed date
2022-03-07
Last modified date
2022-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI79582
Modules/Macros
FEJENF70 FEJJCNFG FEJJJCL FEJJMON FEJTSO FEK1SMPE FEK2RCVE FEK3ALOC FEK4ZFS FEK5MKD FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR FEK@CONE FEK@CONF FEK@CUST FEK@DEB FEK@DESC FEK@FLOW FEK@GEN FEK@GENW FEK@ISPF FEK@IVP FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1 FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX FEKATTR FEKDSI FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD FEKFCIPH FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6 FEKFCORE FEKFDBBF FEKFDBBP FEKFDBG FEKFDBG6 FEKFDBGM FEKFDIR FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1 FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL FEKFICUL FEKFISPF FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ FEKFIVPT FEKFJESM FEKFJESU FEKFJVM FEKFLATR FEKFLDSI FEKFLDSL FEKFLEOP FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMINS FEKFMNTL FEKFNTCE FEKFOMVS FEKFPATT FEKFPRDS FEKFPTC FEKFRIVP FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL FEKFSTUP FEKFT000 FEKFT001 FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006 FEKFT007 FEKFT008 FEKFT009 FEKFT010 FEKFT011 FEKFT012 FEKFT013 FEKFT014 FEKFT015 FEKFT016 FEKFT017 FEKFT018 FEKFT019 FEKFT020 FEKFT021 FEKFT022 FEKFT023 FEKFT024 FEKFT025 FEKFT026 FEKFT028 FEKFT029 FEKFT030 FEKFT031 FEKFT032 FEKFT033 FEKFTIVP FEKFTRKS FEKFTSO FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZME FEKFZMF FEKFZOS FEKHCONF FEKHCUST FEKHDEB FEKHDESC FEKHFLOW FEKHGEN FEKHISPF FEKHIVP FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2 FEKINIT FEKKEYS FEKLOGR FEKLOGS FEKM00 FEKM01 FEKM02 FEKMKDIR FEKMOUNT FEKMSGC FEKMSGS FEKRACF FEKRSED FEKSAPF FEKSAPPL FEKSBPX FEKSCLAS FEKSCLOG FEKSCMD FEKSCPYM FEKSCPYU FEKSDSN FEKSENV FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON FEKSLPA FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC FEKSSU FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN FEKXML HUHFCOR6 HUHFCORE
Fix information
Fixed component name
EXP FOR Z/OS HO
Fixed component ID
5655EXP23
Applicable component levels
R310 PSY UI79582
UP22/03/12 P F203
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 April 2022