Fixes are available
7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
8.0.0.1: WebSphere Application Server V8.0 Fix Pack 1
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
8.0.0.2: WebSphere Application Server V8.0 Fix Pack 2
8.0.0.3: WebSphere Application Server V8.0 Fix Pack 3
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.
APAR status
Closed as program error.
Error description
When a z/OS thin Client or Application Client invokes sends an RMI request to a Server running on the same system (LPAR), then the server side CSIv2 Inbound Authentication: "Client Certificate Authentication Required" and CSIv2 Inbound Transport: "SSL Required" setting cannot be enforced. Even if the SSL handshake over TCPIP fails the RMI request will execute successfuly by going over LocalCOMM.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server V6.1.0 and higher on Z/OS * **************************************************************** * PROBLEM DESCRIPTION: LocalComm used for RMI connections * * when SSL required. * **************************************************************** * RECOMMENDATION: * **************************************************************** The problem is that we were not honoring CSIv2 settings where Transport level SSL was atleast supported on client or server side when required on the other. When this is the case, localComm should not be used, and SSL should be used instead.
Problem conclusion
In order to use this APAR you must set the following jvm property to true on the client side of your communication. DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED=true Then on server side set the following: CSIv2 Inbound transport: SSL-supported (client needs to require) or CSIv2 Inbound transport: SSL-required (client needs to support or require) ---------------------------------------------------------- And on client side (in sas.client.props) com.ibm.CORBA.loginSource=none (necessary no matter what) com.ibm.CSI.performTransportAssocSSLTLSRequired=true (server needs to support or require) or com.ibm.CSI.performTransportAssocSSLTLSSupported=true (server needs to require) or in WebSphere server (if server is acting as client): CSIv2 Outbound transport: SSL-supported (receiving server needs to require) or CSIv2 Outbound transport: SSL-required (receiving server needs to support or require) localComm will not be used if client or server atleast supports SSL and other side requires it. If this condition is not met localComm will be used. APAR PM33787 requires changes to documentation. NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/library The following changes to the z/OS version of the WebSphere Application Server Version 6.1 Information Center will be made available in November, 2011. The topic "Java virtual machine custom properties" will be updated to include the following description of the new DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED JVM custom property: DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED Specifies whether localComm or SSL should be used when transport level SSL is supported on the client or server side, and is required on the other side. localComm should not be used when transport level SSL is supported on the client or server side, and is required on the other side. In this situation, you should set this custom property to true to ensure that SSL is used instead of localComm. The default value for this property is false, which means that localComm is used. If you decide to use this custom property, you must specify it as an application server JVM custom property. When you specify this property for an application server: - The CSIv2 Inbound transport setting must be set to SSL-supported, or SSL-required. See the topic Configuring inbound transports for more information about these settings. - On the client side, the com.ibm.CORBA.loginSource property in the sas.client.props file must be set to none. - One of the following settings must be inplace on the client side: com.ibm.CSI.performTransportAssocSSLTLSRequired=true com.ibm.CSI.performTransportAssocSSLTLSSupported=true Or, if a WebSphere server is acting as the client, the CSIv2 Inbound transport setting must be set to SSL-supported, or SSL-required on this server. APAR PM33787 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.41 of WebSphere Application Server V6.1. and Fix Pack 8.0.0.2 of WebSphere Application Server V8.0. Sysroute APAR PM43750 will be used to deliver this fix in WebSphere Application Server V7.0. Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.
Temporary fix
Comments
APAR Information
APAR number
PM33787
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-02-28
Closed date
2011-07-14
Last modified date
2011-12-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
R610 PSY UK73054
UP11/11/03 P F111
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
27 October 2021