PH37816: INCREASE BUFFER SIZE FOR CERTIFICATE WHEN USING WS-SECURITY

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• When introducing a new Web Service that uses WS-Security, you
  are having issues with SSL certificate for this service.
  
  The CICS auxtrace contains SAF return codes indicating a
  failure when attempting to resolvePrivateKey.
  
  PI 1204 WSSE EVENT - DATA
  DATA(XSECKeyInfoResolverZos::resolvePrivateKey - IRRSDL00 SAF
  return code = 8)
  
  
  PI 1204 WSSE EVENT - DATA
  DATA(XSECKeyInfoResolverZos::resolvePrivateKey - IRRSDL00 RACF
  return code = 8)
  
  PI 1204 WSSE EVENT - DATA
  DATA(XSECKeyInfoResolverZos::resolvePrivateKey - IRRSDL00 RACF
  reason code = 48)
  
  The External Security Manager (ESM) log shows the failure
  occurs R_datalib call fails indicating "An output area was not
  long enough" .  The return codes  8/8/48 means that a buffer
  supplied on the call is not big enough.  In this case the
  certificate buffer size was 2056 but the production certificate
  is 2157 bytes long so does not fit.
  
  This APAR will increase the buffer size.
  
  Additional Symptom(s) Search Keyword(s):
  KIXREVSCB
  This was opened for case TS005735867
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS Users.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION: CICS Web Service exploiting WS-Security *
  *                      fails when making an IRRSDL00 call to   *
  *                      RACF.                                   *
  ****************************************************************
  In the reported problem, CICS was acting as a Web Service
  Client.  The Web Service was configured to use WS-Security
  to reference the messages.  To achieve this, CICS attempted
  to obtain the Certificate and Private Key from the ESM using
  an IRRSDL00 call.  This call failed because the buffers
  provided by CICS on the call were of insufficient size.
  This presented in CICS as IRRSDL00 SAF return code = 8 with
  reason code = 48.  This error percolated back as a:
  DFHWSSE1: soapFault , Internal Server Error and is eventually
  presented as an abend AEIP caused by an un-handled INVREQ.
  

Problem conclusion

• The buffers passed on the IRRSDL00 call have been increased
  in size.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI76914 UI76915

Modules/Macros

• DFHWS002 DFHWS003 DFHWS004 DFHWS005 DFHWS006 DFHWS007 DFHWS008
  DFHWS009 DFHWS010 DFHWS011 DFHWS012 DFHWS013 DFHWS014 DFHWS015
  DFHWS016 DFHWS017 DFHWS018 DFHWS019 DFHWS020 DFHWS021 DFHWS022
  DFHWS023 DFHWS024 DFHWS025 DFHWS026 DFHWS027 DFHWS028 DFHWS029
  DFHWS030 DFHWS031 DFHWS032 DFHWS033 DFHWS034 DFHWS035 DFHWS036
  DFHWS037 DFHWS038 DFHWS039 DFHWS040 DFHWS041 DFHWS042 DFHWS043
  DFHWS044 DFHWS045 DFHWS046 DFHWS047 DFHWS048 DFHWS049 DFHWS050
  DFHWS051 DFHWS052 DFHWS053 DFHWS054 DFHWS055 DFHWS056 DFHWS057
  DFHWS058 DFHWS059 DFHWS060 DFHWS061 DFHWS062 DFHWS064 DFHWS065
  DFHWS066 DFHWS068 DFHWS069 DFHWS070 DFHWS071 DFHWS072 DFHWS073
  DFHWS074 DFHWS075 DFHWS076 DFHWS077 DFHWS078 DFHWS079 DFHWS081
  DFHWS082 DFHWS083 DFHWS084 DFHWS085 DFHWS086 DFHWS087 DFHWS088
  DFHWS089 DFHWS090 DFHWS091 DFHWS092 DFHWS122 DFHWS123
  

Fix information

• Fixed component name

  CICS TS Z/OS V5

• Fixed component ID

  5655Y0400

Applicable component levels

• R20W PSY UI76915

     UP21/08/27 P F108

• R30W PSY UI76914

     UP21/08/27 P F108

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.