IBM Support

PH59545: DFHSO0123 RECEIVED FROM GSK_SECURE_SOCKET_INIT OF SYSTEM SSL AFTER INSTALL OF PH53611 24/02/13 PTF PECHANGE

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • After applying UI92545 (CICS 5.6) or UI92546 (CICS 6.1)
message

DFHSO0002 A severe error (code X'080C') has occurred in module
DFHSOSE may be issued. The accompanying DFHSO0123 message will
contain one of the following return codes:

12  - This is caused by the CICS certificate private key being
      secured in the PKDS using the RSA master key instead of
      the ECC master key.

455 - This is caused by ICSF being unavailable.

466 - This is caused by running on z/OS 2.3 where the
      GSK_TLS_SIG_ALG_PAIRS environment variable doesn't exist.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All CICS Users with APAR PH53611 applied     *
****************************************************************
* PROBLEM DESCRIPTION: DFHSO0123 function                      *
*                      gsk_secure_socket_init error received   *
*                      containing one of the following return  *
*                      codes:                                  *
*                                                              *
*                      12  - CICS certificate private key      *
*                            being secured in the PKDS using   *
*                            the RSA master key instead of     *
*                            the ECC master key.               *
*                                                              *
*                      455 - ICSF is not active                *
*                                                              *
*                      466 - GSK_TLS_SIG_ALG_PAIRS             *
*                            environment variable is not       *
*                            supported in z/OS 2.3             *
****************************************************************
CICS calls a web service to a remote server using the SSL
protocol and attempts to open a connection and establish a
handshake using one of the new algorithms
(0804, 0805, and 0806)

The handshake will fail if you are running with z/OS 2.3, ICSF
is not active or the private key is secured in the PKDS using
RSA instead of ECC master key.

    



Problem conclusion


    

  • UI92545 UI93696

We have removed the code which set the GSK_TLS_SIG_ALG_PAIRS.
If CICS users want to use the additional algorithms
(0804, 0805, and 0806) they will need to manually set the
GSK_TLS_SIG_ALG_PAIRS value.

You can change the default values that are used by CICS in
either of the following ways:

1. Update CELQDOPT in the CEEPRMxx parmlib member to add an
ENVAR statement that sets the required variable. This affects
all 64-bit applications that use System SSL services, not just
CICS applications. For detailed instructions, see "Creating
system-level runtime options and keyword defaults with
CEEPRMxx" in z/OS documentation.


2. Add a CEEOPTS DD statement to the CICS JCL. CEEOPTS needs to
reference a data set or member that contains an ENVAR
statement. This affects System SSL and JVM servers within CICS.

   ENVAR("GSK_TLS_SIG_ALG_PAIRS=06010603050105030401040304
   02030103030302020102030202080608050804")

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH59545
    • 

  • Reported component name
    CICS TS Z/OS V5
    • 

  • Reported component ID
    5655Y0400
    • 

  • Reported release
    300
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    YesPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2024-02-01
    • 

  • Closed date
    2024-03-27
    • 

  • Last modified date
    2024-05-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
PH58916
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI96262
    

    • 



Modules/Macros


    

  • DFHLEPTS DFHMESOC DFHMESOE DFHMESOK DFHSOAD  DFHSOCK  DFHSODM
DFHSODS  DFHSODUF DFHSOGH@ DFHSOHN  DFHSOIS  DFHSOL   DFHSOLI
DFHSOLS  DFHSOLX  DFHSOLX6 DFHSOM01 DFHSOM02 DFHSOM03 DFHSONT
DFHSOPL  DFHSORD  DFHSORL  DFHSORM  DFHSOS00 DFHSOS01 DFHSOS02
DFHSOS03 DFHSOS04 DFHSOS05 DFHSOS06 DFHSOS07 DFHSOS08 DFHSOS09
DFHSOS10 DFHSOS11 DFHSOS12 DFHSOS13 DFHSOS14 DFHSOS15 DFHSOS16
DFHSOS17 DFHSOS18 DFHSOS19 DFHSOS20 DFHSOS21 DFHSOS22 DFHSOS23
DFHSOSE  DFHSOSES DFHSOSK  DFHSOSM  DFHSOST  DFHSOTB  DFHSOTI
DFHSOTRI DFHSOUE  DFHSOXM

    



Fix information


    

  • Fixed component name
    CICS TS Z/OS V5
    • 

  • Fixed component ID
    5655Y0400
    • 



Applicable component levels


    

  • R300  PSY  UI96262
       UP24/05/01  P  F404  {
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.6","Line of Business":{"code":"LOB70","label":"Z TPS"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 May 2024
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback