IBM Support

PH60212: URIMAPS WITH A BLANK CIPHERS ATTRIBUTE WILL BE INSTALLED AS IF THEY HAD CIPHERS(DEFAULTCIPHERS.XML).

A fix is available

APAR status

  • Closed as program error.

Error description

  • URIMAP definitions carried over after an upgrade may retain a
    blank CIPHERS attribute despite being defined for a secure
    connection. CICS will be updated to install these definitions
    with the name of the default cipher suite specification file.
    Additional symptoms / search keywords:  KIXREVPAD
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: URIMAPs with USAGE(CLIENT)              *
    *                      SCHEME(HTTPS) and CIPHERS() always use  *
    *                      a default set of 2-digit ciphers        *
    ****************************************************************
    A URIMAP has been defined using DFHCSDUP with USAGE(CLIENT)
    SCHEME(HTTPS) and CIPHERS().  When the URIMAP is installed it
    always uses a default set of 2-digit ciphers (3538392F3233)
    even if feature toggle com.ibm.cics.web.defaultcipherfile=true
    or SIT parameter MAXTLSLEVEL=TLS13 are set.
    
    This can lead to TLS handshake failures due to no common
    ciphers or not having a valid TLS 1.3 cipher.
    

Problem conclusion

  • This APAR changes the behaviour of URIMAP install.
    
    Any URIMAP with USAGE(CLIENT) SCHEME(HTTPS) and CIPHERS() will
    now have the CIPHERS attribute explicitly set when the URIMAP is
    installed.
    
    If feature toggle com.ibm.cics.web.defaultcipherfile=true is set
    and defaultciphers.xml is usable or SIT parameter
    MAXTLSLEVEL=TLS13 is set, then the CIPHERS attribute will be
    installed as CIPHERS(defaultciphers.xml).  If neither is set,
    then the CIPHERS attribute will be installed as
    CIPHERS(3538392F3233) to retain the behaviour from previous
    releases.
    
    New message DFHWB1561 will be issued to say what the CIPHERS
    attribute was set to.
    
    This does NOT change the URIMAP resource definition on the CSD.
    It is recommended that the URIMAP definition on the CSD is
    updated to explicitly specify a cipher file in the CIPHERS
    attribute.
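
The install-time choice described above can be modelled for audit purposes. The following is an added example, not IBM code: it decodes the 2-digit string 3538392F3233 into IANA suite names and lists client HTTPS URIMAPs that rely on a blank CIPHERS attribute. The function names, the dictionary layout and the sample definitions are constructed, and the condition is read as (feature toggle set and defaultciphers.xml usable) or MAXTLSLEVEL=TLS13, which is an assumption about the wording.

```python
LEGACY_DEFAULT = "3538392F3233"  # legacy default quoted in this APAR
# IANA cipher suite names for values 0x00NN, which the 2-digit codes map to.
IANA_NAMES = {
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "38": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "39": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "32": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "33": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}

def decode_two_digit(ciphers):
    """Split a 2-digit cipher string into (code, name) pairs in preference order."""
    if len(ciphers) % 2:
        raise ValueError("2-digit cipher string must have even length")
    codes = [ciphers[i:i + 2].upper() for i in range(0, len(ciphers), 2)]
    return [(c, IANA_NAMES.get(c, "unknown")) for c in codes]

def installed_ciphers(usage, scheme, ciphers, toggle=False,
                      file_usable=False, maxtlslevel=""):
    """Model the CIPHERS value in effect after install with the fix applied."""
    if not (usage == "CLIENT" and scheme == "HTTPS" and not ciphers.strip()):
        return ciphers  # only blank CIPHERS on client HTTPS URIMAPs is affected
    # Assumed reading: (toggle AND file usable) OR MAXTLSLEVEL=TLS13
    if (toggle and file_usable) or maxtlslevel == "TLS13":
        return "defaultciphers.xml"
    return LEGACY_DEFAULT

def audit(urimaps, **region):
    """Return (name, effective CIPHERS) for definitions relying on a blank CIPHERS."""
    return [(u["name"], installed_ciphers(u["usage"], u["scheme"], u["ciphers"], **region))
            for u in urimaps
            if u["usage"] == "CLIENT" and u["scheme"] == "HTTPS" and not u["ciphers"].strip()]

# Constructed sample definitions (not taken from any real CSD).
SAMPLE = [
    {"name": "PAYCLNT", "usage": "CLIENT", "scheme": "HTTPS", "ciphers": ""},
    {"name": "INVCLNT", "usage": "CLIENT", "scheme": "HTTPS", "ciphers": "defaultciphers.xml"},
    {"name": "WEBSRV", "usage": "SERVER", "scheme": "HTTPS", "ciphers": ""},
]

if __name__ == "__main__":
    for name, eff in audit(SAMPLE, maxtlslevel="TLS12"):
        print(name, eff, [n for _, n in decode_two_digit(eff)])
```

Every suite in the decoded legacy list is a CBC-mode SHA-1 suite with a 0x00NN value, and TLS 1.3 suites (0x1301 to 0x1303) cannot be expressed as 2-digit codes, which is consistent with the handshake failures described in the problem summary.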
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH60212

  • Reported component name

    CICS TS Z/OS V6

  • Reported component ID

    5655YA100

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-03-07

  • Closed date

    2024-04-11

  • Last modified date

    2024-05-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI96487

Modules/Macros

  • DFHMEWBC DFHMEWBE DFHMEWBK DFHWBUR
    

Fix information

  • Fixed component name

    CICS TS Z/OS V6

  • Fixed component ID

    5655YA100

Applicable component levels

  • R400 PSY UI96487

       UP24/04/12 P F404

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 May 2024