A fix is available
APAR status
Closed as program error.
Error description
URIMAP definitions carried over after an upgrade may retain a blank CIPHERS attribute despite being defined for a secure connection. CICS will be updated to install these definitions with the name of the default cipher suite specification file. Additional symptoms / search keywords: KIXREVPAD
Local fix
Problem summary
USERS AFFECTED: All CICS users
PROBLEM DESCRIPTION: URIMAPs with USAGE(CLIENT) SCHEME(HTTPS) and CIPHERS() always use a default set of 2-digit ciphers
A URIMAP has been defined using DFHCSDUP with USAGE(CLIENT) SCHEME(HTTPS) and CIPHERS(). When the URIMAP is installed, it always uses a default set of 2-digit ciphers (3538392F3233), even if feature toggle com.ibm.cics.web.defaultcipherfile=true or SIT parameter MAXTLSLEVEL=TLS13 is set. This can lead to TLS handshake failures, either because the two ends have no ciphers in common or because no valid TLS 1.3 cipher is offered.
Problem conclusion
This APAR changes the behaviour of URIMAP install. Any URIMAP with USAGE(CLIENT) SCHEME(HTTPS) and CIPHERS() will now have the CIPHERS attribute explicitly set when the URIMAP is installed.
If feature toggle com.ibm.cics.web.defaultcipherfile=true is set and defaultciphers.xml is usable, or SIT parameter MAXTLSLEVEL=TLS13 is set, then the CIPHERS attribute will be installed as CIPHERS(defaultciphers.xml). If neither is set, the CIPHERS attribute will be installed as CIPHERS(3538392F3233) to retain the behaviour from previous releases.
New message DFHWB1561 will be issued to say what the CIPHERS attribute was set to.
This does NOT change the URIMAP resource definition on the CSD. It is recommended that the URIMAP definition on the CSD is updated to explicitly specify a cipher file in the CIPHERS attribute.
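An added example, not IBM's code: a Python audit sketch that reads DEFINE URIMAP statements and predicts which CIPHERS value install will apply under the rules stated above, so the CSD definitions can be corrected. The sample definitions are constructed, the function and parameter names are hypothetical, and it assumes each DEFINE statement runs until the next one and that an omitted CIPHERS keyword counts as blank.

```python
import re

LEGACY = "3538392F3233"            # default 2-digit cipher string quoted in the APAR
DEFAULT_FILE = "defaultciphers.xml"

# Constructed sample DFHCSDUP input (URIMAP names, group and hosts are made up).
SAMPLE = """\
DEFINE URIMAP(PAYCLI) GROUP(WEBGRP) USAGE(CLIENT) SCHEME(HTTPS)
       HOST(api.example.test) PATH(/pay) CIPHERS()
DEFINE URIMAP(INVCLI) GROUP(WEBGRP) USAGE(CLIENT) SCHEME(HTTPS)
       HOST(api.example.test) PATH(/inv) CIPHERS(defaultciphers.xml)
DEFINE URIMAP(PLAINC) GROUP(WEBGRP) USAGE(CLIENT) SCHEME(HTTP)
       HOST(api.example.test) PATH(/status)
"""

def parse_defines(text):
    """Split the input into DEFINE URIMAP statements; return keyword dicts."""
    joined = " ".join(line.strip() for line in text.splitlines())
    out = []
    for stmt in re.split(r"(?=\bDEFINE\s+URIMAP\()", joined):
        attrs = {k.upper(): v.strip() for k, v in re.findall(r"(\w+)\(([^)]*)\)", stmt)}
        if "URIMAP" in attrs:
            out.append(attrs)
    return out

def installed_ciphers(attrs, toggle_default_file=False, file_usable=False, maxtlslevel=""):
    """Predict the install-time CIPHERS value; None if the APAR rule does not apply."""
    if attrs.get("USAGE", "").upper() != "CLIENT" or attrs.get("SCHEME", "").upper() != "HTTPS":
        return None
    if attrs.get("CIPHERS", ""):   # explicitly specified on the CSD: unaffected
        return None
    if (toggle_default_file and file_usable) or maxtlslevel.upper() == "TLS13":
        return DEFAULT_FILE
    return LEGACY                  # fallback that retains previous-release behaviour

def audit(text, **region):
    """Return {urimap name: predicted CIPHERS} for definitions with blank CIPHERS."""
    result = {}
    for attrs in parse_defines(text):
        value = installed_ciphers(attrs, **region)
        if value is not None:
            result[attrs["URIMAP"]] = value
    return result

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: blank CIPHERS on CSD, would install as CIPHERS({value})")
```

Every name it reports is a definition worth updating on the CSD, and any that resolve to the 2-digit string are the ones exposed to the handshake failures described in the problem summary.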
Temporary fix
Comments
APAR Information
APAR number
PH60212
Reported component name
CICS TS Z/OS V6
Reported component ID
5655YA100
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-03-07
Closed date
2024-04-11
Last modified date
2024-05-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI96487
Modules/Macros
DFHMEWBC DFHMEWBE DFHMEWBK DFHWBUR
Fix information
Fixed component name
CICS TS Z/OS V6
Fixed component ID
5655YA100
Applicable component levels
R400 PSY UI96487
UP24/04/12 P F404
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 May 2024