Fixes are available
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
After enabling SSLFIPSEnable, the following message is displayed on server start on z/OS: Failed to configure SSLFIPSEnable, restart with a change in FIPS is not supported (gskrc=53817451) SSL works successfully without FIPS enabled or without the WAS WebServer Plug-in. Changing the relative order of the LoadModule directives for mod_ibm_ssl and mod_was_ap22_http.so resolves the problem
Local fix
Ensure that "LoadModule whatkilledus_module" is at the bottom of the httpd.conf file, and "LoadModule ibm_ssl_module" is placed before "LoadModule mod_ap22_module".
Problem summary
**************************************************************** * USERS AFFECTED: Users of IBM HTTP Server on z/OS who are * * considering enabling FIPS support. * **************************************************************** * PROBLEM DESCRIPTION: Configuring "SSLFIPSEnable" on z/OS * * may generate a misleading fatal error * * at startup. * **************************************************************** * RECOMMENDATION: Apply the fix if SSLFIPSEnable is required * * on z/OS. * **************************************************************** Unique to z/OS, FIPS support is enabled per-process, and must be enabled before any z/OS System SSL activity occurs in a given process. Prior to this APAR, the WAS WebServer Plug-in could initialize before mod_ibm_ssl (order is not defined) and setup its own System SSL environment prior to mod_ibm_ssl.
Problem conclusion
mod_ibm_ssl is now hard-wired to initialize before mod_was_ap22_http.so, ensuring the calls in mod_ibm_ssl to enable FIPS will always run before SSL initialization in the AS Plug-in.
Temporary fix
Comments
APAR Information
APAR number
PI14451
Reported component name
WAS IHS ZOS
Reported component ID
5655I3510
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-03-25
Closed date
2014-07-09
Last modified date
2014-07-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WAS IHS ZOS
Fixed component ID
5655I3510
Applicable component levels
R850 PSY
UP
Document Information
Modified date:
28 April 2022