A fix is available
APAR status
Closed as program error.
Error description
Adding client certificate details would make each of the current reasons for issuing message DFHWB0363 unique. This would improve problem resolution time and effort and possibly eliminate the need for capturing SSL trace in some situations.

Additional Symptom(s) Search Keyword(s): KIXREVDAM MSGDFHWB0363 cert
Local fix
Problem summary
USERS AFFECTED: All.
PROBLEM DESCRIPTION: Message DFHWB0363 is imprecise.
RECOMMENDATION: .

Message DFHWB0363 may be issued when a client has tried to connect to CICS on a TCPIPSERVICE but the request has failed.

Message DFHWB0363 suggests several reasons for the failure:

o The client has not provided any certificate.
o The client's certificate is not installed in the external security manager's database.
o The client's certificate is not marked as TRUSTED in the external security manager's database.

No certificate names, certificate serial numbers and/or a URIMAP name (where applicable) are provided.

Issuing DFHWB0363 for a number of reasons with insufficient detail makes identification of the underlying error difficult.
Problem conclusion
CICS web domain code has been modified. It will now:

o Issue DFHWB0363 when a client certificate has not been supplied.
o Issue DFHWB0366 when a client certificate is unknown to the ESM or is UNTRUSTED (an insert will identify which). This new message will also provide the certificate name and serial number.
o Issue DFHWB0367 when an HTTP request is received and it matches a URIMAP with SCHEME(HTTPS). This new message will also provide the URIMAP name.

The following changes will be made to the CICS Transaction Server for z/OS 5.3 Messages and Codes manual (GC34-7419-00):

Message DFHWB0363 will now read:

DFHWB0363 date time applid tranid A client certificate is required but has not been supplied. Host IP address: hostaddr. Client IP address: clientaddr. TCPIPSERVICE: tcpipservice.

Explanation
The client at IP address clientaddr has tried to connect to CICS on a TCPIPSERVICE that has the option AUTHENTICATE(CERTIFICATE), but the client has not provided a client certificate.

System action
The connection is rejected with an HTTP 403 (forbidden) response.

User response
Ensure that the client has a valid certificate.

Module
DFHWBXN

Message inserts
1. date
2. time
3. applid
4. tranid
5. hostaddr
6. clientaddr
7. tcpipservice

Destination
CWBO

A new message, DFHWB0366, will be added thus:

DFHWB0366 date time applid tranid A client certificate was supplied but could not be used because it { was not known to the ESM | was marked as UNTRUSTED }. Host IP address: hostaddr. Client IP address: clientaddr. TCPIPSERVICE: tcpipservice. Certificate Serial number: number. Certificate common name: name.

Explanation
The client at IP address clientaddr has tried to connect to CICS on a TCPIPSERVICE that requires a client certificate but the supplied certificate is unusable. An explanatory message describes why:

was not known to the ESM
The certificate is not known to the external security manager (ESM).

was marked as UNTRUSTED
The certificate has been given the NOTRUST attribute by the security administrator. This indicates that the certificate is not to be used.

System action
The connection is rejected with an HTTP 403 (forbidden) response.

User response
Ensure that the client has a valid certificate that is installed in the ESM and is marked as trusted.

Module
DFHWBXN

Message inserts
1. date
2. time
3. applid
4. tranid
5. Value chosen from the following options:
   1=was not known to the ESM
   2=was marked as UNTRUSTED
6. hostaddr
7. clientaddr
8. tcpipservice
9. number
10. name

Destination
CWBO

A new message, DFHWB0367, will be added thus:

DFHWB0367 date time applid tranid An HTTP request was received and matched URIMAP name. This URIMAP had scheme(HTTPS). The request was rejected. Host IP address: hostaddr. Client IP address: clientaddr. TCPIPSERVICE: tcpipservice.

Explanation
The client at IP address clientaddr has sent in an HTTP request but the URIMAP being used has scheme(HTTPS).

System action
The connection is rejected with an HTTP 403 (forbidden) response.

User response
Change the client to send in an HTTPS request or change the URIMAP to specify scheme(HTTP).

Module
DFHWBXM

Message inserts
1. date
2. time
3. applid
4. tranid
5. name
6. hostaddr
7. clientaddr
8. tcpipservice

Destination
CWBO
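With the three causes now split across separate messages, rejected connections can be triaged directly from the CWBO output. The following is an added example, not IBM code: a parser built from the message texts above, which assumes that date and time are single tokens and that each message has been joined onto one line. The key `urimap` and the sample values are illustrative.

```python
import re
from collections import Counter

# Fixed prefix and address inserts shared by all three messages. Assumption:
# date and time are single tokens and a wrapped message was joined into one line.
HEAD = r"(?P<date>\S+) (?P<time>\S+) (?P<applid>\S+) (?P<tranid>\S+) "
TAIL = (r"Host IP address: (?P<hostaddr>\S+?)\. "
        r"Client IP address: (?P<clientaddr>\S+?)\. "
        r"TCPIPSERVICE: (?P<tcpipservice>\S+?)\.")
BODIES = {
    "DFHWB0363": r"A client certificate is required but has not been supplied\. " + TAIL,
    "DFHWB0366": (r"A client certificate was supplied but could not be used because it "
                  r"(?P<reason>was not known to the ESM|was marked as UNTRUSTED)\. " + TAIL +
                  r" Certificate Serial number: (?P<serial>\S+?)\."
                  r" Certificate common name: (?P<name>.+?)\."),
    "DFHWB0367": (r"An HTTP request was received and matched URIMAP (?P<urimap>\S+?)\. "
                  r"This URIMAP had scheme\(HTTPS\)\. The request was rejected\. " + TAIL),
}
PATTERNS = {mid: re.compile(mid + " " + HEAD + body) for mid, body in BODIES.items()}


def parse(line):
    """Return the inserts of a DFHWB0363/0366/0367 message as a dict, else None."""
    line = " ".join(line.split())          # normalise runs of whitespace
    rx = PATTERNS.get(line[:9])
    m = rx.fullmatch(line) if rx else None
    return {"msgid": line[:9], **m.groupdict()} if m else None


def rejections_by_client(lines):
    """Count rejected connections per (client address, message id)."""
    return Counter((r["clientaddr"], r["msgid"]) for r in map(parse, lines) if r)


# Constructed sample lines: applid, addresses, names and serial are made up.
SAMPLE = [
    "DFHWB0363 11/19/2016 10:15:02 CICSA1 CWXN A client certificate is required but has not been supplied. Host IP address: 192.0.2.10. Client IP address: 198.51.100.7. TCPIPSERVICE: HTTPSSL.",
    "DFHWB0366 11/19/2016 10:16:40 CICSA1 CWXN A client certificate was supplied but could not be used because it was marked as UNTRUSTED. Host IP address: 192.0.2.10. Client IP address: 198.51.100.7. TCPIPSERVICE: HTTPSSL. Certificate Serial number: 0A1B2C. Certificate common name: test.client.example.",
    "DFHWB0367 11/19/2016 10:17:05 CICSA1 CWXN An HTTP request was received and matched URIMAP PAYURI01. This URIMAP had scheme(HTTPS). The request was rejected. Host IP address: 192.0.2.10. Client IP address: 203.0.113.5. TCPIPSERVICE: HTTPNSSL.",
    "an unrelated log line",
]

if __name__ == "__main__":
    for key, n in sorted(rejections_by_client(SAMPLE).items()):
        print(key, n)
```
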
Temporary fix
Comments
APAR Information
APAR number
PI68409
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
000
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-31
Closed date
2016-11-11
Last modified date
2016-12-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI42539
Modules/Macros
DFHMEWBC DFHMEWBE DFHMEWBK DFHWBA1 DFHWBAPF DFHWBAP DFHWBA DFHWBBLI DFHWBDM DFHWBDUF DFHWBENV DFHWBPA DFHWBPW DFHWBSO DFHWBSRT DFHWBSR DFHWBTRI DFHWBTTA DFHWBXM DFHWBXN
GC34741900
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R000 PSY UI42539
UP16/11/19 P F611
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 December 2016