IBM Support

PI68409: ENHANCE DFHWB0363 SITUATIONS TO SUPPLY UNIQUE MESSAGES AND IMPROVE PROBLEM RESOLUTION

A fix is available


APAR status

  • Closed as program error.

Error description

  • Adding client certificate details would make each of the
    current reasons for issuing message DFHWB0363 unique. This
    would improve problem resolution time and effort and possibly
    eliminate the need for capturing SSL trace in some
    situations.
    
    Additional Symptom(s) Search Keyword(s): KIXREVDAM
    MSGDFHWB0363 cert
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All.                                                         *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Message DFHWB0363 is imprecise.                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * .                                                            *
    ****************************************************************
    Message DFHWB0363 may be issued when a Client has tried to
    connect to CICS on a TCPIPSERVICE but the request has failed.
                                                                   .
    Message DFHWB0363 suggests several reasons for the failure:
                                                                   .
    o The client has not provided any certificate.
    o The client's certificate is not installed in the external
      security manager's database.
    o The client's certificate is not marked as TRUSTED in the
      external security manager's database.
                                                                   .
    No Certificate names, Certificate serial numbers and/or a
    URIMAP NAME ( where applicable ) are provided.
                                                                   .
    Issuing DFHWB0363 for a number of reasons with insufficient
    detail makes identification of the underlying error difficult.
    

Problem conclusion

  • CICS web domain code has been modified. It will now:
                                                                   .
    Issue DFHWB0363 when a client certificate has not been supplied.
                                                                   .
    Issue DFHWB0366 when a client certificate is unknown to the ESM
    or is UNTRUSTED ( an insert will identify which ), this new
    message will also provide the certificate name and serial
    number.
                                                                   .
    Issue DFHWB0367 when an HTTP request is received and it matches
    a URIMAP with SCHEME(HTTPS), this new message will also provide
    the URIMAP name.
                                                                   .
                                                                   .
    The following changes will be made to the CICS Transaction
    Server for z/OS 5.3 Messages and Codes manual
    ( GC34-7419-00 ):
                                                                   .
    Message DFHWB0363 will now read:
    DFHWB0363 date time applid tranid A client certificate is
    required but has not been supplied. Host IP address:
    hostaddr. Client IP address: clientaddr. TCPIPSERVICE:
    tcpipservice.
                                                                   .
    Explanation
    The client at IP address clientaddr has tried to connect to
    CICS on a TCPIPSERVICE that has the option
    AUTHENTICATE(CERTIFICATE), but the client has not provided a
    client certificate.
                                                                   .
    System action
    The connection is rejected with an HTTP 403 (forbidden)
    response.
                                                                   .
    User response
    Ensure that the client has a valid certificate.
                                                                   .
    Module
    DFHWBXN
                                                                   .
    Message inserts
     1. date
     2. time
     3. applid
     4. tranid
     5. hostaddr
     6. clientaddr
     7. tcpipservice
                                                                   .
    Destination
     CWBO
                                                                   .
    
    A new message of DFHWB0366 will be added thus:
                                                                   .
    DFHWB0366 date time applid tranid  A client certificate was
    supplied but could not be used because it { was not known to
    the ESM | was marked as UNTRUSTED }.  Host IP address: hostaddr.
    Client IP address: clientaddr. TCPIPSERVICE: tcpipservice.
    Certificate Serial number: number.  Certificate common name:
    name.
                                                                   .
    Explanation
    The client at IP address clientaddr has tried to connect to
    CICS on a TCPIPSERVICE that requires a client certificate but
    the supplied certificate is unusable.  An explanatory message
    describes why:
                                                                   .
    was not known to the ESM
        The certificate is not known to the external security
        manager (ESM).
                                                                   .
    was marked as UNTRUSTED
        The certificate has been given the NOTRUST attribute by the
        security administrator.  This indicates that the certificate
        is not to be used.
                                                                   .
    System action
    The connection is rejected with an HTTP 403 (forbidden)
    response.
                                                                   .
    User response
    Ensure that the client has a valid certificate that is installed
    in the ESM and is marked as trusted.
                                                                   .
    Module
    DFHWBXN
                                                                   .
    Message inserts
     1. date
     2. time
     3. applid
     4. tranid
     5. Value chosen from the following options:
        1=was not known to the ESM
        2=was marked as UNTRUSTED
     6. hostaddr
     7. clientaddr
     8. tcpipservice
     9. number
     10. name
                                                                   .
    Destination
     CWBO
                                                                   .
    A new message of DFHWB0367 will be added thus:
                                                                   .
    DFHWB0367 date time applid tranid An HTTP request was received
    and matched URIMAP name.  This URIMAP had scheme(HTTPS). The
    request was rejected.  Host IP address: hostaddr.  Client IP
    address: clientaddr. TCPIPSERVICE: tcpipservice.
                                                                   .
    Explanation
    The client at IP address clientaddr has sent in an HTTP request
    but the URIMAP being used has scheme(HTTPS).
                                                                   .
    System action
    The connection is rejected with an HTTP 403 (forbidden)
    response.
                                                                   .
    User response
    Change the client to send in an HTTPS request or change the
    URIMAP to specify scheme(HTTP).
                                                                   .
    Module
    DFHWBXM
                                                                   .
    Message inserts
     1. date
     2. time
     3. applid
     4. tranid
     5. name
     6. hostaddr
     7. clientaddr
     8. tcpipservice
                                                                   .
    Destination
     CWBO
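
Added example (not IBM code and not part of this APAR): a Python triage parser for the three message layouts above, which turns CWBO lines into records carrying the client address, TCPIPSERVICE, certificate serial number and common name, or URIMAP name. It assumes the issued text follows the templates literally; the date format, applid, tranid, TCPIPSERVICE, URIMAP and certificate values in the sample lines are constructed.

```python
import re

# Text after the four leading inserts (date time applid tranid), taken from the
# templates in this APAR. Assumes the issued text follows them literally.
_TAIL = (r"Host IP address: (?P<hostaddr>\S+?)\. "
         r"Client IP address: (?P<clientaddr>\S+?)\. "
         r"TCPIPSERVICE: (?P<tcpipservice>\S+?)\.")
PATTERNS = {
    "DFHWB0363": re.compile(
        r"A client certificate is required but has not been supplied\. "
        + _TAIL + r"$"),
    "DFHWB0366": re.compile(
        r"A client certificate was supplied but could not be used because it "
        r"(?P<reason>was not known to the ESM|was marked as UNTRUSTED)\. "
        + _TAIL + r" Certificate Serial number: (?P<number>\S+?)\. "
        r"Certificate common name: (?P<name>.+?)\.$"),
    "DFHWB0367": re.compile(
        r"An HTTP request was received and matched URIMAP (?P<name>\S+?)\. "
        r"This URIMAP had scheme\(HTTPS\)\. The request was rejected\. "
        + _TAIL + r"$"),
}

def parse_cwbo(line):
    """Return the inserts of a DFHWB0363/0366/0367 line, None for other lines."""
    head = " ".join(line.split()).split(" ", 5)   # collapse wrapped/double spaces
    if len(head) < 6 or head[0] not in PATTERNS:
        return None
    rec = dict(zip(("msgid", "date", "time", "applid", "tranid"), head))
    m = PATTERNS[head[0]].match(head[5])
    rec["matched"] = m is not None    # False: text differs from the new template
    if m:
        rec.update(m.groupdict())
    return rec

# Constructed sample lines (documentation-range addresses, made-up names).
_ADDR = ("Host IP address: 192.0.2.10. Client IP address: 198.51.100.7. "
         "TCPIPSERVICE: HTTPSSL.")
SAMPLE = [
    "DFHWB0363 11/19/2016 10:15:02 CICSA1 CWXN A client certificate is "
    "required but has not been supplied. " + _ADDR,
    "DFHWB0366 11/19/2016 10:15:09 CICSA1 CWXN  A client certificate was "
    "supplied but could not be used because it was marked as UNTRUSTED.  "
    + _ADDR + " Certificate Serial number: 0A1B.  Certificate common name: "
    "client.example.com.",
    "DFHWB0367 11/19/2016 10:15:30 CICSA1 CWXN An HTTP request was received "
    "and matched URIMAP PAYURI.  This URIMAP had scheme(HTTPS). The request "
    "was rejected.  " + _ADDR,
    "DFHWB0363 11/19/2016 10:16:40 CICSA1 CWXN text not following the template",
]
```

Records with `matched` set to False are worth keeping rather than dropping: they flag a region whose message text differs from the templates in this APAR.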
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI68409

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    000

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-31

  • Closed date

    2016-11-11

  • Last modified date

    2016-12-01

  • APAR is sysrouted FROM one or more of the following:

    PI61532

  • APAR is sysrouted TO one or more of the following:

    UI42539

Modules/Macros

  • DFHMEWBC DFHMEWBE DFHMEWBK DFHWBA1  DFHWBAPF DFHWBAP  DFHWBA
    DFHWBBLI DFHWBDM  DFHWBDUF DFHWBENV DFHWBPA  DFHWBPW  DFHWBSO
    DFHWBSRT DFHWBSR  DFHWBTRI DFHWBTTA DFHWBXM  DFHWBXN
    

Publications Referenced
GC34741900    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R000 PSY UI42539

       UP16/11/19 P F611

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 December 2016