IBM Support

PM60971: RECEIVING DFHSO0139 RETURN CODE 439, DFHWB0732 SOCKET I/O ERROR WHILE RECEIVING CLIENT REQUEST, AND DFHSO0002 X'080C'.

A fix is available


APAR status

  • Closed as program error.

Error description

  • An automated network security testing tool was used to
    attack a CICS SSL TCPIPSERVICE. The connection attempt
    is not successful, but in one scenario it caused CICS
    to take a system dump.
    .
    The following messages appear in the CICS Log:
    .
    DFHSO0123 REGNNAME Return code 439 received from function
              'gsk_secure_socket_init' of System SSL. Reason:
              Unrecognized return code. Peer: xxx.xx.xxx.xx,
              TCPIPSERVICE: SERVNAME.
    .
    .
    DFHWB0732 REGNNAME CWXN CICS Web attach processing encountered a
              sockets I/O error while receiving a client request.
              Host IP address: xxx.xxx.xx.xx. Client IP address:
              xxx.xx.xxx.xx. TCPIPSERVICE: SERVNAME
    .
    .
    DFHSO0002  REGNNAME A severe error (code X'080C') has occurred
               in module DFHSOSE.
    .
    .
    Need to prevent the DFHSO0002 dump from being produced and
    provide a more useful description of the return code 439.
    

Local fix

  • KIXREVEPH
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Several System SSL response codes are   *
    *                      unhandled by CICS.                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Several System SSL response codes that can be triggered by
    client side errors result in DFHSO0002 messages in CICS,
    followed by a system dump.
    Message DFHSO0123 is issued to report error codes from
    System SSL in both client and server modes. In some unexpected
    scenarios a system dump is also collected to provide additional
    diagnostics. A dump should not be issued for codes that can
    be caused by external network activity.
    
    Additional keywords:
    msgDFHSO0123  msgDFHSO0002  SO0123  SO0002  080C
    

Problem conclusion

  • DFHSOSE has been changed to treat the following System SSL error
    codes as client-side errors. CICS will not take a Dump if any
    of these error codes are encountered:
    
      GSK_ERR_INTERNAL_ERROR_ALERT (code 438)
      GSK_ERR_UNKNOWN_ALERT        (code 439)
      GSK_ERR_INCORRECT_KEY_USAGE  (code 440)
      GSK_ERR_CLIENT_AUTH_ALERT    (code 441)
    
    
    CICS has also been changed to add interpretation to
    message DFHSO0123 for the following System SSL error
    codes:
    
      GSK_ERR_INTERNAL_ERROR_ALERT (code 438)
      GSK_ERR_UNKNOWN_ALERT        (code 439)
      GSK_ERR_INCORRECT_KEY_USAGE  (code 440)
      GSK_ERR_CLIENT_AUTH_ALERT    (code 441)
      GSK_ERR_UNRECOGNIZED_NAME    (code 448)
    
    The CICS Trace formatter has been updated to interpret
    the following System SSL error codes:
    
      GSK_ERR_INCORRECT_KEY_USAGE         (code 440)
      GSK_ERR_CLIENT_AUTH_ALERT           (code 441)
      GSK_ERR_MULTIPLE_LABEL              (code 442)
      GSK_ERR_MULTIPLE_DEFAULT            (code 443)
      GSK_ERR_RNG                         (code 444)
      GSK_ERR_DB_NOT_FIPS                 (code 445)
      GSK_ERR_TLS_EXTENSION_MISMATCH      (code 446)
      GSK_ERR_REQUIRED_TLS_EXTENSION      (code 447)
      GSK_ERR_UNRECOGNIZED_NAME           (code 448)
      GSK_ERR_INVALID_FRAGMENT_LENGTH     (code 449)
      GSK_ERR_BAD_MSG_LEN                 (code 450)
      GSK_ERR_RENEGOTIATION_INDICATION    (code 460)
      GSK_ERR_TASK_MODE_REQUIRED          (code 506)
      GSK_INVALID_FUNCTION                (code 603)
      GSK_ERR_CIPHER_RESET_REQUIRED       (code 604)
      GSK_ATTRIBUTE_INVALID_PARAMETER     (code 706)
      GSK_ATTRIBUTE_INVALID_TLS_EXTENSION (code 707)
      GSK_ATTRIBUTE_INVALID_TLS_EXT_DATA  (code 708)
    
    The CICS Transaction Server for z/OS Version 3 Release 1
    Messages and Codes book, GC34-6442-07, has been altered
    as follows:
    
    In Section 'DFHSOnnnn messages':
    
    DFHSO0123  DATE TIME APPLID RETURN CODE RC RECEIVED FROM FUNCTION
               '{UNKNOWN | GSK_ENVIRONMENT_INIT |
               GSK_ENVIRONMENT_OPEN | GSK_ENVIRONMENT_CLOSE |
               GSK_SECURE_SOCKET_INIT | GSK_SECURE_SOCKET_OPEN |
               GSK_SECURE_SOCKET_CLOSE | GSK_SECURE_SOCKET_READ |
               GSK_SECURE_SOCKET_WRITE | GSK_ATTRIBUTE_SET_BUFFER |
               GSK_ATTRIBUTE_SET_CALLBACK | GSK_ATTRIBUTE_SET_ENUM |
               GSK_ATTRIBUTE_SET_NUMERIC_VALUE}' OF SYSTEM SSL.
               REASON: {UNRECOGNIZED RETURN CODE |
               KEY DATABASE NOT FOUND |
               KEY DATABASE ACCESS NOT AUTHORIZED |
               INVALID PASSWORD FOR KEY DATABASE |
               EXPIRED PASSWORD FOR KEY DATABASE |
               STASHED PASSWORD FILE NOT FOUND |
               SESSION TIMEOUT VALUE IS INVALID |
               AN I/O ERROR OCCURRED |
               AN UNKNOWN ERROR OCCURRED |
               INVALID DISTINGUISHED NAME |
               NO COMMON CIPHERS NEGOTIATED |
               NO CERTIFICATE AVAILABLE |
               SERVER CERTIFICATE REJECTED BY CLIENT |
               ROOT CERTIFICATE AUTHORITY NOT SUPPORTED |
               UNSUPPORTED OPERATION |
               INVALID CERTIFICATE SIGNATURE |
               SSL PROTOCOL VIOLATION |
               NOT AUTHORIZED |
               SELF-SIGNED CERTIFICATE |
               INVALID SESSION STATE |
               HANDLE CREATION FAILED |
               NO PRIVATE KEY |
               UNTRUSTED CERTIFICATE AUTHORITY |
               CERTIFICATE DATE INVALID |
               INVALID CIPHER SUITE |
               HANDSHAKE ABANDONED BY CLIENT |
               CANNOT OPEN KEY DATABASE |
               HOST CERTIFICATE NOT YET VALID |
               CERTIFICATE PARSING ERROR |
               CERTIFICATE IS REVOKED |
               LDAP SERVER IS INACTIVE |
               UNKNOWN CERTIFICATE AUTHORITY |
               INTERNAL ERROR ON PARTNER |
               UNKNOWN ALERT RECEIVED |
               CLIENT AUTHENTICATION ALERT |
               INCORRECT KEY USAGE |
               SERVER NAME NOT RECOGNIZED}.
               CLIENT: CLIENTADDR, TCPIPSERVICE: TCPIPSERVICE.
    
    EXPLANATION: A non-zero return code rc was received
    from the specified function of the z/OS System SSL service.
    A brief interpretation of the return code is shown. The
    service was processing a connection with a partner at IP
    address clientaddr to TCPIPSERVICE tcpipservice.
    
    SYSTEM ACTION: The secure sockets operation is abandoned.
    A sockets domain severe error message, DFHSO0002, may be
    produced with error code X'080C'.
    
    USER RESPONSE: If this message is not accompanied by
    message DFHSO0002, the error is probably due to some
    unexpected action by the connected partner, and this message
    is for information only. If this message is accompanied by
    message DFHSO0002, the error is probably due to some sort of
    configuration error. Use the description in the message to
    determine what is wrong. For descriptions of the return
    code rc, see the z/OS System SSL Programming,
    SC24-5901-03. For further guidance see the CICS Internet
    Guide.
    
    Note - if the brief interpretation of the return code is
    'Certificate date invalid', the certificate may either
    have expired or be not yet valid, and may refer to either
    the local certificate or the remote partner's certificate.
    
    DESTINATION:  CSOO
    
    MODULE:  DFHSOSE
    
    XMEOUT PARAMETERS: date, time, applid,
    rc, {0=unknown, 11=gsk_environment_init,
    12=gsk_environment_open,
    13=gsk_environment_close,
    14=gsk_secure_socket_init,
    15=gsk_secure_socket_open,
    16=gsk_secure_socket_close,
    17=gsk_secure_socket_read,
    18=gsk_secure_socket_write,
    19=gsk_attribute_set_buffer,
    20=gsk_attribute_set_callback,
    21=gsk_attribute_set_enum,
    22=gsk_attribute_set_numeric_value},
    {0=Unrecognized return code, 1=Key database not
    found, 2=Key database access not authorized,
    3=Invalid password for key database, 4=Expired
    password for key database, 5=Stashed password file not
    found, 6=Session timeout value is invalid, 7=An
    I/O error occurred, 8=An unknown error occurred,
    16=Invalid distinguished name, 17=No common
    ciphers negotiated, 18=No certificate available,
    19=Server certificate rejected by client,
    20=Root certificate authority not supported,
    21=Unsupported operation, 22=Invalid certificate
    signature, 23=SSL protocol violation, 24=Not
    authorized, 25=Self-signed certificate,
    26=Invalid session state, 27=Handle creation
    failed, 28=No private key, 29=Untrusted
    Certificate Authority, 30=Certificate date invalid,
    31=Invalid cipher suite, 32=Handshake abandoned
    by client, 33=Cannot open key database, 34=Host
    certificate not yet valid, 35=Certificate parsing
    error, 36=Certificate is revoked, 37=LDAP server
    is inactive, 38=Unknown Certificate Authority,
    39=Internal error on partner, 40=Unknown alert
    received, 41=Client authentication alert,
    42=Incorrect key usage, 43=Server name not
    recognized}, clientaddr, tcpipservice
    
    The same change is made to the CICS Transaction Server for z/OS
    Version 3 Release 2 Messages and Codes book, GC34-6827-04.
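
The triage rule in the USER RESPONSE text above, combined with the four codes this APAR reclassifies, can be applied mechanically to a CICS log. The following is an added example, not IBM code: the region names CICSA and CICSB, the service name HTTPSSL, the addresses and the log lines are constructed, and pairing each DFHSO0002 with the latest DFHSO0123 from the same region is an assumption.

```python
import re

# System SSL codes this APAR reclassifies as client-side errors (no dump once fixed).
CLIENT_SIDE = {438, 439, 440, 441}

SO0123 = re.compile(
    r"DFHSO0123\s+(?P<applid>\S+)\s+Return code (?P<rc>\d+) received from "
    r"function '(?P<func>\w+)' of System SSL\..*?(?:Peer|Client):\s*"
    r"(?P<peer>[^,\s]+),\s*TCPIPSERVICE:\s*(?P<svc>\w+)", re.I)
SO0002 = re.compile(
    r"DFHSO0002\s+(?P<applid>\S+)\s+A severe error \(code X'080C'\)", re.I)

def triage(lines):
    """Return one dict per DFHSO0123 message, with a 'verdict' field added."""
    events, pending = [], {}   # pending: applid -> latest DFHSO0123 not yet paired
    for line in lines:
        m = SO0123.search(line)
        if m:
            ev = {**m.groupdict(), "rc": int(m["rc"]), "dump": False}
            events.append(ev)
            pending[ev["applid"]] = ev
            continue
        m = SO0002.search(line)
        if m and m["applid"] in pending:
            # Assumption: a DFHSO0002 X'080C' belongs to the most recent
            # DFHSO0123 logged by the same region.
            pending.pop(m["applid"])["dump"] = True
    for ev in events:
        if not ev["dump"]:
            ev["verdict"] = "partner-action"       # informational, per USER RESPONSE
        elif ev["rc"] in CLIENT_SIDE:
            ev["verdict"] = "client-side-dump"     # behaviour the PTF removes
        else:
            ev["verdict"] = "configuration-error"  # check the local SSL setup
    return events

# Constructed sample log, unwrapped to one message per line.
SAMPLE_LOG = [
    "DFHSO0123 CICSA Return code 439 received from function 'gsk_secure_socket_init' of System SSL. Reason: Unrecognized return code. Peer: 192.0.2.10, TCPIPSERVICE: HTTPSSL.",
    "DFHWB0732 CICSA CWXN CICS Web attach processing encountered a sockets I/O error while receiving a client request. Host IP address: 198.51.100.1. Client IP address: 192.0.2.10. TCPIPSERVICE: HTTPSSL",
    "DFHSO0002 CICSA A severe error (code X'080C') has occurred in module DFHSOSE.",
    "DFHSO0123 CICSA Return code 448 received from function 'gsk_secure_socket_init' of System SSL. Reason: Server name not recognized. Client: 192.0.2.44, TCPIPSERVICE: HTTPSSL.",
    "DFHSO0123 CICSB Return code 445 received from function 'gsk_environment_init' of System SSL. Reason: Unrecognized return code. Peer: 192.0.2.77, TCPIPSERVICE: HTTPSSL.",
    "DFHSO0002 CICSB A severe error (code X'080C') has occurred in module DFHSOSE.",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev["applid"], ev["rc"], ev["peer"], ev["svc"], ev["verdict"])
```

A "client-side-dump" verdict marks a region still showing the pre-fix behaviour, where traffic from the network alone is enough to cause a system dump.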
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PM60971

  • Reported component name

    CICSTS V3 Z/OS

  • Reported component ID

    5655M1500

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-03-22

  • Closed date

    2012-07-09

  • Last modified date

    2012-08-08

  • APAR is sysrouted FROM one or more of the following:

    PM53329

  • APAR is sysrouted TO one or more of the following:

    UK80168 UK80169 UK80170 UK80171

Modules/Macros

  •    DFHMESOC DFHMESOE DFHMESOK DFHSOSE  DFHSOSKO
    DFHSOTRI DFH60971
    

Publications Referenced
GC34644207 GC34682704

Fix information

  • Fixed component name

    CICSTS V3 Z/OS

  • Fixed component ID

    5655M1500

Applicable component levels

  • R400 PSY UK80168

       UP12/07/14 P F207

  • R500 PSY UK80170

       UP12/07/14 P F207

  • R403 PSN

       UP

  • R503 PSN

       UP

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
08 August 2012