IBM Support

IT19224: IBM STERLING B2B INTEGRATOR SUPPORTS SWIFTNET7 WITH OPENSSL V1.0.2 IN MEFG


APAR status

  • Closed as program error.

Error description

  • IBM Sterling B2B Integrator provides support for SWIFT
    messages through the SWIFTNet7
    Adapters and MEFG components. Support for SSL communication
    between IBM Sterling B2B Integrator and MEFG is provided by
    dynamically linked OpenSSL
    libraries. IBM Sterling B2B Integrator and MEFG OpenSSL version
    1.0.2 support is added to MEFG binaries.
    The MEFG installation jar
    supports the following installation configurations:
    
    MEFG that requires no OpenSSL (Non SSL installation)
    MEFG that requires OpenSSL 1.0.1
    MEFG that requires OpenSSL 1.0.2
    
    The new MEFG binaries continue to dynamically link with
    OpenSSL V1.0.1 and also link with OpenSSL V1.0.2 libraries.
    
    For AIX, a change to the LIBPATH is required on existing MEFG
    installations and for new MEFG installations.  The required
    change is to the environment variable, LIBPATH, to use the AIX
    OS patch OpenSSL libraries in /usr/lib, rather than the
    libraries in /opt/freeware/lib.
    
    With prior versions of MEFG, AIX binaries are linked to
    libraries in /opt/freeware/lib/ directory.  These libraries
    include a specific naming scheme that explicitly identifies the
    minor release in the library archive.  By continuing to use
    these libraries, customers would be required to reinstall MEFG
    when they upgraded from OpenSSL 1.0.1 to 1.0.2.  By utilizing
    the OpenSSL libraries in /usr/lib, which have a consistent
    naming scheme between the minor releases, the same MEFG
    installation can be used with either OpenSSL 1.0.1 or 1.0.2.
    
    
    Some background information:
    
    OpenSSL is provided both as an OS level patch in AIX, in
    /usr/bin/open, and as a freeware level patch in
    /opt/freeware/bin.
    
    The OpenSSL in /usr/lib maintains the same shared library naming
    scheme for versions 1.0.1 and 1.0.2.  This is the same naming
    scheme as Solaris and Linux:
             /usr/lib/libcrypto.a(libcrypto.so.1.0.0)
             /usr/lib/libssl.a(libssl.so.1.0.0)
    
    The Openssl in /opt/freeware maintains different shared library
    naming scheme for 1.0.1 and 1.0.2:
        OpenSSL 1.0.1
             /opt/freeware/lib/libcrypto.a(libcrypto.so.1.0.1)
             /opt/freeware/lib/libssl.a(libssl.so.1.0.1)
        OpenSSL 1.0.2
             /opt/freeware/lib/libcrypto.a(libcrypto.so.1.0.2)
             /opt/freeware/lib/libssl.a(libssl.so.1.0.2)
    
    
    Currently, with prior 5.2.6 versions, our AIX builds have linked
    the /opt/freeware Openssl libraries:
    
             /opt/freeware/lib/libcrypto.a(libcrypto.so.1.0.1)
             /opt/freeware/lib/libssl.a(libssl.so.1.0.1)
    
    To utilize the System openssl in /usr/lib, the new 5.2.6.x_y
    MEFG SSL binaries will link with the AIX /usr/lib OpenSSL
    libraries:
    
             /usr/lib/libcrypto.a(libcrypto.so)
             /usr/lib/libssl.a(libssl.so)
    
    This change will allow us to continue to ship the MEFG
    installations for OpenSSL 101, which will work with OpenSSL
    1.0.1, 1.0.2, and likely 1.0.x versions, for all
    platforms.
    
    
    The full AIX openssl ldd info is below:
    
    $ /usr/bin/openssl version
    OpenSSL 1.0.2j  26 Sep 2016
    
    $ ldd /usr/bin/openssl
    /usr/bin/openssl needs:
             /usr/lib/libc.a(shr.o)
             /usr/lib/libcrypto.a(libcrypto.so.1.0.0)
             /usr/lib/libssl.a(libssl.so.1.0.0)
             /unix
             /usr/lib/libcrypt.a(shr.o)
    
    
    $ /opt/freeware/bin/openssl version
    OpenSSL 1.0.2h  3 May 2016
    
    $ ldd /opt/freeware/bin/openssl
    /opt/freeware/bin/openssl needs:
             /usr/lib/threads/libc.a(shr.o)
             /usr/lib/libpthreads.a(shr_comm.o)
             /usr/lib/libpthreads.a(shr_xpg5.o)
             /opt/freeware/lib/libcrypto.a(libcrypto.so.1.0.2)
             /opt/freeware/lib/libssl.a(libssl.so.1.0.2)
             /unix
             /usr/lib/libcrypt.a(shr.o)
             /usr/lib/threads/libc.a(shr_64.o)
             /usr/lib/libpthreads.a(shr_xpg5_64.o)
             /usr/lib/libcrypt.a(shr_64.o)
    
    
    Solaris:
    $ openssl version
    OpenSSL 1.0.2j  26 Sep 2016
    
    $ ldd /usr/local/openssl-1.0.2j/bin/openssl
            libssl.so.1.0.0 =>       /usr/local/openssl-1.0.2j/lib/libssl.so.1.0.0
            libcrypto.so.1.0.0 =>    /usr/local/openssl-1.0.2j/lib/libcrypto.so.1.0.0
            libsocket.so.1 =>        /lib/libsocket.so.1
            libnsl.so.1 =>   /lib/libnsl.so.1
            libdl.so.1 =>    /lib/libdl.so.1
            libc.so.1 =>     /lib/libc.so.1
            libgcc_s.so.1 =>         (file not found)
            libgcc_s.so.1 =>         (file not found)
            libmp.so.2 =>    /lib/libmp.so.2
            libmd.so.1 =>    /lib/libmd.so.1
            libscf.so.1 =>   /lib/libscf.so.1
            libdoor.so.1 =>  /lib/libdoor.so.1
            libuutil.so.1 =>         /lib/libuutil.so.1
            libgen.so.1 =>   /lib/libgen.so.1
            libm.so.2 =>     /lib/libm.so.2
            /lib/libm/libm_hwcap1.so.2
            /platform/sun4v/lib/libc_psr.so.1
            /platform/sun4v/lib/libmd_psr.so.1
    
    
    Linux:
    Installed OpenSSL 1.0.2j
    
    $ openssl version
    OpenSSL 1.0.2j  26 Sep 2016
    
    $ ldd openssl
            linux-vdso.so.1 =>  (0x00007fff619a9000)
            libssl.so.1.0.0 => ./libssl.so.1.0.0 (0x00007f9920672000)
            libcrypto.so.1.0.0 => ./libcrypto.so.1.0.0 (0x00007f992023b000)
            libdl.so.2 => /lib64/libdl.so.2 (0x0000003b22c00000)
            libc.so.6 => /lib64/libc.so.6 (0x0000003b22800000)
            /lib64/ld-linux-x86-64.so.2 (0x0000003b22400000)
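
A check for the AIX linkage described above, as an added example that is not IBM's code: it classifies `ldd` output by where libssl and libcrypto resolve, and reports whether /usr/lib or /opt/freeware/lib comes first in a LIBPATH value. The function names, the sample `ldd` text and the `/path/to/mefg-binary` placeholder are constructed for illustration; it assumes LIBPATH directories are searched in the order listed.

```shell
#!/bin/sh
# Added example (not IBM code): which OpenSSL does an AIX binary resolve to?

# Read AIX `ldd` output on stdin and classify the libssl/libcrypto archive
# members: system (/usr/lib), freeware (/opt/freeware/lib), mixed, other, none.
openssl_link_origin() {
    awk '
        /\/(libssl|libcrypto)\.a\(/ {
            if ($1 ~ /^\/usr\/lib\//) sys = 1
            else if ($1 ~ /^\/opt\/freeware\/lib\//) fw = 1
            else other = 1
        }
        END {
            n = sys + fw + other
            if (n == 0) print "none"
            else if (n > 1) print "mixed"
            else if (sys) print "system"
            else if (fw) print "freeware"
            else print "other"
        }'
}

# Report which OpenSSL directory comes first in a LIBPATH value ($1).
libpath_first_openssl_dir() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        case ${dir%/} in
            /usr/lib)          IFS=$old_ifs; echo system;   return 0 ;;
            /opt/freeware/lib) IFS=$old_ifs; echo freeware; return 0 ;;
        esac
    done
    IFS=$old_ifs; echo neither
}

# Constructed sample: ldd lines in the AIX format shown above (placeholder path).
sample_ldd() {
    cat <<'EOF'
/path/to/mefg-binary needs:
         /usr/lib/libc.a(shr.o)
         /opt/freeware/lib/libcrypto.a(libcrypto.so.1.0.1)
         /opt/freeware/lib/libssl.a(libssl.so.1.0.1)
         /usr/lib/libcrypt.a(shr.o)
EOF
}

sample_ldd | openssl_link_origin                             # freeware
libpath_first_openssl_dir "/opt/freeware/lib:/usr/lib:/lib"  # freeware
libpath_first_openssl_dir "/usr/lib:/lib:/opt/freeware/lib"  # system
```

On a real host, pipe `ldd` of the installed binary into `openssl_link_origin` and pass `"$LIBPATH"` to `libpath_first_openssl_dir`; a result of `freeware` or `mixed` means the binary is still tied to the version-specific archive members.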
    

Local fix

Problem summary

  • Users Affected:
    SI MEFG SWIFTNet7 customers needing to upgrade to OpenSSL 1.0.2
    
    Problem Description:
    OpenSSL V1.0.2 support was not available in prior versions of
    MEFG.
    
    Platforms Affected:
    All
    

Problem conclusion

  • Resolution Summary:
    SI MEFG binaries now support OpenSSL 1.0.2 runtime libraries
    with the MEFG 1.0.1 installation jar.  Both OpenSSL 1.0.1 and
    1.0.2 runtime libraries are supported with the same MEFG binaries.
    The AIX LIBPATH will need to include the OpenSSL libraries from
    /usr/lib for the correct shared library signature.
    
    The AIX Openssl in /usr/lib maintains the same shared library
    naming scheme for versions 1.0.1 and 1.0.2.
             /usr/lib/libcrypto.a(libcrypto.so.1.0.0)
             /usr/lib/libssl.a(libssl.so.1.0.0)
    
    Delivered in:
    5020601_7
    5020602_4
    5020603_2
    

Temporary fix

Comments

  • Published on: 30-Mar-2017
    

APAR Information

  • APAR number

    IT19224

  • Reported component name

    STR B2B INTEGRA

  • Reported component ID

    5725D0600

  • Reported release

    526

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-20

  • Closed date

    2017-03-06

  • Last modified date

    2017-06-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR B2B INTEGRA

  • Fixed component ID

    5725D0600

Applicable component levels

  • R526 PSY

       UP


Document Information

Modified date:
16 June 2017