IBM Support

OA42965: PKI VSAM2DB2 CONVERSION IKYD003I DSNT408I SQLCODE -302 FIELD 12 OBFUS_PW VARCHAR(32) HANDLED INCORRECTLY

A fix is available


APAR status

  • Closed as program error.

Error description

  • In z/OS 1.13, PKI was enhanced to allow its OST and ICL to be
    in DB2 tables instead of VSAM datasets.  PKI supplied a
    conversion utility - VSAM2DB2 - along with a sample job to
    define the tables - IKYCDB2.
    The utility generates the following failure when an ICL record
    has a full 32-char passphrase:
    DSNT408I SQLCODE = -302, ERROR:  THE VALUE OF INPUT VARIABLE OR
          PARAMETER NUMBER 12 IS INVALID OR TOO LARGE FOR THE TARGET
          COLUMN
    DSNT418I SQLSTATE   = 22001 SQLSTATE RETURN CODE
    DSNT415I SQLERRP    = DSNXRIHB SQL PROCEDURE DETECTING ERROR
    DSNT416I SQLERRD    = -340  0  0  33  0  0 SQL DIAGNOSTIC
          INFORMATION
    DSNT416I SQLERRD    = X'FFFFFEAC'  X'00000000'  X'00000000'
          X'00000021' X'00000000'  X'00000000' SQL DIAGNOSTIC
          INFORMATION
    
    IKYD003I DB2 SQL failure: Instruction INSERT INTO ICL 69(0x45)
     failed with SQLCODE -302, SQLSTA...
    IKYC010I Error 464453637 returned from store ICL data to
     database: Record not found
    IKYU018I Conversion from VSAM to DB2 failed at record 69 in
     VSAM file 'pki.vsam.icl.dsn' R...
    
    Additional Symptoms:
    msgIKYD003I msgIKYD003 IKYD003I IKYD003
    msgIKYC010I msgIKYC010 IKYC010I IKYC010
    msgIKYU018I msgIKYU018 IKYU018I IKYU018
    msgDSNT408I msgDSNT408 DSNT408I DSNT408
    

Local fix

  • PKI can be restarted with the VSAM datasets; the conversion has
    to wait.
    Changing the sample job to VARCHAR(33) is not enough by itself;
    the tables will need to be recreated as well.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: PKI Services installations are affected      *
    *                 when DB2 is used as the backing storage for  *
    *                 the Issued Certificate list (ICL), or when   *
    *                 an ICL backed by VSAM storage is migrated    *
    *                 to DB2 backing storage.                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When the backing storage for the PKI Services Issued
    Certificate List (ICL) is converted from VSAM to DB2 through
    the vsam2db2 utility, the conversion process fails to convert
    issued certificates where the requestor provided a maximum
    length passphrase (32 characters), causing the vsam2db2
    utility to stop the ICL conversion process at that point and
    not process any further certificates.  The conversion process
    can also inadvertently truncate passphrases that contain
    certain character sequences, which can prevent PKI end users
    from recovering certificates when PKI Services generated the
    keys for these certificates.
    
    When DB2 is used as the backing storage for the PKI Services
    ICL, certificate generation will fail if the PKI Services end
    user provided a maximum length passphrase (32 characters) in
    the certificate request.  The failure is indicated by a
    failure message that is recorded to the PKI Services trace
    log:
      DSNT408I SQLCODE = -302, ERROR:  THE VALUE OF INPUT VARIABLE
      OR PARAMETER NUMBER 12 IS INVALID OR TOO LARGE FOR THE TARGET
      COLUMN
      DSNT418I SQLSTATE   = 22001 SQLSTATE RETURN CODE
      DSNT415I SQLERRP    = DSNXRIHB SQL PROCEDURE DETECTING ERROR
      DSNT416I SQLERRD    = -340  0  0  33  0  0 SQL DIAGNOSTIC
                            INFORMATION
      DSNT416I SQLERRD    = X'FFFFFEAC'  X'00000000'  X'00000000'
                            X'00000021'
      DB IKYD003I DB2 SQL failure: Instruction INSERT INTO ICL
      <digital_number>(<hex_value>) failed with SQLCODE -302,
      SQLSTATE 22001
    
    When DB2 is used as the backing storage for the PKI Services
    ICL, passphrases containing certain character sequences can be
    inadvertently truncated when the certificate is issued and
    stored in the ICL. Certificate requests using a maximum length
    passphrase may also not store the passphrase information
    properly in the ICL.  This can prevent PKI end users from
    recovering certificates when PKI Services generated the keys
    for these certificates.
    

Problem conclusion

  • The DB2 implementation of the PKI Services Issued Certificate
    List (ICL) is repaired to permit storage of the maximum
    allowable passphrase length (32 characters).  The DB2
    implementation of the ICL is also repaired to prevent
    unintentional truncation of the passphrase.
    
    Cryptographic Services PKI Services Guide and Reference
    (SA22-7693-13) is updated as follows:
    -
    Chapter 9: Creating the object store and ICL, Table 26, a
    correction is made to the following entry in the table:
        OBFUS_PW      VARCHAR(32)     Obfuscated passphrase
    This entry should now read:
        OBFUS_PW      VARBINARY(33)   Obfuscated passphrase
    -
    Chapter 29: Other code samples, IKCDB2 subsection, a correction
    is made to the following line of the example script:
        OBFUS_PW               VARCHAR(32)             ,
    This line should now read:
        OBFUS_PW               VARBINARY(33)           ,
    
    Cryptographic Services PKI Services Guide and Reference
    (SA23-2286-00) is updated as follows:
    -
    Chapter 9: Creating the object store and ICL, Table 29, a
    correction is made to the following entry in the table:
        OBFUS_PW      VARCHAR(32)     Obfuscated passphrase
    This entry should now read:
        OBFUS_PW      VARBINARY(33)   Obfuscated passphrase
    -
    Chapter 29: Other code samples, IKCDB2 subsection, a correction
    is made to the following line of the example script:
        OBFUS_PW               VARCHAR(32)             ,
    This line should now read:
        OBFUS_PW               VARBINARY(33)           ,
    
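The documentation correction above changes a single column definition, and a site that already ran the IKYCDB2 sample job needs to confirm the ICL table was built with the corrected type before re-running VSAM2DB2. The following added example (not IBM's code; the DDL fragments and column names other than OBFUS_PW are constructed) scans a CREATE TABLE script for the OBFUS_PW definition and reports whether it matches the VARBINARY(33) correction:

```python
import re
from typing import Optional, Tuple

# Column definition the APAR requires for the obfuscated passphrase.
REQUIRED_TYPE = "VARBINARY"
REQUIRED_LEN = 33

# Matches a column line such as:
#     OBFUS_PW               VARCHAR(32)             ,
_COL_RE = re.compile(
    r"^\s*OBFUS_PW\s+(?P<type>[A-Z]+)\s*\(\s*(?P<len>\d+)\s*\)",
    re.IGNORECASE | re.MULTILINE,
)


def obfus_pw_definition(ddl: str) -> Optional[Tuple[str, int]]:
    """Return (type, length) of the OBFUS_PW column in a CREATE TABLE script, or None."""
    m = _COL_RE.search(ddl)
    if not m:
        return None
    return m.group("type").upper(), int(m.group("len"))


def check_obfus_pw(ddl: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only for VARBINARY with at least 33 bytes."""
    found = obfus_pw_definition(ddl)
    if found is None:
        return False, "OBFUS_PW column not found in DDL"
    coltype, length = found
    if coltype != REQUIRED_TYPE:
        # A character column lets DB2 treat the obfuscated bytes as text,
        # which is the truncation path the APAR describes.
        return False, f"OBFUS_PW is {coltype}({length}); expected {REQUIRED_TYPE}"
    if length < REQUIRED_LEN:
        # A 32-character passphrase needs 33 bytes of obfuscated storage.
        return False, f"OBFUS_PW is {coltype}({length}); need at least {REQUIRED_LEN}"
    return True, f"OBFUS_PW is {coltype}({length})"


# Constructed DDL fragments in the style of the sample job (not the real IKYCDB2 script).
DDL_BEFORE = """CREATE TABLE ICL (
    CERT_SERIAL            VARCHAR(40)     NOT NULL,
    OBFUS_PW               VARCHAR(32)             ,
    STATUS                 CHAR(1)
)"""
DDL_AFTER = DDL_BEFORE.replace("VARCHAR(32)", "VARBINARY(33)")

if __name__ == "__main__":
    for label, ddl in (("before", DDL_BEFORE), ("after", DDL_AFTER)):
        ok, why = check_obfus_pw(ddl)
        print(f"{label}: {'OK' if ok else 'FIX NEEDED'} - {why}")
```

Against a live subsystem the same check can be made by querying SYSIBM.SYSCOLUMNS for the ICL table's OBFUS_PW row and comparing COLTYPE and LENGTH to the corrected values.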

Temporary fix

Comments

APAR Information

  • APAR number

    OA42965

  • Reported component name

    PKI SERVICES

  • Reported component ID

    5752XXPKI

  • Reported release

    780

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / Xsystem

  • Submitted date

    2013-08-02

  • Closed date

    2013-10-10

  • Last modified date

    2013-11-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA71014 UA71015

Modules/Macros

  • IKYCDB2  IKYHL001 IKYPDBRM
    

Publications Referenced
SA22-7693-13 SA23-2286-00

Fix information

  • Fixed component name

    PKI SERVICES

  • Fixed component ID

    5752XXPKI

Applicable component levels

  • R780 PSY UA71014

       UP13/10/23 P F310

  • R790 PSY UA71015

       UP13/10/23 P F310


Document Information

Modified date:
04 November 2013