A fix is available
APAR status
Closed as program error.
Error description
After application of OA64456, existing GDKUTIL or other users of DFSMSdfp CDA APIs will receive a failure for HWTHCONN with x'106' return code when the SSL certificate of the target Cloud Object Storage server is misconfigured such that the dnsName in the certificate does not match the name of the connection. Current data movement jobs fail.
Local fix
Problem summary
USERS AFFECTED: Users of z/OS V2R4 and above, who have applied APAR OA64456 and exploit DFSMSdfp Cloud Data Access I/O APIs, which are GDKGET, GDKWRITE, GDKLIST, GDKDEL, GDKGEN.

PROBLEM DESCRIPTION: After application of OA64456, existing GDKUTIL or other users of DFSMSdfp CDA APIs will receive a failure for HWTHCONN with x'106' return code when the SSL certificate of the target Cloud Object Storage server is misconfigured such that the dnsName in the certificate does not match the name of the connection. Current data movement jobs fail.

RECOMMENDATION:

After application of OA64456, the URI of the target host is verified against the server identity in the server's SSL certificate. If the SSL certificate is misconfigured, DFSMSdfp Cloud Data Access APIs will receive a failure for HWTHCONN with x'106' return code.
Problem conclusion
DFSMSdfp CDA has been modified such that when sslCertCheckWarn is set to true in the provider file, CDA will log a WARNING message for HWTHCONN and HWTHRQST when the z/OS Client for Web Enablement Toolkit detects that the URI of the target host does not match the server identity in the SSL certificate, and will continue with the HTTP request.

Documentation updates are made to the following manual: SA23-1377 - z/OS MVS Programming: Callable Services for High Level Languages. Chapter 25. Cloud Data Access files is updated to modify the Provider file section as follows:

Add a new description for sslCertCheckWarn before sslVersion:

sslCertCheckWarn
Optional: If "true", will log WARNING with corresponding diagnostic area reason code in case the URI of target host doesn't match the server identity in the SSL certificate.
Recommendation: Add this key value pair to your provider file if you encounter a situation where your SSL certificate is misconfigured and you need to use this SSL certificate temporarily.

KEYWORDS: DFSMSCS/K
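Because sslCertCheckWarn is recommended only for temporary use, it helps to check periodically which provider files still enable it. The following is an added example, not IBM code: it assumes provider files are JSON text, and the file names and every field other than sslCertCheckWarn and sslVersion are constructed.

```python
import json

KEY = "sslCertCheckWarn"  # key name taken from the APAR text

def _enabled(value):
    """True when the value turns warn-only mode on (boolean or string form)."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"

def find_warn_only(node, path="$"):
    """Return JSON paths where sslCertCheckWarn is enabled, at any nesting depth."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}"
            if k == KEY and _enabled(v):
                hits.append(here)
            else:
                hits.extend(find_warn_only(v, here))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits.extend(find_warn_only(v, f"{path}[{i}]"))
    return hits

def audit(provider_files):
    """Map file name -> hit paths for every provider file with the override on."""
    report = {}
    for name, text in provider_files.items():
        try:
            hits = find_warn_only(json.loads(text))
        except json.JSONDecodeError:
            hits = ["<unparseable>"]  # cannot be cleared, so surface it for review
        if hits:
            report[name] = hits
    return report

# Constructed sample provider files (layout is an assumption, not IBM's schema)
SAMPLES = {
    "cos-prod.json": '{"name": "cos-prod", "sslVersion": "TLSv1.2"}',
    "cos-test.json": '{"name": "cos-test", "sslCertCheckWarn": "true", "sslVersion": "TLSv1.2"}',
    "cos-dr.json": '{"name": "cos-dr", "settings": {"sslCertCheckWarn": true}}',
    "cos-old.json": '{"name": "cos-old", "sslCertCheckWarn": "false"}',
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLES).items():
        print(f"{name}: hostname mismatch is warn-only at {', '.join(paths)}")
```

Each file reported is one where a certificate name mismatch is logged as a WARNING and the request continues, so it is a candidate for certificate correction and removal of the key.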
Temporary fix
Comments
APAR Information
APAR number
OA65236
Reported component name
CLOUD DATA ACCE
Reported component ID
5695DF124
Reported release
240
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-07-21
Closed date
2024-05-10
Last modified date
2024-07-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ95219 UJ95220 UJ95221
Modules/Macros
GDKCDA GDKHTTPU
SA23137760
Fix information
Fixed component name
CLOUD DATA ACCE
Fixed component ID
5695DF124
Applicable component levels
R310 PSY UJ95219
UP24/06/14 P F406
R250 PSY UJ95221
UP24/06/14 P F406
R240 PSY UJ95220
UP24/06/14 P F406
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 July 2024