APAR status
Closed as program error.
Error description
z/OS zERT does not correctly generate SMF 119 subtype 11 records for TLS 1.3 connections after LDAP APAR OA65329 is applied. The result is missing or incomplete TLS handshake data in the SMF records.

ANALYSIS: LDAP incorrectly issues the SIOCSHSNOTIFY ioctl more than once during the TLS 1.3 handshake. Each repeated call resets zERT's handshake observation state, so zERT terminates its monitoring of the handshake early and writes incomplete SMF records.

KNOWN IMPACT: zERT fails to observe the complete TLS 1.3 handshake, leading to incomplete or missing SMF 119 subtype 11 records.

VERIFICATION STEPS:
1. Check whether either of the PTFs for LDAP APAR OA65329 (UJ95456 or UJ95457) is applied on the system.
2. Review the SMF 119 subtype 11 records and look for missing or incomplete TLS 1.3 handshake data.

USERS AFFECTED: Users who have PTF UJ95456 or UJ95457 for LDAP APAR OA65329 applied and who rely on z/OS zERT to monitor TLS handshake events. The problem occurs in the TLS handshake routine when LDAP issues multiple SIOCSHSNOTIFY ioctl calls, which disrupts zERT's ability to capture complete handshake data for the SMF 119 subtype 11 records.

USER IMPACT: APAR OA65329 did not fix the problem it reported. The error causes incomplete or missing TLS handshake data in the SMF records, which undermines the integrity of the log information needed for monitoring, auditing and troubleshooting TLS connections. Users may have difficulty diagnosing secure-communication problems because the incomplete SMF records leave gaps in the security audit trail.
Local fix
APAR OA65329's PTFs UJ95456 or UJ95457 should not be applied on systems where complete TLS handshake monitoring is critical.
Problem summary
****************************************************************
* USERS AFFECTED: IBM Tivoli Directory Server for z/OS (LDAP   *
*                 server) using zERT to monitor TLS            *
*                 connections.                                 *
****************************************************************
* PROBLEM DESCRIPTION: zERT SMF 119-11 records are missing     *
*                      due to the way the z/OS LDAP server     *
*                      was internally calling ioctl() for      *
*                      secure TLS connections.                 *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
The LDAP server was calling the SIOCSHSNOTIFY ioctl() multiple times during a TLS handshake. This caused the SMF 119-11 and SMF 119-12 records to be missing. The ioctl() should be called only once so that the SMF records can be written correctly for the TLS sessions of interest that use System SSL.
Problem conclusion
The code has been updated so that the SIOCSHSNOTIFY ioctl() is called only once during the TLS handshake. This prevents the missing SMF 119-11 and 119-12 records.

FMIDs affected:
HRSL440 : IBM Tivoli Directory Server for z/OS 2.4/2.5
HRSL510 : IBM Tivoli Directory Server for z/OS 3.1
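The mechanism in the error description and the once-per-handshake fix in the problem conclusion, as an added model that is not part of this APAR and not z/OS or LDAP server code: it does not reproduce the real SIOCSHSNOTIFY ioctl, zERT's internal state machine or the SMF 119 subtype 11 layout. The names ZertObserver, hs_notify, LdapTlsServer, run_handshake and find_incomplete, the simplified handshake flight, and the point at which the pre-fix server issues its second call are all assumptions made for the example. It shows why a repeated notify truncates the record and how a guard that issues it once restores a complete record.

```python
"""Constructed model of the SIOCSHSNOTIFY / zERT interaction described in
APAR OA67282.  Illustrative Python only: the real ioctl, zERT's state
machine and the SMF 119-11 record layout are not reproduced.  All names
here are assumptions made for the example."""

from dataclasses import dataclass, field
from typing import List, Optional

# Simplified TLS 1.3 server-side handshake flight (constructed sample).
HANDSHAKE_MSGS = [
    "ClientHello", "ServerHello", "EncryptedExtensions",
    "Certificate", "CertificateVerify", "Finished",
]


@dataclass
class SmfRecord:
    """Stand-in for an SMF 119 subtype 11 (TLS handshake) record."""
    subtype: int
    messages: List[str]
    complete: bool


@dataclass
class ZertObserver:
    """Models zERT's per-connection handshake observation state."""
    armed: bool = False
    observed: List[str] = field(default_factory=list)
    record: Optional[SmfRecord] = None

    def hs_notify(self):
        """Effect of one SIOCSHSNOTIFY call as the APAR describes it: the
        call (re)sets observation state.  A second call while a handshake is
        being observed tears the observation down, so the record is cut at
        whatever was seen so far and later messages are never captured."""
        if self.armed:
            self.record = SmfRecord(11, list(self.observed), complete=False)
            self.armed = False
            self.observed = []
            return
        self.armed = True
        self.observed = []

    def observe(self, msg):
        if self.armed:
            self.observed.append(msg)

    def handshake_done(self):
        """Emit the record only if observation survived the whole handshake."""
        if self.armed:
            self.record = SmfRecord(11, list(self.observed), complete=True)
            self.armed = False


class LdapTlsServer:
    """Models the LDAP server's use of the notify ioctl.  fixed=False
    reproduces the pre-APAR behaviour (notify issued more than once per
    handshake); fixed=True applies the once-per-handshake guard."""

    def __init__(self, observer, fixed):
        self.observer = observer
        self.fixed = fixed
        self._notified = False

    def request_hs_notify(self):
        if self.fixed and self._notified:
            return  # guard: the ioctl is issued once per handshake
        self._notified = True
        self.observer.hs_notify()

    def handshake(self):
        self.request_hs_notify()
        for i, msg in enumerate(HANDSHAKE_MSGS):
            if i == 2:
                # Second call part-way through the handshake.  The APAR does
                # not say where the extra calls occurred; this placement is an
                # assumption of the model.
                self.request_hs_notify()
            self.observer.observe(msg)
        self.observer.handshake_done()
        return self.observer.record


def run_handshake(fixed):
    """Drive one handshake against a fresh observer and return its record."""
    return LdapTlsServer(ZertObserver(), fixed).handshake()


def find_incomplete(records):
    """Verification step 2 in miniature: flag records whose handshake data is
    truncated (no record at all, or no Finished message observed)."""
    return [r for r in records
            if r is None or not r.complete or "Finished" not in r.messages]


if __name__ == "__main__":
    pre, post = run_handshake(fixed=False), run_handshake(fixed=True)
    print("pre-fix:", pre)
    print("fixed:  ", post)
    print("incomplete records:", find_incomplete([pre, post]))
```

Run it and the pre-fix record stops at ServerHello with complete=False, while the guarded server yields all six messages with complete=True; find_incomplete flags only the former, which is the kind of gap verification step 2 asks you to look for in real SMF 119-11 data.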
Temporary fix
Comments
APAR Information
APAR number
OA67282
Reported component name
SECURITY SERVR
Reported component ID
565506803
Reported release
440
Status
CLOSED PER
PE
Yes
HIPER
No
Special Attention (Specatt / Xsystem)
No
Submitted date
2024-12-02
Closed date
2026-02-20
Last modified date
2026-02-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ99044 UJ99045
Modules/Macros
GLDSRV31 GLDSRV64
Fix information
Fixed component name
SECURITY SERVR
Fixed component ID
565506803
Applicable component levels
Business Unit: BU011 (Systems - zSystems software); Product: SG19O; Platform: PF054 (z Systems); Version: 440
Document Information
Modified date:
21 February 2026