A fix is available
APAR status
Closed as program error.
Error description
Dump shows subpool SOGENRAL is has 96725 elements which occupy 594212560 bytes. This averages almost exactly 6K. As part of an SSL handshake, CICS always getmains a 6k SOCERTAT buffer to house a client certificate. This should be freemained at the end of the handshake. However, in this case, the log shows a stream of unusual SSL error messages :- . DFHSO0123 xxxxxxxx Return code 2 received from function gsk_secure_socket_open . The exception trace shows evidence of this also ... SO 080C SOSE *EXC* SYSTEM_SSL_ERROR GSK_API_NOT_AVAILABLE,SECURE_SOC_INIT . This suggests there is some kind of environmental problem with SSL. When CICS receives this error, it bypasses the SSL handshake code and returns - but it fails to free the SOCERTAT buffer leading to a storage leak.
Local fix
Allocate more EDSA. Fix the problem causing the SSL handshake to fail.
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users. * **************************************************************** * PROBLEM DESCRIPTION: SOCERTAT storage leak if SSL handshake * * failure happened. * **************************************************************** CICS is configured to use SSL. In SSL handshake process, a SOCERTAT block is GETMAINed to hold the certificate information. This block should be FREEMAINed at the end of the SSL handshake. If the handshake process fails with GSK_API_NOT_AVAILABLE when creating the SSL socket handle and opening SSL-connected session, it returns without freeing the SOCERTAT block. It can cause CICS SOS if vast numbers of this error occur in SSL handshake processing.
Problem conclusion
DFHSOSE has been changed to make sure the SOCERTAT block is FREEMAINed if GSK_API_NOT_AVAILABLE error happens.
Temporary fix
Comments
APAR Information
APAR number
PH15115
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-07-31
Closed date
2019-11-08
Last modified date
2019-11-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI66334 UI66335
Modules/Macros
DFHSOSE
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.4","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.4","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
30 November 2019