IBM Support

PH23196: EXTRACT CERTIFICATE COMMAND FAILS IN ATLSAWARE ENVIRONMENT WITH RESPONSE(EXCEPTION) REASON(CERTIFICATE_INVALID)

A fix is available

APAR status

  • Closed as program error.

Error description

  • EXTRACT CERTIFICATE is failing in an ATTLSAWARE environment.
    An EXTRACT CERTIFICATE command issued from program DFH0WBCA
    fails with CERTIFICATE_INVALID.
    DFH0WBCA issues two EXTRACT CERTIFICATE commands: the first,
    FOR(SUBJECT), completes successfully; the second, EXTRACT
    CERTIFICATE FOR(ISSUER), fails with RESPONSE(EXCEPTION)
    REASON(CERTIFICATE_INVALID).
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: A client certificate is incorrectly     *
    *                      rejected as being invalid in an         *
    *                      ATTLSAWARE environment.                 *
    ****************************************************************
    A TCPIPSERVICE with SSL(ATTLSAWARE) is installed in CICS and the
    AT-TLS policy requires client authentication. The client does
    provide a suitable certificate as part of the handshake but an
    EXEC CICS EXTRACT CERTIFICATE command issued by the target
    application fails because CICS believes the certificate is not
    valid. The command returns nulls instead of the requested
    information from the X.509 certificate.
    

Problem conclusion

  • DFHXSCT has been changed to process the X.509 client certificate
    correctly for ATTLSAWARE TCPIPSERVICEs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH23196

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / CST / Xsystem

  • Submitted date

    2020-03-11

  • Closed date

    2020-07-08

  • Last modified date

    2020-08-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI70439

Modules/Macros

  • DFHXSCT
    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R100 PSY UI70439

       UP20/07/21 P F007

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
12 August 2020