A fix is available
APAR status
Closed as program error.
Error description
There are different types of CICS regions all are using the same USSCONFIG directory, some of them are defined for webservice calls using defaultciphers.xml, but a lot others dont't make webservice calls. All these other CICS regions get the informational messages DFHSO0145 and DFHSO0146 at startup.
Local fix
The correct way to resolve the problem is to define the regions correctly and only use a USSCONFIG with the feature toggle set for those web enabled regions that require it. If a separate USSCONFIG is not required then you need to add the KEYRING parameter to all the other CICS regions. This will cause the SSL environment in CICS to be initialised. This will allow the ciphers to be validated and not reported as invalid. The problematic messages will no longer appear.
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users. * **************************************************************** * PROBLEM DESCRIPTION: Unwanted DFHSO0145 and DFHSO0146 * * messages during CICS initialisation. * **************************************************************** CICS is started with the com.ibm.cics.web.defaultcipherfile feature toggle set to true. A defaultciphers.xml file has been created in the USSCONFIG/security/ciphers directory. The KEYRING SIT parameter is not set, so the region is not capable of making outbound HTTPS requests. During CICS initialisation DFHWBDM detects that the feature toggle is set so it calls DFHSOPA to process the defaultciphers.xml file. DFHSOPA reads in the file and then removes any ciphers that are not available in the region. In this case there are no ciphers available because the TLS environment was not created. Messages DFHSO0145 and DFHSO0146 are issued to say that the ciphers have been removed. DFHWB0112 is then issued to report that the defaultciphers.xml file was unable to be used because it contained invalid ciphers. The DFHSO0145 and DFHSO0146 messages are potentially confusing because the problem is with the configuration of the region rather than with the content of the cipher file.
Problem conclusion
CICS has been changed to no longer attempt to use the defaultciphers.xml file when CICS was started without a KEYRING specified. Message DFHWB0112 has been updated to add a new message insert to indicate why the file was not used.
Temporary fix
Comments
APAR Information
APAR number
PH41033
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
300
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-10-01
Closed date
2021-10-21
Last modified date
2021-11-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI77737 010PC2 010PC2
Modules/Macros
DFHMEWBC DFHMEWBE DFHMEWBK DFHWBDM
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R300 PSY UI77737
UP21/10/22 P F110
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Line of Business":{"code":"LOB35","label":"Mainframe SW"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.6"}]
Document Information
Modified date:
02 November 2021