A fix is available
APAR status
Closed as program error.
Error description
Problem description 1. Key database has a certificate about to expire 2. Use gskkyman to request new certificate 3. Use gskkyman to receive requested certificate 4. Use gskkyman to change label of certificate 5. Use gskkyman to make new label default key 6. When we exit we cannot open the key database anymore. Receive: unable to open /etc/SSYSkey.kdb Status 0x03353016 - The password is not correct. 7. We did NOT change the password. To hit this problem, the gskkyman key database must have been created in FIPS mode.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: System SSL users storing certificates in a * * FIPS key database file. * **************************************************************** * PROBLEM DESCRIPTION: When attempting to open a FIPS key * * database file after the default key * * has been changed to another key * * within the database, the following * * error was encountered by gskkyman: * * * * Unable to open ./fipskey.kdb * * Status 0x03353016 - The password is * * not correct. * * * * If another System SSL application * * attempts to open the same FIPS key * * database file, the following errors * * may occur: * * 408 GSK_ERR_BAD_KEYFILE_PASSWORD * * 4 GSK_KEYFILE_BAD_PASSWORD * * 03353016 CMSERR_PW_INCORRECT * **************************************************************** * RECOMMENDATION: APPLY PTF * **************************************************************** The problem occurs when the FIPS key database already has a default key (certificate) and the default is changed to another key (certificate) in the key database. In this situation, the key database hashes are computed incorrectly, resulting in a password error when the database hashes are used during the open processing.
Problem conclusion
System SSL has been modified so that it correctly calculates the hash records when the default key is changed to another key in the FIPS key database. This APAR support has been provided through internal defect 4430.
Temporary fix
********* * HIPER * *********
Comments
APAR Information
APAR number
OA40338
Reported component name
SYSTEM SSL
Reported component ID
565506805
Reported release
3C0
Status
CLOSED PER
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2012-09-13
Closed date
2012-10-26
Last modified date
2016-12-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA67049 UA67050 UA67051 UA67052
Modules/Macros
GSKCMS31 GSKCMS64 GSKC31 GSKC31F GSKC64 GSKC64F
Fix information
Fixed component name
SYSTEM SSL
Fixed component ID
565506805
Applicable component levels
R3C0 PSY UA67049
UP12/10/31 P F210 Ž
R3C1 PSY UA67050
UP12/11/01 P F210 Ž
R3D0 PSY UA67051
UP12/10/31 P F210 Ž
R3D1 PSY UA67052
UP12/10/31 P F210 Ž
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3C0","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3C0","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
08 December 2016