PH35742: ABEND 4038 IN DFHWSSE1 INVOKING A WEBSERVICE WITH WSSE

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Client is invoking a Webservice with WSSE and CICS shows the
  following message:
  
  DFHPI0500 PRBW The CICS Pipeline Manager DFHPIPM encountered an
   error while trying to link to program DFHWSSE1. The program
   abended. PIPELINE: ISSWSPRV.
  
  CICS Dump shows DFHWSSE1 is finishing with an ABEND 4038
  
  CICS trace shows an event with a security exception:
  
  XSECException::XSECException(.06. <.>,
  "SecurityContext::processSignature - Signature Invalid"
  
  There is an issue with CICS validating the hash values within
  the signature.
  

Local fix

• No Local Fix.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS users.                              *
  ****************************************************************
  * PROBLEM DESCRIPTION: ABEND 4038 in DFHWSSE1 while invoking a *
  *                      web service using WS-Security signed    *
  *                      messages.                               *
  ****************************************************************
  CICS is using web services with WS-Security and signed messages.
  Part of the signing process involves canonicalisation of the
  XML element that is to be signed.  In CICS this is performed
  by DFHXUCAN.
  
  Due to an error in the compilation of DFHXUCAN, the module is
  always returning an empty, zero length string instead of the
  correct canonicalised XML data.  This means that all WS-Security
  signature generation and validation in CICS 5.6 will either fail
  or produce incorrect results.
  
  If CICS is acting as a web service requester then the outbound
  SOAP message will contain an invalid signature that will be
  rejected by the provider.
  
  If CICS is acting as a web service provider then it will not be
  able to validate any signature present in the inbound SOAP
  message.  An LE 4038 abend a DFHPI0500 message may also be seen.
  

Problem conclusion

• DFHXUCAN has been changed so that it correctly canonicalises the
  supplied XML element.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UI77121

Modules/Macros

• DFHWS002 DFHWS003 DFHWS004 DFHWS005 DFHWS006 DFHWS007 DFHWS008
  DFHWS009 DFHWS010 DFHWS011 DFHWS012 DFHWS013 DFHWS014 DFHWS015
  DFHWS016 DFHWS017 DFHWS018 DFHWS019 DFHWS020 DFHWS021 DFHWS022
  DFHWS023 DFHWS024 DFHWS025 DFHWS026 DFHWS027 DFHWS028 DFHWS029
  DFHWS030 DFHWS031 DFHWS032 DFHWS033 DFHWS034 DFHWS035 DFHWS036
  DFHWS037 DFHWS038 DFHWS039 DFHWS040 DFHWS041 DFHWS042 DFHWS043
  DFHWS044 DFHWS045 DFHWS046 DFHWS047 DFHWS048 DFHWS049 DFHWS050
  DFHWS051 DFHWS052 DFHWS053 DFHWS054 DFHWS055 DFHWS056 DFHWS057
  DFHWS058 DFHWS059 DFHWS060 DFHWS061 DFHWS062 DFHWS064 DFHWS065
  DFHWS066 DFHWS068 DFHWS069 DFHWS070 DFHWS071 DFHWS072 DFHWS073
  DFHWS074 DFHWS075 DFHWS076 DFHWS077 DFHWS078 DFHWS079 DFHWS081
  DFHWS082 DFHWS083 DFHWS084 DFHWS085 DFHWS086 DFHWS087 DFHWS088
  DFHWS089 DFHWS090 DFHWS091 DFHWS092 DFHWS122 DFHWS123 DFHXUCAN
  DFHXUSUB
  

Fix information

• Fixed component name

  CICS TS Z/OS V5

• Fixed component ID

  5655Y0400

Applicable component levels

• R30W PSY UI77121

     UP21/09/15 P F109 ¢

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.