Skip to Main Content
IBM Z Software


This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Categories Runtime
Created by Guest
Created on Feb 3, 2014

CEDA allows installation of a TCPIPService or URIMap with an invalid certificate

Under CICS 670 and 680, if a certificate is added to the CICS keyring and the region using that keyring is NOT cycled nor issues the SSL REBUILD (available in 680 and later) command, CEDA allows for successful installation of a TCPIPService or URIMap (client role) with that new certificate. CEDA does not complain and the TCPIPService is open, ready for traffic. The URIMap is available for use in the region. When a unit of work attempts to use the said TCPIPService or URIMap, CICS issues a DFHSO0123 message with a return code of 6, "No valid certificate is available". CEDA should not be allowed to successfully install these resources until after a recycle or SSL REBUILD, if available, has been issued.

Idea priority Low
  • Guest
    Reply
    |
    Feb 10, 2022

    This requirement has been re-assessed. It is not now likely that this will be implemented in the near future and so it is being declined at this point. The requirement will be kept in the RFE system and might be reassessed in the future. You also have an opportunity to resubmit in twelve months time if you wish it to be reconsidered then.

  • Guest
    Reply
    |
    Oct 5, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - Transaction Processing
    Product - CICS Transaction Server

    For recording keeping, the previous attributes were:
    Brand - WebSphere
    Product family - Transaction Processing
    Product - CICS Transaction Server

  • Guest
    Reply
    |
    Oct 27, 2014

    I agree with your decision that the perforn ssl rebuild function should remain under operator control.However, I have verified that UI16182 is installed and I was still able to recreate the original issue.

    I had a new certificate added to the keyring, I did NOT issue the rebuild, and used CEDA to install the resource. Upon use of the resource, it failed.

    DFHSO0133 10/27/2014 15:09:44 CICSSXA2 TCPIPSERVICE TESTARSH has been installed.
    DFHSO0107 10/27/2014 15:09:44 CICSSXA2 TCPIPSERVICE TESTARSH has been opened on port 01312 at IP address ANY.
    DFHSO0123 10/27/2014 15:09:56 CICSSXA2 Return code 6 received from function 'gsk_secure_socket_init' of System SSL. Reason: No
    certificate available. Peer: 114.2.82.156, TCPIPSERVICE: TESTARSH.


    In our shop, to mitigate potential impact for this, we have created a CICS Event that calls an in-house written program that will close/disable the offending resource and email our team asking for investigation and someone to issue a REBUILD if necessary.
    DFHPG0209 10/27/2014 15:09:57 CICSSXA2 CITEVNT WWEV Resource definition for WWEVTPGM has been autoinstalled using model WWPGAINP.
    DFHPG0209 10/27/2014 15:09:57 CICSSXA2 CITEVNT WWEV Resource definition for WWEMAIL has been autoinstalled using model WWPGAINP.
    DFHPG0209 10/27/2014 15:09:57 CICSSXA2 CITEVNT WWEV Resource definition for WWSYSTEM has been autoinstalled using model WWPGAINP.
    DFHSO0108 10/27/2014 15:09:57 CICSSXA2 TCPIPSERVICE TESTARSH on port 01312 at IP address ANY has been closed.


    My original RFE still stands. Since the TCPIPService has a status of Open, CEDA should return an installation failure rather than "INSTALL SUCCESSFUL". Or, the validation could be done by CICS and the port fail to open (like when experiencing a SAF failure to not be authorized to bind to the port). EIther way, the port should not be opened to take customer workloads while the certificate is invalid.

  • Guest
    Reply
    |
    Sep 9, 2014

    Arshia,
    CICS obtains its information about the certificates on the keyring on SSL initialisation.
    This is separate from the checking on the install process.
    We have looked at automating the perform ssl rebuild function to reinitialise the SSL environment when a mismatch is detected.
    However this could cause problems if a site is updating a number of certificates over a short period of time.
    It was felt that it would be better therefore for the refresh to be under operator control after the last update had been made.
    The message DFHSO0123 will be updated to clarify this.
    I believe that PTF UI16182 solves your basic problem, so is this OK to close the RFE as fixed?

  • Guest
    Reply
    |
    Jun 3, 2014

    Colin, the APAR you mentioned connects to PTF UI16182. That PTF only released at the end of April, AFTER I submitted my SR about this issue and subsequently opened this RFE. Based on the description here: http://www-01.ibm.com/support/docview.wss?uid=swg1PI06257 , UI16182 ** may ** satisfy my RFE.

    With UI16182 applied, a URIMAP installation would call for an INQUIRE_CERTIFICATE to validate it is completely valid (including it's private key). In SR 09720,379,000, it was indicated that CEDA would validate a certificate label was valid, but would not validate if the certificate itself was indeed valid for use. So the dumps I submitted then, the certificate label was valid, but no SSL REBUILD was performed and thus, the private key was not yet available. As such, use of the certifcate failed with an error along the lines of "certificate not available." The testing I did was with a TCPIPService.

    Here is a snippet from the SR:
    ---
    If we attempt to install a TCPIPService where a certificate is not on the CICS keyring, we get the message "Install of TCPIPSERVICE XYZ failed because CERTIFICATE ABC is invalid." This behavior is consistent between CICS 4.2 and CICS 5.1. However, if the certificate is loaded to the CICS keyring AND the CEMT PERFORM SSL REBUILD command is NOT issued, CEDA will allow for installation of this certifcate under CICS 5.1. We simply get "INSTALL SUCCESSFUL". However, if a user then tries to connect to this port, CICS spits the following out to MSGUSR:
    DFHSO0123 01/30/2014 10:51:24 APPLID Return code 6 received from function 'gsk_secure_socket_init' of System SSL. Reason: No
    certificate available.
    ---

    Since I do not yet have this applied, I cannot see if I get a similar Certificate is invalid message as you do upon trying to do an install. However, the Change Team at the time indicated that this is the desired behavior. Their snippet is included below.
    ---
    CEDA has no idea when the named certificate was added to the KEYRING.
    The assumption is that the certificate was always on the KEYRING.
    ---

    This makes it sound like a "deep inspection" of the certificate is not done, and simply an inspection to check if the certificate is on the keyring is done. The error message you get sounds like the error message I got without this PTF applied that only occurred if the certificate was not yet on the keyring.

    Could you please clarify Colin?

  • Guest
    Reply
    |
    May 15, 2014

    Arshia,

    Apologies for taking so long to get back to you about this RFE.
    I believe this problem is fixed in APAR PI06257 on 680.

    I've tried this on my system and get the message
    S install of URIMAP HTTPS-S failed because CERTIFICATE My-Certificate is invalid.

    Does this fix the problem that you are seeing?

    Colin Penfold