PQ89967: GSK_DECRYPT_V3_RECORD(): SHA-1 DIGEST INCORRECT FOR MESSAGE BBOU0639E FUNCTION READ() FAILED WITH RV=-12, RC=0, RSN=00000000

 A fix is available




APAR status
Closed as program error.

Error description
Customer had an application in which one ejb in one server made
a call to another ejb in another server using RMI-IIOP.  When
the RMI-IIOP is secured using SSL the calling server fails with:
.
Trace: 2004/06/04 15:12:13.155 01 t=9CE9D8 c=UNK key=S2
(0000000A)
  Description: Log Boss/390 Error
  from filename: ./bbocsses.cpp
  at line: 2513
error message: BBOU0639E Function read() failed with RV=-12,
RC=0,RSN=00000000,
.
Enabling an SSL trace for the calling server will show the
ERROR gsk_decrypt_v3_record(): SHA-1 digest incorrect for
message
ASCII gsk_decrypt_v3_record(): Failing message
22445af3 a207435a d4b031d2 5587b1e8  *"DZ...CZ..1.U...*
fd6d2133 8e069e53 44eae7d9 382961b0  *.m!3...SD...8)a.*
ddb4613e 01fb9366                    *..a>...f        *
.
The decrypted message will not be readable.
.
To diagnose the problem enable a TRACEDETAIL=(3,4,E), and
obtain an SSL trace for both the calling server and server
being called.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: IIOP requests over an SSL encrypted     *
*                      socket may encounter COMM_FAILURE       *
*                      exceptions with minor codes C9C20CAE,   *
*                      C9C21149, or C9C20C5E.  These           *
*                      exceptions will be accompanied by the   *
*                      message:                                *
*                      BBOU0639E: Function read() failed with  *
*                      RV=-12, RC=xxx, RSN=xxxxxxxx            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When WebSphere performed asynchronous reads from an SSL
encrypted socket, the read request was made for the maximum size
of an SSL record.  While this generally resulted in the
consumption of a single SSL record, it was possible to receive
multiple records.

After consuming the expected SSL record, the remainder of the
data received from the socket was abandoned.  The loss of the
additional data was detected by System SSL when the Message
Authentication Code check failed.  This failure caused System
SSL to return GSK_ERR_BAD_MAC (-12) from gsk_secure_socket_read.
In response to this return code, a COMM_FAILURE exception was
raised.
These are some of the failures seen in the server:
BBOU0639E Function read() failed with RV=-12, RC=XXX,
RSN=XXXXXXX,  EDC5113I Bad file descriptor.

BBOU0051E Internal communications error: REASON=C9C2XXXX
Problem conclusion
The amount of data requested on the asynchronous reads from
SSL encrypted sockets has changed from the maximum SSL record
size to the size of the SSL record header.  This change ensures
that no more than one SSL record will ever be consumed for
processing by a single socket read.

APAR PQ89967 is associated with SERVICE LEVEL W502013 of
WebSphere Application Server V5.0 for z/OS.
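
The framing change described above, as an added C example that is not IBM's code: the same two queued records are read once with a header-sized first read and once with a buffer-sized first read. The stream_t socket stand-in, stream_read, count_records, the 64-byte buffer and the sample bytes are all constructed for illustration, and the MAC check itself is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REC_HDR_LEN 5   /* SSLv3 record header: type(1) version(2) length(2) */
#define BUF_LEN     64  /* small stand-in for the maximum SSL record size */

/* Constructed sample: two SSLv3 application-data records queued back to back. */
static const uint8_t SAMPLE_WIRE[] = {
    0x17, 0x03, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0x17, 0x03, 0x00, 0x00, 0x04, 'd', 'e', 'f', 'g'
};

/* Hypothetical in-memory socket: a read returns whatever is queued, up to n. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;

static size_t stream_read(stream_t *s, uint8_t *out, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Returns how many complete records reach the record layer when each record's
 * initial read asks for first_read bytes, or -1 on a bad argument or length. */
static int count_records(const uint8_t *wire, size_t n, size_t first_read)
{
    stream_t s = { wire, n, 0 };
    uint8_t buf[BUF_LEN];
    int count = 0;

    if (first_read < REC_HDR_LEN || first_read > BUF_LEN) return -1;
    for (;;) {
        size_t got = stream_read(&s, buf, first_read);
        if (got < REC_HDR_LEN) break;                 /* no further header */
        size_t total = REC_HDR_LEN + (((size_t)buf[3] << 8) | buf[4]);
        if (total > BUF_LEN) return -1;               /* length field too large */
        if (got < total &&
            stream_read(&s, buf + got, total - got) != total - got)
            break;                                    /* truncated record */
        /* Bytes in buf past 'total' belong to the next record. They are
         * dropped here, which is the data loss the APAR describes. */
        count++;
    }
    return count;
}
```

With a first read of REC_HDR_LEN both records are delivered; with a first read of BUF_LEN the second record is pulled off the socket together with the first and lost.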
Temporary fix

Comments

APAR information
APAR number PQ89967
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 500
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-06-10
Closed date 2004-07-20
Last modified date 2004-08-04

APAR is sysrouted FROM one or more of the following:
PQ89906

APAR is sysrouted TO one or more of the following:
PQ89968

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSY UQ90831    UP04/07/27 P F407
