February 27th 2020 Dear Connect:Direct for i5/OS customer, Enclosed please find a CD containing the latest cumulative maintenance for Connect:Direct for i5/OS 3.8.0 Please call IBM for details on IBM APARs. Cumulative Maintenance Contents: 2002B ---------------------------------------------- All the modified objects which are addressed by following issues. ======================= D380F1503A ================================ APAR IT06028 Process is not running using permanent session managers. Solution: Put a counter in to allow 15 processes to run, then start a new session manager, working on a more permanent fix. Object: PMGR - PMGR (PGM) IT07472 Error CSPA081E-Unable to initialize workspace, after upgrading to 3.8, remote netmap was not in SPADMIN. Solution: Put back in logic to issue a warning Object: SMMAIN - SMMAIN (PGM) IC99154 If the SNODEID JOBD has more then 52 libraries in their list we receive an error CPF9999 Solution: Increase variables to allow for larger library lists. Object: XRTVUSRL - RMTSYSTEM (PGM) IT07616 Long delay on DNS lookup as the DNS server is not responding to a IPv6 request. Solution: Change the getaddrinfo() call to use AI_ADDRCONFIG flag Object: SDIP_TCPIP - SMMAIN (PGM) IT08034 Can not send secure to SI/CDSA 5.2.4.0 getting CSPA203E error. CDSA only supports SSL & TLS can not take TLS1.2 handshake. Solution: Change SPADMIN to allow only one protocol to be entered. Changed to toolkit to only turn on one protocol, not higher. Object: SPADMIN2 - SPADMIN (PGM) CDSSLGSK - SMMAIN (PGM) ======================= D380F1506A ================================ APAR IT09661 Added fix from 3.7: IC94327 A MBCS transfer using codepage(284, 1208) is successful but there is some garbage in the destination file Solution: Clean up the use of some of the internal variables used for iconv() that were causing errors on new i5/OS releases. Object: SMCOPY - SMMAIN (PGM) ======================= D380F1507A ================================ IT08726 z/OS Sending a binary file to i5 IFS will end with error ACOP009I if source file length greater then 32754 Solution: Remove logic on record length change for IFS files. Object: SMFILE - SMMAIN (PGM) ======================= D380F1508A ================================ IT10851 During a Secure+ session a C:D server may create multiple SSL records when encrypting a buffer for transmission. If the remote node cannot handle multiple records, the session fails. Solution: Decrypt the data a second time if only 1 byte was decrypted during the first attempt. Object: CDSSLGSK - SMMAIN (PGM) ======================= D380F1510A ================================ IT11651 CDSMGR hangs - joblog shows The pointer parameter passed to free or realloc is not valid. Solution: Removed logic that was causing the error. Object: SMPROC - SMMAIN (PGM) ======================= D380F1511A ================================ IT12308 >>>> Message "ID" Not found was displaying instead of the proper message text. Solution: Corrected the corrupt message file. Object: NDMMESSAGE - (FILE) ======================= D380F1601A ================================ Internal: Any user can access the SPADMIN (Secure+ Admin Utility) panel. Solution: Corrected the program to only allow those users with administrative authority to access this panel. Object: SPADMIN - (PGM) Internal: C2M3003 - Data was truncated on an input, output or update operation was appear in the joblog for each record read when running SPADMIN. Solution: Corrected the program so the messages no longer appear in the joblog. Object: SPADMIN - (PGM) ======================= D380F1601B ================================ IT13286 Ending a 5250 session abnormally makes the interactive job generate a huge number of spool files while running SPADMIN. Solution: End the program with minimal errors when the 5250 session is ended abnormally. Object: SPADMIN2 - (PGM) ======================= D380F1602A ================================ IT13235 The Translation table cannot tranlate some traditional Chinese characters. Solution: Opened the rules to include hex value x'FB' through x'FE' Object: CRTCDXTC - CRTCDXTC (PGM) ======================= D380F1602B ================================ ENHANCEMENT *PUBLIC authority needs to be set to *EXCLUDE on all objects in the Connect:Direct library. Solution: A new command can be run that will modify the authority on all Connect:Direct objects. The Connect:Direct Administrator will become the owner, *PUBLIC will be set to *EXCLUDE and a specified group profile (ibm i user id of choice) will be granted *USE access. Object: SETCDAUT - (CMD) SETCDAUT SETCDAUTV - (CL) SETCDAUT - (PNLGRP) ======================= D380F1603A ================================ Internal Some defects from 3.7 were never synched into 3.8 IC91866 CDSND fails with RACF error but retries the connection the command should not retry a security failure. Solution: Corrected logic if error was found not to continue. Object: SDIP_TCPIP - SMMAIN (PGM) IC92491 MCH3601 error from module SDIP_TCPIP from procedure tcp_read_header. Solution: Added additional logic checking for readv(). Object: SDIP_TCPIP - SMMAIN (PGM) IC94325 Using I5OS in netmap with CDRCV gives a message 'Error detected in prompt override program command string' Solution: Correct logic checking. Object: GETENVIRN - CDRCV (PGM) ======================= D380F1604A ================================ ENHANCEMENT Full support of Connect Direct in an iASP. Solution: Two new commands have been created to provide full support of Connect Direct in an iASP. UPDCDIASP will update your Connect Direct system when you have manually moved your system to an iASP. SETCDIASP will move your Connect Direct system to an iASP. Review the word documents to determine which command should be run to add full support of an iASP to your Connect Direct system. Object: SETCDIASP UPDCDIASP - (CMD) SETCDIASP STRCD UNINSTALLM UPDATECD UPDCDIASP STRCD - (CL) PMGR - (PGM) SETCDIASP UPDCDIASP - (PNLGRP) ======================= D380F1604B ================================ IT14898 Secure Plus Protocol Flags not behaving as expected. Solution: Made the Secure Plus work more consistently with the new versions of C:D Unix and C:D Windows Object: SDIP_TCPIP - SMMAIN (PGM) CDSSLGSK - SMMAIN (PGM) ======================= D380F1605A ================================ IT15127 Receiving error ASMT015I - Unable to establish the specified security environment when a multi-process is submitted with 2 different user id's. Solution: Ended the RMTSYSTEM job at the end of each process allowing to new process to start with current credentials. Object: SMPROC - SMMAIN (PGM) ======================= D380F1607A ================================ IT16155 When sending a file from the IFS file system and compression was turned on, the file was not being compressed and the resulting file was larger than the original file. Solution: Corrected the compression logic. Object: SMCOPY - SMMAIN (PGM) ======================= D380F1608A ================================ IT16725 During a Secure+ session a C:D server the snode on occasions will hang. This is because of the combination of the buffer size and file size. When there is only 1 byte left to decrypt, the program assumes the beast remediation virus code is in place and attempts to decrypt the remaining data when there is none. This causes the snode to hang. Solution: Verify there is more data to be decrypted before performing the decrypt function again. Object: CDSSLGSK - SMMAIN (PGM) ======================= D380F1612A ================================ IT18334 Source members were missing from the CDXTSOURCE file. Also corrected some help text for the CDRUNTASK command. Solution: Added the source members back to the CDXTSOURCE file. Object: CDXTSOURCE - (FILE) NDMGENERAL - (PNLGRP) ======================= D380F1701A ================================ IT18859 When CHGCDPARM was run directly from a command line, some of the INITPARMS were removed. Solution: Force CHGCDPARM to be run from the menu system in Connect:Direct. Object: CHGCDPARM - (COMMAND) ======================= D380F1703A ================================ IT19548 Blocking had been removed causing a slow down when large files with small record lengths were being transmitted. Solution: Added blocking back. Object: SMFILE - SMMAIN (PGM) SMCOPY - SMMAIN (PGM) ======================= D380F1704A ================================ ENHANCEMENT Added Max Global Concurrent Session parameter to the Connect:Direct Parameters (INITPARMS). Solution: This new parameters controls the total number of incoming and outgoing sessions that you can have running simultaneously as defined in your Connect:Direct contract agreement. When this fix is loaded, it will populate this new fields with the value that resides in the Maximum synchronous sessions field. If this is not the value defined in your contract agreement, you will need to modify this new value through the Change C:D parms (CHGCDPARM) panel - Option 1 from the Connect:Direct Administration menu. Object: CNVCDPARM CHGCDPARM - (CMD) CHGCDPARM EDITCHG - (CL) CNVCDPARM GETCDPARM INITPARMS PMGR WRKSTSC - (PGM) CHGCDPARM NDMGENERAL WRKCDSTS - (PNLGRP) ======================= D380F1706A ================================ IT21110 When adding a new entry in SPADMIN by using the F6 key, the node name was created as blanks. Solution: Created the new record with the node name entered. Object: SPADMIN2 - SPADMIN(PGM) ======================= D380F1707A ================================ IT20960 Added a condition on CDCOMP command to check if the input file is a save file since compression is not allowed for save files. Solution: Added condition to check file type. Object: EDITCOMP - (PGM) ======================= D380F1709A ================================ IT21585 When two PNODES initiated file transfer with same process numbers, submitter IDs and similar node names the SNODE reports error ACDU001I and ACDU010I. Solution: Modified creation of process storage name and FMH72 sent from the PNODE to carry TDSB bits as well. Object: SMPROC - SMMAIN (PGM) ======================= D380F1712A ================================ Internal Secure+ changes done for 3.8 release modified three structures corresponding to three statistics events. This was leading to truncated values in Control Center reports. Solution: Modified the size of KQV_MERGE_PROTOC and merge_protoc to 12 byte from the existing 8. This is done for SMSTST and SMSTTM events. Object: STATEVENT - STATMGR (PGM) Internal When the instance of C:D is a GA version, the version information is blank. This will produce a version to be displayed as Connect:Direct 3.8.00 PTF 0000 The extra space between the Direct and with is the empty version. Solution: Modified the program to insert the GA version information in the first portion of the message to replace the ' ' that is currently showing up. Object: CDVER - (CL) ======================= D380F1802A ================================ Internal On Secure+ Admin screen Default to local node does not retain its value. When set to 'Y' the LCLNODE ciphers are not copied and empty list is duplicated. Solution: Resolved this problem by using the ciphers of local node to copy on the current node. To avoid the duplication of cipher list, used the API to delete list after cipher selection is done. We used a member in relevant structure to keep 'default to local' so the value will persist per node. Object: SPADMIN2 - SPADMIN(PGM) ======================= D380F1804A ================================ IT24685 In a secure+ transfer from SI to i5, i5(Snode) sends first FMH70 with the max buffer value i.e 65535.The SI side has buffer set to 32K(which is too high for i5 in case of secure transfer). So i5 gets FMH70 back with 32K as the buffer size because it will negotiate down to smaller size. And the transfer gets failed as maximum buffer size for i5 in case of secure+ is 16K. Solution: Introduced a check to ensure that the RUSZ in first FMH70 should always be set to 16K when Secure+ is enabled and buffer size in netmap is greater than 16K. No change in case of Non secure transfer, buffer size will be negotiated as per entry in the netmap. Object: SMPROC - SMMAIN (PGM) ======================= D380F1805A ================================ IT24986 After successful completion of a RUNTASK the correct message text was not displayed in the traces. Instead of the expected message the traces printed an error message "Message "ID" Not found in Message File" Solution: Removed the extra erroneous "INSERT" and "DELETE" lines in the text file msgsrc_seq.txt. After building the CD library again the corruption in NDMMESSAGE file got resolved. Object: NDMMESSAGE (FILE) ======================= D380F1809A ================================ IT26101 Normal end disposition and abnormal end disposition are not applicable for Sterling Connect:Direct for i5/OS. Solution: Hidden these options in From Disposition (FDISP) parameter of the CDSND and CDRCV commands. The default value is now displayed as NONE. Help panels are updated to display the correct information which can be accssed by using F1 key. Object: CDSND - (CMD, CL) CDRCV - (CMD, CL) ======================= D380F1905A ================================ IT29098 Error observed when trying to add user by ADDCDUSR or WRKCDUSR command - "Open of member CDUSER was changed to SEQONLY(*NO)" Solution: The maximum number of users which can be added in the CDUSER file was limited to 4000. However the CDUSER file is capable of holding 10000 records. Modified the limit and increased it to allow 10000 users. Object: WRKUSRC2 - WRKCDUSR (PGM) ======================= D380F1907A ================================ IT29717 When CDU server is the Snode doing server authentication with a CD i5 Pnode and the CDU server's certificate exceeds the 16,000B buffer limit required by CD i5 - It leads to failure of SSL handshake because CD i5 truncates the CDU's certificate before passing it to the GSKit. Solution: The buffer limitation of 16,000B on CD i5 is too small. It has been increased to allow for the very largest TLS message plus its header. Object: RMTSYSTEM - RMTSYSTEM (PGM) ======================= D380F1910A ================================ IT30642 Secure+ parameter "Auth. Time Out", can be defined in both the *LCLNODE and in a Remote Node. If in the *LCLNODE you have set "Override Security:Y" then the value of "Auth. Time Out" should come from the Remote Node entry. This is not happening. Solution: Secure+ parameter "Auth. Time Out" not being honoured in Remote Node. This fix allows remote node time out value in case Override Security:Y in LCLNODE. Object: SMPROC - SMMAIN (PGM) ======================= D380F2002A ================================ IT31998 When sending a file with 287 fields and parameter SNDFFD(*YES) set in the FMSYSOPTS then the transfer fails and proper error message is not printed. Solution: The FFD size in copy block has been raised to 16K from earlier 12K and an error message AFLH090I has been created to print the cause of failure in case FFD exceeds maximum allowed. Object: SMCOPY - SMMAIN (PGM) ======================= D380F2002B ================================ IT32014 User Space objects not getting deleted in cdcleanup job run. Since size of user space to keep the list was small. It was not able to keep all the entries returned by QUSLOBJ API. Solution: The user space size was 65 kb. This size has been increased to maximum size of 16 Mb for user space. Object: CDCKPTDAYS - CDCKPTDAYS (PGM) ======================= D380F2005A ================================ IT32845 With TLS1.3 available and enabled, a loopback test fails with SNODE timing-out. CD does not currently support TLS1.3 Solution: TLS1.3 is disabled in Secure+ until supported. Object: CDSSLGSK ======================= C38022006A ================================= IT33308 For IFS, CD does not use the SPOE user profile or the SNODEID for receiving the files thus the ownership of the files received is always CDADMIN. Also, the permission of the files received is always *RWXRWXRWX irrespective of the its parent directory permission. Currently, CD does not use inherited authority on new files. Solution: Whenever new file transfer request is received, SMGR would now be run under the SPOE user profile or the SNODEID in the received process. So that the new files created on Cd i5 has the ownership of the SPOE or SNODEID. Also, new parameter "Set Private Authority" has been introduced which would enable/disable CD i5 to handle the inherited authority on the new files created in directory on IFS. By default, this parameter would be set as "*NO" meaning CD i5 would not handle inherited authority. Object: CHGCDPARM EDITCHG - (CL) CHGCDPARM - (CMD) CHGCDPARM - (PNLGRP) GETCDPARM INITPARMS PMGR WRKSTSC SMPROC STRMIO - (PGM) IT33274 CDTCPL job gets an EAGAIN errno on socket accept() call and enter in a retry/restart socket mode but fails to bind() on the new created socket. After some retries, job terminates with a forced sigterm and is restarted by CDPMGR. Solution: Socket accept() call better manages EAGAIN error and does not fail as before. Object: CDTCPL