Oct 31st 2020
                                                                          
Dear Connect:Direct for i5/OS customer,                                   
                                                                          
Enclosed please find a CD containing the latest cumulative maintenance    
for Connect:Direct for i5/OS 3.8.03                                      
                                                                          
Please call IBM for details on IBM APARs.                                 
                                                                          
Cumulative Maintenance Contents:  2104A
----------------------------------------------                            
All modified objects addressed by the following issues.
                                                                          
=======================   D380F1503A  ================================    
APAR 
IT06028  Process is not running using permanent session managers.              
Solution: Put in a counter to allow 15 processes to run, then start a
           new session manager. Working on a more permanent fix.
Object:  PMGR - PMGR (PGM)  

IT07472  Error CSPA081E-Unable to initialize workspace, after upgrading 
           to 3.8, remote netmap was not in SPADMIN.                    
Solution: Put back in logic to issue a warning                          
Object:   SMMAIN - SMMAIN (PGM)   

IC99154   If the SNODEID JOBD has more than 52 libraries in its
             list, we receive error CPF9999.
Solution: Increase variables to allow for larger library lists.  
Object:   XRTVUSRL - RMTSYSTEM (PGM)             

IT07616  Long delay on DNS lookup as the DNS server is not responding
            to an IPv6 request.
Solution: Change the getaddrinfo() call to use the AI_ADDRCONFIG flag.
Object:  SDIP_TCPIP - SMMAIN (PGM)                                                                                               

IT08034  Cannot send secure to SI/CDSA 5.2.4.0; getting CSPA203E error.
            CDSA only supports SSL & TLS and cannot take a TLS1.2 handshake.
Solution: Change SPADMIN to allow only one protocol to be entered.
            Changed the toolkit to only turn on one protocol, not higher.
Object:  SPADMIN2 - SPADMIN (PGM) CDSSLGSK - SMMAIN (PGM)     

=======================   D380F1506A  ================================
APAR
IT09661    Added fix from 3.7:
           IC94327  A MBCS transfer using  codepage(284, 1208) is successful
           but there is some garbage in the destination file
Solution:  Clean up the use of some of the internal variables used for
           iconv() that were causing errors on new i5/OS releases.
Object:  SMCOPY - SMMAIN (PGM)                                                

=======================   D380F1507A  ================================  

IT08726   z/OS sending a binary file to i5 IFS will end with
           error ACOP009I if the source file length is greater than 32754.
Solution: Remove logic on record length change for IFS files.
Object:   SMFILE - SMMAIN (PGM)   

=======================   D380F1508A  ================================

IT10851   During a Secure+ session a C:D server may create multiple SSL 
          records when encrypting a buffer for transmission. If the     
          remote node cannot handle multiple records, the session fails. 
Solution: Decrypt the data a second time if only 1 byte was decrypted during 
          the first attempt.
Object:   CDSSLGSK - SMMAIN (PGM)

=======================   D380F1510A  ================================

IT11651   CDSMGR hangs - joblog shows The pointer parameter 
          passed to free or realloc is not valid.           
Solution: Removed logic that was causing the error. 
Object:   SMPROC - SMMAIN (PGM)

          
=======================   D380F1511A  ================================

IT12308   >>>> Message "ID" Not found was displaying instead of the
          proper message text.
Solution: Corrected the corrupt message file.
Object:   NDMMESSAGE - (FILE)
          
=======================   D380F1601A  ================================

Internal: Any user can access the SPADMIN (Secure+ Admin Utility) panel.
Solution: Corrected the program to only allow those users with
          administrative authority to access this panel.
Object:   SPADMIN - (PGM)

Internal: C2M3003 - Data was truncated on an input, output or update
          operation appeared in the joblog for each record read when
          running SPADMIN.
Solution: Corrected the program so the messages no longer appear in the
          joblog.
Object:   SPADMIN - (PGM)

=======================   D380F1601B  ================================

IT13286   Ending a 5250 session abnormally makes the interactive job
          generate a huge number of spool files while running SPADMIN.
Solution: End the program with minimal errors when the 5250 session is
          ended abnormally.
Object:   SPADMIN2 - (PGM)
          

=======================   D380F1602A  ================================

IT13235   The translation table cannot translate some traditional Chinese
          characters.
Solution: Opened the rules to include hex value x'FB' through x'FE'
Object:   CRTCDXTC - CRTCDXTC (PGM)

=======================   D380F1602B  ================================

ENHANCEMENT
          *PUBLIC authority needs to be set to *EXCLUDE on all objects
          in the Connect:Direct library.
Solution: A new command can be run that will modify the authority on all
          Connect:Direct objects.  The Connect:Direct Administrator will
          become the owner, *PUBLIC will be set to *EXCLUDE and a specified
          group profile (ibm i user id of choice) will be granted *USE
          access.
Object:   SETCDAUT - (CMD)
          SETCDAUT SETCDAUTV - (CL)
          SETCDAUT - (PNLGRP)

=======================   D380F1603A  ================================

Internal  Some defects from 3.7 were never synched into 3.8
IC91866 CDSND fails with a RACF error but retries the connection;
           the command should not retry a security failure.
Solution: Corrected the logic so that it does not continue if the error was found.
Object: SDIP_TCPIP - SMMAIN (PGM)
IC92491 MCH3601 error from module SDIP_TCPIP
            from procedure tcp_read_header.
Solution: Added additional logic checking for readv().
Object: SDIP_TCPIP - SMMAIN (PGM)
IC94325  Using I5OS in netmap with CDRCV gives a message
            'Error detected in prompt override program command string'
Solution: Corrected logic checking.
Object:  GETENVIRN - CDRCV (PGM)

=======================   D380F1604A  ================================

ENHANCEMENT
          Full support of Connect Direct in an iASP.
Solution: Two new commands have been created to provide full support of
          Connect Direct in an iASP.  UPDCDIASP will update your Connect
          Direct system when you have manually moved your system to an
          iASP.  SETCDIASP will move your Connect Direct system to an
          iASP.  Review the word documents to determine which command
          should be run to add full support of an iASP to your Connect
          Direct system.
Object:   SETCDIASP UPDCDIASP - (CMD)
          SETCDIASP STRCD UNINSTALLM UPDATECD UPDCDIASP STRCD - (CL)
          PMGR - (PGM)
          SETCDIASP UPDCDIASP - (PNLGRP)

=======================   D380F1604B  ================================

IT14898   Secure Plus Protocol Flags not behaving as expected.
Solution: Made the Secure Plus work more consistently with the new
          versions of C:D Unix and C:D Windows
Object:   SDIP_TCPIP - SMMAIN (PGM) CDSSLGSK - SMMAIN (PGM)

=======================   D380F1605A  ================================

IT15127   Receiving error ASMT015I - Unable to establish the specified
          security environment when a multi-process is submitted with
          2 different user id's.
Solution: Ended the RMTSYSTEM job at the end of each process, allowing
          the new process to start with current credentials.
Object:   SMPROC - SMMAIN (PGM)

=======================   D380F1607A  ================================

IT16155   When sending a file from the IFS file system and compression
          was turned on, the file was not being compressed and the
          resulting file was larger than the original file.
Solution: Corrected the compression logic.
Object:   SMCOPY - SMMAIN (PGM)

=======================   D380F1608A  ================================

IT16725   During a Secure+ session on a C:D server, the snode will on
          occasion hang.  This is because of the combination of the buffer
          size and file size.  When there is only 1 byte left to decrypt, the
          program assumes the BEAST remediation virus code is in place and
          attempts to decrypt the remaining data when there is none.  This
          causes the snode to hang.
Solution: Verify there is more data to be decrypted before performing the 
          decrypt function again.
Object:   CDSSLGSK - SMMAIN (PGM)

=======================   D380F1612A  ================================

IT18334   Source members were missing from the CDXTSOURCE file.  Also
          corrected some help text for the CDRUNTASK command.
Solution: Added the source members back to the CDXTSOURCE file.
Object:   CDXTSOURCE - (FILE)
          NDMGENERAL - (PNLGRP)

=======================   D380F1701A  ================================

IT18859   When CHGCDPARM was run directly from a command line, some of
          the INITPARMS were removed.
Solution: Force CHGCDPARM to be run from the menu system in Connect:Direct.
Object:   CHGCDPARM  - (COMMAND)

=======================   D380F1703A  ================================

IT19548   Blocking had been removed, causing a slowdown when large files
          with small record lengths were being transmitted.
Solution: Added blocking back.
Object:   SMFILE - SMMAIN (PGM)   
          SMCOPY - SMMAIN (PGM)                                               

=======================   D380F1704A  ================================

ENHANCEMENT
          Added Max Global Concurrent Session parameter to the
          Connect:Direct Parameters (INITPARMS).
Solution: This new parameter controls the total number of incoming and
          outgoing sessions that you can have running simultaneously as
          defined in your Connect:Direct contract agreement.
          When this fix is loaded, it will populate this new field with
          the value that resides in the Maximum synchronous sessions
          field.  If this is not the value defined in your contract
          agreement, you will need to modify this new value through
          the Change C:D parms (CHGCDPARM) panel - Option 1 from the
          Connect:Direct Administration menu.
Object:   CNVCDPARM CHGCDPARM - (CMD)
          CHGCDPARM EDITCHG - (CL)
          CNVCDPARM GETCDPARM INITPARMS PMGR WRKSTSC - (PGM)
          CHGCDPARM NDMGENERAL WRKCDSTS - (PNLGRP)

=======================   D380F1706A  ================================

IT21110   When adding a new entry in SPADMIN by using the F6 key, the
          node name was created as blanks.
Solution: Created the new record with the node name entered.
Object:   SPADMIN2 - SPADMIN(PGM)

=======================   D380F1707A  ================================

IT20960   Added a condition on CDCOMP command to check if the input file
          is a save file since compression is not allowed for save files.
Solution: Added condition to check file type.
Object:   EDITCOMP - (PGM)

=======================   D380F1709A  ================================

IT21585   When two PNODES initiated file transfers with the same process
          numbers, submitter IDs and similar node names, the SNODE reports
          errors ACDU001I and ACDU010I.
Solution: Modified creation of process storage name and FMH72 sent from
          the PNODE to carry TDSB bits as well.
Object:   SMPROC - SMMAIN (PGM)

=======================   D380F1712A  ================================

Internal  Secure+ changes done for 3.8 release modified three structures
          corresponding to three statistics events. This was leading to
          truncated values in Control Center reports.
Solution: Modified the size of KQV_MERGE_PROTOC and merge_protoc to 12 bytes
          from the existing 8. This is done for SMSTST and SMSTTM events.
Object:   STATEVENT - STATMGR (PGM)

Internal  When the instance of C:D is a GA version, the version
          information is blank. This will produce a version to be displayed
          as Connect:Direct 3.8.00 PTF 0000  The extra space between the
          Direct and with is the empty version.
Solution: Modified the program to insert the GA version information in the
          first portion of the message to replace the ' ' that is currently
          showing up.
Object:   CDVER - (CL)

=======================   D380F1802A  ================================

Internal  On the Secure+ Admin screen, "Default to local node" does not retain
          its value. When set to 'Y' the LCLNODE ciphers are not copied and
          an empty list is duplicated.
Solution: Resolved this problem by using the ciphers of local node to copy
          on the current node. To avoid the duplication of cipher list,
          used the API to delete list after cipher selection is done. We
          used a member in relevant structure to keep 'default to local'
          so the value will persist per node.
Object:   SPADMIN2 - SPADMIN(PGM)

=======================   D380F1804A  ================================

 IT24685    In a Secure+ transfer from SI to i5, i5 (Snode) sends the first
            FMH70 with the max buffer value, i.e. 65535. The SI side has its
            buffer set to 32K (which is too high for i5 in the case of a secure
            transfer). So i5 gets the FMH70 back with 32K as the buffer size
            because it will negotiate down to the smaller size, and the
            transfer fails because the maximum buffer size for i5 in the case
            of Secure+ is 16K.
 Solution:  Introduced a check to ensure that the RUSZ in first FMH70
            should always be set to 16K when Secure+ is enabled and buffer
            size in netmap is greater than 16K. No change in case of Non
            secure transfer, buffer size will be negotiated as per entry in
            the netmap.
 Object:    SMPROC - SMMAIN (PGM)

=======================   D380F1805A  ================================

 IT24986    After successful completion of a RUNTASK the correct 
            message text was not displayed in the traces. Instead of the
            expected message the traces printed an error message
            "Message "ID" Not found in Message File"
 Solution:  Removed the extra erroneous "INSERT" and "DELETE" lines in the
            text file msgsrc_seq.txt. After building the CD library again
            the corruption in NDMMESSAGE file got resolved.
 Object:    NDMMESSAGE (FILE)

=======================   D380F1809A  ================================

 IT26101    Normal end disposition and abnormal end disposition are not
            applicable for Sterling Connect:Direct for i5/OS.
 Solution:  These options are now hidden in the From Disposition (FDISP)
            parameter of the CDSND and CDRCV commands. The default value is
            now displayed as NONE. Help panels are updated to display the
            correct information, which can be accessed by using the F1 key.
 Object:    CDSND - (CMD, CL)
            CDRCV - (CMD, CL)

=======================   D380F1905A  ================================

IT29098     Error observed when trying to add user by ADDCDUSR or
            WRKCDUSR command - "Open of member CDUSER was changed
            to SEQONLY(*NO)"
Solution:   The maximum number of users which can be added in the CDUSER
            file was limited to 4000. However the CDUSER file is capable of
            holding 10000 records. Modified the limit and increased it to
            allow 10000 users.
Object:     WRKUSRC2 - WRKCDUSR (PGM)

=======================   D380F1907A  ================================

IT29717     When CDU server is the Snode doing server authentication
            with a CD i5 Pnode and the CDU server's certificate exceeds
            the 16,000B buffer limit required by CD i5 - It leads
            to failure of SSL handshake because CD i5 truncates the CDU's
            certificate before passing it to the GSKit.
Solution:   The buffer limitation of 16,000B on CD i5 is too small. It has
            been increased to allow for the very largest TLS message plus
            its header.
Object:     RMTSYSTEM - RMTSYSTEM (PGM)

=======================   D380F1910A  ================================

IT30642     Secure+ parameter "Auth. Time Out", can be defined in both the
            *LCLNODE and in a Remote Node. If in the *LCLNODE you have set
            "Override Security:Y" then the value of "Auth. Time Out" should
            come from the Remote Node entry. This is not happening.
Solution:   The Secure+ parameter "Auth. Time Out" was not being honoured in
            the Remote Node. This fix allows the remote node time out value to
            be used in case Override Security:Y is set in LCLNODE.
Object:     SMPROC - SMMAIN (PGM)

=======================   D380F2002A  ================================

IT31998     When sending a file with 287 fields and parameter SNDFFD(*YES)
            set in the FMSYSOPTS then the transfer fails and proper error
            message is not printed.
Solution:   The FFD size in copy block has been raised to 16K from earlier
            12K and an error message AFLH090I has been created to print the
            cause of failure in case FFD exceeds maximum allowed.
Object:     SMCOPY - SMMAIN (PGM)

=======================   D380F2002B  ================================

IT32014     User Space objects were not getting deleted in the cdcleanup job
            run, since the size of the user space to keep the list was small.
            It was not able to keep all the entries returned by the QUSLOBJ API.
Solution:   The user space size was 65 kb. This size has been increased
            to maximum size of 16 Mb for user space.
Object:     CDCKPTDAYS - CDCKPTDAYS (PGM)

=======================   D380F2005A  ================================

IT32845    With TLS1.3 available and enabled, a loopback test fails with
           SNODE timing-out.
           CD does not currently support TLS1.3
Solution:  TLS1.3 is disabled in Secure+ until supported.
Object:    CDSSLGSK

=======================   C38022006A  =================================

IT33308    For IFS, CD does not use the SPOE user profile or the SNODEID
           for receiving the files, thus the ownership of the files received
           is always CDADMIN. Also, the permission of the files received
           is always *RWXRWXRWX irrespective of the parent directory's
           permission. Currently, CD does not use inherited authority on new
           files.
Solution:  Whenever a new file transfer request is received, SMGR will now
           be run under the SPOE user profile or the SNODEID in the received
           process, so that the new files created on CD i5 have the ownership
           of the SPOE or SNODEID. Also, a new parameter "Set Private Authority"
           has been introduced which enables/disables CD i5 handling of the
           inherited authority on the new files created in a directory on IFS.
           By default, this parameter is set to "*NO", meaning CD i5 will
           not handle inherited authority.
Object:    CHGCDPARM EDITCHG - (CL)
           CHGCDPARM - (CMD)
           CHGCDPARM  - (PNLGRP)
           GETCDPARM INITPARMS PMGR WRKSTSC SMPROC STRMIO - (PGM)

IT33274    The CDTCPL job gets an EAGAIN errno on the socket accept() call and enters
           a retry/restart socket mode but fails to bind() on the newly created socket.
           After some retries, the job terminates with a forced sigterm and is restarted by CDPMGR.
Solution:  The socket accept() call better manages the EAGAIN error and does not fail as before.
Object:    CDTCPL

=======================   C38022008A  =================================

IT33861     The size of the user space to be created had the wrong value of
            16,776,704 bytes.
Solution:   The size of user space is now corrected for optimum alignment with 
            value 16,773,120 bytes.
Object:     CDCKPTDAYS - CDCKPTDAYS (PGM)

=======================   C38022009A  =================================

IT34272     TLS1.0 ciphers are enabled whether TLS1.0 is selected or not in Secure+.
            TLS1.0 ciphers are sent in the Client Hello in addition to the Secure+ selected ciphers.
            A wrong cipher may be selected by the server.
Solution:   TLS1.0 is only enabled when selected. 
Object:     SMMAIN (PGM)

=======================   C38032010A  =================================
            Version 3.8.03

            Secure+ Enhancements:
                -   Support for TLS 1.3
                -   Support for ECDHE cipher suites
                -   Support for selecting secure protocols individually
                -   Enhanced Secure+ logging in the CDSMGR CDLOG
                -   The default protocol of a new node is now TLS 1.2
                -   Support for security modes

            About TLS1.3 support:

            TLS1.3 is available on OS Level 7.3 and up with appropriate OS fixes applied:
            7.3: see https://www.ibm.com/support/pages/node/687743
            7.4: see https://www.ibm.com/support/pages/node/1071614

            Without TLS1.3 installed, Secure+ will disable TLS1.3 support.
					
            Available and configurable Ciphers:
            
            SSL V3 000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
                   0005 TLS_RSA_WITH_RC4_128_SHA
                   0004 TLS_RSA_WITH_RC4_128_MD5
                   0009 TLS_RSA_WITH_DES_CBC_SHA
                   0002 TLS_RSA_WITH_NULL_SHA
                   0001 TLS_RSA_WITH_NULL_MD5
                
            TLS1.0 002F TLS_RSA_WITH_AES_128_CBC_SHA
                   0035 TLS_RSA_WITH_AES_256_CBC_SHA
                   000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
                   0002 TLS_RSA_WITH_NULL_SHA
                   
            TLS1.1 002F TLS_RSA_WITH_AES_128_CBC_SHA
                   0035 TLS_RSA_WITH_AES_256_CBC_SHA
                   000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
                   0002 TLS_RSA_WITH_NULL_SHA
                   
            TLS1.2 C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                   C030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                   CCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
                   CCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
                   C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                   C02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                   009C TLS_RSA_WITH_AES_128_GCM_SHA256
                   009D TLS_RSA_WITH_AES_256_GCM_SHA384
                   003C TLS_RSA_WITH_AES_128_CBC_SHA256
                   003D TLS_RSA_WITH_AES_256_CBC_SHA256
                   002F TLS_RSA_WITH_AES_128_CBC_SHA
                   0035 TLS_RSA_WITH_AES_256_CBC_SHA
                   C027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
                   C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
                   C023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
                   C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
                   000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
                   C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
                   C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
                   
            TLS1.3 1301 TLS_AES_128_GCM_SHA256
                   1302 TLS_AES_256_GCM_SHA384
                   1303 TLS_CHACHA20_POLY1305_SHA256
                    
            Available Security Modes:
            
            FIPS 140-2: Enables all of the necessary settings to operate in
                        FIPS-compliant mode. This setting tracks relevant standards and may
                        change if the relevant standards change.

            SP800 131A: Enables all of the necessary settings to operate in SP800-131a mode.
                        This setting tracks relevant standards and may change if the relevant
                        standards change.

            SUITEB 128BIT: Enables all of the necessary secure operation settings so SSL/TLS
                        will operate in the 128-bit security level of TLS Suite B Profile
                        mode as per RFC 6460.

            SUITEB 192BIT: Enables all of the necessary secure operation settings so SSL/TLS
                        will operate in the 192-bit security level of TLS Suite B Profile
                        mode as per RFC 6460.

            Vaccinate : Enables all of the recommended settings and tracks security
                        vulnerability issues, allowing the application to remain secure.

                        Currently, vaccinate sets the following:

                        SSLV2HELLO_ENABLE       OFF
                        PROTOCOL_SSLV2          OFF
                        PROTOCOL_SSLV3          OFF
                        PROTOCOL_TLSV12         ON
                        PROTOCOL_TLSV13         ON
                        FIPS_MODE_PROCESSING    ON
                        SSL_EXTN_SIGALG         ECDSA_WITH_SHA512,
                                                ECDSA_WITH_SHA384,
                                                ECDSA_WITH_SHA256,
                                                RSA_WITH_SHA512,
                                                RSA_WITH_SHA384,
                                                RSA_WITH_SHA256
                        
            When a security mode is enabled it is also mandatory to select the secure
            protocols S+ will enable.

            Depending on the selected security mode, some selected secure protocols will
            be disabled by S+ when a secure session is initialized.

            The following secure protocols will be forcibly disabled if selected:

            For FIPS 140-2:     SSLV3
            For SP800 131A:     SSLV3, TLSV1.0, TLSV1.1
            For SUITEB 128BIT:  all but TLSV1.2
            For SUITEB 192BIT:  all but TLSV1.2
            For Vaccinate:      all but TLSV1.2 & TLSV1.3

            The intersection between the selected protocols and the protocols available for a
            particular security mode may result in an empty protocol list. In that case the
            secure session will fail.

            On the other hand, if a security mode is selected and only a subset of the allowed
            protocols is selected, the security mode will execute with only this subset.
            For example, Vaccinate + TLSV1.3: Vaccinate mode will run with only TLSV1.3 enabled.
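
The security-mode rules above can be checked against a node inventory before a rollout. The following is an added example, not Connect:Direct code: the node names, function names and the use of None for "no security mode" are assumptions, and the forced-off table is copied from these notes.

```python
# Added example: which Secure+ protocols survive a security mode, per these notes.
ALL_PROTOCOLS = ("SSLV3", "TLSV1.0", "TLSV1.1", "TLSV1.2", "TLSV1.3")

# Protocols each security mode forcibly disables if selected (table above).
# None = no security mode selected (assumption made for this example).
FORCED_OFF = {
    None: set(),
    "FIPS 140-2": {"SSLV3"},
    "SP800 131A": {"SSLV3", "TLSV1.0", "TLSV1.1"},
    "SUITEB 128BIT": set(ALL_PROTOCOLS) - {"TLSV1.2"},
    "SUITEB 192BIT": set(ALL_PROTOCOLS) - {"TLSV1.2"},
    "Vaccinate": set(ALL_PROTOCOLS) - {"TLSV1.2", "TLSV1.3"},
}


def effective_protocols(mode, selected, tls13_installed=True):
    """Return (enabled, dropped) protocol lists for one node definition."""
    if mode not in FORCED_OFF:
        raise ValueError(f"unknown security mode: {mode!r}")
    unknown = set(selected) - set(ALL_PROTOCOLS)
    if unknown:
        raise ValueError(f"unknown protocol(s): {sorted(unknown)}")
    off = set(FORCED_OFF[mode])
    if not tls13_installed:
        # "Without TLS1.3 installed, Secure+ will disable TLS1.3 support."
        off.add("TLSV1.3")
    enabled = [p for p in ALL_PROTOCOLS if p in selected and p not in off]
    dropped = [p for p in ALL_PROTOCOLS if p in selected and p in off]
    return enabled, dropped


def audit(nodes, tls13_installed=True):
    """Flag nodes whose secure sessions will fail or run on a reduced set."""
    findings = []
    for name, (mode, selected) in nodes.items():
        enabled, dropped = effective_protocols(mode, selected, tls13_installed)
        if not enabled:
            findings.append((name, "FAIL",
                             "empty protocol list; secure session will fail"))
        elif dropped:
            findings.append((name, "WARN",
                             f"runs with {enabled}; disabled by mode: {dropped}"))
    return findings


# Constructed sample inventory: node name -> (security mode, selected protocols).
SAMPLE_NODES = {
    "NODE.A": ("Vaccinate", ["TLSV1.3"]),
    "NODE.B": ("SP800 131A", ["TLSV1.0", "TLSV1.1"]),
    "NODE.C": ("FIPS 140-2", ["SSLV3", "TLSV1.2"]),
    "NODE.D": (None, ["TLSV1.2"]),
}

if __name__ == "__main__":
    for os_has_tls13 in (True, False):
        print(f"TLS1.3 installed on the OS: {os_has_tls13}")
        for name, level, detail in audit(SAMPLE_NODES, os_has_tls13):
            print(f"  {level} {name}: {detail}")
```

Running the audit a second time with tls13_installed=False shows that a node limited to Vaccinate + TLSV1.3 ends up with an empty list on a system without the TLS1.3 OS fixes.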
            
            Note on CDJOBD: Job description is changed to allow multithreading as CDSMGR requires it.
            CRTCDOBJ, SETCDIASP and UPDATECD commands set CDJOBD with this new required parameter.
            
            Note on SPNTMP file: This file is converted to a new format to handle secure+ additions.
                       
=======================   C38032104A  =================================

IT36603     When the handshake process was redesigned to support TLS1.3, one previous fix was lost.
            APAR IT29717 was not ported back to version 3.8.0.3 PTF C38032010A.
            Some handshakes can fail if the message size is too small.
Solution:   Port back APAR IT29717.
Object:     SMMAIN (PGM)