Oct 31th 2020
Dear Connect:Direct for i5/OS customer,
Enclosed please find a CD containing the latest cumulative maintenance
for Connect:Direct for i5/OS 3.8.03
Please call IBM for details on IBM APARs.
Cumulative Maintenance Contents: 2104A
----------------------------------------------
All the modified objects which are addressed by following issues.
======================= D380F1503A ================================
APAR
IT06028 Process is not running using permanent session managers.
Solution: Put a counter in to allow 15 processes to run, then start a
new session manager, working on a more permanent fix.
Object: PMGR - PMGR (PGM)
IT07472 Error CSPA081E-Unable to initialize workspace, after upgrading
to 3.8, remote netmap was not in SPADMIN.
Solution: Put back in logic to issue a warning
Object: SMMAIN - SMMAIN (PGM)
IC99154 If the SNODEID JOBD has more then 52 libraries in their
list we receive an error CPF9999
Solution: Increase variables to allow for larger library lists.
Object: XRTVUSRL - RMTSYSTEM (PGM)
IT07616 Long delay on DNS lookup as the DNS server is not responding
to a IPv6 request.
Solution: Change the getaddrinfo() call to use AI_ADDRCONFIG flag
Object: SDIP_TCPIP - SMMAIN (PGM)
IT08034 Can not send secure to SI/CDSA 5.2.4.0 getting CSPA203E error.
CDSA only supports SSL & TLS can not take TLS1.2 handshake.
Solution: Change SPADMIN to allow only one protocol to be entered.
Changed to toolkit to only turn on one protocol, not higher.
Object: SPADMIN2 - SPADMIN (PGM) CDSSLGSK - SMMAIN (PGM)
======================= D380F1506A ================================
APAR
IT09661 Added fix from 3.7:
IC94327 A MBCS transfer using codepage(284, 1208) is successful
but there is some garbage in the destination file
Solution: Clean up the use of some of the internal variables used for
iconv() that were causing errors on new i5/OS releases.
Object: SMCOPY - SMMAIN (PGM)
======================= D380F1507A ================================
IT08726 z/OS Sending a binary file to i5 IFS will end with
error ACOP009I if source file length greater then 32754
Solution: Remove logic on record length change for IFS files.
Object: SMFILE - SMMAIN (PGM)
======================= D380F1508A ================================
IT10851 During a Secure+ session a C:D server may create multiple SSL
records when encrypting a buffer for transmission. If the
remote node cannot handle multiple records, the session fails.
Solution: Decrypt the data a second time if only 1 byte was decrypted during
the first attempt.
Object: CDSSLGSK - SMMAIN (PGM)
======================= D380F1510A ================================
IT11651 CDSMGR hangs - joblog shows The pointer parameter
passed to free or realloc is not valid.
Solution: Removed logic that was causing the error.
Object: SMPROC - SMMAIN (PGM)
======================= D380F1511A ================================
IT12308 >>>> Message "ID" Not found was displaying instead of the
proper message text.
Solution: Corrected the corrupt message file.
Object: NDMMESSAGE - (FILE)
======================= D380F1601A ================================
Internal: Any user can access the SPADMIN (Secure+ Admin Utility) panel.
Solution: Corrected the program to only allow those users with
administrative authority to access this panel.
Object: SPADMIN - (PGM)
Internal: C2M3003 - Data was truncated on an input, output or update
operation was appear in the joblog for each record read when
running SPADMIN.
Solution: Corrected the program so the messages no longer appear in the
joblog.
Object: SPADMIN - (PGM)
======================= D380F1601B ================================
IT13286 Ending a 5250 session abnormally makes the interactive job
generate a huge number of spool files while running SPADMIN.
Solution: End the program with minimal errors when the 5250 session is
ended abnormally.
Object: SPADMIN2 - (PGM)
======================= D380F1602A ================================
IT13235 The Translation table cannot tranlate some traditional Chinese
characters.
Solution: Opened the rules to include hex value x'FB' through x'FE'
Object: CRTCDXTC - CRTCDXTC (PGM)
======================= D380F1602B ================================
ENHANCEMENT
*PUBLIC authority needs to be set to *EXCLUDE on all objects
in the Connect:Direct library.
Solution: A new command can be run that will modify the authority on all
Connect:Direct objects. The Connect:Direct Administrator will
become the owner, *PUBLIC will be set to *EXCLUDE and a specified
group profile (ibm i user id of choice) will be granted *USE
access.
Object: SETCDAUT - (CMD)
SETCDAUT SETCDAUTV - (CL)
SETCDAUT - (PNLGRP)
======================= D380F1603A ================================
Internal Some defects from 3.7 were never synched into 3.8
IC91866 CDSND fails with RACF error but retries the connection
the command should not retry a security failure.
Solution: Corrected logic if error was found not to continue.
Object: SDIP_TCPIP - SMMAIN (PGM)
IC92491 MCH3601 error from module SDIP_TCPIP
from procedure tcp_read_header.
Solution: Added additional logic checking for readv().
Object: SDIP_TCPIP - SMMAIN (PGM)
IC94325 Using I5OS in netmap with CDRCV gives a message
'Error detected in prompt override program command string'
Solution: Correct logic checking.
Object: GETENVIRN - CDRCV (PGM)
======================= D380F1604A ================================
ENHANCEMENT
Full support of Connect Direct in an iASP.
Solution: Two new commands have been created to provide full support of
Connect Direct in an iASP. UPDCDIASP will update your Connect
Direct system when you have manually moved your system to an
iASP. SETCDIASP will move your Connect Direct system to an
iASP. Review the word documents to determine which command
should be run to add full support of an iASP to your Connect
Direct system.
Object: SETCDIASP UPDCDIASP - (CMD)
SETCDIASP STRCD UNINSTALLM UPDATECD UPDCDIASP STRCD - (CL)
PMGR - (PGM)
SETCDIASP UPDCDIASP - (PNLGRP)
======================= D380F1604B ================================
IT14898 Secure Plus Protocol Flags not behaving as expected.
Solution: Made the Secure Plus work more consistently with the new
versions of C:D Unix and C:D Windows
Object: SDIP_TCPIP - SMMAIN (PGM) CDSSLGSK - SMMAIN (PGM)
======================= D380F1605A ================================
IT15127 Receiving error ASMT015I - Unable to establish the specified
security environment when a multi-process is submitted with
2 different user id's.
Solution: Ended the RMTSYSTEM job at the end of each process allowing
to new process to start with current credentials.
Object: SMPROC - SMMAIN (PGM)
======================= D380F1607A ================================
IT16155 When sending a file from the IFS file system and compression
was turned on, the file was not being compressed and the
resulting file was larger than the original file.
Solution: Corrected the compression logic.
Object: SMCOPY - SMMAIN (PGM)
======================= D380F1608A ================================
IT16725 During a Secure+ session a C:D server the snode on occasions
will hang. This is because of the combination of the buffer size
and file size. When there is only 1 byte left to decrypt, the
program assumes the beast remediation virus code is in place and
attempts to decrypt the remaining data when there is none. This
causes the snode to hang.
Solution: Verify there is more data to be decrypted before performing the
decrypt function again.
Object: CDSSLGSK - SMMAIN (PGM)
======================= D380F1612A ================================
IT18334 Source members were missing from the CDXTSOURCE file. Also
corrected some help text for the CDRUNTASK command.
Solution: Added the source members back to the CDXTSOURCE file.
Object: CDXTSOURCE - (FILE)
NDMGENERAL - (PNLGRP)
======================= D380F1701A ================================
IT18859 When CHGCDPARM was run directly from a command line, some of
the INITPARMS were removed.
Solution: Force CHGCDPARM to be run from the menu system in Connect:Direct.
Object: CHGCDPARM - (COMMAND)
======================= D380F1703A ================================
IT19548 Blocking had been removed causing a slow down when large files
with small record lengths were being transmitted.
Solution: Added blocking back.
Object: SMFILE - SMMAIN (PGM)
SMCOPY - SMMAIN (PGM)
======================= D380F1704A ================================
ENHANCEMENT
Added Max Global Concurrent Session parameter to the
Connect:Direct Parameters (INITPARMS).
Solution: This new parameters controls the total number of incoming and
outgoing sessions that you can have running simultaneously as
defined in your Connect:Direct contract agreement.
When this fix is loaded, it will populate this new fields with
the value that resides in the Maximum synchronous sessions
field. If this is not the value defined in your contract
agreement, you will need to modify this new value through
the Change C:D parms (CHGCDPARM) panel - Option 1 from the
Connect:Direct Administration menu.
Object: CNVCDPARM CHGCDPARM - (CMD)
CHGCDPARM EDITCHG - (CL)
CNVCDPARM GETCDPARM INITPARMS PMGR WRKSTSC - (PGM)
CHGCDPARM NDMGENERAL WRKCDSTS - (PNLGRP)
======================= D380F1706A ================================
IT21110 When adding a new entry in SPADMIN by using the F6 key, the
node name was created as blanks.
Solution: Created the new record with the node name entered.
Object: SPADMIN2 - SPADMIN(PGM)
======================= D380F1707A ================================
IT20960 Added a condition on CDCOMP command to check if the input file
is a save file since compression is not allowed for save files.
Solution: Added condition to check file type.
Object: EDITCOMP - (PGM)
======================= D380F1709A ================================
IT21585 When two PNODES initiated file transfer with same process
numbers, submitter IDs and similar node names the SNODE reports
error ACDU001I and ACDU010I.
Solution: Modified creation of process storage name and FMH72 sent from
the PNODE to carry TDSB bits as well.
Object: SMPROC - SMMAIN (PGM)
======================= D380F1712A ================================
Internal Secure+ changes done for 3.8 release modified three structures
corresponding to three statistics events. This was leading to
truncated values in Control Center reports.
Solution: Modified the size of KQV_MERGE_PROTOC and merge_protoc to 12 byte
from the existing 8. This is done for SMSTST and SMSTTM events.
Object: STATEVENT - STATMGR (PGM)
Internal When the instance of C:D is a GA version, the version
information is blank. This will produce a version to be displayed
as Connect:Direct 3.8.00 PTF 0000 The extra space between the
Direct and with is the empty version.
Solution: Modified the program to insert the GA version information in the
first portion of the message to replace the ' ' that is currently
showing up.
Object: CDVER - (CL)
======================= D380F1802A ================================
Internal On Secure+ Admin screen Default to local node does not retain
its value. When set to 'Y' the LCLNODE ciphers are not copied and
empty list is duplicated.
Solution: Resolved this problem by using the ciphers of local node to copy
on the current node. To avoid the duplication of cipher list,
used the API to delete list after cipher selection is done. We
used a member in relevant structure to keep 'default to local'
so the value will persist per node.
Object: SPADMIN2 - SPADMIN(PGM)
======================= D380F1804A ================================
IT24685 In a secure+ transfer from SI to i5, i5(Snode) sends first
FMH70 with the max buffer value i.e 65535.The SI side has
buffer set to 32K(which is too high for i5 in case of secure
transfer). So i5 gets FMH70 back with 32K as the buffer size
because it will negotiate down to smaller size. And the
transfer gets failed as maximum buffer size for i5 in case
of secure+ is 16K.
Solution: Introduced a check to ensure that the RUSZ in first FMH70
should always be set to 16K when Secure+ is enabled and buffer
size in netmap is greater than 16K. No change in case of Non
secure transfer, buffer size will be negotiated as per entry in
the netmap.
Object: SMPROC - SMMAIN (PGM)
======================= D380F1805A ================================
IT24986 After successful completion of a RUNTASK the correct
message text was not displayed in the traces. Instead of the
expected message the traces printed an error message
"Message "ID" Not found in Message File"
Solution: Removed the extra erroneous "INSERT" and "DELETE" lines in the
text file msgsrc_seq.txt. After building the CD library again
the corruption in NDMMESSAGE file got resolved.
Object: NDMMESSAGE (FILE)
======================= D380F1809A ================================
IT26101 Normal end disposition and abnormal end disposition are not
applicable for Sterling Connect:Direct for i5/OS.
Solution: Hidden these options in From Disposition (FDISP) parameter
of the CDSND and CDRCV commands. The default value is now
displayed as NONE. Help panels are updated to display the
correct information which can be accssed by using F1 key.
Object: CDSND - (CMD, CL)
CDRCV - (CMD, CL)
======================= D380F1905A ================================
IT29098 Error observed when trying to add user by ADDCDUSR or
WRKCDUSR command - "Open of member CDUSER was changed
to SEQONLY(*NO)"
Solution: The maximum number of users which can be added in the CDUSER
file was limited to 4000. However the CDUSER file is capable of
holding 10000 records. Modified the limit and increased it to
allow 10000 users.
Object: WRKUSRC2 - WRKCDUSR (PGM)
======================= D380F1907A ================================
IT29717 When CDU server is the Snode doing server authentication
with a CD i5 Pnode and the CDU server's certificate exceeds
the 16,000B buffer limit required by CD i5 - It leads
to failure of SSL handshake because CD i5 truncates the CDU's
certificate before passing it to the GSKit.
Solution: The buffer limitation of 16,000B on CD i5 is too small. It has
been increased to allow for the very largest TLS message plus
its header.
Object: RMTSYSTEM - RMTSYSTEM (PGM)
======================= D380F1910A ================================
IT30642 Secure+ parameter "Auth. Time Out", can be defined in both the
*LCLNODE and in a Remote Node. If in the *LCLNODE you have set
"Override Security:Y" then the value of "Auth. Time Out" should
come from the Remote Node entry. This is not happening.
Solution: Secure+ parameter "Auth. Time Out" not being honoured in Remote
Node. This fix allows remote node time out value in case
Override Security:Y in LCLNODE.
Object: SMPROC - SMMAIN (PGM)
======================= D380F2002A ================================
IT31998 When sending a file with 287 fields and parameter SNDFFD(*YES)
set in the FMSYSOPTS then the transfer fails and proper error
message is not printed.
Solution: The FFD size in copy block has been raised to 16K from earlier
12K and an error message AFLH090I has been created to print the
cause of failure in case FFD exceeds maximum allowed.
Object: SMCOPY - SMMAIN (PGM)
======================= D380F2002B ================================
IT32014 User Space objects not getting deleted in cdcleanup job run.
Since size of user space to keep the list was small. It was not
able to keep all the entries returned by QUSLOBJ API.
Solution: The user space size was 65 kb. This size has been increased
to maximum size of 16 Mb for user space.
Object: CDCKPTDAYS - CDCKPTDAYS (PGM)
======================= D380F2005A ================================
IT32845 With TLS1.3 available and enabled, a loopback test fails with
SNODE timing-out.
CD does not currently support TLS1.3
Solution: TLS1.3 is disabled in Secure+ until supported.
Object: CDSSLGSK
======================= C38022006A =================================
IT33308 For IFS, CD does not use the SPOE user profile or the SNODEID
for receiving the files thus the ownership of the files received
is always CDADMIN. Also, the permission of the files received
is always *RWXRWXRWX irrespective of the its parent directory
permission. Currently, CD does not use inherited authority on new
files.
Solution: Whenever new file transfer request is received, SMGR would now
be run under the SPOE user profile or the SNODEID in the received
process. So that the new files created on Cd i5 has the ownership
of the SPOE or SNODEID. Also, new parameter "Set Private Authority"
has been introduced which would enable/disable CD i5 to handle the
inherited authority on the new files created in directory on IFS.
By default, this parameter would be set as "*NO" meaning CD i5 would
not handle inherited authority.
Object: CHGCDPARM EDITCHG - (CL)
CHGCDPARM - (CMD)
CHGCDPARM - (PNLGRP)
GETCDPARM INITPARMS PMGR WRKSTSC SMPROC STRMIO - (PGM)
IT33274 CDTCPL job gets an EAGAIN errno on socket accept() call and enter in
a retry/restart socket mode but fails to bind() on the new created socket.
After some retries, job terminates with a forced sigterm and is restarted by CDPMGR.
Solution: Socket accept() call better manages EAGAIN error and does not fail as before.
Object: CDTCPL
======================= C38022008A =================================
IT33861 The size of user space to be created was having wrong value of
16,776,704 bytes.
Solution: The size of user space is now corrected for optimum alignment with
value 16,773,120 bytes.
Object: CDCKPTDAYS - CDCKPTDAYS (PGM)
======================= C38022009A =================================
IT34272 TLS1.0 ciphers are enabled whatever TLS1.0 is selected or not in Secure+.
TLS1.0 ciphers are sent on Client Hello in addition to Secure+ selected ciphers.
A wrong cipher may be selected by server.
Solution: TLS1.0 is only enabled when selected.
Object: SMMAIN (PGM)
======================= C38032010A =================================
Version 3.8.03
Secure+ Enhancements:
- Support for TLS 1.3
- Support for ECHDE cipher suites
- Support for selecting secure protocols individually
- Enhanced Secure+ logging in the CDSMGR CDLOG
- The default protocol of a new node is now TLS 1.2
- Support for security modes
About TLS1.3 support:
TLS1.3 is available on OS Level 7.3 and up with appropriate OS fixes applied:
7.3: see https://www.ibm.com/support/pages/node/687743
7.4: see https://www.ibm.com/support/pages/node/1071614
Without TLS1.3 installed, Secure+ will disable TLS1.3 support.
Available and configurable Ciphers:
SSL V3 000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
0005 TLS_RSA_WITH_RC4_128_SHA
0004 TLS_RSA_WITH_RC4_128_MD5
0009 TLS_RSA_WITH_DES_CBC_SHA
0002 TLS_RSA_WITH_NULL_SHA
0001 TLS_RSA_WITH_NULL_MD5
TLS1.0 002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
0002 TLS_RSA_WITH_NULL_SHA
TLS1.1 002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
0002 TLS_RSA_WITH_NULL_SHA
TLS1.2 C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
CCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
CCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
009C TLS_RSA_WITH_AES_128_GCM_SHA256
009D TLS_RSA_WITH_AES_256_GCM_SHA384
003C TLS_RSA_WITH_AES_128_CBC_SHA256
003D TLS_RSA_WITH_AES_256_CBC_SHA256
002F TLS_RSA_WITH_AES_128_CBC_SHA
0035 TLS_RSA_WITH_AES_256_CBC_SHA
C027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
C028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
C023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
C024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
000A TLS_RSA_WITH_3DES_EDE_CBC_SHA
C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS1.3 1301 TLS_AES_128_GCM_SHA256
1302 TLS_AES_256_GCM_SHA384
1303 TLS_CHACHA20_POLY1305_SHA256
Available Security Modes:
FIPS 140-2: Enables all of the necessary settings to operate in
FIPS-compliant mode. This setting tracks relevant standards and may
change if the relevant standards change.
SP800 131A: Enables all of the necessary settings to operate in SP800-131a mode.
This setting tracks relevant standards and may change if the relevant
standards change.
SUITEB 128BIT: Enables all of the necessary secure operation settings so SSL/TLS
will operate in the 128-bit security level of TLS Suite B Profile
mode as per RFC 6460.
SUITEB 192BIT: Enables all of the necessary secure operation settings so SSL/TLS
will operate in the 192-bit security level of TLS Suite B Profile
mode as per RFC 6460.
Vaccinate : Enables all of the recommended settings and tracks security
vulnerability issues, allowing the application to remain secure.
Currently, vaccinate sets the following:
SSLV2HELLO_ENABLE OFF
PROTOCOL_SSLV2 OFF
PROTOCOL_SSLV3 OFF
PROTOCOL_TLSV12 ON
PROTOCOL_TLSV13 ON
FIPS_MODE_PROCESSING ON
SSL_EXTN_SIGALG ECDSA_WITH_SHA512,
ECDSA_WITH_SHA384,
ECDSA_WITH_SHA256,
RSA_WITH_SHA512,
RSA_WITH_SHA384,
RSA_WITH_SHA256
When a security mode is enabled it is also mandatory to select the secure
protocols S+ will enable.
Depending on the selected security mode, some selected secure protocols will
be disabled by S+ when a secure session is initialized.
The following secure protocols will be forced to disabled if selected:
For FIPS 140-2: SSLV3
For SP800 131A: SSLV3, TLSV1.0, TLSV1.1
For SUITEB 128BIT: all but TLSV1.2
For SUITEB 192BIT: all but TLSV1.2
For Vaccinate: all but TLSV1.2 & TLSV1.3
Intersection between selected protocols and available protocols for a particular
security mode may result in an empty protocol list. Secure session will fail.
On the other hand, if a security mode is selected and a subset of the allowed
protocols are selected, this security protocol will execute with only this subset.
For example, Vaccinate + TLSV1.3: Vaccinate mode will run with only TLSV1.3 enabled.
Note on CDJOBD: Job description is changed to allow multithreading as CDSMGR requires it.
CRTCDOBJ, SETCDIASP and UPDATECD commands set CDJOBD with this new required parameter.
Note on SPNTMP file: This file is converted to a new format to handle secure+ additions.
======================= C38032104A =================================
IT36603 When handshake process was redesigned to support TLS1.3, one previous fix was lost.
APAR IT29717 was not ported back to version 3.8.0.3 PTF C38032010A.
Some handshake can fail if message size is too small.
Solution: Port back APAR IT29717.
Object: SMMAIN (PGM)