IBM Mainframe Forum

I need a routine that, given a record, will calculate a unique hash total. Something that works like this: -
CALL 'CHKSUM' USING Recordarea, RecordLength, Checksum.

The returned Checksum would probably be 32 characters representing a 16 byte hex value.

This is needed so that I can pass the checksum to/from a web service client, and then use it to check whether the record to be updated has been changed (e.g. by another user) since it was originally read.

When you're programming an update in a classical CICS program you need to ensure that the record doesn't change from the time you read it to the time that the user responds to the update screen with the new values, yet you don't want to hold a lock for all this time as excessive locking can bring the CICS system to a halt. The standard approach is to save a copy of the original record in COMMAREA, and then when the update is received this saved copy is compared with the recently read (with lock) copy. In the rare situation where it has changed the update is abandoned with a message asking the user to re-apply the changes.

Web services are completely stateless and you can't use COMMAREA in this way. Instead you have to pass any "State variables" in the messages being sent between the mainframe and the client. Since this makes such data potentially visible to the client, you need either an encrypted copy of the record or an encrypted hash of some kind. One wouldn't want to program such a hash calculation in COBOL, but such a routine must already exist within ZOS as it is a key requirement to allow web services to update VSAM (etc) records, so I'd be very grateful if somebody would point me at the documentation showing me how to use it.

The Redbook Implementing CICS Web Services, SG24-7206, has a chapter on security and a section on hashes. I didn't look at the details but if you haven't read it, I'd start there. If the Redbook doesn't have what you need, you may have to code your own (or get DFHCOMMAREA out of the picture by using a TS queue or a container if applicable).

I'd been through several Redbooks including the one that you referenced, and I'd also investigated using a TS queue, before I posted to this forum.

If you use a TS queue then the web service is no longer stateless, and even when I tried a test in which I had a fixed TS Queue name (obviously not viable for a real situation) I couldn't make it work because the 2nd request/response didn't pick up the TS Q from the first. So any state information has to be passed through a container, which can only be passed to the right part of the conversation through a round trip to the client. Hence one needs something encrypted that can be transmitted directly to/from the client, but can't be changed by the client without invalidating the transaction. Checksum hashes are ideal for this.

Redbook SG24-7207 gives good explanations of how hashing, message digests, and RSA encryption work, and the mention of "numbers assigned to the cipher suites supported by Cryptographic
Services System SSL or Cryptographic Services Security Level 3, or both, in z/OS V1.4." clearly tells me that the facilities that I want exist somewhere in z/OS. However there is no mention of how I can access these from a COBOL program. If not in SG24-7207, then perhaps Redbook "Application Development for CICS Web Services, SG24-7126-01 could help? There is no mention of 'Encryption" or "Hash" or "Checksum" or "Message digest" in its index, so I guess not. In general, while the Redbooks are adequate on web service requesting they are very weak on web service providers and I can't find a single example of a web service provider that updates a record.