INFO APAR FOR Z/VM SSL SERVER DOCUMENTATION UPDATES
APAR Identifier ...... II14790 Last Changed ........ 15/06/12
INFO APAR FOR Z/VM SSL SERVER DOCUMENTATION UPDATES
Symptom ...... IN INCORROUT Status ........... INTRAN
Severity ................... 4 Date Closed .........
Component .......... INFODNLIB Duplicate of ........
Reported Release ......... 001 Fixed Release ............
Component Name DN LIB INFO ITE Special Notice
Current Target Date .. Flags
SCP ...................
Platform ............
Status Detail: Not Available
PE PTF List:
PTF List:
Parent APAR:
Child APAR list:
ERROR DESCRIPTION:
In light of changing standards and shifts in preferred
encryption usage, IBM is adjusting its policies as to which
cryptographic cipher suites are enabled by default in its
products. Use of these cipher suites, generally regarded as
less cryptographically secure than others, is not recommended
for use by IBM and are available for legacy use only. z/VM
is updating all versions and releases currently under service
to support this change in direction.
.
The z/VM TLS/SSL Server now disables the following cipher
suites by default:
.
V3 Code Name
------- ----
00 NULL
01 NULL_MD5
02 NULL_SHA
03 RC4_40_MD5
04 RC4_128_MD5
05 RC4_128_SHA
06 RC2_40_MD5
3B NULL_SHA256
.
For any system administrator who wishes to use these cipher
suites for purposes of legacy use or application migration
(for example), the cipher suites can be turned on by the use
of a new ENABLE operand on the VMSSL command or DTCPARMS
definition of the TLS/SSL Server. This operand allows the
enablement of any cipher suite which had been disabled by
default.
.
The following text documents use of this operand; the text
will be included in a future edition of the z/VM TCP/IP
Planning and Customization Guide (Chapter 16, "Configuring
the SSL Server").
.
Under 'VMSSL Command:' The new 'ENABLE' keyword shall be
inserted into the usage diagram following EXEMPT and before
GSKTRACE, as shown:
.
.-KEYFILE--/etc/gskadm/Database.kdb-.
>>--VMSSL--+-----------------------------------+------->
'-KEYFile--pathname-----------------'
.
[...]
.
>-.------------------------.-.--------------------------.->
| <--------------------< | | <----------------------< |
|--EXEMPT--cipher_suite--| '---ENABLE--cipher_suite---'
'-EXEMPT--strength_set---'
.
[...]
.
>--------------------><
.
where 'cipher_suite' represents a specific V2, V3 or TLS full
cipher suite name listed in the z/VM TCP/IP Planning and
Customization Guide's Chapter 16 / Table 38.
.
Notes for using the ENABLE operand:
.
(1) ENABLE can only be used when managing cipher suites by
name. ENABLE cannot be used in conjunction with the
'strength' keywords (e.g., "NONE" or "LOW").
.
(2) Like EXEMPT, ENABLE cannot be used if EXEMPT processing is
being handled by strength.
.
(3) EXEMPT processing is handled first, regardless of DTCPARMS
ordering. If the same cipher suite is specified for both
EXEMPT and ENABLE, then the cipher suite is enabled,
regardless of the order of specification.
.
(4) The ENABLE operand cannot enable a cipher suite if that
cipher suite is associated with a protocol which is not
available. For example, an algorithm supporting SHA256
hashing cannot be enabled if TLS 1.2 has not been selected
via the PROTOCOL operand.
LOCAL FIX: