INFO APAR FOR Z/VM SSL SERVER DOCUMENTATION UPDATES
APAR Identifier ...... II14790 Last Changed ........ 15/06/12 INFO APAR FOR Z/VM SSL SERVER DOCUMENTATION UPDATES Symptom ...... IN INCORROUT Status ........... INTRAN Severity ................... 4 Date Closed ......... Component .......... INFODNLIB Duplicate of ........ Reported Release ......... 001 Fixed Release ............ Component Name DN LIB INFO ITE Special Notice Current Target Date .. Flags SCP ................... Platform ............ Status Detail: Not Available PE PTF List: PTF List: Parent APAR: Child APAR list: ERROR DESCRIPTION: In light of changing standards and shifts in preferred encryption usage, IBM is adjusting its policies as to which cryptographic cipher suites are enabled by default in its products. Use of these cipher suites, generally regarded as less cryptographically secure than others, is not recommended for use by IBM and are available for legacy use only. z/VM is updating all versions and releases currently under service to support this change in direction. . The z/VM TLS/SSL Server now disables the following cipher suites by default: . V3 Code Name ------- ---- 00 NULL 01 NULL_MD5 02 NULL_SHA 03 RC4_40_MD5 04 RC4_128_MD5 05 RC4_128_SHA 06 RC2_40_MD5 3B NULL_SHA256 . For any system administrator who wishes to use these cipher suites for purposes of legacy use or application migration (for example), the cipher suites can be turned on by the use of a new ENABLE operand on the VMSSL command or DTCPARMS definition of the TLS/SSL Server. This operand allows the enablement of any cipher suite which had been disabled by default. . The following text documents use of this operand; the text will be included in a future edition of the z/VM TCP/IP Planning and Customization Guide (Chapter 16, "Configuring the SSL Server"). . Under 'VMSSL Command:' The new 'ENABLE' keyword shall be inserted into the usage diagram following EXEMPT and before GSKTRACE, as shown: . .-KEYFILE--/etc/gskadm/Database.kdb-. >>--VMSSL--+-----------------------------------+-------> '-KEYFile--pathname-----------------' . [...] . >-.------------------------.-.--------------------------.-> | <--------------------< | | <----------------------< | |--EXEMPT--cipher_suite--| '---ENABLE--cipher_suite---' '-EXEMPT--strength_set---' . [...] . >-------------------->< . where 'cipher_suite' represents a specific V2, V3 or TLS full cipher suite name listed in the z/VM TCP/IP Planning and Customization Guide's Chapter 16 / Table 38. . Notes for using the ENABLE operand: . (1) ENABLE can only be used when managing cipher suites by name. ENABLE cannot be used in conjunction with the 'strength' keywords (e.g., "NONE" or "LOW"). . (2) Like EXEMPT, ENABLE cannot be used if EXEMPT processing is being handled by strength. . (3) EXEMPT processing is handled first, regardless of DTCPARMS ordering. If the same cipher suite is specified for both EXEMPT and ENABLE, then the cipher suite is enabled, regardless of the order of specification. . (4) The ENABLE operand cannot enable a cipher suite if that cipher suite is associated with a protocol which is not available. For example, an algorithm supporting SHA256 hashing cannot be enabled if TLS 1.2 has not been selected via the PROTOCOL operand. LOCAL FIX: