Z/VM TLS/SSL SERVER ELLIPTIC CURVE (ECC) SUPPORT
STAT= CLOSED UR1 FESN0461035- CTID= EN0313 ISEV= 4 SB18/06/14 RC18/06/19 CL18/12/06 PD SEV= 4 PE= SPEC/ATTN/Y TYPE= D RCOMP= 5735FAL00 TCP/IP FOR Z/VM RREL= R710 FCOMP= 5735FAL00 TCP/IP FOR Z/VM PFREL= F TREL= T999 ACTION= SEC/INT= DUP/ USPTF= UI60128 PDPTF= DUPS 0 DW18/06/14 RT18/06/19 SC FT RE PT UP LP PV AP EN FL LC19/03/22 RU19/03/22 OT CT FR TD TYPE OF SOLUTION= PROJECTED CLOSE CODE= CUST INST LVL/SU= FAILING MODULE= SSLSERV FAILING LVL/SU= 710 SYSROUTE OF: RET APAR= PS= STATUS DETAIL= SHIPMENT RELIEF AVAILABLE= COMP OPER ENV= 710 N Y SPEC/ATTN/Y TYPE OF SOLUTION= PROJECTED CLOSE CODE= CUST INST LVL/SU= FAILING MODULE= FAILING LVL/SU= SYSROUTE OF: RET APAR= N PS= STATUS DETAIL= N N N N N RELIEF AVAILABLE= COMP OPER ENV= SYSRES= SYSIN= SYSOUT= CPU= RE-IPL= OPTYPE= SPECIAL ACTIVITY= REGRESSION= PRE-SCREEN NO.= RSCP= RS710 ERROR DESCRIPTION: The z/VM TLS/SSL server will strengthen encryption through the enablement of Elliptic Curve Cryptography (ECC) cipher suites. Elliptic Curve Cryptography provides a faster, more secure mechanism for asymmetric encryption than standard RSA or DSS algorithms. LOCAL FIX: PROBLEM SUMMARY: **************************************************************** * USERS AFFECTED: All users interested in using elliptical * * curve ciphers to protect TLS communication. * **************************************************************** * PROBLEM DESCRIPTION: * **************************************************************** * RECOMMENDATION: APPLY PTF * **************************************************************** z/VM TCP/IP Elliptic Curve Cryptography (ECC) Cipher Suite Support for Transport Layer Security (TLS) Enables support for the new cryptographic algorithms previously added for use by System SSL through the gskkyman interface. These new cryptographic algorithms provide stronger ciphers for the TLS/SSL server, which includes support for ECDH and ECDHE for key agreement. ECC ciphers have been enabled by default for use by TLS/SSL. Table 39 in the z/VM TCPIP Planning and Customization has been updated to indicate the ciphers enabled by protocol and mode. To use this support an ECC certificate must be created in the gskkyman database and specified for use on a secure connection. PROBLEM CONCLUSION: TEMPORARY FIX: COMMENTS: MODULES/MACROS: CMCOMM CMNETST MSNETSTA NETSTAT QUERY SCEXIT SSLADMIN SSLADMIO SSLADMNP SSLCACHE SSLCIPHS SSLCTLIO SSLDPUMP SSLDSPTC SSLGSKCF SSLMNTOR SSLPARGS SSLREPRT SSLSCBEX SSLSTART SSLTOOLS SSLTRACE SSLTRSIT TCMIB TCPARSE TCPIP TCUTIL TNCOPY TNSTIN TNSTMAS TNTOTCP VMSSL SRLS: GC24629401 SC24630101 SC24633301 SC24633201 SC24633101 RTN CODES: APPLICABLE COMPONENT LEVEL/SU: R710 PSY UI60128 UP18/12/13 P 1901 CIRCUMVENTION: MESSAGE TO SUBMITTER: