ENABLEMENT OF PRE-INITIALIZATION FIPS MODE IN SYSTEM SSL AND SSL SERVER


 
 APAR Identifier ...... PM95516      Last Changed ........ 14/05/28
 ENABLEMENT OF PRE-INITIALIZATION FIPS MODE IN SYSTEM SSL AND SSL
 SERVER
 
 Symptom ...... NF NEWFUNCTION       Status ........... CLOSED  UR1
 Severity ................... 3      Date Closed ......... 13/10/10
 Component .......... 5735FAL00      Duplicate of ........
 Reported Release ......... 630      Fixed Release ............ 999
 Component Name TCP/IP V2 FOR V      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: SHIPMENT - Packaged solution is available for
                           shipment.
 
 PE PTF List:
 
 PTF List:
 Release 630   : UI11978 available 13/11/07 (1401 )
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 In order to comply with recent changes to FIPS 140-2
 Implementation Guidance, System SSL requires a mechanism to
 allow full initialization of cryptographic operations without
 operator intervention.
 
 LOCAL FIX:
 
 PROBLEM SUMMARY:
 ****************************************************************
 * USERS AFFECTED: All Users of z/VM TCP/IP and SSL Servers.    *
 ****************************************************************
 * PROBLEM DESCRIPTION: FIPS 140-2 mode initialization          *
 *                      currently requires an API call by the   *
 *                      application using the System SSL        *
 *                      libraries.                              *
 ****************************************************************
 * RECOMMENDATION: APPLY PTF                                    *
 ****************************************************************
 z/VM 6.3 System SSL requires an application using it (such as
 the z/VM SSL Server) to initiate FIPS mode through the use of an
 internal programming interface. While this has met previous
 Implementation Guidance for FIPS 140-2 compliance, recent
 changes in the standard require that all Power-On Self-Tests be
 conducted during the initialization phase without operator
 intervention. As a result, an "Always-On" FIPS setting is
 required for System SSL.
 
 PROBLEM CONCLUSION:
 
 TEMPORARY FIX:
 
 COMMENTS:
 System SSL for z/VM 6.3 has been updated to recognize an
 environment variable GSK_DEFAULT_FIPS_STATE. If this environment
 variable is configured in advance of System SSL initialization,
 System SSL will initialize in FIPS 140-2 mode automatically.
 
 The z/VM SSL Server has been updated to recognize that
 GSK_DEFAULT_FIPS_STATE has been set, and if properly enabled,
 will enter FIPS 140-2 compliant mode. This behavior supersedes
 DTCPARMS or VMSSL setting of the FIPS operand. Note that all
 requisites concerning certificate databases and FIPS 140-2
 compliant mode apply when using GSK_DEFAULT_FIPS_STATE.
 
 To use GSK_DEFAULT_FIPS_STATE, set the environment variable to
 the value "GSK_FIPS_STATE_ON" in advance of starting System
 SSL. If using the environment variable in conjunction with the
 z/VM SSL Server, the environment variable must be instantiated
 within the SSL Server virtual machine -- or within each member
 of the server pool.
 
 It is suggested that the global profile exit, TCPRUNXT, be used
 to set the environment variable for all servers of the SSL
 class. See General TCP/IP Server Configuration in the z/VM
 TCP/IP Planning and Customization publication for more
 information on TCPRUNXT. A sample REXX clause follows:
 
 ...
 /*------------------------------------------------------------*/
 /* For SSL class servers, ensure the GSK_DEFAULT_FIPS_STATE   */
 /* variable is 'ON' to meet current FIPS 140-2 requirements.  */
 /*------------------------------------------------------------*/
   When (calltype = "BEGIN") & (parms = _ClassSSL) Then
     Do
       "GLOBALV SELECT CENV" ,
          "SETL GSK_DEFAULT_FIPS_STATE GSK_FIPS_STATE_ON"
       Say "Environment variable GSK_DEFAULT_FIPS_STATE" ,
          "set to: GSK_FIPS_STATE_ON"
     End
 ...
 
 Additional code changes have been made so that z/VM System SSL
 will indicate the z/VM APAR level during initialization when
 GSKTRACE 8 is specified. This will facilitate debugging and make
 level determination easier for system administrators.
  **** PE13/10/29 FIX IN ERROR. SEE APAR PI04999  FOR DESCRIPTION
 
 MODULES/MACROS:   GSKCMS31 GSKC31F  SSLGSKCF
 
 SRLS:      NONE
 
 RTN CODES:
 
 CIRCUMVENTION:
 
 MESSAGE TO SUBMITTER: