SSL SERVER FEDERAL INFORMATION PROCESSING STANDARD (FIPS)
140-2 SUPPORT
APAR Identifier ...... PM10616 Last Changed ........ 11/07/22
SSL SERVER FEDERAL INFORMATION PROCESSING STANDARD (FIPS)
140-2 SUPPORT
Symptom ...... NF NEW FUNCTION Status ........... CLOSED UR1
Severity ................... 4 Date Closed ......... 10/10/21
Component .......... 5735FAL00 Duplicate of ........
Reported Release ......... 610 Fixed Release ............ 999
Component Name TCP/IP V2 FOR V Special Notice
Current Target Date .. Flags
SCP ...................
Platform ............
Status Detail: SHIPMENT - Packaged solution is available for
shipment.
PE PTF List:
PTF List:
Release 610 : UK61574 available 10/11/02 (1101 )
Parent APAR:
Child APAR list:
ERROR DESCRIPTION:
This APAR adds FIPS 140-2 compliance to the SSL server. See
the enclosed documentation updates for details about this
capability.
To make use of FIPS support, create a new FIPS-compliant
database and run the SSL server(s) in FIPS mode.
For details on how to create a key database in FIPS mode, see
the GSKKYMAN documentation updates provided as part of APAR
PM08418.
For details on how to enable FIPS mode for an SSL server, see
the VMSSL help file (updated by this APAR), as well as the
documentation updates that follow.
LOCAL FIX:
PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: Users of the SSL server that need to comply *
* to FIPS 140 *
****************************************************************
* PROBLEM DESCRIPTION: *
****************************************************************
* RECOMMENDATION: APPLY PTF *
****************************************************************
SSL Server Federal Information Processing Standard (FIPS) 140-2
Support
PROBLEM CONCLUSION:
TEMPORARY FIX:
COMMENTS:
The revised information that follows will be included in any
future updates to the following publication(s):
================================================================
SC24-6238-00 z/VM: TCP/IP Level 610 Planning and Customization
Chapter 20. "Configuring the SSL Server"
Section: "Step 2: Update the DTCPARMS File"
Page(s): 610-612
The description of the VMSSL command should read as follows:
The syntax diagram and associated explanation of options should
list and explain the new option FIPS. Furthermore, a new table
detailing the cipher suites used in FIPS mode is added after
table 40:
VMSSL >>--- ... ---+------+--- ...
'-FIPS-'
FIPS
instructs the SSL server to operate in FIPS (Federal
Information Processing Standard) mode. FIPS mode restricts
connections to those that employ FIPS approved cipher
suites.
----------------------------------------------------------------
Table xx. FIPS Mode V3 Cipher Suite Values
Name Strength Key Length V3 Code
RSA_AES_256 High 256 35
DH_DSS_AES_256 High 256 36
DH_RSA_AES_256 High 256 37
DHE_DSS_AES_256 High 256 38
DHE_RSA_AES_256 High 256 39
RSA_AES_128 Medium 128 2F
DH_DSS_AES_128 Medium 128 30
DH_RSA_AES_128 Medium 128 31
DHE_DSS_AES_128 Medium 128 32
DHE_RSA_AES_128 Medium 128 33
3DES_168_SHA High 168 0A
DHE_RSA_3DES High 168 16
DHE_DSS_3DES High 168 13
DH_RSA_3DES High 168 10
DH_DSS_3DES High 168 0D
----------------------------------------------------------------
Chapter 20. "Configuring the SSL Server"
Section: "Step 2: Update the DTCPARMS File"
Page(s): 614-615
The Usage Notes section for the VMSSL command should add the
following note:
A key database that is created as a FIPS mode database, can
only be updated by GSKKYMAN or by using the CMS APIs executing
in FIPS mode. Such a database, however, may be opened as
read-only when executing in non-FIPS mode. Key databases
created while in non-FIPS mode cannot be opened when executing
in FIPS mode. For additional FIPS mode information and
considerations, consult SSL Certificate/Key Management and SSL
Tracing Information in z/VM: TCP/IP User's Guide.
----------------------------------------------------------------
Chapter 20. "Configuring the SSL Server"
Section: "SSLADMIN QUERY Command"
Page(s): Not Applicable
The SSLADMIN QUERY command, as revised with APAR PK97437, is
augmented to include an additional "FIPS Mode" output column,
as follows:
ssladmin query status summary (ssl all
DTCSSL2404I Sending command to server(s): SSL00001 SSL00002
SSL00003
DTCSSL2453I Bypassing inactive server(s): SSL00005 SSL00004
DTCSSL2430I Status summary:
Maximum Active Exempt FIPS
Server Status Sessions Sessions Tracing Ciphers? Mode?
-------- -------- -------- -------- ------- -------- ------
SSL00001 Active 600 600 None N Y
SSL00002 Active 600 600 None N Y
SSL00003 Active 600 300 Enabled N Y
SSL00005 Stopped 600 0 - - -
SSL00004 Eligible 600 0 - -
--------
Maximum Session System Limit: 3000
SSL Session High-Water Mark: 1500
This new field is described as follows:
...
FIPS Mode: Indicates whether the SSL server is configured to
operate in FIPS-compliant mode.
...
MODULES/MACROS: DTCUME DTCUMEB NETSTAT QUERY SSLADMIN
SSLCDEFS SSLGSKCF SSLSERV SSLSTART VMSSL
SRLS: NONE
RTN CODES:
CIRCUMVENTION:
MESSAGE TO SUBMITTER: