SSL SERVER FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 140-2 SUPPORT
APAR Identifier ...... PM10616 Last Changed ........ 11/07/22 SSL SERVER FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 140-2 SUPPORT Symptom ...... NF NEW FUNCTION Status ........... CLOSED UR1 Severity ................... 4 Date Closed ......... 10/10/21 Component .......... 5735FAL00 Duplicate of ........ Reported Release ......... 610 Fixed Release ............ 999 Component Name TCP/IP V2 FOR V Special Notice Current Target Date .. Flags SCP ................... Platform ............ Status Detail: SHIPMENT - Packaged solution is available for shipment. PE PTF List: PTF List: Release 610 : UK61574 available 10/11/02 (1101 ) Parent APAR: Child APAR list: ERROR DESCRIPTION: This APAR adds FIPS 140-2 compliance to the SSL server. See the enclosed documentation updates for details about this capability. To make use of FIPS support, create a new FIPS-compliant database and run the SSL server(s) in FIPS mode. For details on how to create a key database in FIPS mode, see the GSKKYMAN documentation updates provided as part of APAR PM08418. For details on how to enable FIPS mode for an SSL server, see the VMSSL help file (updated by this APAR), as well as the documentation updates that follow. LOCAL FIX: PROBLEM SUMMARY: **************************************************************** * USERS AFFECTED: Users of the SSL server that need to comply * * to FIPS 140 * **************************************************************** * PROBLEM DESCRIPTION: * **************************************************************** * RECOMMENDATION: APPLY PTF * **************************************************************** SSL Server Federal Information Processing Standard (FIPS) 140-2 Support PROBLEM CONCLUSION: TEMPORARY FIX: COMMENTS: The revised information that follows will be included in any future updates to the following publication(s): ================================================================ SC24-6238-00 z/VM: TCP/IP Level 610 Planning and Customization Chapter 20. "Configuring the SSL Server" Section: "Step 2: Update the DTCPARMS File" Page(s): 610-612 The description of the VMSSL command should read as follows: The syntax diagram and associated explanation of options should list and explain the new option FIPS. Furthermore, a new table detailing the cipher suites used in FIPS mode is added after table 40: VMSSL >>--- ... ---+------+--- ... '-FIPS-' FIPS instructs the SSL server to operate in FIPS (Federal Information Processing Standard) mode. FIPS mode restricts connections to those that employ FIPS approved cipher suites. ---------------------------------------------------------------- Table xx. FIPS Mode V3 Cipher Suite Values Name Strength Key Length V3 Code RSA_AES_256 High 256 35 DH_DSS_AES_256 High 256 36 DH_RSA_AES_256 High 256 37 DHE_DSS_AES_256 High 256 38 DHE_RSA_AES_256 High 256 39 RSA_AES_128 Medium 128 2F DH_DSS_AES_128 Medium 128 30 DH_RSA_AES_128 Medium 128 31 DHE_DSS_AES_128 Medium 128 32 DHE_RSA_AES_128 Medium 128 33 3DES_168_SHA High 168 0A DHE_RSA_3DES High 168 16 DHE_DSS_3DES High 168 13 DH_RSA_3DES High 168 10 DH_DSS_3DES High 168 0D ---------------------------------------------------------------- Chapter 20. "Configuring the SSL Server" Section: "Step 2: Update the DTCPARMS File" Page(s): 614-615 The Usage Notes section for the VMSSL command should add the following note: A key database that is created as a FIPS mode database, can only be updated by GSKKYMAN or by using the CMS APIs executing in FIPS mode. Such a database, however, may be opened as read-only when executing in non-FIPS mode. Key databases created while in non-FIPS mode cannot be opened when executing in FIPS mode. For additional FIPS mode information and considerations, consult SSL Certificate/Key Management and SSL Tracing Information in z/VM: TCP/IP User's Guide. ---------------------------------------------------------------- Chapter 20. "Configuring the SSL Server" Section: "SSLADMIN QUERY Command" Page(s): Not Applicable The SSLADMIN QUERY command, as revised with APAR PK97437, is augmented to include an additional "FIPS Mode" output column, as follows: ssladmin query status summary (ssl all DTCSSL2404I Sending command to server(s): SSL00001 SSL00002 SSL00003 DTCSSL2453I Bypassing inactive server(s): SSL00005 SSL00004 DTCSSL2430I Status summary: Maximum Active Exempt FIPS Server Status Sessions Sessions Tracing Ciphers? Mode? -------- -------- -------- -------- ------- -------- ------ SSL00001 Active 600 600 None N Y SSL00002 Active 600 600 None N Y SSL00003 Active 600 300 Enabled N Y SSL00005 Stopped 600 0 - - - SSL00004 Eligible 600 0 - - -------- Maximum Session System Limit: 3000 SSL Session High-Water Mark: 1500 This new field is described as follows: ... FIPS Mode: Indicates whether the SSL server is configured to operate in FIPS-compliant mode. ... MODULES/MACROS: DTCUME DTCUMEB NETSTAT QUERY SSLADMIN SSLCDEFS SSLGSKCF SSLSERV SSLSTART VMSSL SRLS: NONE RTN CODES: CIRCUMVENTION: MESSAGE TO SUBMITTER: