NIST 800-131A MODE SUPPORT FOR Z/VM SSL SERVER
APAR Identifier ...... PM93363      Last Changed ........ 14/05/28
NIST 800-131A MODE SUPPORT FOR Z/VM SSL SERVER

Symptom ...... NF NEW FUNCTION      Status ........... CLOSED  UR1
Severity ................... 4      Date Closed ......... 13/11/13
Component .......... 5735FAL00      Duplicate of ........
Reported Release ......... 630      Fixed Release ............ 999
Component Name TCP/IP V2 FOR V      Special Notice
Current Target Date ..              Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:

PTF List:
Release 630   : UI12490 available 13/11/13 (1401 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
The z/VM SSL Server does not currently have a mechanism to enforce an asymmetric key size minimum value of 2048. This enforcement is a requisite for compliance to NIST Special Publication 800-131a.

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All users of the z/VM TCP/IP feature that    *
*                 use the z/VM SSL Server.                     *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
NIST Special Publication 800-131A is a newer standard for key use in cryptographic operations which mandates restrictions on the use of previously permissible key lengths. Specifically, lengths of asymmetric keys are required to be at least 2048 and a hash in the SHA-2 family is recommended by this standard.

The z/VM SSL Server currently does not have an internal mechanism or option for restricting asymmetric key usage. The previously available 'FIPS' mode will only restrict keys less than 1024 in length, but this is not sufficient to meet newer standards.

PROBLEM CONCLUSION:

TEMPORARY FIX:

COMMENTS:
The z/VM SSL Server has been updated to accept a new operand 'MODE' as part of its VMSSL or DTCPARMS start-up processing. This option accepts one of two keywords as parameters: 'FIPS-140-2' (which replaces the existing 'FIPS' operand) and 'NIST-800-131A'. This latter mode changes the operational behavior of the SSL Server as follows:

1. All connections must use TLS 1.2. All other protocols are disabled.
2. All asymmetric keys must be 2048 in length and either RSA or Diffie-Hellman.
3. SHA-256 is the minimum required hash for a digital certificate.

The SSLADMIN EXEC has been updated to reflect 'Cryptographic Modes' enabled and disabled via the SSLADMIN QUERY STATUS DETAILS command.

The z/VM 6.3 TCP/IP Planning and Customization Guide (SC24-6238-04) will be updated as follows:

1. The 'VMSSL Command' syntax diagram (page 532) will be updated to reflect the 'MODE' operand. On the following pages, the 'Operands' list will be updated to describe the MODE operand in detail, as follows:

MODE
    establishes a baseline of functionality for the entire SSL Server. The values that can be specified are:

    FIPS-140-2
        indicates that the SSL server should operate according to Federal Information Processing Standard (FIPS) 140-2. This mode allows only TLS protocols to be used, and restricts the usage of some cipher suites. Operand MODE FIPS-140-2 is equivalent to setting operand FIPS.

    NIST-800-131A
        indicates that the SSL server should operate according to NIST Special Publication 800-131a. This requires the use of TLS 1.2, restricts the usage of certain cipher suites, and mandates the use of RSA or Diffie Hellman keys of 2048 or greater for all secure connections.

Note:
* MODE can be specified multiple times to enable available standards of operation. In cases where multiple standards are enabled, the maximum common subset of functionality will be enabled.
* MODE FIPS-140-2 is the preferred method of enabling FIPS-compliant behavior for the SSL server; it should replace the use of the FIPS operand.
* If MODE NIST-800-131A is enabled, all protocols other than TLS 1.2 will be automatically disabled. TLS 1.2 must still be enabled using the PROTOCOL operand.
* Specifying MODE FIPS-140-2 requires that the SSL server be associated with a FIPS-compliant certificate database.

Tables 36 and 37, regarding SSLV2, SSLV3, and TLS Cipher Suite values, will be updated to indicate whether a cipher suite is associated with either cryptographic mode (or both). This will provide an easier reference for determining whether the setting of the MODE operand is compatible with local security policy. The existing Table 38, which highlighted FIPS-compliant cipher suites specifically, will be deleted.

The SSLADMIN QUERY command description on pages 554 and 555 will be updated to display the new 'Cryptographic Mode details' field of SSLADMIN QUERY STATUS DETAILS, which will appear as follows:

DTCSSL2430I Cryptographic Mode details:
Server    State:    Modes:
--------- --------  -----------------------------------------
<*ALL*>   Enabled   FIPS-140-2
<*ALL*>   Disabled  NIST-800-131A
SSL00005  <*Data Not Available*>
SSL00004  <*Data Not Available*>

A description of the header fields will follow on page 556, as follows:

The fields of the "Cryptographic Mode details" portion of this response supply the following information:

Server
    Identifies an SSL server name, or is the value <*ALL*>, which represents all SSL servers.
State
    Indicates whether listed cryptographic modes are enabled for, or disabled from, use by an SSL server.
Modes
    One or more cryptographic modes of operation, such as FIPS 140-2 or NIST SP 800-131A.

In the same section, the SSLADMIN QUERY STATUS SUMMARY example text will be updated to note a changed header field, "Mode(s) Configured", which replaces a FIPS-specific indicator.
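
An added example (not IBM's code and not part of the APAR text): a Python audit that parses the "Cryptographic Mode details" response shown above and lists every server not confirmed to have NIST-800-131A enabled. The input is this page's sample response treated as captured text; the function names and the separator between several modes on one row are assumptions.

```python
import re

# Constructed input: the sample response text from this page, as it might be
# captured to a file. Real console output may differ in spacing.
SAMPLE = """\
DTCSSL2430I Cryptographic Mode details:
Server    State:    Modes:
--------- --------  -----------------------------------------
<*ALL*>   Enabled   FIPS-140-2
<*ALL*>   Disabled  NIST-800-131A
SSL00005  <*Data Not Available*>
SSL00004  <*Data Not Available*>
"""

ROW = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+(.+)$")
NO_DATA = re.compile(r"^(\S+)\s+<\*Data Not Available\*>$")
NEXT_MSG = re.compile(r"^DTC[A-Z]+\d+[IEW]\b")

def parse_mode_details(text):
    """Map server name -> {'enabled': set, 'disabled': set}, or None if no data."""
    servers, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("DTCSSL2430I"):
            in_section = True
        elif not in_section or not line or line.startswith(("Server ", "---")):
            continue
        elif NEXT_MSG.match(line):
            break  # a different message ends the mode-details section
        elif NO_DATA.match(line):
            servers.setdefault(NO_DATA.match(line).group(1), None)
        elif ROW.match(line):
            name, state, modes = ROW.match(line).groups()
            if servers.get(name) is None:
                servers[name] = {"enabled": set(), "disabled": set()}
            # Assumption: several modes on one row are blank- or comma-separated.
            servers[name][state.lower()].update(modes.replace(",", " ").split())
    return servers

def audit(servers, required="NIST-800-131A"):
    """List (server, reason) for every server not confirmed in the required mode."""
    findings = []
    for name, entry in sorted(servers.items()):
        if entry is None:
            findings.append((name, "no data"))
        elif required not in entry["enabled"]:
            findings.append((name, "not enabled"))
    return findings

if __name__ == "__main__":
    for server, reason in audit(parse_mode_details(SAMPLE)):
        print(f"{server}: NIST-800-131A {reason}")
```

A "no data" finding means the mode could not be confirmed for that server, so it is reported rather than treated as compliant.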

The z/VM 6.3 TCP/IP Messages and Codes manual (GC24-6237-03) will be updated to provide the following new messages, under 'SSL Server Messages' in Chapter 17:

DTCSSL104I Operating in NIST SP 800-131a mode
    Explanation: The SSL server has been started in NIST SP 800-131a compliant mode.
    System action: Server operations continue.
    System programmer response: None.

DTCSSL105I Not operating in NIST SP 800-131a mode
    Explanation: The SSL server has not been started in NIST SP 800-131a compliant mode.
    System action: Server operations continue.
    System programmer response: None.

DTCSSL506E Key exchange lengths less than 2048 are not supported in NIST 800-131A mode
    Explanation: For security reasons, RSA or DSA key exchange lengths of less than 2048 bits are not permitted when MODE NIST-800-131A is specified.
    System action: Server operations continue. The subject secure connection is terminated.
    System programmer response: Obtain a new certificate from the appropriate Certifying Authority (CA) to use in place of the current certificate. Install the replacement certificate in the key database and make any necessary configuration changes (inclusive of an SSLADMIN REFRESH command, if appropriate). Then, confirm that secure connections can be established with the new certificate in place.

In the same section, messages DTCSSL101I and DTCSSL102I will be updated to fix a documentation error, correcting the spelling of "FIPS 104-2" to "FIPS 140-2".

The z/VM 6.3 TCP/IP Messages and Codes manual (GC24-6237-03) will be updated to provide the following new messages, under 'SSLADMIN and VMSSL Messages' in Chapter 17:

DTCSSL2464W Only TLS V1.2 may be used in NIST SP 800-131A mode. All other protocols have been disabled.
    Explanation: For security reasons, the SSL Server disables SSLv2, SSLv3, TLS 1.0, and TLS 1.1 when operating in NIST SP 800-131a mode. This is managed internally by the SSL Server and cannot be overridden.
    System action: None.
    System programmer response: None.

DTCSSL2465W FIPS operand is deprecated; the MODE operand should be used instead.
    Explanation: The MODE operand replaces the FIPS operand. This message is issued when the FIPS operand is specified during initialization of the SSL
    System action: None.
    System programmer response: Specify MODE FIPS-140-2 instead of FIPS on the VMSSL command or in DTCPARMS.

MODULES/MACROS: DTCUME DTCUMEB QUERY SSLADMIN SSLADMIO SSLADMNP SSLCIPHS SSLCTLIO SSLDSPTC SSLGSKCF SSLPARGS SSLREPRT SSLSTART SSLTRSIT VMSSL

SRLS: SC24623804 GC24623703

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER: