ENABLEMENT OF PRE-INITIALIZATION FIPS MODE IN SYSTEM SSL AND SSL SERVER
APAR Identifier ...... PM95516           Last Changed ........ 14/05/28

Symptom ...... NF NEWFUNCTION            Status ........... CLOSED UR1
Severity ................... 3           Date Closed ......... 13/10/10
Component .......... 5735FAL00           Duplicate of ........
Reported Release ......... 630           Fixed Release ............ 999
Component Name TCP/IP V2 FOR V           Special Notice
Current Target Date ..                   Flags
SCP ...................
Platform ............

Status Detail: SHIPMENT - Packaged solution is available for shipment.

PE PTF List:

PTF List:
Release 630   : UI11978 available 13/11/07 (1401 )

Parent APAR:
Child APAR list:

ERROR DESCRIPTION:
In order to comply with recent changes to FIPS 140-2 Implementation
Guidance, System SSL requires a mechanism to allow full initialization
of cryptographic operations without operator intervention.

LOCAL FIX:

PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: All Users of z/VM TCP/IP and SSL Servers.    *
****************************************************************
* PROBLEM DESCRIPTION: FIPS 140-2 mode initialization          *
*                      currently requires an API call by the   *
*                      application using the System SSL        *
*                      libraries.                              *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
z/VM 6.3 System SSL requires an application using it (such as the
z/VM SSL Server) to initiate FIPS mode through the use of an internal
programming interface. While this has met previous Implementation
Guidance for FIPS 140-2 compliance, recent changes in the standard
require that all Power-On Self-Tests be conducted during the
initialization phase without operator intervention. As a result, an
"Always-On" FIPS setting is required for System SSL.
PROBLEM CONCLUSION:
System SSL for z/VM 6.3 has been updated to recognize an environment
variable GSK_DEFAULT_FIPS_STATE. If this environment variable is
configured in advance of System SSL initialization, System SSL will
initialize in FIPS 140-2 mode automatically.

The z/VM SSL Server has been updated to recognize that
GSK_DEFAULT_FIPS_STATE has been set, and if properly enabled, will
enter FIPS 140-2 compliant mode. This behavior supersedes the DTCPARMS
or VMSSL setting of the FIPS operand. Note that all requisites
concerning certificate databases and FIPS 140-2 compliant mode apply
when using GSK_DEFAULT_FIPS_STATE.

To use GSK_DEFAULT_FIPS_STATE, set the environment variable to the
value "GSK_FIPS_STATE_ON" in advance of starting System SSL. If using
the environment variable in conjunction with the z/VM SSL Server, the
environment variable must be instantiated within the SSL Server
virtual machine -- or within each member of the server pool. It is
suggested that the global profile exit, TCPRUNXT, be used to set the
environment variable for all servers of the SSL class. See General
TCP/IP Server Configuration in the z/VM TCP/IP Planning and
Customization publication for more information on TCPRUNXT. A sample
REXX clause follows:

   ...
   /*------------------------------------------------------------*/
   /* For SSL class servers, ensure the GSK_DEFAULT_FIPS_STATE   */
   /* variable is 'ON' to meet current FIPS 140-2 requirements.  */
   /*------------------------------------------------------------*/
   When (calltype = "BEGIN") & (parms = _ClassSSL) Then Do
      "GLOBALV SELECT CENV" ,
         "SETL GSK_DEFAULT_FIPS_STATE GSK_FIPS_STATE_ON"
      Say "Environment variable GSK_DEFAULT_FIPS_STATE" ,
          "set to: GSK_FIPS_STATE_ON"
   End
   ...

Additional code changes have been made so that z/VM System SSL will
indicate the z/VM APAR level during initialization when GSKTRACE 8 is
specified. This will facilitate debugging and make level determination
easier for system administrators.

TEMPORARY FIX:

COMMENTS:
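The clause below is an added example and not IBM's sample above: it sets GSK_DEFAULT_FIPS_STATE the same way, then checks the GLOBALV return code and reads the variable back with GLOBALV GET, so the server console shows whether FIPS mode will actually be enforced before System SSL initializes. It assumes the same calltype, parms and _ClassSSL values as the APAR's sample and, like that sample, is a fragment of a TCPRUNXT Select block rather than a complete exit.

```rexx
/*------------------------------------------------------------*/
/* Added example: set GSK_DEFAULT_FIPS_STATE for SSL-class    */
/* servers and verify it before the server starts. Assumes    */
/* calltype, parms and _ClassSSL as in the APAR sample clause.*/
/*------------------------------------------------------------*/
When (calltype = "BEGIN") & (parms = _ClassSSL) Then Do
   "GLOBALV SELECT CENV" ,
      "SETL GSK_DEFAULT_FIPS_STATE GSK_FIPS_STATE_ON"
   If rc <> 0 Then
      Say "GLOBALV SETL failed, rc=" rc "- FIPS mode NOT enforced"
   /* GET copies the stored value into a REXX variable of the */
   /* same name; drop any stale copy first so the check is     */
   /* against what GLOBALV really holds.                       */
   Drop GSK_DEFAULT_FIPS_STATE
   "GLOBALV SELECT CENV GET GSK_DEFAULT_FIPS_STATE"
   If GSK_DEFAULT_FIPS_STATE = "GSK_FIPS_STATE_ON" Then
      Say "GSK_DEFAULT_FIPS_STATE verified as GSK_FIPS_STATE_ON"
   Else
      Say "WARNING: GSK_DEFAULT_FIPS_STATE is" GSK_DEFAULT_FIPS_STATE ,
          "- System SSL will not start in FIPS 140-2 mode"
End
```

The WARNING line is the one to watch for in each SSL server's console (or in each server-pool member's) when confirming the PTF is in effect.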
**** PE13/10/29 FIX IN ERROR. SEE APAR PI04999 FOR DESCRIPTION

MODULES/MACROS: GSKCMS31 GSKC31F SSLGSKCF

SRLS: NONE

RTN CODES:

CIRCUMVENTION:

MESSAGE TO SUBMITTER: