TCP/IP for z/VM
NIST 800-131A MODE Support for the z/VM SSL Server
Planning and Installation Information

Important Service Application and Installation Notice

The information and instructions that follow describe system definition and configuration changes that must be implemented when the PTF for the following APAR is applied to a z/VM 630 system:

This PTF does not change the default behavior associated with the SSL Server virtual machine (SSLSERV, by default). However, use of this new functionality requires planning with regard to digital certificate key sizes and cryptographic algorithm support for clients connecting to the SSL server.

   Requisite APAR

In addition to the PTF for the aforementioned "NIST 800-131A MODE Support for the z/VM SSL Server" APAR, the PTFs for the following APARs also must be applied:

   Rationale and Overview

As part of ongoing revisions to regulations concerning the governance of cryptographic key sizes, the National Institute of Standards and Technology (NIST) released Special Publication 800-131a. This document outlines a transition plan from weaker key sizes and cryptographic algorithms to ones more in line with modern security challenges. While the z/VM SSL Server could support the key sizes and algorithms required for NIST SP 800-131a compliance, there was no mechanism internal to the server which enforced those key sizes as minimums.

To that end, the aforementioned "NIST 800-131a MODE Support for the z/VM SSL Server" PTF is provided to address this concern, and to provide the following:

  • A new operational keyword, MODE, which can be used to configure an SSL Server (or pool thereof) to meet particular cryptographic guidelines.

  • Support for FIPS mode via the new MODE keyword

  • A new cryptographic mechanism of support, NIST-800-131A, which restricts key sizes, TLS protocol levels, ciphers and certificate types in accordance with the standard mentioned above.

As with the previously defined FIPS mechanism, MODE support must be part of a common security configuration for a single TCP/IP stack, whether your installation uses one SSLSERV virtual machine or a pool of SSL Servers, as described in SSL Server Performance and Scalability Enhancements.

No cryptographic MODE is enabled by default. Enablement of a cryptographic MODE is initiated via the VMSSL command, or using an associated DTCPARMS statement. Note also that cryptographic modes are not mutually exclusive (that is, more than one can be enabled).

   SSL Server Configuration Changes

Placing the SSL Server into MODE FIPS-140-2 enables the following functional changes, requirements, and restrictions for the z/VM SSL Server:

  • A minimum asymmetric key length of 1024 is enforced, regardless of algorithm (e.g., RSA, DSA)

  • A minimum TLS protocol level of TLS 1.0 is enforced for all connections. SSLV2 and SSLV3 cannot be used in this mode of operation.

  • A FIPS-mode certificate database must be made available to the z/VM SSL Server. A FIPS-mode database can be created via the gskkyman interface made available on the GSKADMIN virtual machine. This certificate database is subject to enhanced integrity checking and Known Answer Tests to preclude tampering before being read by the SSL Server.

Placing the SSL Server into MODE NIST-800-131A enables the following functional changes, requirements, and restrictions for the z/VM SSL Server:

  • A minimum asymmetric key length of 2048 for RSA or Diffie-Hellman transport algorithms.

    The z/VM SSL Server supports a maximum DSA key size of 1024; therefore, DSA certificates cannot be used with MODE NIST-800-131A.

  • A minimum certificate hash algorithm in the SHA-2 family (e.g., SHA-256 or SHA-512). Certificates using SHA-1 or MD5 hashes will be rejected in this mode.

  • A minimum TLS protocol level of TLS 1.2 is enforced for all connections. TLS 1.2 must be enabled via the PROTOCOL operand; all other levels of TLS or SSL will be disabled automatically.

Enabling both modes of cryptographic compliance results in a security configuration that meets the "maximal common subset" of requirements and restrictions.

Enabling either (or both) of these cryptographic modes can have an impact on:

  • An existing certificate database in use at your installation. If FIPS 140-2 compliance is required, migration to a FIPS-mode database will be necessary.

  • Certificates in use at your installation. If existing certificates have an RSA public key of 1024, or are hashed with any algorithm weaker than the SHA-2 family, then they must be replaced before they can be used in conjunction with MODE NIST-800-131A. Additionally, if certificates use the DSA key exchange algorithm, then they cannot be used with MODE NIST-800-131A at all.

  • Clients that use secure connections to the hypervisor, via the z/VM TCP/IP stack. If external clients do not support TLS 1.2, they cannot be used in conjunction with MODE NIST-800-131A.

Thus, planning and consideration are advised before migrating to the use of these cryptographic modes.
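
The following pre-migration check is an added example, not IBM code: it applies the restrictions listed above to a constructed inventory of certificates and clients. All names and inventory entries are hypothetical, the FIPS-mode certificate database requirement is not modeled, and combining modes by taking the strictest rule of each is an assumed reading of "maximal common subset".

```python
from collections import namedtuple

ALL_PROTOCOLS = {"SSLV2", "SSLV3", "TLS1.0", "TLS1.1", "TLS1.2"}
SHA2 = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}
Cert = namedtuple("Cert", "label key_alg key_bits sig_hash")  # key_alg: RSA, DSA or DH

# Per-mode rules transcribed from the two lists above.
MODES = {
    "FIPS-140-2": {"min_key": 1024, "dsa_ok": True, "sha2_only": False,
                   "protocols": {"TLS1.0", "TLS1.1", "TLS1.2"}},
    "NIST-800-131A": {"min_key": 2048, "dsa_ok": False, "sha2_only": True,
                      "protocols": {"TLS1.2"}},
}

def effective_policy(enabled):
    """Strictest rule of every enabled mode (assumed reading of the combined case)."""
    rules = [MODES[m] for m in enabled]
    return {
        "min_key": max((r["min_key"] for r in rules), default=0),
        "dsa_ok": all(r["dsa_ok"] for r in rules),
        "sha2_only": any(r["sha2_only"] for r in rules),
        "protocols": set.intersection(ALL_PROTOCOLS, *(r["protocols"] for r in rules)),
    }

def cert_findings(cert, policy):
    """Reasons a certificate must be replaced; an empty list means it is usable."""
    found = []
    if cert.key_alg == "DSA" and not policy["dsa_ok"]:
        found.append("DSA certificates cannot be used")
    if cert.key_bits < policy["min_key"]:
        found.append(f"{cert.key_bits}-bit key is below the {policy['min_key']} minimum")
    if policy["sha2_only"] and cert.sig_hash not in SHA2:
        found.append(f"{cert.sig_hash} is not in the SHA-2 family")
    return found

# Constructed inventory, not taken from any real system.
CERTS = [Cert("WEBSRV", "RSA", 2048, "SHA-256"),
         Cert("OLDRSA", "RSA", 1024, "SHA-1"),
         Cert("OLDDSA", "DSA", 1024, "SHA-1")]
CLIENTS = {"telnet-new": ["TLS1.0", "TLS1.2"], "ftp-old": ["SSLV3", "TLS1.0"]}

def audit(enabled):
    """Return (findings per certificate, can-connect flag per client)."""
    policy = effective_policy(enabled)
    # A client can connect if it offers any protocol the server still allows.
    return ({c.label: cert_findings(c, policy) for c in CERTS},
            {n: bool(set(p) & policy["protocols"]) for n, p in CLIENTS.items()})

if __name__ == "__main__":
    print(audit(["FIPS-140-2", "NIST-800-131A"]))
```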

   Reference Information

Documentation updates that pertain to the "NIST 800-131A MODE Support for the z/VM SSL Server" function are described in the sections that follow.

   VMSSL Command Updates

The changes cited herein affect: z/VM: TCP/IP Planning and Customization (SC24-6238-04).

The VMSSL command is updated to support the new MODE operand and its corresponding parameters, which have this syntax and descriptions:

Syntax (Additions)

 >>--VMSSL--...---.--------------------.---...-----------------------><
                  | <----------------< |
                  |---MODE--standard---|
                  '-FIPS---------------'

Operands

FIPS
instructs the SSL server to operate in accordance with a particular FIPS (Federal Information Processing Standard) cryptographic standard configuration. This restricts the behavior of the SSL server to approved protocols and cipher suites.

Operand FIPS is equivalent to setting MODE FIPS-140-2.

MODE standard
establishes a baseline of functionality for the entire SSL Server. The values that can be specified are:

FIPS-140-2
indicates that the SSL server should operate according to Federal Information Processing Standard (FIPS) 140-2. This mode allows only TLS protocols to be used, and restricts the usage of some cipher suites. Operand MODE FIPS-140-2 is equivalent to setting operand FIPS.

NIST-800-131A
indicates that the SSL server should operate according to NIST Special Publication 800-131a. This requires the use of TLS 1.2, restricts the usage of certain cipher suites, and mandates the use of RSA or Diffie-Hellman keys of 2048 or greater for all secure connections.

Note:

  • MODE can be specified multiple times to enable available standards of operation. In cases where multiple standards are enabled, the maximum common subset of functionality will be enabled.

  • MODE FIPS-140-2 is the preferred method of enabling FIPS-compliant behavior for the SSL server; it should replace the use of the FIPS operand.

  • If MODE NIST-800-131A is enabled, all protocols other than TLS 1.2 will be automatically disabled. TLS 1.2 must still be enabled using the PROTOCOL operand.

  • Specifying MODE FIPS-140-2 requires that the SSL server be associated with a FIPS-compliant certificate database.

   SSLADMIN QUERY Command Response Updates

The changes cited herein affect: z/VM: TCP/IP Planning and Customization (SC24-6238-04).

The responses for various SSLADMIN QUERY commands are updated, as illustrated in the sample responses that follow:

  • SSLADMIN QUERY STATUS SUMMARY
    ssladmin query status summary (ssl all
    DTCSSL2404I Sending command to server(s): SSL00001 SSL00002 SSL00003
    DTCSSL2453I Bypassing inactive server(s): SSL00005 SSL00004
    DTCSSL2430I Status summary:
                      Maximum  Active           Exempt    Mode(s)
    Server   Status   Sessions Sessions Tracing Ciphers?  Configured?
    -------- -------- -------- -------- ------- --------  -----------
    SSL00001 Active   600      600      None    Y         Y
    SSL00002 Active   600      600      None    Y         Y
    SSL00003 Active   600      300      Enabled Y         Y
    SSL00005 Stopped  600      0        -       -         -
    SSL00004 Eligible 600      0        -       -         -
    --------
    Maximum Session System Limit: 3000
    SSL Session High-Water Mark:  1500
    

    For this command response, the Mode(s) Configured? field is added. This field indicates whether the SSL server is configured to operate in compliance with any specific cryptographic standard, such as FIPS 140-2 or NIST SP 800-131A.

  • SSLADMIN QUERY STATUS DETAILS
    ssladmin query status details (ssl all
    DTCSSL2404I Sending command to server(s): SSL00001 SSL00002 SSL00003
    DTCSSL2453I Bypassing inactive server(s): SSL00005 SSL00004
    DTCSSL2430I Status summary:
                      Maximum  Active           Exempt    Mode(s)
    Server   Status   Sessions Sessions Tracing Ciphers?  Configured?
    -------- -------- -------- -------- ------- --------  -----------
    SSL00001 Active   600      600      None    Y         Y
    SSL00002 Active   600      600      None    Y         Y
    SSL00003 Active   600      300      Enabled Y         Y
    SSL00005 Stopped  600      0        -       -         -
    SSL00004 Eligible 600      0        -       -         -
    --------
    Maximum Session System Limit: 3000
    SSL Session High-Water Mark:  1500
     
    DTCSSL2430I Cryptographic Mode details:
    Server    Status:   Modes:
    --------- --------  --------------------------------------------------
    <*ALL*>   Enabled   FIPS-140-2
    <*ALL*>   Disabled  NIST-800-131A
    SSL00005 <*Data Not Available*>
    SSL00004 <*Data Not Available*>
     
    ...
    

    For this command response, Cryptographic Mode details information is added (existing response information is not included above). The fields of this portion of this response supply the following information:

    Server
    Identifies an SSL server name, or is the value <*ALL*>, which represents all SSL servers.
    Status
    Indicates whether listed cryptographic modes are enabled for, or disabled from, use by an SSL server.
    Modes
    One or more cryptographic modes of operation, such as FIPS 140-2 or NIST SP 800-131A.
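
The following compliance check is an added example, not IBM code: it parses the Cryptographic Mode details portion of an SSLADMIN QUERY STATUS DETAILS response and reports required modes that are not enabled. The function names are hypothetical, and the row layout and the separator between multiple modes are assumptions inferred from the sample response above.

```python
import re

# Cryptographic Mode details portion of the sample response shown above.
SAMPLE = """\
DTCSSL2430I Cryptographic Mode details:
Server    Status:   Modes:
--------- --------  --------------------------------------------------
<*ALL*>   Enabled   FIPS-140-2
<*ALL*>   Disabled  NIST-800-131A
SSL00005 <*Data Not Available*>
SSL00004 <*Data Not Available*>

...
"""

ROW = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s+(.+)$")
NO_DATA = re.compile(r"^(\S+)\s+<\*Data Not Available\*>$")

def parse_mode_details(response):
    """Return (rows, no_data); rows are (server, status, [modes]) tuples."""
    rows, no_data, in_section = [], [], False
    for raw in response.splitlines():
        line = raw.strip()
        if "Cryptographic Mode details" in line:
            in_section = True
        elif in_section and line.startswith("DTCSSL"):
            break  # a new message starts, so the mode section is over
        elif in_section and (m := NO_DATA.match(line)):
            no_data.append(m.group(1))
        elif in_section and (m := ROW.match(line)):
            # Assumption: several modes on one row are split by blanks or commas.
            rows.append((m.group(1), m.group(2), re.split(r"[,\s]+", m.group(3))))
    return rows, no_data

def compliance_findings(response, required):
    """List what prevents the required modes from being confirmed as enabled."""
    rows, no_data = parse_mode_details(response)
    enabled = {m for _, status, modes in rows if status == "Enabled" for m in modes}
    disabled = {m for _, status, modes in rows if status == "Disabled" for m in modes}
    findings = [f"{mode} is not enabled" for mode in required
                if mode not in enabled or mode in disabled]
    findings += [f"{server}: mode data not available" for server in no_data]
    return findings

if __name__ == "__main__":
    for finding in compliance_findings(SAMPLE, ["FIPS-140-2", "NIST-800-131A"]):
        print(finding)
```

In the sample response, the two servers without mode data are the inactive ones (Stopped and Eligible) that the command bypassed.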

   SSL Server - New and Changed Messages

The changes cited herein affect: z/VM: TCP/IP Messages and Codes (GC24-6237-03), "Chapter 17: SSL Server Messages."


Message:
DTCSSL104I Operating in NIST SP 800-131a mode

Explanation:
The SSL server has been started in NIST SP 800-131a compliant mode.

System Action:
Server operations continue.

System Programmer Response:
None.


Message:
DTCSSL105I Not operating in NIST SP 800-131a mode

Explanation:
The SSL server has not been started in NIST SP 800-131a compliant mode.

System Action:
Server operations continue.

System Programmer Response:
None.


Message:
DTCSSL506E Key exchange lengths less than 2048 are not supported in NIST 800-131A mode

Explanation:
For security reasons, RSA or DSA key exchange lengths of less than 2048 bits are not permitted when MODE NIST-800-131A is specified.

System Action:
Server operations continue. The subject secure connection is terminated.

System Programmer Response:
Obtain a new certificate from the appropriate Certifying Authority (CA) to use in place of the current certificate. Install the replacement certificate in the key database and make any necessary configuration changes (inclusive of an SSLADMIN REFRESH command, if appropriate). Then, confirm that secure connections can be established with the new certificate in place.

   SSLADMIN/VMSSL - New and Changed Messages

The changes cited herein affect: z/VM: TCP/IP Messages and Codes (GC24-6237-03), "Chapter 17: SSLADMIN and VMSSL Messages."


Message:
DTCSSL2464W Only TLS V1.2 may be used in NIST SP 800-131A mode. All other protocols have been disabled.

Explanation:
For security reasons, the SSL Server disables SSLv2, SSLv3, TLS 1.0, and TLS 1.1 when operating in NIST SP 800-131a mode. This is managed internally by the SSL Server and cannot be overridden.

System Action:
None.

System Programmer Response:
None.


Message:
DTCSSL2465W FIPS operand is deprecated; the MODE operand should be used instead.

Explanation:
The MODE operand replaces the FIPS operand. This message is issued when the FIPS operand is specified during initialization of the SSL

System Action:
None.

System Programmer Response:
Specify MODE FIPS-140-2 instead of FIPS on the VMSSL command or in DTCPARMS.