IBM Support

Enabling ibm-slapdSslFipsProcessingMode fails with the GSKit 8 version bundled with ITDS 6.3 GA

Question & Answer


Question

The FIPS processing mode cannot be enabled using the version of GSKit 8 bundled with the GA version of ITDS 6.3.

Cause

FIPS support/certification was not available in GSKit v8.0.13.1 that was shipped with ITDS 6.3.

Answer

When attempting to enable ibm-slapdSslFipsProcessingMode on ITDS 6.3, the following errors may occur when clients attempt to connect to the server over SSL:

GLPSSL009E An incorrect value of /path/to/the/kdb/file was given for the SSL cipher specification.

In addition, an error like the following will show up in the server trace:

009:17:50:18 T1134971200 SSLGSKIT::secureSocOpen: open a secure connection
009:17:50:18 T1134971200 SSLGSKIT::setSocAttributeBuffer: set user data in the GSKit socket handle.
009:17:50:18 T1134971200 SSLGSKIT::enableTLSCiphers: enable TLS ciphers for GSKit socket handle
009:17:50:18 T1134971200 SSLGSKIT::enableV3Ciphers: turn on SSL V3 ciphers for GSKit socket handle
009:17:50:18 T1134971200 Error - SSLGSKIT::secureSocInit(): initializing secure socket
009:17:50:18 T1134971200 gsk_secure_soc_init failed, system errno=22 Invalid argument
009:17:50:18 T1134971200 gsk_secure_soc_init failed, GSK_ERROR_BAD_V3_CIPHER: rc=422

Upgrade GSKit to 8.0.14.14 or later; ibm-slapdSslFipsProcessingMode can then be enabled. GSKit 8.x can be downloaded from Fix Central.
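A triage helper for the failure described above, as an added example that is not IBM tooling or part of the original technote. The function names and verdict strings are hypothetical, and the installed GSKit version is assumed to be passed in as a dotted string.

```shell
#!/bin/sh
# Added example (not IBM code): decide whether a failed FIPS enablement
# matches this technote. Function names and verdicts are hypothetical.
MIN_GSKIT="8.0.14.14"   # minimum GSKit version stated in the technote

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically (a string compare would rank 8.0.14.2 above 8.0.14.14).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        # Drop the leading component; empty the string when none remain.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# trace_has_bad_cipher FILE: succeed when the server trace contains the
# GSKit error quoted in the technote.
trace_has_bad_cipher() {
    grep -q 'gsk_secure_soc_init failed, GSK_ERROR_BAD_V3_CIPHER: rc=422' "$1"
}

# diagnose VERSION TRACEFILE: print one verdict.
#   gskit-ok       version meets the minimum; look for another cause
#   upgrade-gskit  version too old and the trace shows the rc=422 signature
#   gskit-too-old  version too old, signature not (yet) in the trace
diagnose() {
    if version_ge "$1" "$MIN_GSKIT"; then
        echo "gskit-ok"
    elif trace_has_bad_cipher "$2"; then
        echo "upgrade-gskit"
    else
        echo "gskit-too-old"
    fi
}

# Demo: trace lines taken from the technote, with the GA GSKit version it names.
sample=$(mktemp)
cat > "$sample" <<'EOF'
009:17:50:18 T1134971200 Error - SSLGSKIT::secureSocInit(): initializing secure socket
009:17:50:18 T1134971200 gsk_secure_soc_init failed, GSK_ERROR_BAD_V3_CIPHER: rc=422
EOF
diagnose "8.0.13.1" "$sample"
rm -f "$sample"
```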


Document Information

Modified date:
16 June 2018

UID

swg21578181