IBM Support

PH18435: TLS CERTIFICATE VERIFICATION

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

Local fix

  • N/A

Problem summary

  • ****************************************************************
* USERS AFFECTED: All TCP/IP users with TLS enabled and a need *
*                 either to:                                   *
*                   - authenticate a client's certificate      *
*                   - extract fields from a certificate        *
*                   - allow a client to verify the identity of *
*                     a server                                 *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
Enhancements within the TCP/IP TLS/SSL server allow
authentication of client certificates, hostname validation, and
extraction of fields from a certificate.

Client certificate authentication support allows a server to
verify a client by examining the certificate it presents to
ensure that it has been signed by a certificate authority the
server trusts and that it has not expired.  The client
authentication support that was previously added to
dynamically secured Telnet connections has been expanded
to the z/VM FTP and SMTP servers.  Additionally, the PORT
statement in the TCPIP configuration file has been
updated to allow client certificate authentication for
statically secured connections.

Host name validation support allows a client to verify the
identity of a server by passing a string containing a host
name, domain name, or IP address on the handshake request.
The string will be compared to fields in the server
certificate.  If the string is not contained in the server
certificate, the client may decide to fail the handshake.

In addition to the above support, new APIs extract fields
from a client or server certificate.

Problem conclusion

  • 



Temporary fix


    

  • 



Comments


    

  • For client certificate authentication, the CLIENTCERTCHECK
option will be used to specify if a client certificate will
be requested and what action will be taken if authentication
fails.  This option has been added to the SECURE statements
in the FTP and SMTP server configuration files and also to
the PORT statement for statically secured connections.  The
allowable values for the CLIENTCERTCHECK option are
NONE | PREFERRED | REQUIRED.  The default setting is
PREFERRED which means that a client certificate will
be requested but if authentication fails, the handshake will
continue.  Note that IBM Host On-Demand users will need to
configure their clients to send client certificates as the
default or will need to add CLIENTCERTCHECK NONE to the
INTERNALCLIENTPARMS statement in the TCPIP Config file so
that a client certificate is not requested.

New APIs will allow fields to be requested from a local or
partner certificate.  The new APIs include a TCPSCERTDTA call
for Pascal routines and a new SIOCGCERTDATA ioctl code for IUCV
and C routines.

For Host Name Verification, the SecureDetailType structure has
been updated with a new Version field.  When the Version is
set to 1, a new SecureDetailExtension can be included on a
secure client call to specify an FQDN, host name or IP address.
This value will be compared to the Common Name, Domain Name,
or Subject Alternate Name extension marked as an IP address in
the server certificate to verify the identity of the server.

The z/VM Telnet client has been updated to use the new
SecureDetailExtension.  Note that when Host Name
Verification is enbled, values inside the server's digital
certificate will be checked against the hostname or
IP address of the TCP/IP stack.  Use of this option may
potentially require new or updated digitial certificates,
if such fields have not already been included.

Refer to the updated TCP/IP Planning and Customization and
TCP/IP Programmer's Reference for details of the above support.

This APAR ships many of the TCP/IP client and server modules.
In addition, new versions of CMS and LE (APARs VM66348 and
VM66349) are required for the SSL server and any users that
will be issuing the new SIOCGCERTDATA ioctl.  A restart of all
of these clients and servers will be required.  No restart
of z/VM itself is required.
×**** PE21/03/24 FIX IN ERROR. SEE APAR PH35671  FOR DESCRIPTION

    



APAR Information




    

  • APAR number
    PH18435
    • 

  • Reported component name
    TCP/IP FOR Z/VM
    • 

  • Reported component ID
    5735FAL00
    • 

  • Reported release
    710
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2019-10-23
    • 

  • Closed date
    2020-06-10
    • 

  • Last modified date
    2021-06-29
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI69975
    

    • 



Modules/Macros


    

  • CMCLIEN  CMCOMM   CMCONVXL CMDASDR  CMERUPT  CMFSCRN  CMHOSTN
CMINTER  CMMAKSI  CMNETST  CMOBEY   CMPRCOM  CMRESGLB CMRESOL
CMSOCK   CMVERT   DTCNETRC FPNOTIF  FPQUEUE  FPSCHED  FPSOCKRE
FPTCPREQ FPTCPUP  FTMAIN   FTP      FTPROCS  FTSEVEN  FTSRVCO
FTSRVPA  FTSUTIL  FTSVMSUB FTSYPRO  FTUTIL   F6TCPUP  HOMETEST
LPQ      LPRM     LPRP     MSCOMM   MSCOMMON MSCONVXL MSFTP
MSFTPC   MSHOMETE MSMAKESI MSNETSTA MSOBEY   MSSAMP   MSSMTP
MSSMTR   MSTCP    MSTEL    MSTESTSI MSTFTP   MSTRACE  REXEC
SMTP     SMTPCMDS SMTPEVNT SMTPGLOB SMTPQUEU SMTPRES  SMTPRPLY
SMTPRULE SMTPSMSG SRVRFTP  SSLADMNP SSLCTLIO SSLDPUMP SSLGSKCF
SSLMNTOR SSLREPRT SSLSCBEX SSLTRACE SSLTRSIT TCACB    TCARP
TCBASEX  TCBASTY  TCCLIEN  TCFPSM   TCFR182  TCIPDOW  TCMIB
TCMON    TCMPRIO  TCNOTIF  TCPARSE  TCPDOWN  TCPEQUAT TCPERUP
TCPIP    TCPREQU  TCPRINT  TCPSSL   TCPUP    TCQDIO   TCQUEUE
TCSHUT   TCSKCB   TCSOCKC  TCSOCKRE TCTCB    TCTOATM  TCTOCTC
TCTOHPPI TCTOOSD  TCUDPRE  TCUTIL   TFPARSE  TFUTIL   TNSTMAS
TNUTMAS  T6PREQU  T6PSSL   T6SOCKRE T6UDPRE

    




Publications Referenced


GC24632801GC24633003SC24633104SC24633203SC24633303





Fix information


    

  • Fixed component name
    TCP/IP FOR Z/VM
    • 

  • Fixed component ID
    5735FAL00
    • 



Applicable component levels


    

  • R710  PSY  UI69975
       UP20/06/16  P  2101
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG27N"},"Platform":[{"code":"PF054","label":"z\/OS"}],"Version":"710"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            30 June 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback