A fix is available
APAR status
Closed as new function.
Error description
In order to maintain FIPS 140-2 and NIST SP 800-131a compliance, z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This introduces internal support for a subset of the cryptographic primitives found in z/OS ICSF. Use of these primitives is restricted to IBM-provided applications such as the TLS/SSL Server.

This support requires updates to CMS and LE via APARs VM65717 and VM65718.

The TLS/SSL Server has been updated to exploit the following new functions:

- AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key algorithm which is more secure than the current CBC mechanism employed today.
- Enablement of DSA Certificates in MODE NIST-800-131a, an update to the size of the DSS certificates the server can support for asymmetric encryption.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of the z/VM SSL server             *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************

In order to maintain FIPS 140-2 and NIST SP 800-131a compliance, z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This introduces internal support for a subset of the cryptographic primitives found in z/OS ICSF. Use of these primitives is restricted to IBM-provided applications such as the TLS/SSL servers.

This support requires updates to CMS and LE via APARs VM65717 and VM65718.

The TLS/SSL Server has been updated to exploit the following new functions:

- AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key algorithm which is more secure than the current CBC mechanism employed today.
- Enablement of DSA Certificates in MODE NIST-800-131a, an update to the size of the DSS certificates the server can support for asymmetric encryption.
Problem conclusion
Temporary fix
Comments
The main things that System SSL 2.1 and internal support for a subset of the cryptographic primitives found in z/OS ICSF provide are:

1. NIST 800-131 enhancements
2. Suite B Profile for TLS (RFC 5430) support
3. Elliptic Curve Cryptography (ECC) support
4. AES Galois Counter Mode (GCM) support

The major changes to the TLS/SSL server include:

1. Update the cipher list for AES GCM in SSLCIPHS.C
2. Report the AES GCM availability by changing CMCOMM.COPY and CMNETST.PASCAL
3. Add a new socket call which is used to return an input vector for AES GCM from the TCP/IP stack
4. Update the cipher list to re-enable DSA for mode NIST-800-131A
5. Change the function which is used to determine the key bit length of the certificate in use for the session, to support the DSA algorithm
APAR Information
APAR number
PI40702
Reported component name
TCP/IP V2 FOR V
Reported component ID
5735FAL00
Reported release
630
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-05-08
Closed date
2015-09-10
Last modified date
2016-03-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI31015
Modules/Macros
CMCOMM CMNETST CMPRCOM CMSOCK GSKCMS31 GSKC31 GSKC31F GSKKYMAN GSKMSGA GSKMSGS GSKSSL GSKSUS31 GSKS31 GSKS31F GSKTRACE ICSFLIB SSLCIPHS SSLGSKCF SSLMNTOR TCIUCAPI TCPBL492 TCPEQUAT TCPIP TCSOCKRE TCVAR
Fix information
Fixed component name
TCP/IP V2 FOR V
Fixed component ID
5735FAL00
Applicable component levels
R630 PSY UI31015
UP15/09/16 P 1601
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
30 March 2016