IBM Support

PI40702: SYSTEM SSL V2.1 AND TLS/SSL SERVER UPGRADE

A fix is available


APAR status

  • Closed as new function.

Error description

  • In order to maintain FIPS 140-2 and NIST SP 800-131a compliance,
    z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This
    introduces internal support for a subset of the cryptographic
    primitives found in z/OS ICSF. Use of these primitives is
    restricted to IBM-provided applications such as the TLS/SSL
    Server.
    .
    This support requires updates to CMS and LE via APARs VM65717
    and VM65718.
    .
    The TLS/SSL Server has been updated to exploit the following new
    functions:
    .
      -AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key
       algorithm which is more secure than the current CBC mechanism
       employed today.
    .
      -Enablement of DSA Certificates in MODE NIST-800-131a, an
       update to the size of the DSS certificates the server can
       support for asymmetric encryption.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the z/VM SSL server             *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    In order to maintain FIPS 140-2 and NIST SP 800-131a compliance,
    z/VM System SSL has been upgraded to z/OS V2.1 equivalency. This
    introduces internal support for a subset of the cryptographic
    primitives found in z/OS ICSF. Use of these primitives is
    restricted to IBM-provided applications such as the TLS/SSL
    servers.
    This support requires updates to CMS and LE via APARs VM65717
    and VM65718.
    
    The TLS/SSL Server has been updated to exploit the following new
    functions:
    
    - AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key
      algorithm which is more secure than the current CBC mechanism
      employed today.
    
    - Enablement of DSA Certificates in MODE NIST-800-131a, an
      update to the size of the DSS certificates the server can
      support for asymmetric encryption.
    

Problem conclusion

Temporary fix

Comments

  • The main features provided by System SSL 2.1 and the internal
    support for a subset of the cryptographic primitives found in
    z/OS ICSF are:
    1. NIST 800-131 enhancements
    2. Suite B Profile for TLS (RFC 5430) support
    3. Elliptic Curve Cryptography (ECC) support
    4. AES Galois Counter Mode (GCM) support
    
    The major changes to TLS/SSL server include:
    1. Update the cipher list for AES GCM in SSLCIPHS.C
    2. Report the AES GCM availability by changing CMCOMM.COPY and
       CMNETST.PASCAL
    3. Add a new socket call which is used to return an input vector
       for AES GCM from the TCP/IP stack
    4. Update the cipher list to reenable DSA for mode NIST-800-131A
    5. Change the function which is used to determine the key bit
       length of the certificate in use for the session, so that it
       supports the DSA algorithm
    

APAR Information

  • APAR number

    PI40702

  • Reported component name

    TCP/IP V2 FOR V

  • Reported component ID

    5735FAL00

  • Reported release

    630

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-08

  • Closed date

    2015-09-10

  • Last modified date

    2016-03-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI31015

Modules/Macros

  • CMCOMM   CMNETST  CMPRCOM  CMSOCK   GSKCMS31
    GSKC31   GSKC31F  GSKKYMAN GSKMSGA  GSKMSGS  GSKSSL   GSKSUS31
    GSKS31   GSKS31F  GSKTRACE ICSFLIB  SSLCIPHS SSLGSKCF SSLMNTOR
    TCIUCAPI TCPBL492 TCPEQUAT TCPIP    TCSOCKRE TCVAR
    

Fix information

  • Fixed component name

    TCP/IP V2 FOR V

  • Fixed component ID

    5735FAL00

Applicable component levels

  • R630 PSY UI31015

       UP15/09/16 P 1601

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
30 March 2016