IBM Support

SI62358 - Disable the default configuration of 3DES

PTF (Program Temporary Fixes) Cover letter


Abstract

Disable the default configuration of 3DES


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL
TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
PRE  5770SS1  710  SI50077   00/00    0000
PRE  5770SS1  710  SI47650   00/00    0000
PRE  5770SS1  710  SI44775   00/00    0000
PRE  5770SS1  710  SI44802   00/00    0000
PRE  5770SS1  710  SI44807   00/00    0000
PRE  5770SS1  710  SI44821   00/00    0000
DIST 5770999  710  MF99007   00/00    0000
DIST 5733SC1  610  SI49904   NONE     0001
DIST 5770SS1  710  SI45609   NONE     0003



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.


APAR Error Description / Circumvention

-------------------------------------------------
3DES is an old symmetric algorithm that is exposed to the
vulnerability known as the SWEET32 birthday attack. By capturing
large amounts of encrypted traffic between the SSL/TLS server
and the client, a remote attacker able to conduct a
man-in-the-middle attack could exploit this vulnerability to
recover the plaintext data and obtain sensitive information.
At a high level, the suggested remediation is to disable 3DES
(by default) for TLS or VPN.

CORRECTION FOR APAR 'SE65684' :
-------------------------------
For the CIMOM server, to avoid the potential risk of 3DES, this
fix disables 3DES in the cipher suite (by default) for TLS or
VPN.

CIRCUMVENTION FOR APAR 'SE65684' :
----------------------------------
None.
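
One way to check the result of this correction from a client machine, as an added example (not IBM's code and not part of the PTF): it flags 3DES suite names in a list and offers only 3DES suites to a TLS listener to confirm that the handshake is refused. The host and port of the CIMOM TLS listener are supplied by the caller, and the sample suite list is constructed.

```python
import socket
import ssl

# 3DES name fragments: OpenSSL style ("DES-CBC3-SHA") and IANA style
# ("TLS_RSA_WITH_3DES_EDE_CBC_SHA"). Single DES ("DES-CBC-SHA") does not match.
_3DES_MARKERS = ("DES-CBC3", "3DES_EDE")

# Constructed sample of suite names, e.g. copied from a scanner report.
SAMPLE_SUITES = ["AES128-SHA", "DES-CBC3-SHA", "DES-CBC-SHA",
                 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-AES256-GCM-SHA384"]


def is_3des_suite(name):
    """True if a cipher-suite name (OpenSSL or IANA spelling) uses 3DES."""
    return any(marker in name.upper() for marker in _3DES_MARKERS)


def find_3des(suites):
    """Return the 3DES entries of an iterable of cipher-suite names."""
    return [s for s in suites if is_3des_suite(s)]


def probe_3des(host, port, timeout=5.0):
    """Offer only 3DES suites to host:port.

    Returns ("accepted", suite), ("rejected", reason) or ("untestable", reason).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # certificate trust is out of scope here
    ctx.verify_mode = ssl.CERT_NONE  # testing negotiation, not trust
    # set_ciphers() does not govern TLS 1.3 suites; cap at TLS 1.2 so that a
    # completed handshake can only mean a 3DES suite was selected.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("3DES")
    except ssl.SSLError as exc:
        return ("untestable", f"local OpenSSL offers no 3DES suites: {exc}")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("accepted", tls.cipher()[0])
    except ssl.SSLError as exc:      # handshake failed; the reason says why
        return ("rejected", exc.reason or str(exc))
    except OSError as exc:           # refused, timed out, unreachable
        return ("untestable", f"connection failed: {exc}")


if __name__ == "__main__":
    print(find_3des(SAMPLE_SUITES))
```

A "rejected" result whose reason names a protocol version rather than a handshake failure means the two ends share no TLS version, so the 3DES question is still open for that endpoint.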


Activation Instructions

None.




Special Instructions

********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

1. Stop the CIMOM server.
2. Install this CIMOM PTF SI62516.
3. This CIMOM PTF sets prereq PTF SI50077 (5770SS1 V7R1M0) and distreq
MF99007 (5770999 V7R1M0). Double-check that SI50077 and MF99007 are
already installed on the system before starting CIMOM.


To enable this fix:
1. Stop the CIMOM server.
2. Make sure OpenSSL version 0.9.8 or above is installed. The minimum
PTF version for V6R1 is SI49904.
3. Install CIMOM PTF SI61209.
4. Back up the default key file path
"/Qopensys/QIBM/UserData/UME/Pegasus/ssl/keystore", then delete this
directory and all the files under it. Note that the default key file
path can be changed through the server properties sslKeyFilePath and
sslCertificateFilePath.
5. Start the CIMOM server. A new certificate should be created
automatically under "/Qopensys/QIBM/UserData/UME/Pegasus/ssl/keystore".


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI62516      Remove PTF check in QUME_StorageExtentProvider
   SI61209      Change CIM default OpenSSL certificate and key to SHA512with
   SI59244      OSP-OTHER To fix the potential risk of SLOTH, we are disabli
   SI57743      OSP-UNPRED Fix the issue that Timestamp retrieved is incorre
   SI57434      OSP-UNPRED Fix the issue that after apply PTF SI57128 STRTCP
   SI57128      OSP-OTHER Fix Poodle vulnerability issue
   SI55063      OSP-UNPRED enable new feature to support setting CIM server
   SI51896      OSP-UNPRED CIM repository reshipped after IPL
   SI51788      OSP-UNPRED Fix bug that message queue indication could not b
   SI50885      OSP-UNPRED Implement a new method to enable Activation Engin
   SI50606      OSP-UNPRED Fix bug that CIM could not retrieve storage pool
   SI50075      OSP-UNPRED Implement new performance metrics, disk unit inst
   SI49063      OSP-UNPRED Implement some new performance metrics and enhanc
   SI48633      OSP-UNPRED Fix three 5770-UME problems.
   SI47798      OSP-UNPRED Implement new performance metrics, cache battery
   SI47798      OSP-UNPRED Include all the new/updated messages in SI47798 i
   SI43552      OSP-UNPRED Implement new performance metrics, link aggregati
   SI46881      OSP-UNPRED Enhance Message Queue monitor provider of 5770-UM
   SI45460      OSP-UNPRED New runtime configuration options for indication
   SI41540      OSP-UNPRED Upgrade OpenPegasus version of 5770-UME from 2.8.
   SI41540      OSP-UNPRED DELETE PEGASUS-2.5.1 CODE of 5770-UME IN V1R3M0F.
   SI41540      OSP-UNPRED Update Message Queue code of 5770-UME
   SI41540      OSP-UNPRED Update Pegasus 2.10 source code of 5770-UME
   SI36447      For v1r3 ptf: TVT dat files
   SI39334      cimconfig command reports incorrect exit status (bug7908)
   SI39334      getservbyname() is not thread safe(bug8010)
   SI39334      File rename operations should be atomic(bug7800)
   SI39334      GetLine mishandles multibyte characters(bug8111)
   SI39334      IndicationService is called after it is destructed(bug8281)
   SI39334      Socket::timedConnect does not handle EAGAIN(bug7957)
   SI39334      cimserver may hang on start-up exception(bug8253)
   SI39334      Repository _resolveInstance logic is not thread safe (bug789
   SI39334      invalid arguments are passed to activateFilter (bug8091)
   SI39334      Interoperability issue with wbemservices CIMOM - CLASSORIGIN
   SI39334      NoSuchProperty exception while returning instances without a
   SI39334      Delete Provider Module fails when CMPI Provider Manager was
   SI39334      Disabling object normalization does not work (bug7924)
   SI39334      cimprovagt crash if tracing is enabled(bug7941)
   SI39334      high cpu consumption of cimprovagt processes
   SI39334      TestOOPModuleFailure fails
   SI39334      exitThread() may crash
   SI39334      CMPI threads are not joinable
   SI39334      AtomicInt implementation is broken on PowerPC Architecture
   SI39334      multiple creations of CMPI_ThreadContext::contextKey
   SI39334      CIMStopAllProvidersRequestMessage is processed twice (bug 85
   SI39334      Memory leak in snmpIndicationHandler (bug7998)
   SI39334      Memory is leaking on releasing cloned CMPIArray (bug 8560)
   SI39334      CQLValueRep: Wrong switch statement in array comparison (bug
   SI39334      CIM operation in provider using its cimom handle fails after
   SI39334      System::isLoopBack() does not handle all allowed IPv4 loopb
   SI39334      enumProviderProfileCapabilityInstances does not work if chec
   SI39334      CMPIClassCache::getClass() does not handle all exceptions (b
   SI39334      pthread_attr_destroy not called on pthread_create failure. (
   SI39334      CMGetObjectPath() returns incorrect ObjectPath (bug 8655)
   SI39334      unhandled exception in instGetObjectPath (bug 8321)
   SI39334      newThread() may cause provider hangs (bug 8699)
   SI39334      time_wait() implementation is incorrect for pthread semaphor
   SI39334      CMPIError objects are leaking (bug 8555)
   SI39334      incorrect check for local and target interface type in creat
   SI39334      SLP Provider not advertizing Registered Profiles
   SI39087      cimserver doesn't start while QIBM_USE_DESCRIPTOR_STDIO is s
   SI39087      splf for QUMECIMOM created
   SI39087      Director consumer create spool files and indication provider
   SI39087      i5provider msg makefile
   SI39087      Provider interface is invalid when gi PG_ShutdownService
   SI36868      Fix all v1r3m0 bugs in the first v1r3m0f - integrate to one
   SI41685      OSP-UNPRED Update CIM Schema of 5770-UME to 2.26 and update
   SI37733      change the ownership of files: cit, lpume.log

Summary Information

System.............................. i
Models..............................
Release............................. V1R3M0
Licensed Program............... 5770UME
APAR Fixed.......................... View details for APAR SE65684
Superseded by:...................... View fix details for PTF SI63489
Recompile........................... N
Library............................. QUME
MRI Feature ........................ NONE
Cum Level........................... NONE


Document information

More support for: i family

Software version: V1R3M0

Operating system(s): OS/400

Reference #: SI62358

Modified date: 27 October 2016