IBM Support

V6R1 How to Disable SSL Version 3 for HTTP Admin (Port 2005) - CVE-2014-3566

Technote (troubleshooting)


Problem (Abstract)

The following instructions explain how to disable SSL Version 3 for the HTTP ADMIN server on V6R1, so that port 2005 will only use TLS. This is to address concerns about CVE-2014-3566 (POODLE).

Environment

V6R1 only. On V7R1 and later, the ADMIN2 job has been updated to use Liberty, so these instructions do not apply.

Resolving the problem

Warning: Disabling SSL Version 3 for the HTTP ADMIN server may prevent older browsers from connecting to the IBM Systems Director Navigator page.

To disable SSL Version 3 for port 2005, you must perform the following steps:
1. End the HTTP ADMIN server by issuing the following IBM i command:

ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
2. Once all the ADMIN jobs have ended in the QHTTPSVR subsystem, type the following command on the IBM i command line:

EDTF '/qibm/userdata/os/osgi/lwisysinst/admin2/lwi/conf/webcontainer.properties'

If the above command returns an empty file, complete the following steps:
WRKLNK '/QIBM/UserData/OS/OSGI/LWISysInst/admin2/lwi/conf/webcontainer.properties'
Then select option 2.


a. Modify the last line from this:

com.ibm.ssl.enabledCipherSuites.SSL_TEST=SSL_RSA_WITH_RC4_128_SHA

To the following:

com.ibm.ssl.enabledCipherSuites.SSL_TEST=TLS_RSA_WITH_AES_128_CBC_SHA

b. Insert the following line:

com.ibm.ssl.protocol.SSL_TEST=TLS
3. Press F3 two times to save/exit the file.
4. Restart the HTTP ADMIN server by issuing the following command:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Once ADMIN is started, it will only support connections on port 2005 with TLS enabled in the browser.
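
The following check is an added example, not part of the IBM technote: a POSIX shell script that reads a copy of webcontainer.properties and confirms that the two SSL_TEST settings from step 2 are in effect. The function names, the constructed sample files and the handling of lists with more than one cipher suite are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit a copy of webcontainer.properties.

# prop_value FILE KEY: print the last value assigned to KEY (key=value lines only).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            line = $0; sub(/\r$/, "", line)         # tolerate CRLF line ends
            sep = index(line, "="); if (sep == 0) next
            k = substr(line, 1, sep - 1); v = substr(line, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                   # a later duplicate wins
        }
        END { print val }' "$1"
}

# check_admin_tls FILE: return 0 only if both SSL_TEST settings match the steps above.
check_admin_tls() {
    rc=0
    proto=$(prop_value "$1" com.ibm.ssl.protocol.SSL_TEST)
    suites=$(prop_value "$1" com.ibm.ssl.enabledCipherSuites.SSL_TEST)
    # Assumption: several suites, if present, are separated by commas or blanks.
    list=",$(printf '%s' "$suites" | tr -s ' \t' ',,'),"
    if [ "$proto" != "TLS" ]; then
        echo "FAIL: com.ibm.ssl.protocol.SSL_TEST is '$proto', expected TLS"; rc=1
    fi
    case $list in *,SSL_RSA_WITH_RC4_128_SHA,*)
        echo "FAIL: SSL_RSA_WITH_RC4_128_SHA is still enabled"; rc=1 ;;
    esac
    case $list in *,TLS_RSA_WITH_AES_128_CBC_SHA,*) ;; *)
        echo "FAIL: TLS_RSA_WITH_AES_128_CBC_SHA is not enabled"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $1"; fi
    return "$rc"
}

# Constructed sample files: the last line before the edit, and the two lines after it.
demo=${TMPDIR:-/tmp}/admin_tls_demo.$$
mkdir -p "$demo"
echo 'com.ibm.ssl.enabledCipherSuites.SSL_TEST=SSL_RSA_WITH_RC4_128_SHA' > "$demo/before"
printf '%s\n' 'com.ibm.ssl.enabledCipherSuites.SSL_TEST=TLS_RSA_WITH_AES_128_CBC_SHA' \
    'com.ibm.ssl.protocol.SSL_TEST=TLS' > "$demo/after"
check_admin_tls "$demo/before" || echo "-> before: settings not applied"
check_admin_tls "$demo/after" && echo "-> after: settings applied"
rm -rf "$demo"
```

A non-zero return from check_admin_tls means at least one of the two lines from step 2 is missing or is overridden by a later duplicate in the file.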
-----------------------------------------------

The above changes can now be made by applying the following *IMMED PTFs with the ADMIN server ended:

SI57921    V6R1M0

Once the PTF is applied, the ADMIN server will automatically perform the steps outlined above the first time it starts up.

Cross reference information
Segment Product Component Platform Version Edition
Operating System IBM i 7.2
Operating System IBM i 7.1
Operating System IBM i 6.1

Document information

More support for: IBM i
Web technologies

Software version: 6.1, 6.1.0, 6.1.1

Operating system(s): IBM i, iSeries

Reference #: N1020397

Modified date: 14 November 2016