V6R1 How to Disable SSL Version 3 for HTTP Admin (Port 2005) - CVE-2014-3566
The following instructions explain how to disable SSL Version 3 for the HTTP ADMIN server on V6R1, so that port 2005 will only use TLS. This is to address concerns about CVE-2014-3566 (POODLE).
These instructions apply to V6R1 only. On V7R1 and later, the ADMIN2 job has been updated to use Liberty, so these instructions do not apply.
Resolving the problem
Warning: Disabling SSL Version 3 for the HTTP ADMIN may prevent older browsers from being able to connect to the IBM Systems Director Navigator page.
To disable SSL Version 3 for port 2005, you must perform the following steps:
1. End the HTTP ADMIN server by issuing the following IBM i command:
ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
2. Once all the ADMIN jobs have ended in the QHTTPSVR subsystem, type the following command on the IBM i command line:
If the above command returns an empty file, the following steps should be completed.
Then option 2
a. Modify the last line from this:
To the following:
b. Insert the following line:
3. Press F3 two times to save/exit the file.
4. Restart the HTTP ADMIN server by issuing the following command:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
Once ADMIN is started, it will only support connections on port 2005 with TLS enabled in the browser.
The above changes can now be made by applying the following *IMMED PTFs with the ADMIN server ended:
Once the PTF is applied, the ADMIN server will automatically perform the steps outlined above the first time it starts up.
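To confirm the result after ADMIN restarts, the following added example (not part of the IBM document) sends a ClientHello that offers only SSL 3.0 to port 2005 and reports whether the server selects it. It assumes Python 3 on a workstation that can reach the system; the host name is passed as an argument, and the cipher suite list is an illustrative choice of legacy suites.

```python
import os
import socket
import struct

# Legacy suites an SSL 3.0 capable server is likely to share (3DES, AES, RC4).
CIPHER_SUITES = (0x000A, 0x002F, 0x0035, 0x0005, 0x0004)

def build_sslv3_client_hello() -> bytes:
    """Return one record holding a ClientHello that offers only SSL 3.0."""
    suites = b"".join(struct.pack(">H", s) for s in CIPHER_SUITES)
    body = (
        b"\x03\x00"                                  # client_version = SSL 3.0
        + os.urandom(32)                             # client random
        + b"\x00"                                    # empty session_id
        + struct.pack(">H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Interpret the first bytes the server sent back."""
    if not data:
        return "rejected (connection closed)"
    if data[0] == 0x15:                              # alert record
        return "rejected (alert)"
    hello = len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02
    if hello and data[9:11] == b"\x03\x00":          # ServerHello.server_version
        return "ACCEPTED (ServerHello selects SSL 3.0)"
    return "inconclusive"

def check_sslv3(host: str, port: int = 2005, timeout: float = 5.0) -> str:
    """Probe host:port once; a reset or close counts as a rejection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(64)
        except ConnectionError:
            data = b""
        return classify_reply(data)

if __name__ == "__main__":
    import sys
    print(check_sslv3(sys.argv[1]))
```

A "rejected" result is the expected outcome once SSL Version 3 is disabled; "ACCEPTED" means the change has not taken effect on that port.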
Operating System: IBM i 7.2
Operating System: IBM i 7.1
Operating System: IBM i 6.1
Software version: 6.1, 6.1.0, 6.1.1
Operating system(s): IBM i, iSeries
Reference #: N1020397
Modified date: 14 November 2016