IBM Support

IBM i Java Development Kit SSLv3 Security Bulletin (CVE-2014-3566 POODLE) Frequently Asked Questions (FAQ)

Question & Answer


Question

What are some common frequently asked questions (FAQs) and answers for the CVE-2014-3566 POODLE Vulnerability in relation to the IBM i Java Development Kit (JDK) (57xxJV1)?

Answer

IBM strongly recommends that you always run your IBM i server with the network protocols and cipher suites specified below disabled. NOTE: Configuring your IBM i server to allow the use of weak protocols and weak cipher suites will result in your IBM i server potentially being at risk of a network security breach. IBM DISCLAIMS AND YOU ASSUME ALL RESPONSIBILITY AND LIABILITY FOR ANY DAMAGE OR LOSS, INCLUDING LOSS OF DATA, ARISING OUT OF OR RELATED TO YOUR USE OF THE SPECIFIED NETWORK PROTOCOL AND/OR CIPHER SUITES.

Weak Protocols (as of April 2016):
Secure Sockets Layer version 2.0 (SSLv2)
Secure Sockets Layer version 3.0 (SSLv3)

Weak Cipher Suites (as of April 2016):
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_WITH_RC2_CBC_128_MD5
SSL_RSA_WITH_DES_CBC_MD5
SSL_RSA_WITH_3DES_EDE_CBC_MD5
TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA

NOTE!!! Please review the following document first, which addresses the general FAQs for the IBM Java Development Kit (JDK).
IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability (CVE-2014-3566)

Here are some additional FAQs specific to the IBM i OS:

What JDK versions are installed on my IBM i?


    Execute the GO LICPGM command and then select Option 10. This will display the Licensed Programs installed on your IBM i operating system. Locate the following licensed program product based on your IBM i OS Version and Release.

    IBM i VRM            Licensed Program Product (LPP) Number
    6.1 / 6.1.1 / 7.1    5761JV1
    7.2 / 7.3            5770JV1

    Each option listed for the 57xxJV1 LPP is a different JDK Version and Bit Level on the IBM i Operating system. Please review the following IBM Software Technical Document to match up the specific 57xxJV1 Option with a JDK Version and Bit Level:
    Supported IBM Java Development Kit (JDK) Versions by IBM i Operating System Version and Release

How do I determine what IBM i Java Group PTF level fixes a specific CVE?

The "Java on IBM i security updates" page in the Java on IBM i zone of developerWorks contains a detailed matrix of every CVE that affects Java on IBM i and where it is corrected.
http://www.ibm.com/developerworks/ibmi/techupdates/java

What are the IBM i Java Group PTF numbers and levels providing the fix disabling SSLv3 by default for all IBM JDKs?

IBM i VRM    Group PTF Number    Level
6.1/6.1.1    SF99562             30
7.1          SF99572             19
7.2          SF99716             4
7.3          SF99725             1

What are the specific IBM i JDK LPP PTFs included in the above Group PTFs that provide the fix disabling SSLv3 by default for all IBM JDKs?

IBM i VRM            JDK Version and Bit Level    PTFs
6.1 / 6.1.1 / 7.1    6.0 SR16 FP2 - 32bit         SI55049, SI54610
                     6.0 SR16 FP2 - 64bit         SI55048, SI55228
                     6.2.6 SR8 FP2 - 32bit        SI55016, SI55020
                     6.2.6 SR8 FP2 - 64bit        SI55024, SI55042
7.1                  7.0 SR8 - 32bit              SI55242, SI55151, SI55152
                     7.0 SR8 - 64bit              SI55243, SI55104, SI55100
                     7.1 SR2 - 32bit              SI55038, SI55061
                     7.1 SR2 - 64bit              SI54307, SI54195
7.2                  6.0 SR16 FP2 - 32bit         SI54652, SI55047
                     6.0 SR16 FP2 - 64bit         SI55046, SI55229
                     6.2.6 SR8 FP2 - 32bit        SI55021, SI55022
                     6.2.6 SR8 FP2 - 64bit        SI55027, SI55043
                     7.0 SR8 - 32bit              SI55241, SI55150
                     7.0 SR8 - 64bit              SI55244, SI55149
                     7.1 SR2 - 32bit              SI55036, SI55062
                     7.1 SR2 - 64bit              SI53688, SI54306
7.3                  All JDK Versions             Included in 5770JV1 GA code level

What are the IBM i Java Group PTF numbers and levels that implement the new java.security property, jdk.tls.disabledAlgorithms, to disable the SSLv3 protocol and RC4 cipher suites by default for IBM i JDKs 5.0, 6.0, 6.2.6, 7.0, 7.1, and 8.0?

IBM i JDKs 5.0 (IBM i 6.1.x & 7.1 only), 7.0, 7.1, and 8.0
IBM i VRM    Group PTF Number    Level
6.1/6.1.1    SF99562             32
7.1          SF99572             21
7.2          SF99716             6
7.3          SF99725             1

IBM i JDKs 6.0 and 6.2.6
IBM i VRM    Group PTF Number    Level
6.1/6.1.1    SF99562             33
7.1          SF99572             22
7.2          SF99716             7
7.3          N/A                 N/A

What IBM JDK Service Release (SR) level for each JDK version on the IBM i disables SSLv3 by default?

    IBM i 7.1 and later
    • IBM SDK, Java Technology Edition, Version 7 Service Release 8
    • IBM SDK, Java Technology Edition, Version 7 Release 1 Service Release 2
    • IBM SDK, Java Technology Edition, Version 8 GA Release

    IBM i 6.1 and later
    • IBM SDK, Java Technology Edition, Version 6.0.1 Service Refresh 8 Fix Pack 2 (J9 VM2.6)
    • IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 2

What IBM JDK Service Release (SR) level for each JDK version on the IBM i disables the SSLv3 and RC4 cipher suites by default via the jdk.tls.disabledAlgorithms property?

    IBM i 7.1 and later
    • IBM SDK, Java Technology Edition, Version 7 Service Release 9
    • IBM SDK, Java Technology Edition, Version 7 Release 1 Service Release 3
    • IBM SDK, Java Technology Edition, Version 8 Service Release 1

    IBM i 6.1 and later
    • IBM SDK, Java Technology Edition, Version 6.0.1 Service Refresh 8 Fix Pack 7 (6.2.6)
    • IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 7
    • IBM SDK, Java Technology Edition, Version 5 Service Refresh 16 Fix Pack 10 (IBM i 6.1 and 7.2 only)

How do I find the JDK SR level for each JDK version on the IBM i?

    1) Locate the JAVA_HOME value for the JDK Version and Bit Level you wish to display the SR level for using the following IBM Software Technical Document.

    2) Start the Qshell environment.

      STRQSH

    3) Set up your Java environment.

      export JAVA_HOME=<JAVA_HOME value>

      e.g. If I wanted to set my Java environment to JDK 6.0 32bit, I would execute the following command.
      export JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit

    4) Execute the 'java -version' command to display the JDK's version information.

      java -version

    5) Analyze the output to locate the JDK's SR level.

      e.g. Here is example output from the 'java -version' command showing JDK 6.0 32bit SR16 FP1, which stands for Service Release 16 Fix Pack 1.

      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pap3260sr16fp1-20140706_01(SR16 FP1))
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 OS/400 ppc-32 jvmap3260sr16fp1-20140706_01 (JIT enabled, AOT enabled)
      J9VM - 20140626_204542
      JIT - r9_20130920_46510ifx7
      GC - GA24_Java6_SR16_20140626_1848_B204542)
      JCL - 20140704_01
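As an added example (not from the IBM technote), the following Qshell/POSIX shell script automates step 5: it parses the SR and FP numbers out of the 'java -version' runtime line and compares them with the minimum level listed in this FAQ for that JDK. It assumes the build-string layout shown above; the sample line and the JDK directory names (jdk60, jdk626, jdk70, jdk71, jdk80) are the ones this page uses.

```shell
# Added example (not from the IBM technote): parse the SR/FP level out of the
# runtime line printed by 'java -version' on IBM i and check it against the
# level at which this FAQ says SSLv3 is disabled by default.
# Assumes the IBM build-string layout shown above, e.g. "pap3260sr16fp1-20140706_01".

# Constructed sample: second line of 'java -version' for JDK 6.0 32bit SR16 FP1.
SAMPLE_RUNTIME_LINE='Java(TM) SE Runtime Environment (build pap3260sr16fp1-20140706_01(SR16 FP1))'

# sr_level LINE -> prints "<sr> <fp>" (fp is 0 when the build carries no fix pack)
sr_level() {
    build=$(printf '%s\n' "$1" | sed -n 's/.*(build \([^ (]*\).*/\1/p')
    sr=$(printf '%s\n' "$build" | sed -n 's/.*sr\([0-9][0-9]*\).*/\1/p')
    fp=$(printf '%s\n' "$build" | sed -n 's/.*fp\([0-9][0-9]*\).*/\1/p')
    if [ -z "$sr" ]; then
        echo "unrecognized build string: $1" >&2
        return 1
    fi
    printf '%s %s\n' "$sr" "${fp:-0}"
}

# min_sslv3_level JDK -> "<sr> <fp>" at which SSLv3 is disabled by default
# (from this FAQ: 6.0 SR16 FP2, 6.2.6 SR8 FP2, 7.0 SR8, 7.1 SR2, 8.0 GA)
min_sslv3_level() {
    case "$1" in
        jdk60)  echo "16 2" ;;
        jdk626) echo "8 2" ;;
        jdk70)  echo "8 0" ;;
        jdk71)  echo "2 0" ;;
        jdk80)  echo "0 0" ;;
        *)      echo "unknown JDK directory name: $1" >&2; return 1 ;;
    esac
}

# at_or_above SR FP MIN_SR MIN_FP -> succeeds when (SR,FP) >= (MIN_SR,MIN_FP)
at_or_above() {
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# sslv3_status JDK RUNTIME_LINE -> "disabled-by-default" or "NEEDS-PTF"
sslv3_status() {
    have=$(sr_level "$2") || return 1
    need=$(min_sslv3_level "$1") || return 1
    # $have and $need are left unquoted on purpose: each splits into two numbers
    if at_or_above $have $need; then
        echo disabled-by-default
    else
        echo NEEDS-PTF
    fi
}

sslv3_status jdk60 "$SAMPLE_RUNTIME_LINE"   # → NEEDS-PTF (SR16 FP1 is below SR16 FP2)
```

On a real system, feed the function the second line of `java -version 2>&1` for the JDK whose JAVA_HOME you exported in step 3.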

What JSSE providers are affected by this change?

    The IBM i OS provides two primary Java Secure Socket Extensions (JSSE) providers.
      1) IBM JSSE2 Provider (default provider)
      2) IBM i5OS JSSE Provider

      NOTE: The IBM i5OS JSSE Provider is IBM i specific; it resides in the IBM i JDK and uses the IBM i System SSL settings.

      The IBM i5OS JSSE Provider does not support all of the SSLv3 mitigations described above. To disable SSLv3 for this provider, change the QSSLPCL IBM i system value to exclude the *SSLV3 value.

      If the IBM JSSE2 provider fails on the initial SSL connection, a lower-level provider such as the IBM i5OS JSSE Provider might be used instead. If you see a Java application unexpectedly using the IBM i5OS JSSE provider (com.ibm.i5os.jsse.*), this may be because SSLv3 is still enabled in the QSSLPCL system value.
      Here is an example of a Java exception known to occur due to the SSLv3 disablement in the IBM JSSE2 provider:

      Exception in thread "main" java.lang.NoSuchFieldError:
      at com.ibm.i5os.jsse.JSSESocket.beginHandshake(Native Method)
      at com.ibm.i5os.jsse.JSSESocket.startHandshake(JSSESocket.java:1477)

      Applications that explicitly support only SSLv3 can encounter the following situations on IBM i:
      • If SSLv3 is not disabled for IBM i System SSL (on 6.1 and 7.1, SSLv3 is not disabled by default), then after Java is upgraded to this PTF Group level the application could now be using the IBMi5OSJSSEProvider, which still supports SSLv3. Because the application is still using SSLv3, it remains exposed to the POODLE issue.
      • If SSLv3 is disabled for IBM i System SSL (on 7.2 and higher, SSLv3 is disabled by default), then after Java is upgraded to this PTF Group level the application will stop working. Refer to the technote above for the corresponding actions.

    For more information on the IBM i JDK changes regarding the POODLE vulnerability, please refer to the URL: News of Java on IBM i.

What are the IBM JDK properties to enable SSLv3 after the latest PTFs are applied?

    If you must enable SSL V3.0, a new system property is provided.
    com.ibm.jsse2.disableSSLv3=false

    In addition to the property above, the following java.security property will need to either be commented out or modified to enable SSLv3.
    jdk.tls.disabledAlgorithms=SSLv3, RC4

    For example:
    Commenting out = #jdk.tls.disabledAlgorithms=SSLv3, RC4
    Modified to enable SSLv3, but continue to disable the RC4 cipher suites = jdk.tls.disabledAlgorithms=RC4

How do I implement the IBM JDK property to enable SSLv3 on the IBM i? (Globally and JDK-specific)

    NOTE: The SystemDefault.properties file can be created and used to implement Java properties globally or for a specific user profile. It MUST have a CCSID of 819 or 1252 in order for it to be read correctly. An easy way to create the file with a CCSID of 819 or 1252 is through the touch command in Qshell.

    e.g.
    STRQSH
    touch -C 819 /QIBM/UserData/Java400/SystemDefault.properties
    touch -C 819 $HOME/SystemDefault.properties

    1) Implement the com.ibm.jsse2.disableSSLv3=false JVM property.

      Global Setting (affecting all JVMs on the IBM i OS)
      Add the "com.ibm.jsse2.disableSSLv3=false" JVM property to the following file:
      /QIBM/UserData/Java400/SystemDefault.properties

      Specific JDK User (affects all JVMs running as this user profile)
      Add the "com.ibm.jsse2.disableSSLv3=false" JVM property to the SystemDefault.properties file located in the current home directory of the IBM i user profile:
      $HOME/SystemDefault.properties

      NOTE: The value for $HOME can be found by locating the value for "Home directory" in the "DSPUSRPRF <profile>" command output.

      Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
      http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

      When using the java command in Qshell
      Set the "com.ibm.jsse2.disableSSLv3=false" property as a JVM argument.

      java -Dcom.ibm.jsse2.disableSSLv3=false <YourProgram>

    2) Customize the java.security file to enable SSLv3.
      1. Identify the JDK version your Java program is using. This can be done using WRKJVMJOB Option 5 when the JVM is active.
      2. Ensure the "security.overridePropertiesFile=true" property is set in the master java.security file for the JDK version you are currently using. The master java.security file is located at:
         /QOpenSys/QIBM/ProdData/JavaVM/<jdkVersion>/<bitLevel>/jre/lib/security/java.security
         where <jdkVersion> = jdk60, jdk626, jdk70, jdk71, or jdk80 and <bitLevel> = 32bit or 64bit.
      3. Copy the java.security file to a custom location.
         cp /QOpenSys/QIBM/ProdData/JavaVM/<jdkVersion>/<bitLevel>/jre/lib/security/java.security /home/<jdkVersion><bitLevel>_java.security
      4. Edit the /home/<jdkVersion><bitLevel>_java.security file to comment out or modify the "jdk.tls.disabledAlgorithms" Java security property.
         For example: #jdk.tls.disabledAlgorithms=SSLv3, RC4
      5. Implement the following property in your SystemDefault.properties file.

        • Global Setting (affecting all JVMs on the IBM i OS)
          Add the "java.security.properties=/home/<jdkVersion><bitLevel>_java.security" JVM property to the following file:
          /QIBM/UserData/Java400/SystemDefault.properties

          e.g. JDK 7.0 32bit = java.security.properties=/home/jdk7032bit_java.security

        • Specific JDK User (affects all JVMs running as this user profile)
          Add the "java.security.properties=/home/<jdkVersion><bitLevel>_java.security" JVM property to the SystemDefault.properties file located in the current home directory of the IBM i user profile:
          $HOME/SystemDefault.properties

          NOTE: The value for $HOME can be found by locating the value for "Home directory" in the "DSPUSRPRF <profile>" command output.

          Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
          http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

        • When using the java command in Qshell
          Set the "java.security.properties=/home/<jdkVersion><bitLevel>_java.security" property as a JVM argument.

          java -Djava.security.properties=/home/<jdkVersion><bitLevel>_java.security <YourProgram>

    For more information on customizing your Java security configuration, please refer to the following IBM Software Technical Document:
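As an added example (not from the IBM technote), the following POSIX shell script audits the two settings this procedure touches: it reads com.ibm.jsse2.disableSSLv3 and java.security.properties from a SystemDefault.properties file and jdk.tls.disabledAlgorithms from the java.security file that property points at, and reports whether SSLv3 ends up negotiable. The files are constructed samples, and the script assumes that with a single "=" in java.security.properties a key the override file omits keeps the master java.security value.

```shell
# Added example (not from the IBM technote): audit a SystemDefault.properties file
# plus the java.security file it points at and report whether SSLv3 ends up enabled.
# All files are constructed samples in a temp directory. Assumption: with a single
# "=" in java.security.properties, keys the override omits keep the master's value.

WORK=$(mktemp -d)

# Constructed master java.security at the PTF level that disables SSLv3 by default.
cat > "$WORK/master_java.security" <<'EOF'
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4
EOF

# Constructed customized copy: SSLv3 removed from the list, RC4 still disabled.
cat > "$WORK/jdk7032bit_java.security" <<'EOF'
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=RC4
EOF

# Constructed SystemDefault.properties that switches SSLv3 back on in JSSE2
# and points the JVM at the customized java.security copy.
cat > "$WORK/SystemDefault.properties" <<EOF
com.ibm.jsse2.disableSSLv3=false
java.security.properties=$WORK/jdk7032bit_java.security
EOF

# prop FILE KEY_REGEX -> value of the last uncommented KEY=VALUE line (empty if none)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_sslv3 SYSTEMDEFAULT MASTER_JAVA_SECURITY -> prints "enabled" or "disabled"
# SSLv3 is negotiable only when both gates are open: the JSSE2 switch is "false"
# AND SSLv3 is absent from the effective jdk.tls.disabledAlgorithms value.
audit_sslv3() {
    jsse2=$(prop "$1" 'com\.ibm\.jsse2\.disableSSLv3')
    override=$(prop "$1" 'java\.security\.properties')
    algs=
    [ -f "$override" ] && algs=$(prop "$override" 'jdk\.tls\.disabledAlgorithms')
    [ -n "$algs" ] || algs=$(prop "$2" 'jdk\.tls\.disabledAlgorithms')   # master fallback
    case ",$(printf '%s' "$algs" | tr -d ' ')," in
        *,SSLv3,*) listed=yes ;;
        *)         listed=no ;;
    esac
    if [ "$jsse2" = "false" ] && [ "$listed" = "no" ]; then echo enabled; else echo disabled; fi
}

audit_sslv3 "$WORK/SystemDefault.properties" "$WORK/master_java.security"   # → enabled
```

Run it against /QIBM/UserData/Java400/SystemDefault.properties, a user's $HOME/SystemDefault.properties and the master java.security of the JDK in use to spot systems where SSLv3 has been re-enabled.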

Where and how can I locate IBM JDK SSL connection failures?

      Any IBM JDK SSL connection failures are logged in the JDK's standard output and/or error log files defined by the os400.stdout and os400.stderr JVM properties, or to the Qshell/PASE Interpreter screen. These property values can be obtained by reviewing the current JVM properties with the command WRKJVMJOB Option 5 -> Option 7.

      If the os400.stdout and/or os400.stderr JVM properties are not set, or the JVM standard output and/or error logs cannot be located, you can implement the following to obtain these log files.

      ADDENVVAR ENVVAR(QIBM_USE_DESCRIPTOR_STDIO) VALUE('Y') LEVEL(*SYS)
      Add the following JVM property values to the /QIBM/UserData/Java400/SystemDefault.properties file. If this file doesn't exist, create it with a CCSID of 819 or 1252.

      os400.stdout=file://tmp/JVMstdout.txt
      os400.stderr=file://tmp/JVMstderr.txt

      Finally, restart the JVM process to implement the environment variable and JVM properties.

      Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
      http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

How can I obtain information related to the SSL configuration for an IBM JDK?

      Global Setting (affecting all JVMs on the IBM i OS)
      Add the "javax.net.debug=true" JVM property to the following file:
      /QIBM/UserData/Java400/SystemDefault.properties

      Specific JDK User (affects all JVMs running as this user profile)
      Add the "javax.net.debug=true" JVM property to the SystemDefault.properties file located in the current home directory of the IBM i user profile:
      $HOME/SystemDefault.properties

      NOTE: The value for $HOME can be found by locating the value for "Home directory" in the "DSPUSRPRF <profile>" command output.

      NOTE: The SystemDefault.properties file MUST have a CCSID of 819 or 1252 in order for it to be read correctly. An easy way to create the file with a CCSID of 819 or 1252 is through the touch command in Qshell, e.g. touch -C 819 /QIBM/UserData/Java400/SystemDefault.properties

      Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
      http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

      When using the java command in Qshell
      Set the "javax.net.debug=true" property as a JVM argument.

      java -Djavax.net.debug=true <YourProgram>

      The output from the "javax.net.debug=true" JVM property goes to the JVM stdout and stderr file descriptor stream files set up for the Java environment. For a simple program called from Qshell/PASE, the output is sent to the screen. The client can press F6 at any time within a Qshell/PASE Interpreter session to print the scroll to a spool file. If you cannot locate the output, the best option is to contact the owner of the Java program. Another option is to set the "os400.stderr" and "os400.stdout" system properties to direct the output to a specific file, as discussed in "Where and how can I locate IBM JDK SSL connection failures?"


    Document Information

    Modified date:
    18 December 2019

    UID

    nas8N1020431