IBM Support

IBM i Java Development Kit SSLv3 Security Bulletin (CVE-2014-3566 POODLE) Frequently Asked Questions (FAQ)

Technote (FAQ)


Question

What are some common frequently asked questions (FAQs) and answers for the CVE-2014-3566 POODLE Vulnerability in relation to the IBM i Java Development Kit (JDK) (57xxJV1)?

Answer

IBM strongly recommends that you always run your IBM i server with the network protocols and cipher suites specified below disabled. NOTE: Configuring your IBM i server to allow the use of weak protocols and weak cipher suites will result in your IBM i server potentially being at risk of a network security breach. IBM DISCLAIMS AND YOU ASSUME ALL RESPONSIBILITY AND LIABILITY FOR ANY DAMAGE OR LOSS, INCLUDING LOSS OF DATA, ARISING OUT OF OR RELATED TO YOUR USE OF THE SPECIFIED NETWORK PROTOCOL AND/OR CIPHER SUITES.
Weak Protocols (as of April 2016):
Secure Sockets Layer version 2.0 (SSLv2)
Secure Sockets Layer version 3.0 (SSLv3)

Weak Cipher Suites (as of April 2016):
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_WITH_RC2_CBC_128_MD5
SSL_RSA_WITH_DES_CBC_MD5
SSL_RSA_WITH_3DES_EDE_CBC_MD5
TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA

NOTE!!! Please review the following document first, which addresses the general FAQs for the IBM Java Development Kit (JDK).
IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability (CVE-2014-3556)

Here are some additional FAQs specific to the IBM i OS:

What JDK versions are installed on my IBM i?


    Execute the GO LICPGM command and then select Option 10. This will display the Licensed Programs installed on your IBM i operating system. Locate the following licensed program product based on your IBM i OS Version and Release.

    IBM i VRM
    Licensed Program Product (LPP) Number
    6.1 / 6.1.1 / 7.1
    5761JV1
    7.2 / 7.3
    5770JV1

    Each option listed for the 57xxJV1 LPP is a different JDK Version and Bit Level on the IBM i Operating system. Please review the following IBM Software Technical Document to match up the specific 57xxJV1 Option with a JDK Version and Bit Level:
    Supported IBM Java Development Kit (JDK) Versions by IBM i Operating System Version and Release

How do I determine what IBM i Java Group PTF level fixes a specific CVE ?

The "Java on IBM i security updates" page in the Java on IBM i zone of developerWorks contains a detailed matrix of every CVE that effects Java on IBM i and where its corrected.
http://www.ibm.com/developerworks/ibmi/techupdates/java

What are the IBM i Java Group PTF numbers and levels providing the fix disabling SSLv3 by default for all IBM JDKs?

IBM i VRM
Group PTF Number
Level
6.1/6.1.1
SF99562
30
7.1
SF99572
19
7.2
SF99716
4
7.3
SF99725
1

What are the specific IBM i JDK LPP PTFs included in the above Group PTFs that provide the fix disabling SSLv3 by default for all IBM JDKs?

IBM i VRM
JDK Version and Bit Level
PTFs
6.1 / 6.1.1 / 7.1
6.0 SR16 FP2 - 32bit
SI55049
SI54610
6.0 SR16 FP2 - 64bit
SI55048
SI55228
6.2.6 SR8 FP2 - 32bit
SI55016
SI55020
6.2.6 SR8 FP2 - 64bit
SI55024
SI55042
7.1
7.0 SR8 - 32bit
SI55242
SI55151
SI55152
7.0 SR8 - 64bit
SI55243
SI55104
SI55100
7.1 SR2 - 32bit
SI55038
SI55061
7.1 SR2 - 64bit
SI54307
SI54195
7.2
6.0 SR16 FP2 - 32bit
SI54652
SI55047
6.0 SR16 FP2 - 64bit
SI55046
SI55229
6.2.6 SR8 FP2 - 32bit
SI55021
SI55022
6.2.6 SR8 FP2 - 64bit
SI55027
SI55043
7.0 SR8 - 32bit
SI55241
SI55150
7.0 SR8 - 64bit
SI55244
SI55149
7.1 SR2 - 32bit
SI55036
SI55062
7.1 SR2 - 64bit
SI53688
SI543067.3
7.3
All JDK Versions
Included in 5770JV1 GA code level

What are the IBM i Java Group PTF numbers and levels that implements the new java.security property, jdk.tls.disabledAlgorithms , to disable the SSLv3 protocol and RC4 cipher suites by default for IBM i JDKs 5.0, 6.0, 6.2.6, 7.0, 7.1, and 8.0?

IBM i JDKs 5.0 (IBM i 6.1.x & 7.1 only), 7.0, 7.1, and 8.0
IBM i VRM
Group PTF Number
Level
6.1/6.1.1
SF99562
32
7.1
SF99572
21
7.2
SF99716
6
7.3
SF99725
1

IBM i JDKs 6.0 and 6.2.6
IBM i VRM
Group PTF Number
Level
6.1/6.1.1
SF99562
33
7.1
SF99572
22
7.2
SF99716
7
7.3
N/A
N/A

What IBM JDK Service Release (SR) level for each JDK version on the IBM i disables SSLv3 by default?

    IBM i 7.1 and later
    • IBM SDK, Java Technology Edition, Version 7 Service Release 8
    • IBM SDK, Java Technology Edition, Version 7 Release 1 Service Release 2
    • IBM SDK, Java Technology Edition, Version 8 GA Release

    IBM i 6.1 and later
    • IBM SDK, Java Technology Edition, Version 6.0.1 Service Refresh 8 Fix Pack 2 (J9 VM2.6)
    • IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 2

What IBM JDK Service Release (SR) level for each JDK version on the IBM i disables the SSLv3 and RC4 cipher suites by default via the jdk.tls.disabledAlgorithms property?

    IBM i 7.1 and later
    • IBM SDK, Java Technology Edition, Version 7 Service Release 9
    • IBM SDK, Java Technology Edition, Version 7 Release 1 Service Release 3
    • IBM SDK, Java Technology Edition, Version 8 Service Release 1

    IBM i 6.1 and later
    • IBM SDK, Java Technology Edition, Version 6.0.1 Service Refresh 8 Fix Pack 7 (6.2.6)
    • IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 7
    • IBM SDK, Java Technology Edition, Version 5 Service Refresh 16 Fix Pack 10 (IBM i 6.1 and 7.2 only)

How do I find the JDK SR level for each JDK version on the IBM i?

    1) Locate the JAVA_HOME value for the JDK Version and Bit Level you wish to display the SR level for using the following IBM Software Technical Document.

    2) Start the Qshell environment.

      STRQSH

    3) Set up your Java environment.

      export JAVA_HOME=<JAVA_HOME value>

      i.e. If I wanted to set my Java environment to JDK 6.0 32bit, I would execute the following command.
      export JAVA_HOME=/QOpenSys/QIBM/ProdData/JavaVM/jdk60/32bit

    4) Execute the 'java -version' command to display the JDK's version information.

      java -version

    5) Analyze the output to locate the JDK's SR level.

      i.e. Here is an example output from the 'java -version' command showing JDK 6.0 32bit SR16 FP1, which stands for Service Release 16 Fix Pack 1.

      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pap3260 sr16fp1-20140706_01( SR16 FP1))
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 OS/400 ppc-32 jvmap3260 sr16fp1-20140706_01 (JIT enabled, AOT enabled)
      J9VM - 20140626_204542
      JIT - r9_20130920_46510ifx7
      GC - GA24_Java6_SR16_20140626_1848_B204542)
      JCL - 20140704_01

What JSSE providers are affected by this change?

    The IBM i OS provides two primary Java Secure Socket Extensions (JSSE) providers.
      1) IBM JSSE2 Provider (default provider)
      2) IBM i5OS JSSE Provider

      NOTE: The IBM i5OS JSSE Provider is IBM i specific, which resides in the IBM i JDK and uses the IBM i System SSL settings.

      On the IBM i, apart from the default IBM JSSE2 implementation, IBM i has another implementation: IBM i5OS JSSE Provider, which does not support all of the SSLv3 mitigations described above. To disable SSLv3 for this implementation, change the QSSLPCL IBM i System Value to EXCLUDE the *SSLV3 value.

      If the IBM JSSE2 provider fails on the initial SSL connection, a lower-level provider like the IBM i5OS JSSE Provider might be used instead. If you see the Java application using the IBM i5OS JSSE provider (com.ibm.i5os.jsse.*) unexpectedly, this might occur if SSLv3 is still enabled in the QSSLPCL system value.
      Here is an example of a Java exception known to occur due to the SSLv3 disablement in the IBM JSSE2 provider.

      Exception in thread "main" java.lang.NoSuchFieldError:
      at com.ibm.i5os.jsse.JSSESocket.beginHandshake(Native Method)
      at com.ibm.i5os.jsse.JSSESocket.startHandshake(JSSESocket.java:1477)

      For the applications that explicitly support only SSLv3 , they could have the following situations on IBM i.
      • If SSLv3 is not disabled for IBM i System SSL ( for 6.1 and 7.1, SSLv3 is not disabled by default), after they upgrade their Java to this PTF Group level, their application could now be using the IBMi5OSJSSEProvider, which still supports SSLv3. This application since it is still using SSLv3 would still be exposed to the POODLE issue.
      • If SSLv3 is disabled for IBM i System SSL (i 7.2 and higher, SSLv3 is disabled by default), after they upgrade their Java to this PTF Group level, their application will stop working. Refer the technote above to find corresponding actions.

    For more information on the IBM i JDK changes regarding the POODLE vulnerability, please refer to the URL: News of Java on IBM i.

What are the IBM JDK properties to enable SSLv3 after the latest PTFs are applied?

    If you must enable SSL V3.0, a new system property is provided.
    com.ibm.jsse2.disableSSLv3=false

    In addition to the property above, the following java.security property will need to either be commented out or modified to enable SSLv3.
    jdk.tls.disabledAlgorithms=SSLv3, RC4

    i.e.
    Commenting out = #jdk.tls.disabledAlgorithms=SSLv3, RC4
    Modified to enable SSLv3, but continue to disable the RC4 cipher suites = jdk.tls.disabledAlgorithms=RC4

How do I implement the IBM JDK property to enable SSLv3 on the IBM i? (Globally and JDK-specific)

    NOTE: The SystemDefault.properties file can be created and used to implement Java properties globally or for a specific user profile. It MUST have a CCSID of 819 or 1252 in order for it to be read correctly. An easy way to create the file with a CCSID of 819 or 1252 is through the touch command in Qhsell.

    i.e.
    STRQSH
    touch -C 819 /QIBM/UserData/Java400/SystemDefault.properties
    touch -C 819 $HOME/SystemDefault.properties

    1) Implement the com.ibm.jsse2.disableSSLv3=false JVM property.

      Global Setting (affecting all JVMs on the IBM i OS)
      Add the " com.ibm.jsse2.disableSSLv3=false" JVM property to the following file:
      /QIBM/UserData/Java400/SystemDefault.properties

      Specific JDK User (affects all JVMs running as this user profile)
      Add the " com.ibm.jsse2.disableSSLv3=false" JVM property to the SystemDefault.properties file located in the current home directory of the IBM i user profile:
      $HOME/SystemDefault.properties

      NOTE: The value for $HOME can be found by locating the value for "Home directory" in the "DSPUSRPRF <profile>" command output.

      Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
      http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

      When using the java command in Qshell
      Set the " com.ibm.jsse2.disableSSLv3=false" property as a JVM argument.

      java -Dcom.ibm.jsse2.disableSSLv3=false <YourProgram>

    2) Customize the java.security file to enable SSLv3.
      1. Identify the JDK version your Java program is using. This can be done using WRKJVMJOB Option 5 when the JVM is active.
      2. Ensure the "security.overridePropertiesFile=true" property is set in the master java.security file for the JDK version you are currently using. The master java.security file is located in the following directory, /QOpenSys/QIBM/ProdData/JavaVM/<jdkVersion>/<bitLevel>/jre/lib/security/java.security. <jdkVersion> = jdk60, jdk626, jdk70, jdk71, or jdk80 and <bitLevel> = 32bit or 64bit
      3. Copy the java.security file to custom location.
        1. cp /QOpenSys/QIBM/ProdData/JavaVM/<jdkVersion>/<bitLevel>/jre/lib/security/java.security /home/<jdkVersion><bitLevel>_java.security
      4. Edit the /home/java.security file to comment or modify the "jdk.tls.disabledAlgorithms" Java security property.
        1. For example, #jdk.tls.disabledAlgorithms=SSLv3, RC4
      5. Implement the following property in your SystemDefault.properties file.

          Global Setting (affecting all JVMs on the IBM i OS)
          Add the " java.security.properties=/home/<jdkVersion><bitLevel>_java.security" JVM property to the following file:
          /QIBM/UserData/Java400/SystemDefault.properties

          i.e. JDK 7.0 32bit = java.security.properties=/home/jdk7032bit_java.security
            Specific JDK User (affects all JVMs running as this user profile)
            Add the " java.security.properties=/home/<jdkVersion><bitLevel>_java.security" JVM property to the SystemDefault.properties file located in the current home directory of the IBM i user profile:
            $HOME/SystemDefault.properties

            NOTE: The value for $HOME can be found by locating the value for "Home directory" in the "DSPUSRPRF <profile>" command output.

            Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
            http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

            When using the java command in Qshell
            Set the " java.security.properties=/home/<jdkVersion><bitLevel>_java.security" property as a JVM argument.

            java -Djava.security.properties=/home/<jdkVersion><bitLevel>_java.security <YourProgram>

        For more information on customizing your Java security configuration, please refer to the following IBM Software Technical Document:

    Where and how can I locate IBM JDK SSL connection failures?

      Any IBM JDK SSL connection failures will be logged in the JDK's standard output and/or error log files defined by the os400.stdout and os400.stderr JVM properties or to the Qshell/PASE Interpreter screen. These property values can be obtained by reviewing the current JVM properties by executing the command WRKJVMJOB Option 5 -> Option 7.

      If the os400.stdout and/or os400.stderr JVM properties are not set, cannot be located, or the JVM standard output and/or error logs cannot be located; you can try implementing the following to try and obtain these log files.

      ADDENVVAR ENVVAR(QIBM_USE_DESCRIPTOR_STDIO) VALUE('Y') LEVEL(*SYS)
      Add the following JVM property values to the /QIBM/UserData/SystemDefault.properties file. If this file doesn't exist, you would want to create the file with a CCSID of 819 or 1252.

      os400.stdout=file://tmp/JVMstdout.txt
      os400.stderr=file://tmp/JVMstderr.txt

      Finally, restart the JVM process to implement the environment variable and JVM properties.

      Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
      http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

    How can I obtain information related to the SSL configuration for an IBM JDK?

      Global Setting (affecting all JVMs on the IBM i OS)
      Add the " javax.net.debug=true" JVM property to the following file:
      /QIBM/UserData/Java400/SystemDefault.properties

      Specific JDK User (affects all JVMs running as this user profile)
      Add the " javax.net.debug=true" JVM property to the SystemDefault.properties file located in the current home directory of the IBM i user profile:
      $HOME/SystemDefault.properties

      NOTE: The value for $HOME can be found by locating the value for "Home directory" in the "DSPUSRPRF <profile>" command output.

      NOTE: The SystemDefault.properties file MUST have a CCSID of 819 or 1252 in order for it to be read correctly. An easy way to create the file with a CCSID of 819 or 1252 is through the touch command in Qhsell. i.e. touch -C 819 /QIBM/UserData/Java400/SystemDefault.properties

      Please refer to the following URL for more information on the SystemDefault.properties file and the list of available Java system properties.
      http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/sysprop.htm?lang=en

      When using the java command in Qshell
      Set the "javax.net.debug=true" property as a JVM argument.

      java -Djavax.net.debug=true <YourProgram>

      The output from the "javax.net.debug=true" JVM property will go to the JVM stdout, stderr file descriptor stream files set up for the Java environment. For a simple program that is called from Qshell/PASE, the output would be sent to the screen. The client can press F6 at any time within a Qshell/PASE Interpreter session to print the scroll to a spool file. If you cannot locate the output, the best option is to contact the owner of the Java program. Another option is to set the: "os400.stderr" and "os400.stdout" system properties to direct the output to a specific file as discussed in " Where and how can I locate IBM JDK SSL connection failures?"


    Cross reference information
    Segment Product Component Platform Version Edition
    Operating System IBM i 7.2
    Operating System IBM i 7.1
    Operating System IBM i 6.1
    Operating System IBM i 7.3

    Document information

    More support for: IBM i
    Java

    Software version: 6.1, 6.1.0, 6.1.1, 7.1, 7.1.0, 7.2, 7.2.0, 7.3

    Operating system(s): IBM i, iSeries

    Reference #: N1020431

    Modified date: 11 June 2018


    Translate this page: