IBM Support

OA39422: NEW FUNCTION - TLS V1.2 SUPPORT

A fix is available

APAR status

  • Closed as new function.

Error description

  • Need TLS V1.2 support
    
    Additional Symptoms / Keywords:
    DFHSO0002  A severe error (code X'080C') has occurred in module
    DFHSOSE
    The above message may be seen when the CICS DFHSIT parameter
    ENCRYPTION is coded as either ENCRYPTION=ALL or
    ENCRYPTION=TLS12FIPS.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of z/OS Cryptographic Services System  *
    *                 Secure Sockets Layer (SSL).                  *
    ****************************************************************
    * PROBLEM DESCRIPTION: This APAR adds support to z/OS          *
    *                      System SSL for the TLS V1.2 protocol.   *
    *                      The TLS V1.2 protocol is defined in     *
    *                      RFC 5246 and includes updates to        *
    *                      previous versions of the Transport      *
    *                      Layer Security (TLS) Protocol. This     *
    *                      support enables applications to use     *
    *                      SHA-256 and SHA-384 hashing algorithms  *
    *                      during SSL handshake operations.        *
    *                      This support also has added new         *
    *                      cipher suites, which use the AES-GCM    *
    *                      (Galois Counter Mode) encryption        *
    *                      algorithms that can be used by          *
    *                      applications.                           *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    New function support has been added to System SSL in z/OS V1R13
    for TLS V1.2.  The TLS V1.2 protocol is defined in RFC 5246 and
    includes updates to previous versions of the Transport Layer
    Security (TLS) Protocol.
    

Problem conclusion

Temporary fix

Comments

  • z/OS System SSL in z/OS V1R13 has been updated to support the
    TLS V1.2 protocol as defined in RFC 5246.
    
    If using sysplex session ID caching, the PTFs for conditioning
    APAR OA37102 must be installed prior to exploiting the new
    TLS V1.2 functionality provided in this APAR.  If these PTFs
    are not installed on the back level releases and TLS V1.2
    session IDs are present in the cache, the TLS V1.2 resumed
    session on the back level release will fail with a return code
    of 411 (although other return codes are possible).
    
    For installations running on a z196 or z114 processor with CEX3C
    installed, to ensure proper ECC processing, the CEX3C level
    needs to be at least CCA Release level 4.2.7z driver 93G and MCL
    Bundle 31b containing - N48132.006.  For installations running
    on a z12EC processor with CEX3C installed, the fix is already
    present in the CCA Release level 4.3 and later drivers.
    
    Please refer to the "z/OS Cryptographic Services System Secure
    Sockets Layer Programming" manual (SC24-5901-11) for
    information about using the TLS V1.2 protocol with z/OS System
    SSL.
    
    The manual is available on the web in the z/OS Information
    Center and in the Cryptographic Services bookshelf at URL:
    http://www.ibm.com/systems/z/os/zos/bkserv/
    Navigate to the z/OS V1R13.0 manuals.
    
    This APAR support was provided through internal features 4063,
    4299, and 4370 and internal defects 4397 and 4403.
    

APAR Information

  • APAR number

    OA39422

  • Reported component name

    SYSTEM SSL

  • Reported component ID

    565506805

  • Reported release

    3D0

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2012-04-23

  • Closed date

    2012-10-09

  • Last modified date

    2016-12-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA66870 UA66871 UA66872

Modules/Macros

  • GSKAH002 GSKAH007 GSKAH010 GSKAH039 GSKAM003
    GSKCMS31 GSKCMS64 GSKC31   GSKC31F  GSKC64   GSKC64F  GSKHP001
    GSKHP002 GSKJM003 GSKKYMAN GSKSRVR  GSKSSL   GSKSSL64 GSKS31
    GSKS31F  GSKS64   GSKS64F
    

Publications Referenced
SC245901XX        

Fix information

  • Fixed component name

    SYSTEM SSL

  • Fixed component ID

    565506805

Applicable component levels

  • R3DJ PSY UA66871

       UP12/10/28 P F210

  • R3D0 PSY UA66870

       UP12/10/28 P F210

  • R3D1 PSY UA66872

       UP12/10/28 P F210


Document information

More support for: z/OS family

Software version: 3D0

Operating system(s): MVS, z/OS

Reference #: OA39422

Modified date: 08 December 2016