Fixes are available
APAR status
Closed as new function.
Error description
Add support for TLS 1.3
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM HTTP Server and the WAS    *
*                  WebServer Plug-in                           *
****************************************************************
* PROBLEM DESCRIPTION: Add TLS1.3 support to IBM HTTP Server   *
*                      and the WAS WebServer Plug-in           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Support needed for TLS 1.3
Problem conclusion
The respective code was updated to exploit TLS 1.3 support in GS and System SSL.

- For IHS on distributed platforms, TLS 1.3 is implicitly enabled for any virtual host with "SSLEnable".
- For IHS on z/OS, TLS 1.3 may be enabled on z/OS 2.4 (or later) with 'SSLProtocolEnable TLSv13', with the following caveats:
  -- TLS 1.3 performs best on z15 and later, with the server's RSA private key stored on a PKDS and ICSF APAR OA58358 installed.
  -- Existing certificates may need to be recreated to work with TLS 1.3: https://ibm.biz/BdfuJA
- On any platform: if 'SSLCipherSpec ALL NONE' is present followed by individual ciphers, TLSv13 will be implicitly disabled, since all valid TLSv13 ciphers are new. In these configurations, the following stanza adds the TLSv13 unique ciphers:

    # Can be combined but presented below one per line for RETAIN:
    ## All Platforms:
    SSLCipherSpec ALL +TLS_AES_128_GCM_SHA256
    SSLCipherSpec ALL +TLS_AES_256_GCM_SHA384
    SSLCipherSpec ALL +TLS_CHACHA20_POLY1305_SHA256
    ## Distributed only:
    SSLCipherSpec ALL +TLS_AES_128_CCM_SHA256
    SSLCipherSpec ALL +TLS_AES_128_CCM_8_SHA256

- For the WAS WebServer Plug-in, TLS 1.3 must be explicitly enabled by setting the global <Config> property in plugin-cfg.xml to specify 'UseTLS13="true"'.
  -- Currently TLS 1.3 can only be negotiated with Liberty based servers running Java 11 or later.
  -- For WAS traditional configuration: set the Plugin custom property 'PLG.Config.USETLS13' with a value of 'true'.
  -- For Liberty configuration: add <extraConfigProperties UseTLS13="true"/> to <pluginConfiguration> in server.xml.
  -- Consult the IHS section for caveats about enabling TLSv13 on z/OS.

The fix for this APAR is currently targeted for inclusion in fix pack 9.0.5.2. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
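The 'SSLCipherSpec ALL NONE' caveat above is easy to miss in an existing configuration, so the following added example (not IBM's code and not part of the APAR) scans configuration text for scopes where that reset is followed by individual ciphers with no TLS 1.3 cipher among them. It assumes each <VirtualHost> block and the global scope are evaluated independently and models only the 'ALL' form of the directive; the function name, the TLS 1.2 cipher names and the sample configuration are constructed for illustration.

```python
import re

# TLS 1.3 cipher names exactly as listed in the APAR text (last two: distributed only).
TLS13_CIPHERS = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                 "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"}
VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def find_tls13_disabled(conf_text):
    """Return [(scope, reset_line)] for every scope where 'SSLCipherSpec ALL NONE'
    is followed by individual ciphers, none of which is a TLS 1.3 cipher."""
    state, scope = {}, "global"      # state: scope -> [reset line, cipher set]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        opened = VHOST_OPEN.match(raw.strip())
        if opened:
            scope = "VirtualHost " + opened.group(1).strip()
        elif tokens[0].lower().startswith("</virtualhost"):
            scope = "global"
        if tokens[0].lower() != "sslcipherspec" or len(tokens) < 3:
            continue
        if tokens[1].upper() != "ALL":
            continue                 # assumption: only the 'ALL' form is modelled
        if tokens[2].upper() == "NONE":
            state[scope] = [lineno, set()]   # reset: every default cipher is dropped
        elif scope in state:         # without a reset the defaults still apply
            ciphers = state[scope][1]
            for tok in tokens[2:]:   # '+NAME' or 'NAME' adds, '-NAME' removes
                (ciphers.discard if tok[0] == "-" else ciphers.add)(tok.lstrip("+-"))
    return [(s, line) for s, (line, ciphers) in state.items()
            if ciphers and not ciphers & TLS13_CIPHERS]

# Constructed sample configuration (not from a real server).
SAMPLE = """\
<VirtualHost *:443>
SSLEnable
SSLCipherSpec ALL NONE
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
</VirtualHost>
<VirtualHost *:8443>
SSLEnable
SSLCipherSpec ALL NONE
SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +TLS_AES_256_GCM_SHA384
</VirtualHost>
"""
print(find_tls13_disabled(SAMPLE))
```

Only the first virtual host is reported, because the second one re-adds a TLS 1.3 cipher after its reset.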
Temporary fix
Comments
APAR Information
APAR number
PH17128
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-09-23
Closed date
2019-11-25
Last modified date
2021-11-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
Document Information
Modified date:
07 September 2022