IP Services: Enable SSLv3 for z/OS components if required

Description

In z/OS V2R2, Communications Server changed its default protocol support for components that use SSL/TLS natively or through AT-TLS. SSLv3 is now disabled by default, which can affect the usage of AT-TLS, the FTP client and server, the TN3270 server, the DCAS server, Policy Agent, and sendmail. For any exploiters (installations and applications) that must continue to use SSLv3, you can explicitly enable this protocol.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: z/OS Communications Server.
When change was introduced: z/OS V2R1 with APAR PI28679, and z/OS V1R13 with APAR PI28678.
Applies to migration from: z/OS V2R1 without APAR PI28679 and z/OS V1R13 without APAR PI28678.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if you have applications that use SSLv3.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM® Health Checker for z/OS® check: None.

Steps to take

Review each of the Communications Server components that follow to determine whether you are affected. Make changes as directed. For applications that are protected by AT-TLS and that require SSLv3, evaluate their usage and change them to use TLS protocols, if possible. TLS addresses many security deficiencies that exist in the prior SSLv2 and SSLv3 protocols. For applications that must continue to use SSLv3, you can explicitly enable this protocol, as described in the sections that follow.

AT-TLS
AT-TLS is modified to disable SSLv3 by default. Any applications that are protected by AT-TLS default to SSLv3 Off.

If SSLv3 is explicitly enabled in your policy, no action is required. However, it is recommended that you evaluate whether applications can be updated to use a more secure protocol version, such as TLSv1, TLSv1.1, or TLSv1.2.

Applications that require SSLv3, and for which this protocol is not explicitly enabled in the policy, rely on AT-TLS defaults. For these applications, you can enable SSLv3 at the environment or connection level by specifying the parameter SSLv3 on the relevant TTLSEnvironmentAdvancedParms or TTLSConnectionAdvancedParms policy statement with a value of ON. For Configuration Assistant users, you can enable SSLv3 in the name tab of the Modify Security Level dialog under the AT-TLS perspective.

FTP client and server
The FTP client and FTP server are modified to disable SSLv3 by default when TLSMECHANISM FTP is specified. In this mode, the FTP client or server uses System SSL APIs natively for SSL/TLS protection, rather than AT-TLS.
Because the z/OS FTP client and server previously enabled SSLv3 by default, evaluate whether either of the following conditions is true:
  • Your server is supporting clients that require SSLv3
  • Your client is connecting to a server that requires SSLv3

If so, you can enable SSLv3 by specifying the new parameter SSLV3 in the relevant FTP configuration data set FTP.DATA with a value of TRUE.

If TLSMECHANISM ATTLS is specified, the FTP client or server is protected by AT-TLS; the changes that are described for the AT-TLS function apply.

TN3270 server
The TN3270 server is modified to disable SSLv3 by default when SECUREPORT is specified. In this mode, the TN3270 server uses System SSL APIs natively for SSL/TLS protection, rather than AT-TLS.

Because the TN3270 server enabled SSLv3 by default, determine whether your server is supporting clients that require SSLv3. If so, you can enable SSLv3 by specifying the new statement SSLV3 in the relevant TN3270 profile data set and refreshing the configuration by using the command VARY TCPIP,tnproc,OBEYFILE.

If TTLSPORT is specified, the TN3270 server is protected by AT-TLS; the changes that are described for the AT-TLS function apply.

DCAS server
The DCAS server is modified to disable SSLv2 and SSLv3 by default when TLSMECHANISM DCAS is specified. In this mode, the DCAS server uses System SSL APIs natively for its SSL/TLS protection, rather than AT-TLS.

Because the DCAS server enabled SSLv2 and SSLv3 by default, evaluate whether your server is supporting clients that require SSLv2 or SSLv3. If so, you can enable SSLv2 and SSLv3 by specifying the new parameter TLSV1ONLY in your DCAS configuration file with a value of FALSE and restarting DCAS.

If TLSMECHANISM ATTLS is specified, the DCAS server is protected by AT-TLS; the changes that are described for the AT-TLS function apply.

Policy Agent
The Policy agent, when it operates as a policy client, is modified to disable SSLv3 by default. Because the policy client enabled SSLv3 by default, evaluate whether your policy server supports SSLv3 only. If so, you can enable SSLv3 by specifying the new parameter ServerSSLv3 on the ServerSSL substatement of the ServerConnection statement with a value of ON in the policy agent main configuration file. Then, update the policy agent configuration by using the command MODIFY pagent,UPDATE.

Sendmail
Sendmail, which operates as both a client and server, is modified to disable SSLv3 by default. Because the z/OS sendmail program enabled SSLv3 by default, evaluate whether either of the following conditions is true:
  • Your server is supporting clients that require SSLv3
  • Your client is connecting to a server that requires SSLv3

If so, you can enable SSLv3 by specifying the parameter SSLV3 in the zOS.cf configuration file with a value of TRUE and restarting sendmail.
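The following Python script is an added example and is not IBM code or part of this migration topic. It audits configuration text for the SSLv3 parameters named in the AT-TLS, FTP, TN3270, DCAS, Policy Agent and Sendmail sections above and reports, per component, whether SSLv3 is explicitly enabled, explicitly disabled, or left at the post-migration default (off), so that a migration team can see which components still depend on SSLv3 and should be scheduled for a move to TLS. The configuration fragments are constructed samples; the use of both ';' and '#' as comment delimiters for every file, and the treatment of the TN3270 SSLV3 statement as a bare keyword with no operand, are assumptions.

```python
"""Audit z/OS Communications Server configuration text for the SSLv3 settings
named in this migration action.  Added example, not IBM code.

Two configuration styles are modelled:
  * brace-delimited statements (AT-TLS policy, Policy Agent main config)
  * keyword/value lines (FTP.DATA, TN3270 profile, DCAS config, sendmail zOS.cf)
Both reduce to "first token is the keyword, second token is the operand",
so one tokenizer serves all six components.
"""
import re

# Per component: (keyword, operand that enables SSLv3, operand that disables it).
# Values come from the migration notes.  DCAS differs: TLSV1ONLY FALSE re-enables
# both SSLv2 and SSLv3.  For TN3270 the notes name a bare SSLV3 statement; treating
# it as having no operand is an assumption.
COMPONENTS = {
    "AT-TLS":       ("SSLv3",       "ON",    "OFF"),
    "FTP":          ("SSLV3",       "TRUE",  "FALSE"),
    "TN3270":       ("SSLV3",       None,    None),
    "DCAS":         ("TLSV1ONLY",   "FALSE", "TRUE"),
    "Policy Agent": ("ServerSSLv3", "ON",    "OFF"),
    "sendmail":     ("SSLV3",       "TRUE",  "FALSE"),
}


def strip_comment(line):
    """Drop a trailing comment.  '#' (AT-TLS/Policy Agent) and ';' (FTP.DATA,
    TN3270 profile) are the delimiters used in those files; applying both to
    every file is an assumption that keeps the tokenizer simple."""
    return re.split(r"[;#]", line, maxsplit=1)[0].strip()


def statements(text):
    """Yield each non-comment, non-blank line as a list of tokens."""
    for raw in text.splitlines():
        line = strip_comment(raw)
        if line:
            yield line.split()


def sslv3_state(text, keyword, on_value, off_value):
    """Classify a config as 'enabled', 'disabled' or 'default' for SSLv3.

    'default' means the parameter is absent, which after this migration means
    SSLv3 is off.  Keyword and operand comparison is case-insensitive."""
    for toks in statements(text):
        if toks[0].upper() != keyword.upper():
            continue
        if on_value is None:            # bare statement: presence alone enables
            return "enabled"
        operand = toks[1].upper() if len(toks) > 1 else ""
        if operand == on_value:
            return "enabled"
        if operand == off_value:
            return "disabled"
    return "default"


def audit(configs):
    """configs maps component name -> configuration text.  Returns component -> state."""
    return {name: sslv3_state(text, *COMPONENTS[name]) for name, text in configs.items()}


def still_on_sslv3(configs):
    """Components whose configuration keeps SSLv3 on, i.e. the ones to schedule
    for a move to TLSv1.x as the migration notes recommend."""
    return sorted(name for name, state in audit(configs).items() if state == "enabled")


# Constructed sample fragments, one per component, for illustration only.
SAMPLE_CONFIGS = {
    "AT-TLS": """\
TTLSEnvironmentAdvancedParms legacyEnvAdv
{
  SSLv3     On    # legacy partner still negotiates only SSLv3
  TLSv1.2   On
}
""",
    "FTP": """\
; FTP.DATA excerpt
TLSMECHANISM FTP
SSLV3        FALSE
""",
    "TN3270": """\
TELNETPARMS
  SECUREPORT 992
ENDTELNETPARMS
""",
    "DCAS": """\
TLSMECHANISM DCAS
TLSV1ONLY    FALSE
""",
    "Policy Agent": """\
ServerConnection
{
  ServerSSL
  {
    ServerSSLv3 On
  }
}
""",
    "sendmail": "SSLV3 TRUE\n",
}

if __name__ == "__main__":
    for component, state in audit(SAMPLE_CONFIGS).items():
        print(f"{component:13s} SSLv3 {state}")
    print("move to TLS:", ", ".join(still_on_sslv3(SAMPLE_CONFIGS)))
```

Run as a script it prints one line per component; on the sample fragments it reports AT-TLS, DCAS, Policy Agent and sendmail as still enabling SSLv3, FTP as explicitly disabled, and TN3270 as relying on the new default. To use it against real data sets, read each member or file into the matching entry of the configs dictionary; the TN3270 entry would be the profile data set named in the VARY TCPIP,tnproc,OBEYFILE command.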

Reference information

None.