IBM Support

Has z/OS Communications Server V2R3 changed the default cipher for any IPSec parameters?

Question & Answer


Question

Has z/OS Communications Server V2R3 changed the default cipher for any IPSec parameters?

Answer

Yes, in z/OS V2R3, the default values for the following IPSec policy parameters are changed:

  • The default value for the HowToAuthMsgs parameter on the KeyExchangeOffer statement is changed from MD5 to SHA1.

  • The default value for the HowToAuth parameter on the IpDataOffer statement is changed from HMAC_MD5 to HMAC_SHA1.

  • The default value for the HowToEncrypt parameter on the KeyExchangeOffer and IpDataOffer statements in the IPSec policy is changed from DES to AES_CBC Keylength 128.

  • The default value for the DHGroup parameter on the KeyExchangeOffer statement in the IPSec policy is changed from Group1 to Group2.

If you have an IPSec policy, determine whether these changes affect your policy.

MD5, DES, 3DES, and Diffie-Hellman group 1 are considered weak algorithms and are not recommended. Regardless of whether you use IBM Configuration Assistant for z/OS Communications Server or manually configure your policies, you should evaluate your usage of the MD5-based, DES, 3DES, and Diffie-Hellman group 1 algorithms and decide whether to upgrade to a more secure algorithm.
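One way to carry out that evaluation, as an added example that is not IBM code: the script below scans policy text for KeyExchangeOffer and IpDataOffer statements and reports each parameter from the list above that is either omitted (so it takes the changed V2R3 default) or explicitly set to one of the weak algorithms. The block layout, the `#` comment character, the value spellings, the sample policy and the names `audit_policy`, `kxo_legacy` and `ido_default` are assumptions made for illustration.

```python
import re

# Old -> new V2R3 defaults per statement, as listed on the page.
CHANGED = {
    "KeyExchangeOffer": {"HowToAuthMsgs": ("MD5", "SHA1"),
                         "HowToEncrypt": ("DES", "AES_CBC Keylength 128"),
                         "DHGroup": ("Group1", "Group2")},
    "IpDataOffer": {"HowToAuth": ("HMAC_MD5", "HMAC_SHA1"),
                    "HowToEncrypt": ("DES", "AES_CBC Keylength 128")},
}
WEAK = {"MD5", "HMAC_MD5", "DES", "3DES", "GROUP1"}  # value tokens for the weak algorithms
# Assumed layout: "<Statement> [name] { one 'Parameter value...' per line }"
BLOCK = re.compile(r"^[ \t]*(KeyExchangeOffer|IpDataOffer)\b([^{}]*)\{([^{}]*)\}", re.M | re.I)

# Constructed sample policy, not taken from a real configuration.
SAMPLE_POLICY = """\
KeyExchangeOffer kxo_legacy
{
  HowToEncrypt   3DES
  HowToAuthMsgs  MD5      # explicit weak hash
}
IpDataOffer ido_default
{
  HowToEncap  Tunnel
  HowToAuth   ESP HMAC_SHA1
}
"""

def audit_policy(text):
    """Return (statement, name, parameter, finding) for each parameter needing review."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments (assumed '#' syntax)
    findings = []
    for m in BLOCK.finditer(text):
        stmt = next(k for k in CHANGED if k.lower() == m.group(1).lower())
        name = m.group(2).strip() or "(unnamed)"
        params = {}
        for line in m.group(3).splitlines():
            parts = line.split()
            if parts:
                params[parts[0].lower()] = parts[1:]
        for param, (old, new) in CHANGED[stmt].items():
            value = params.get(param.lower())
            if value is None:
                findings.append((stmt, name, param, f"omitted: default was {old}, is {new} in V2R3"))
            elif WEAK & {v.upper() for v in value}:
                findings.append((stmt, name, param, "explicit weak value: " + " ".join(value)))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```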


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
07 September 2017

UID

dwa1399308