Question & Answer
Question
As a user of AT-TLS groups configured in FIPS 140 mode, what do I have to do to migrate to V2R1 Communications Server?
Answer
As of z/OS V2R1, FIPS140 support requires ICSF services.
Ensure ICSF is started before starting AT-TLS groups with FIPS140 support enabled.
ICSF services are used for random number generation and for Diffie-Hellman support: generating key parameters, generating key pairs, and performing key exchanges.
Steps to take:
1. Ensure ICSF is active before starting AT-TLS groups configured to support FIPS140-2.
2. If the CSFSERV class is defined, give the user ID associated with the TCPIP stack, and any application user ID that uses the TTLSGroup, READ access to the CSFRNG resource in the RACF CSFSERV class.
3. If the CSFSERV class is defined and Diffie-Hellman is being used, give the application user ID READ access to the CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, and CSF1TRD resources in the RACF CSFSERV class.
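The RACF permissions from the steps above can be granted with a short REXX exec run under TSO. This is an added example, not part of the IBM technote. It assumes that discrete CSFSERV profiles already exist for each resource and that the class is RACLISTed; the user IDs TCPIP, APPUSR1 and APPUSR2 are placeholders.

```rexx
/* REXX - added example, not from the IBM technote.                   */
/* Assumptions: discrete CSFSERV profiles exist for every resource    */
/* named below, and the user IDs are placeholders for your own.       */
stackid = 'TCPIP'              /* placeholder: TCP/IP stack user ID    */
appids  = 'APPUSR1 APPUSR2'    /* placeholder: TTLSGroup app user IDs  */
dhres   = 'CSF1TRC CSF1DVK CSF1GKP CSF1GSK CSF1GAV CSF1TRD'
failed  = 0

/* Random number generation: stack ID and every application ID */
rngids = stackid appids
do i = 1 to words(rngids)
  failed = failed + permit('CSFRNG', word(rngids, i))
end

/* Diffie-Hellman: application IDs only (remove if DH is not used) */
do i = 1 to words(appids)
  do j = 1 to words(dhres)
    failed = failed + permit(word(dhres, j), word(appids, i))
  end
end

/* Activate the changes only if every PERMIT succeeded.            */
/* The refresh applies when CSFSERV is RACLISTed (assumed here).   */
if failed = 0 then
  address tso "SETROPTS RACLIST(CSFSERV) REFRESH"
else
  say failed 'PERMIT command(s) failed; CSFSERV was not refreshed'
exit failed

/* Issue one PERMIT and return 1 on failure, 0 on success */
permit: procedure
  parse arg resource, userid
  address tso "PERMIT" resource "CLASS(CSFSERV) ID("userid") ACCESS(READ)"
  if rc <> 0 then do
    say 'PERMIT failed for' resource 'ID' userid 'rc='rc
    return 1
  end
  return 0
```

Afterwards, `RLIST CSFSERV CSFRNG AUTHUSER` shows the access list for a resource so the READ entries can be confirmed before the AT-TLS groups are started.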
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
18 April 2015
UID
dwa1187021