IBM Support

How do I disable SSLv3 in z/OS Communications Server ?

Question & Answer


Question

I have been directed to disable SSLv3 in z/OS Communications Server. What parameters need to be updated to do that?

Answer

APARs available for V2R1 z/OS Communications Server and V1R13 z/OS Communications Server change their default protocol support for all components that use SSL/TLS, either through AT-TLS or natively. z/OS Communications Server provides means for exploiters (installations and/or applications) that must continue to use this protocol to explicitly enable the protocol. SSLV3 is disabled by default, which can affect the usage of AT-TLS, the FTP client and server, the TN3270 server, the DCAS server, Policy Agent, and sendmail.

For applications that use SSLV3, evaluate their usage and change them to use TLS protocols if possible. TLS has addressed many security deficiencies in the prior SSLV2 and SSLV3 protocols.

This change was introduced via the integrity APAR PI28679 for V2R1 and the integrity APAR PI28678 for V1R13.

The following changes were introduced:

- The SSLV3 and APPLNAME statements were added to the FTP server configuration statements.
- The SSLV3 statement was added to the FTP client configuration statements.
- The SSLV3 and NOSSLV3 statements were added to the TN3270 Telnet server TELNETGLOBALS information block configuration statements and the TN3270 Telnet server TELNETPARMS information block configuration statements.

For more information see: https://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.e0zm100/icn_migration_v2r1.htm?cp=SSLTBW_2.1.0%2F1-6-4-4-1-11

Further information on the new TN3270 parameters is available at these URLs:

TELNETPARMS: https://www-304.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.e0zh300/telsept.htm

TELNETGLOBALS: http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.e0zh300/telgl.htm

Further information on the new FTP parameters is found here:

FTP client configuration statements:

https://www-304.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.e0zh300/fcpg.htm

FTP server configuration statements:

https://www-304.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.e0zh300/fspg.htm
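As an added illustration (constructed for this page, not taken from the technote or the product documentation), the statements listed above would be coded in a hand-maintained FTP server FTP.DATA and a TN3270 server profile as follows. The keyring and data set names and the port are placeholders; the FTP statement's TRUE/FALSE value form and the surrounding statements (EXTENSIONS, SECURE_FTP, KEYRING, SECUREPORT, CONNTYPE) are not on this page and follow the usual FTP.DATA and profile syntax.

```text
; FTP.DATA for the FTP server - constructed example
EXTENSIONS    AUTH_TLS             ; accept AUTH TLS from clients
SECURE_FTP    ALLOWED              ; TLS offered, not yet required
KEYRING       EXAMPLE.FTPRING      ; placeholder keyring name
SSLV3         FALSE                ; do not negotiate SSLv3 (TLS only)

; TN3270 server profile - constructed example
TELNETGLOBALS
  NOSSLV3                          ; disable SSLv3 for every Telnet port
ENDTELNETGLOBALS

TELNETPARMS
  SECUREPORT 992                   ; placeholder secure port
  KEYRING SAF EXAMPLE.TNRING       ; placeholder keyring name
  CONNTYPE SECURE
  NOSSLV3                          ; repeated per port; TELNETPARMS overrides TELNETGLOBALS
ENDTELNETPARMS
```

After the APARs the disabled state is already the default, so coding SSLV3 FALSE and NOSSLV3 explicitly mainly documents the intent and guards against a stray SSLV3 statement elsewhere in the profile re-enabling the protocol for one port.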

If you are running AT-TLS, you can disable SSLv3 in the associated AT-TLS policy. If you code your AT-TLS policy files by hand, specify SSLv3 Off on the associated TTLSEnvironmentAdvancedParms or TTLSConnectionAdvancedParms statements. If you are using the Configuration Assistant, use the Modify Security Level dialog in the AT-TLS perspective to disable SSLv3. For further information:

TTLSEnvironmentAdvancedParms:

http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz001/ttlsenvironmentadvancedparms.htm

TTLSConnectionAdvancedParms:

http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz001/ttlsconnadvancedparmspolicyagent.htm
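The following Python script is an added example, not IBM code and not part of this technote. It embeds a constructed AT-TLS policy fragment that shows SSLv3 Off coded on a TTLSEnvironmentAdvancedParms block, and then audits every TTLSEnvironmentAdvancedParms and TTLSConnectionAdvancedParms block in the policy for its SSLv3 setting, so that any block that explicitly re-enables SSLv3 (for example a connection-level override for a legacy partner) is listed. The rule and action names, the port and the keyring name are placeholders; a block with no SSLv3 statement is reported as taking the post-APAR default of Off, which is what this technote states.

```python
"""Audit an AT-TLS policy for SSLv3 settings (added example, not IBM code).

Each TTLSEnvironmentAdvancedParms / TTLSConnectionAdvancedParms block is
reported with its SSLv3 setting; a block with no SSLv3 statement is reported
as "Off (default)", the default after APARs PI28679 / PI28678.
"""
import re
from typing import Dict, List

# Constructed sample policy (names, port and keyring are placeholders):
# envFTP disables SSLv3 explicitly, envLegacy says nothing (default applies),
# and connLegacyPartner re-enables it at the connection level.
SAMPLE_POLICY = """\
TTLSRule                     FTPServerRule
{
  LocalPortRange             21
  Direction                  Inbound
  TTLSGroupActionRef         grpAct
  TTLSEnvironmentActionRef   envFTP
}
TTLSEnvironmentAction        envFTP
{
  HandshakeRole              Server
  TTLSEnvironmentAdvancedParms
  {
    SSLv3                    Off
    TLSv1.2                  On
  }
}
TTLSEnvironmentAction        envLegacy
{
  TTLSEnvironmentAdvancedParms
  {
    TLSv1                    On
  }
}
TTLSConnectionAction         connLegacyPartner
{
  TTLSConnectionAdvancedParms
  {
    SSLv3                    On
  }
}
"""

# Header of an inline or named advanced-parms block (a "...Ref" line does not match).
HEADER = re.compile(r"(TTLS(?:Environment|Connection)AdvancedParms)(?:\s+(\S+))?$")
SETTING = re.compile(r"SSLv3\s+(On|Off)\b", re.IGNORECASE)


def _enclosing_action(lines: List[str], idx: int) -> str:
    """Walk back from idx to the TTLS*Action statement that encloses it."""
    for j in range(idx, -1, -1):
        m = re.match(r"\s*(TTLS\w+Action)\s+(\S+)", lines[j])
        if m:
            return f"{m.group(1)} {m.group(2)}"
    return "<unnamed>"


def audit_sslv3(policy_text: str) -> Dict[str, str]:
    """Map "<owner> / <block type>" to "On", "Off" or "Off (default)"."""
    lines = policy_text.splitlines()
    results: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        hdr = HEADER.match(lines[i].strip())
        if hdr:
            # Named (reusable) blocks carry their own name; inline blocks are
            # attributed to the TTLS*Action that contains them.
            owner = hdr.group(2) or _enclosing_action(lines, i)
            setting, depth, j = "Off (default)", 0, i + 1
            while j < len(lines):  # scan the brace-delimited body
                body = lines[j].strip()
                if body == "{":
                    depth += 1
                elif body == "}":
                    depth -= 1
                    if depth == 0:
                        break
                else:
                    m = SETTING.match(body)
                    if m:
                        setting = m.group(1).capitalize()
                j += 1
            results[f"{owner} / {hdr.group(1)}"] = setting
            i = j
        i += 1
    return results


def sslv3_enabled_blocks(policy_text: str) -> List[str]:
    """Blocks that explicitly re-enable SSLv3; an empty list is the goal."""
    return sorted(k for k, v in audit_sslv3(policy_text).items() if v == "On")


if __name__ == "__main__":
    for block, setting in audit_sslv3(SAMPLE_POLICY).items():
        print(f"{setting:14} {block}")
    print("Still allowing SSLv3:", sslv3_enabled_blocks(SAMPLE_POLICY))
```

To check a real hand-coded policy, pass the file contents to audit_sslv3 in place of SAMPLE_POLICY; the script only reads the policy text and does not need to run on z/OS.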

Further information on these APARs is available on the System z Security portal. IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site here:

http://www-03.ibm.com/systems/z/solutions/security_subintegrity.html

Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
03 August 2015

UID

dwa1205761