TLS 1.0 and 1.2

markjf
New Member
Posts: 7
Joined: Fri Feb 05, 2016 11:52 pm

TLS 1.0 and 1.2

Post by markjf »

Hi,
My customer has secure telnet for several of their systems. They are still at z/OS 1.12 (and will be till next year). They have advised me that TLS 1.0 should be migrated to TLS 1.2, by June 30. Note that they are not configured for AT_TLS.
I have spent a couple of days trying to find out how. One person told me that TLS 1.2 is built into z/OS 2.1, others have told me that it's set in the certificate, and others that it's done by changing the ciphers (I will start another thread on those) in the encryption block in the telnet parms. Web searches have not been helpful.
If anyone knows, or knows a good reference site, I'd appreciate hearing from you.
Thanks
Mark
JFranadis
New Member
Posts: 6
Joined: Wed Jan 13, 2016 8:51 am

Re: TLS 1.0 and 1.2

Post by JFranadis »

This link may help you

http://www-01.ibm.com/support/docview.w ... s8N1019971
Question
How can I enable high transport security for an IBM i application like Telnet?
Cause
Security
Answer
Like all client/server applications, we must consider both the client and the server.
First, on the Client Side, verify that the client is capable of TLS 1.2. If not, then enabling the server for TLS 1.2 will not have any effect.
On the IBM iOS side, verify that Technology Refresh 6 or newer has been installed by confirming the *INSTALLED Level of the SF99707 Group PTF.
Step 1) Enter the command CHGSYSVAL QSSLPCL and remove *OPSYS (which equates to *SSLV3 and *TLSV1). Then list the protocols that are desired to be supported. To just add the latest TLS protocol support, enter:

*TLSV1.2
*TLSV1.1
*TLSV1
*SSLV3
Note: Ensure that the protocol lists are concurrent. Do not skip a protocol.
Step 2) Enter the command DSPSYSVAL QSSLCSLCTL and verify it is set to *OPSYS. If set to *USRDFN, then the SSL Administration for this system is customizing the list of ciphers. If this is the case, enter CHGSYSVAL QSSLCSL to verify the ciphers supported and include the new ciphers:
*RSA_AES_256_CBC_SHA256
*RSA_AES_128_CBC_SHA256
Step 3) Open Digital Certificate Manager (DCM) from the IBM i Tasks option on the Welcome Panel of the IBM Navigator for i port 2001 interface, and log into the *SYSTEM keystore.
Step 4) From the left navigation pane, expand Manage Applications and then select Update Application Definition.
Step 5) Select the Server radio button and then select the Continue button.
Step 6) In the list of Server Applications, find and select the radio button for IBM i TCP/IP Telnet Server and then select the Update Application Definition button.
Step 7) Change the SSL Protocols from *PGM to Define Protocols Supported. Check the protocols desired for this application to support or use. This list should match or be a subset of the QSSLPCL System Value. For example: TLS 1.2, TLS 1.1, TLS 1.0 and SSLV3.
Step 8) Change SSL Cipher Specification Options from *PGM to Define Cipher Specification List. The first six ciphers in the list should be enabled and are a good starting point. But you may want to set RSA_AES_256_CBC_SHA256 and RSA_AES_128_CBC_SHA256 as the first two in the list. RSA_AES_128_CBC_SHA is a good cipher to have listed third as it supports more than just the TLS 1.2 protocol.
Step 10) At the bottom of the screen, click the Apply button.
At the next restart of the Telnet Server, it will be enabled for TLS 1.2 and prefer the TLS 1.2 specific ciphers.
Access for Windows is enabled for TLS 1.2 in Service Pack SI50567 for IBM i Access for Windows r7.1. You could also test the Telnet Server by using the IBM i v7.1 Telnet Client. The same system values have to be set to enable TLS 1.2 protocols and ciphers. But in DCM, update the Application Definition, choose Application type of "Client", then the IBM i Telnet Client and make the same protocol and cipher changes. Start a new interactive job and telnet to the destination telnet server. (If an interactive job is running before the DCM configuration change, end it and restart.)
Last edited by Anuj Dhawan on Sun Feb 07, 2016 3:05 pm, edited 1 time in total.
Reason: Added quote tags.
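The IBM answer above says to verify both sides: that the client can do TLS 1.2 and that, after the restart, the server actually negotiates it. The script below is an added example (not from the post, not IBM's code) that does that check from the client side with Python's standard ssl module: it pins one protocol version per handshake, records which versions the server accepts and which cipher it picks, and reduces that to a migration verdict. The host name and port are constructed placeholders (secure Telnet is assumed on port 992); certificate validation is deliberately turned off because the question being asked is only "which protocol versions does this server accept", and the cert is checked by other means.

```python
"""Probe a TLS server for which protocol versions it accepts (Python 3.7+)."""
import socket
import ssl

# Constructed placeholders: replace with the Telnet server under test.
HOST = "telnet.example.internal"
PORT = 992            # assumption: TN3270 over TLS on its conventional port
TIMEOUT = 5.0

# Versions the thread is concerned with, oldest to newest.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def try_handshake(host, port, version, timeout=TIMEOUT):
    """Attempt one handshake pinned to exactly one protocol version.

    Returns (True, negotiated_cipher) on success or (False, reason) on failure.
    A refused handshake for a version is how a server says "not supported".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # We are probing protocol support only; a self-signed or mismatched
    # server certificate must not be mistaken for "version not supported".
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
    # lower it for the probe so an old version can be *tested*, not used.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older/other TLS libraries: keep the default cipher list
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        # SSLError: server rejected the version/ciphers; OSError: no connection
        return False, str(exc)


def probe(host, port):
    """Try each version in turn; returns {version_name: (ok, detail)}."""
    return {name: try_handshake(host, port, ver) for name, ver in VERSIONS.items()}


def classify(results):
    """Turn probe results into the verdict the migration deadline asks for."""
    supports_12 = results.get("TLS 1.2", (False, ""))[0]
    legacy_still_on = [n for n in ("TLS 1.0", "TLS 1.1")
                       if results.get(n, (False, ""))[0]]
    if not supports_12:
        return "FAIL: TLS 1.2 handshake refused (server or client library lacks TLS 1.2)"
    if legacy_still_on:
        return "PARTIAL: TLS 1.2 works but " + ", ".join(legacy_still_on) + " still accepted"
    return "OK: TLS 1.2 only"


if __name__ == "__main__":
    outcome = probe(HOST, PORT)
    for name, (ok, detail) in outcome.items():
        print(f"{name}: {'accepted, cipher ' + detail if ok else 'refused'}")
    print(classify(outcome))
```

Run it once before the server change and once after the Telnet server restart; the "before" run should show TLS 1.0 accepted and TLS 1.2 refused, the "after" run the reverse. If every version is refused, the client-side library itself is the problem, which is the first thing the IBM answer tells you to rule out.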
markjf
New Member
Posts: 7
Joined: Fri Feb 05, 2016 11:52 pm

Re: TLS 1.0 and 1.2

Post by markjf »

Thank you, but that link is for the IBM i 7.1 operating system, which I'd never heard of (had to Google it), so I don't believe the commands are applicable. Also, the customer security request gets the certificate and installs it; we just specify the keyring. As for the ciphers, they are not listed in the z/OS 1.12 or 2.1 Comm Server TCP/IP ref., so I don't THINK I can use them (see my other thread).

Mark
BANEILF
New Member
Posts: 2
Joined: Tue May 03, 2016 7:09 pm

Re: TLS 1.0 and 1.2

Post by BANEILF »

Is there anyone who can answer markjf's question?
Hi,
My customer has secure telnet for several of their systems. They are still at z/OS 1.12 (and will be till next year). They have advised me that TLS 1.0 should be migrated to TLS 1.2, by June 30. Note that they are not configured for AT_TLS.
I have spent a couple of days trying to find out how. One person told me that TLS 1.2 is built into z/OS 2.1, others have told me that it's set in the certificate, and others that it's done by changing the ciphers (I will start another thread on those) in the encryption block in the telnet parms. Web searches have not been helpful.
If anyone knows, or knows a good reference site, I'd appreciate hearing from you.
Thanks
Mark

The answer supplied by JFranadis is for a different platform so doesn't belong on here; can it be deleted?
Robert Sample
Global Moderator
Posts: 1895
Joined: Fri Jun 28, 2013 1:22 am
Location: Dubuque Iowa
United States of America

Re: TLS 1.0 and 1.2

Post by Robert Sample »

The manual z/OS Introduction and Release Guide (https://www.ibm.com/support/knowledgece ... tm?lang=en) appears to me to indicate that z/OS 1.13 is required for TLS 1.2:
System SSL: Transport Layer Security (TLS) protocol version 1.2

Description: TLS V1.2 protocol support is provided according to RFC 5246, for establishing secure connections between two communicating partners. TLS V1.2 adds support for exploiters to use higher strength cryptographic ciphers. TLS V1.2 main objectives are to replace the standard SHA-1/MD5 pseudorandom function (PRF) with a cipher-based PRF based on SHA-256, add support for SHA-256 based ciphers and allow client applications to specify what signature/hash values are supported for digital signatures.
When change was introduced: This function is available for z/OS® V2R1 and rolled back to z/OS V1R13 with PTFs for APAR OA39422.
Reference information:
z/OS Cryptographic Services System SSL Programming
So the client has a choice -- abandon the requirement for TLS 1.2 (or upgrade to at least 1.13) by June 30th.
Robert Sample
Global Moderator
Posts: 1895
Joined: Fri Jun 28, 2013 1:22 am
Location: Dubuque Iowa
United States of America

Re: TLS 1.0 and 1.2

Post by Robert Sample »

I was just on my 2.1 system with z/OSMF and spotted this:
Security Level: AT-TLS__Platinum - IBM supplied: AES-256 bit encryption
Type:AT-TLSEncryption:0x0000000035 - TLS_RSA_WITH_AES_256_CBC_SHA
(This is the first choice of ciphers. For all available ciphers see below.)
Use TLS Version 1.0:
Yes
Use TLS Version 1.1:
Yes
Use TLS Version 1.2: (available beginning with V2R1)
No
So your client will NOT be able to use TLS 1.2 with z/OS 1.12.
BANEILF
New Member
Posts: 2
Joined: Tue May 03, 2016 7:09 pm

Re: TLS 1.0 and 1.2

Post by BANEILF »

Thanks Robert. I wouldn't have thought to look at the z/OS Introduction and Release Guide! My situation is different from markjf's, as we have z/OS 1.13 on production and we are playing with 2.2 on test. I will look to see if we have APAR OA39422 on the 1.13 system to allow TLS 1.2 to be used.
enrico-sorichetti
Global Moderator
Posts: 826
Joined: Wed Sep 11, 2013 3:57 pm

Re: TLS 1.0 and 1.2

Post by enrico-sorichetti »

BANEILF,
When you have a question, start a new topic;
no reason to tailgate onto a 3-month-old topic.
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort 8-)