A fix is available
APAR status
Closed as new function.
Error description
Add support to allow authentication of client certificates, host name validation and extraction of fields from a certificate. Refer to the following website for more information: http://www.vm.ibm.com/newfunction/#ssl-cert-ver
Local fix
N/A
Problem summary
USERS AFFECTED: All TCP/IP users with TLS enabled and a need either to:
- authenticate a client's certificate
- extract fields from a certificate
- allow a client to verify the identity of a server

PROBLEM DESCRIPTION:

RECOMMENDATION: APPLY PTF

Enhancements within the TCP/IP TLS/SSL server allow authentication of client certificates, host name validation, and extraction of fields from a certificate.

Client certificate authentication support allows a server to verify a client by examining the certificate it presents, to ensure that it has been signed by a certificate authority the server trusts and that it has not expired. The client authentication support that was previously added to dynamically secured Telnet connections has been expanded to the z/VM FTP and SMTP servers. Additionally, the PORT statement in the TCPIP configuration file has been updated to allow client certificate authentication for statically secured connections.

Host name validation support allows a client to verify the identity of a server by passing a string containing a host name, domain name, or IP address on the handshake request. The string is compared to fields in the server certificate. If the string is not contained in the server certificate, the client may decide to fail the handshake.

In addition to the above support, new APIs extract fields from a client or server certificate.
Problem conclusion
Temporary fix
Comments
For client certificate authentication, the CLIENTCERTCHECK option is used to specify whether a client certificate will be requested and what action will be taken if authentication fails. This option has been added to the SECURE statements in the FTP and SMTP server configuration files and also to the PORT statement for statically secured connections. The allowable values for the CLIENTCERTCHECK option are NONE | PREFERRED | REQUIRED. The default setting is PREFERRED, which means that a client certificate will be requested but, if authentication fails, the handshake will continue. Note that IBM Host On-Demand users will need to configure their clients to send client certificates by default, or will need to add CLIENTCERTCHECK NONE to the INTERNALCLIENTPARMS statement in the TCPIP Config file so that a client certificate is not requested.

New APIs allow fields to be requested from a local or partner certificate. The new APIs include a TCPSCERTDTA call for Pascal routines and a new SIOCGCERTDATA ioctl code for IUCV and C routines.

For Host Name Verification, the SecureDetailType structure has been updated with a new Version field. When the Version is set to 1, a new SecureDetailExtension can be included on a secure client call to specify an FQDN, host name or IP address. This value is compared to the Common Name, Domain Name, or Subject Alternate Name extension marked as an IP address in the server certificate to verify the identity of the server. The z/VM Telnet client has been updated to use the new SecureDetailExtension. Note that when Host Name Verification is enabled, values inside the server's digital certificate are checked against the host name or IP address of the TCP/IP stack. Use of this option may require new or updated digital certificates if such fields have not already been included. Refer to the updated TCP/IP Planning and Customization and TCP/IP Programmer's Reference for details of the above support.

This APAR ships many of the TCP/IP client and server modules. In addition, new versions of CMS and LE (APARs VM66348 and VM66349) are required for the SSL server and for any users that will be issuing the new SIOCGCERTDATA ioctl. A restart of all of these clients and servers is required. No restart of z/VM itself is required.

**** PE21/03/24 FIX IN ERROR. SEE APAR PH35671 FOR DESCRIPTION
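The three checks the APAR describes for a server certificate (signed by a trusted CA, not expired, and the handshake string matched against the Common Name, the SAN DNS names, or the SAN IP addresses), as an added illustration that is not IBM's code and does not model the z/VM TCPSCERTDTA or SIOCGCERTDATA interfaces. It assumes the Python `cryptography` package; all certificates, keys, host names and addresses are constructed for the example.

```python
import datetime as dt
import ipaddress
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, sans, key, issuer=None, days=30):
    """Constructed test certificate for `key`; issuer=(name, key), or None for self-signed."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, issuer_key = issuer or (name, key)
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=2))
         .not_valid_after(now + dt.timedelta(days=days)))  # days < 0 gives an already-expired cert
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def verify_server(cert, trusted_ca_key, expected):
    """None when cert is CA-signed, within its validity dates and names `expected`; else the reason."""
    nb, na = (t.replace(tzinfo=dt.timezone.utc) for t in (cert.not_valid_before, cert.not_valid_after))
    if not nb <= dt.datetime.now(dt.timezone.utc) <= na:
        return "expired or not yet valid"
    try:  # signature over the to-be-signed portion must verify under the trusted CA's public key
        trusted_ca_key.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return "not signed by a trusted CA"
    # Fields the APAR compares the handshake string against: Common Name, SAN DNS names, SAN IP addresses.
    names = {a.value.lower() for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    san = next((e.value for e in cert.extensions if isinstance(e.value, x509.SubjectAlternativeName)), None)
    if san:
        names |= {d.lower() for d in san.get_values_for_type(x509.DNSName)}
        names |= {str(ip) for ip in san.get_values_for_type(x509.IPAddress)}
    try:
        expected = str(ipaddress.ip_address(expected))  # normalise an IP literal
    except ValueError:
        expected = expected.lower()                     # host names compare case-insensitively
    return None if expected in names else "host name mismatch"

def demo():  # constructed CA, server and rogue keys exercising every outcome
    ca_key, srv_key, rogue = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Example Test CA", [], ca_key)
    sans = [x509.DNSName("ftp.example.com"), x509.IPAddress(ipaddress.ip_address("192.0.2.10"))]
    srv = make_cert("ftp.example.com", sans, srv_key, issuer=(ca.subject, ca_key))
    old = make_cert("ftp.example.com", sans, srv_key, issuer=(ca.subject, ca_key), days=-1)
    return {"fqdn": verify_server(srv, ca_key, "FTP.Example.COM"), "ip": verify_server(srv, ca_key, "192.0.2.10"),
            "wrong_host": verify_server(srv, ca_key, "smtp.example.com"), "untrusted": verify_server(srv, rogue, "ftp.example.com"),
            "expired": verify_server(old, ca_key, "ftp.example.com")}
```

A client configured like the z/VM Telnet client's SecureDetailExtension would treat any non-None result as grounds to fail the handshake.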
APAR Information
APAR number
PH18435
Reported component name
TCP/IP FOR Z/VM
Reported component ID
5735FAL00
Reported release
710
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-10-23
Closed date
2020-06-10
Last modified date
2021-06-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI69975
Modules/Macros
CMCLIEN CMCOMM CMCONVXL CMDASDR CMERUPT CMFSCRN CMHOSTN CMINTER CMMAKSI CMNETST CMOBEY CMPRCOM CMRESGLB CMRESOL CMSOCK CMVERT DTCNETRC FPNOTIF FPQUEUE FPSCHED FPSOCKRE FPTCPREQ FPTCPUP FTMAIN FTP FTPROCS FTSEVEN FTSRVCO FTSRVPA FTSUTIL FTSVMSUB FTSYPRO FTUTIL F6TCPUP HOMETEST LPQ LPRM LPRP MSCOMM MSCOMMON MSCONVXL MSFTP MSFTPC MSHOMETE MSMAKESI MSNETSTA MSOBEY MSSAMP MSSMTP MSSMTR MSTCP MSTEL MSTESTSI MSTFTP MSTRACE REXEC SMTP SMTPCMDS SMTPEVNT SMTPGLOB SMTPQUEU SMTPRES SMTPRPLY SMTPRULE SMTPSMSG SRVRFTP SSLADMNP SSLCTLIO SSLDPUMP SSLGSKCF SSLMNTOR SSLREPRT SSLSCBEX SSLTRACE SSLTRSIT TCACB TCARP TCBASEX TCBASTY TCCLIEN TCFPSM TCFR182 TCIPDOW TCMIB TCMON TCMPRIO TCNOTIF TCPARSE TCPDOWN TCPEQUAT TCPERUP TCPIP TCPREQU TCPRINT TCPSSL TCPUP TCQDIO TCQUEUE TCSHUT TCSKCB TCSOCKC TCSOCKRE TCTCB TCTOATM TCTOCTC TCTOHPPI TCTOOSD TCUDPRE TCUTIL TFPARSE TFUTIL TNSTMAS TNUTMAS T6PREQU T6PSSL T6SOCKRE T6UDPRE
GC24632801 | GC24633003 | SC24633104 | SC24633203 | SC24633303 |
Fix information
Fixed component name
TCP/IP FOR Z/VM
Fixed component ID
5735FAL00
Applicable component levels
R710 PSY UI69975
UP20/06/16 P 2101
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
30 June 2021