Secure Protocol and Security Mode
IBM® Connect:Direct® for z/OS® with SecurePlus supports the Secure protocols SSLv3.0, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3, together with a setting called Security Mode. As of Connect:Direct version 6.3, SSLv3.0, TLSv1.0 and TLSv1.1 are deprecated and can no longer be selected. The Secure protocol and the Security mode work hand in hand: the mode applies further restrictions on which Secure protocol can be used.
The SecurePlus Admin tool, SPAdmin, allows multiple protocols to be enabled; the two nodes then negotiate the highest Secure protocol that both support. For example, if the Local parameter record enables all Secure protocols and the Remote Connect:Direct has enabled TLSv1.3, TLSv1.3 is selected. If the Remote Connect:Direct has not enabled TLSv1.3 or does not support it, the highest Secure protocol that the Remote does support is selected. Because the choice is the highest protocol common to both sides, a Local record that leaves older protocols enabled will fall back to them whenever a Remote offers nothing better; to enforce a minimum, disable the protocols you do not want on the Local side rather than relying on the Remote's configuration.
The Security mode restricts not only which Secure protocol can be enabled or selected; it may also restrict cipher suite selection, certificate key strength and encryption algorithms. SPAdmin provides field-level help for each Secure protocol and Security mode: press the PF1 key while the cursor is positioned on the field.
FIPS mode requires the Secure protocol to be at least TLSv1.0 and disables SSLv3.0 and TLSv1.3. Combined with the 6.3 deprecations, this means that on a 6.3 or later release FIPS mode leaves TLSv1.2 as the only selectable Secure protocol. FIPS mode also disables or ignores certain cipher suites.
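The following is an added model of the negotiation rule and the Security mode restrictions described above; it is illustrative code written for this page, not IBM's implementation, which performs the selection inside the TLS handshake between the two nodes. It assumes a release string of the form "major.minor", uses "NONFIPS" as a stand-in label for the unrestricted mode (not necessarily the SPAdmin value), and does not model cipher suite or key-strength restrictions because the page does not name them.

```python
"""Model of Secure Plus protocol negotiation under Security mode and release
restrictions. Added illustration for this page, not IBM code."""
from typing import FrozenSet, Iterable, Optional, Tuple

# Weakest to strongest; the index is the protocol's rank.
PROTOCOLS: Tuple[str, ...] = ("SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# No longer selectable from Connect:Direct 6.3 onward (as stated in the text).
DEPRECATED_FROM_6_3: FrozenSet[str] = frozenset({"SSLv3.0", "TLSv1.0", "TLSv1.1"})

# FIPS: minimum TLSv1.0, with SSLv3.0 and TLSv1.3 disabled (as stated in the text).
# "NONFIPS" is an assumed label for the unrestricted mode, not an SPAdmin value.
MODE_MINIMUM = {"FIPS": "TLSv1.0", "NONFIPS": "SSLv3.0"}
MODE_DISABLED = {"FIPS": frozenset({"SSLv3.0", "TLSv1.3"}), "NONFIPS": frozenset()}


def _rank(protocol: str) -> int:
    """Position in PROTOCOLS; rejects names the model does not know."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown Secure protocol: {protocol}")
    return PROTOCOLS.index(protocol)


def _release_tuple(release: str) -> Tuple[int, ...]:
    """'6.3' -> (6, 3), so releases compare numerically, not as strings."""
    return tuple(int(part) for part in release.split("."))


def permitted_protocols(enabled: Iterable[str], mode: str = "NONFIPS",
                        release: str = "6.3") -> FrozenSet[str]:
    """Protocols a node can actually offer: those enabled in its parameter
    record, minus those its release no longer supports and those its
    Security mode forbids (by exclusion list and by minimum version)."""
    if mode not in MODE_MINIMUM:
        raise ValueError(f"unknown Security mode: {mode}")
    offered = set(enabled)
    for protocol in offered:
        _rank(protocol)  # validate every configured name
    if _release_tuple(release) >= (6, 3):
        offered -= DEPRECATED_FROM_6_3
    offered -= MODE_DISABLED[mode]
    minimum = _rank(MODE_MINIMUM[mode])
    return frozenset(p for p in offered if _rank(p) >= minimum)


def negotiate(local_enabled: Iterable[str], remote_offered: Iterable[str],
              mode: str = "NONFIPS", release: str = "6.3") -> Optional[str]:
    """Return the highest protocol both nodes permit, or None when there is
    no overlap (the session would fail its handshake). remote_offered is
    what the Remote node offers after applying its own settings."""
    local = permitted_protocols(local_enabled, mode, release)
    common = local & frozenset(remote_offered)
    return max(common, key=_rank) if common else None


if __name__ == "__main__":
    everything = set(PROTOCOLS)
    print(negotiate(everything, {"TLSv1.2", "TLSv1.3"}))              # TLSv1.3
    print(negotiate(everything, {"TLSv1.2"}))                          # TLSv1.2
    print(negotiate(everything, everything, mode="FIPS"))              # TLSv1.2
    print(negotiate(everything, {"TLSv1.3"}, mode="FIPS"))             # None
    print(negotiate({"TLSv1.1", "TLSv1.2"}, {"TLSv1.1"}))              # None (6.3 dropped TLSv1.1)
    print(negotiate({"TLSv1.1", "TLSv1.2"}, {"TLSv1.1"}, release="6.2"))  # TLSv1.1
```

The last two calls show the practical consequence of the deprecation: a Remote that still only offers TLSv1.1 can connect to a 6.2 node with TLSv1.1 enabled, but not to a 6.3 node, regardless of what the Local record enables.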