Planning for System SSL in FIPS Mode
Beginning with IBM z/OS Version 1 Release 11, System SSL provides the capability to execute securely in FIPS 140-2 mode. To this end, System SSL can run in either "FIPS mode" or "non-FIPS mode." By default, System SSL runs in non-FIPS mode and must be configured to run in FIPS mode. While executing in FIPS mode, System SSL continues to take advantage of the CP Assist for Cryptographic Function (CPACF) when it is available. System SSL also checks that certain restrictions are applied. For information about System SSL in FIPS mode, see z/OS V1R11.0 Cryptographic Services System Sockets Layer Programming SC24-5901-08.
Connect:Direct® for z/OS® can request that System SSL be placed into FIPS mode by using the appropriate System SSL API calls. The IBM Connect:Direct for z/OS FIPS initialization parameter attempts to place System SSL into FIPS mode. This initialization parameter instructs Connect:Direct FTP+ to initiate FIPS mode by using the appropriate System SSL API call, gsk_fips_state_set. Connect:Direct FTP+ issues the SITA195I message to indicate a successful request. However, if the request is not successful, Connect:Direct FTP+ terminates until the problem is resolved. For more information about FIPS mode errors, see Troubleshooting. For more information about the FIPS initialization parameter, see IBM Sterling Connect:Direct for z/OS Administration Guide. For more information about special considerations for FIPS mode, see IBM Sterling Connect:Direct for z/OS Release Notes.