Disabling the SSLv3 protocol

You can disable SSLv3 after you upgrade to a system that no longer requires this protocol.

About this task

Newer levels of the IBM Java virtual machine (JVM) now disable SSLv3 by default, because it is no longer considered a secure protocol. This protocol can be affected by the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability. Systems with the POODLE fix should not use SSLv3 connections. However, older systems that do not have this fix still connect by using SSLv3. Copy Services Manager enables limited support for the SSLv3 protocol to accommodate these older systems. After you upgrade your system, you need to disable SSLv3.
Note: This procedure is not necessary for Copy Services Manager on the HMC because it only uses TLSv1.2 connections.

Disabling the SSLv3 protocol for DS8000 connections

You can disable the SSLv3 protocol for DS8000 connections.

About this task

Perform the following steps to disable SSLv3 in Copy Services Manager for DS8000 connections. You can either edit the essclient.properties and jvm.options files directly, or use the chsystem command.

Note: This procedure is not necessary for Copy Services Manager on the HMC because it only uses TLSv1.2 connections.

Disable SSLv3 on DS8000 by editing the essclient.properties and jvm.options files

You can edit the essclient.properties and jvm.options files to change the protocol from SSLv3 to TLSv1.2 for DS8000 connections.

About this task

Follow these steps to change the protocol from SSLv3 to TLSv1.2 by editing the essclient.properties and jvm.options files:

Procedure

  1. In the csm_install_directory/liberty/wlp/usr/servers/csmServer/properties/essclient.properties file, add this line:
    ssl_protocol=TLSv1.2
  2. In the csm_install_directory/liberty/wlp/usr/servers/csmServer/jvm.options file, delete the following line:
    -Dcom.ibm.jsse2.disableSSLv3=false
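
To confirm that both edits are in place, the following check can be run against the installation directory. It is an added example, not part of the IBM documentation or product. The function name check_sslv3_disabled is hypothetical, and the script assumes standard Java properties parsing (the last uncommented ssl_protocol assignment wins) and that lines starting with # in jvm.options are comments.

```shell
#!/bin/sh
# Added example: audit a Copy Services Manager install for leftover SSLv3 settings.
# check_sslv3_disabled is a hypothetical helper name, not a product command.
# Usage: check_sslv3_disabled /path/to/csm_install_directory
# Returns 0 = both settings correct, 1 = finding, 2 = file unreadable.

check_sslv3_disabled() {
    srv="$1/liberty/wlp/usr/servers/csmServer"
    props="$srv/properties/essclient.properties"
    jvm="$srv/jvm.options"
    rc=0

    for f in "$props" "$jvm"; do
        [ -r "$f" ] || { echo "ERROR: cannot read $f" >&2; return 2; }
    done

    # Assumption: Java properties semantics, so the LAST active assignment wins.
    # Strip CRs (files edited on Windows), accept '=' or ':' with optional
    # whitespace; commented lines (# or !) never match the anchored key.
    proto=$(tr -d '\r' < "$props" |
        sed -n 's/^[[:space:]]*ssl_protocol[[:space:]]*[=:][[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        tail -n 1)

    if [ "$proto" = "TLSv1.2" ]; then
        echo "OK:   essclient.properties ssl_protocol=TLSv1.2"
    else
        echo "FAIL: essclient.properties ssl_protocol='${proto:-<unset>}' (expected TLSv1.2)"
        rc=1
    fi

    # Any active (uncommented) line that re-enables SSLv3 in the JVM is a finding.
    if tr -d '\r' < "$jvm" | grep -v '^[[:space:]]*#' |
        grep -q -- '-Dcom\.ibm\.jsse2\.disableSSLv3=false'; then
        echo "FAIL: jvm.options still contains -Dcom.ibm.jsse2.disableSSLv3=false"
        rc=1
    else
        echo "OK:   jvm.options does not re-enable SSLv3"
    fi
    return $rc
}
```

The check covers only the two files named in this procedure; it does not open a connection to the DS8000 to confirm the negotiated protocol.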

Disable SSLv3 on DS8000 by using the chsystem command

You can use the chsystem command to change the protocol from SSLv3 to TLSv1.2 for DS8000 connections.

About this task

Follow these steps to change the protocol from SSLv3 to TLSv1.2 by using the chsystem command:

Procedure

  1. Log in to the Copy Services Manager command line as a user with administrative authority.
  2. Run the chsystem command as follows:
    csmcli> chsystem -f essclient -p ssl_protocol -v TLSv1.2
    Note: For more information, view the chsystem command help topic, or see the chsystem command in the IBM® Copy Services Manager online product documentation (http://www-01.ibm.com/support/knowledgecenter/SSESK4).

    The Command-line Interface User's Guide also provides details on the chsystem command.

Disabling the SSLv3 protocol for z/OS host connections

You can disable the SSLv3 protocol for z/OS host connections by using the chsystem command.

About this task

Follow this procedure to disable the SSLv3 protocol for z/OS host connections:

Procedure

  1. Log in to the Copy Services Manager command line as a user with administrative authority.
  2. Run the chsystem command as follows:
    csmcli> chsystem -f zosclient -p protocol -v TLSv1.2
    Note: For more information, view the chsystem command help topic, or see the chsystem command in the IBM Copy Services Manager online product documentation (http://www-01.ibm.com/support/knowledgecenter/SSESK4).

    The Command-line Interface User's Guide also provides details on the chsystem command.