Managing security changes after an upgrade

After you upgrade Copy Services Manager, the upgrade might also include upgrades to internal components, such as Java™.

Secure LDAP

To support a more secure LDAP connection, Java made a change in endpoint validation from relaxed to strict by default. Unfortunately, any existing LDAP connections that were not configured for endpoint identification fail if endpoint identification is required. Therefore, by default, Copy Services Manager disables endpoint identification in Java. This practice ensures that existing LDAP connections that are not configured for endpoint identification still work and you can continue logging in to Copy Services Manager.

If your LDAP service has been configured for endpoint identification, it is recommended that you re-enable this Java feature for better security. To reset the Java property after an upgrade, perform the following steps:

Procedure

  1. Open the JVM.options file.
  2. Set the following property to false, as shown:
    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=false
  3. Restart the Copy Services Manager server.

Results

Copy Services Manager should be able to reconnect to LDAP servers for user authentication.
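To confirm the setting after editing the file, the following added example (not IBM or Copy Services Manager code) reports the effective state of the property in a JVM options file. It assumes that the last occurrence of the option wins and that the value is compared without regard to case; the function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the LDAP endpoint-identification property in a
# JVM options file. Pass the path of your JVM.options file as the argument.
PROP='-Dcom.sun.jndi.ldap.object.disableEndpointIdentification'

# Prints one of:
#   enabled          property is set to false (strict endpoint validation)
#   disabled         property is set to true
#   unset            property absent; the product default applies, which
#                    this page describes as endpoint identification disabled
#   invalid:<value>  property present with some other value
#   unreadable       file cannot be read (return code 2)
# Assumption: if the option appears more than once, the last line wins.
ldap_endpoint_id_state() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    value=$(awk -v p="$PROP" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # CRLF, padding
        /^#/ { next }                                    # commented out
        index($0, p "=") == 1 { v = tolower(substr($0, length(p) + 2)); seen = 1 }
        $0 == p               { v = ""; seen = 1 }       # option with no value
        END { print (seen ? "set:" v : "unset") }
    ' "$file")
    case $value in
        unset)     echo "unset" ;;
        set:false) echo "enabled" ;;
        set:true)  echo "disabled" ;;
        *)         echo "invalid:${value#set:}" ;;
    esac
}

# Constructed sample: a stale "true" line followed by the corrected line.
demo=$(mktemp)
printf '%s\n' '# constructed sample' '-Xmx1024m' \
    "$PROP=true" "  $PROP=False" > "$demo"
echo "effective state: $(ldap_endpoint_id_state "$demo")"
rm -f "$demo"
```

A result of disabled or unset after the procedure means the edit did not take effect in the file that was checked.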

Storage system connections

For DS8000 HMC users: Java updates can cause disconnects to DS8000® systems after Copy Services Manager upgrades if Java disables older encryption algorithms. Contact support to help re-enable the algorithms.

z/OS over IP connection with self-signed certificates

If you used self-signed certificates to establish a host connection to z/OS® over IP before upgrading to Copy Services Manager 6.2.9, you might need to re-certify and reclaim the certificates to successfully connect again after upgrading to 6.2.9. The newer versions of Java (as of version 1.8 -- 8.0.6.10) require a key tag attribute called CA:TRUE, which is not available from older, self-signed certificates.
Recommended: Purchase a certificate that is signed by a certificate authority (CA) to provide an additional layer of security.

Procedure

See the IBM® Copy Services Manager Implementation Guide (http://www.redbooks.ibm.com/redbooks/pdfs/sg248375.pdf) Redbooks® publication located on the IBM Redbooks website (www.redbooks.ibm.com/) for more information on how to generate a self-signed certificate in z/OS.