Managing security changes after an upgrade

After you upgrade Copy Services Manager, the upgrade might also include upgrades to internal components, such as Java™.

Secure LDAP

To support a more secure LDAP connection, Java changed endpoint validation from relaxed to strict by default. Unfortunately, any existing LDAP connections that were not configured for endpoint identification fail if endpoint identification is required. Therefore, by default, Copy Services Manager disables endpoint identification in Java. This practice helps ensure that existing LDAP connections that are not configured for endpoint identification still work and that you can continue logging in to Copy Services Manager.

If your LDAP service is configured for endpoint identification, re-enable this Java feature to improve security. To reset the Java property after an upgrade, perform the following steps:

Procedure

  1. Open the JVM.options file.
  2. Set the following property to false, as shown (a value of false turns the disable switch off, which re-enables endpoint identification):
    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=false
  3. Restart the Copy Services Manager server.

Results

Copy Services Manager can reconnect to LDAP servers for user authentication.

Storage system connections

For DS8000 HMC users: Java updates can cause disconnects from DS8000® systems after Copy Services Manager upgrades if Java disables older encryption algorithms. Contact support to help re-enable the algorithms.

z/OS over IP connection with self-signed certificates

If you used self-signed certificates to establish a host connection to z/OS® over IP before you upgraded to Copy Services Manager 6.2.9, you might need to recertify and reclaim the certificates to reconnect successfully after the upgrade. The newer versions of Java (as of version 1.8 -- 8.0.6.10) require a key tag attribute called CA:TRUE, which is not available from older, self-signed certificates.

Recommended: Purchase a CA-signed certificate to provide an extra layer of security.

Procedure

See the IBM® Copy Services Manager Implementation Guide (http://www.redbooks.ibm.com/redbooks/pdfs/sg248375.pdf) Redbooks® publication on the IBM Redbooks website (www.redbooks.ibm.com/) for more information about how to generate a self-signed certificate in z/OS.

z/OS over IP connection failures after Java security updates

After you upgrade Copy Services Manager to 6.3.17, which updates the underlying Java runtime to 21.0.0.10, secure z/OS over IP connections might fail if deprecated TLS cipher suites are configured in AT-TLS policies.

Newer versions of Java disable legacy TLS RSA key-exchange cipher suites by default. These cipher suites do not provide forward secrecy and are no longer considered secure. If an AT-TLS policy still specifies these deprecated cipher suites, the TLS handshake fails after the upgrade.

Recommended: Update your AT-TLS configuration to remove TLS_RSA_* cipher suites and replace them with supported ECDHE-based cipher suites.

Procedure

  1. Review the AT-TLS policy file (for example, ttlsPol.txt) and locate any TLS_RSA_* cipher suite definitions.
  2. Remove all TLS_RSA_* cipher suites from the policy.
  3. Add supported ECDHE-based cipher suites, such as:
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  4. Refresh the Policy Agent to activate the updated configuration:
    F PAGENT,REFRESH
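As an added example (not part of this page or of Copy Services Manager), the following script audits an AT-TLS policy fragment for the deprecated TLS_RSA_* suites described above and produces a hardened copy that keeps only ECDHE suites. The sample policy text is constructed, and the TTLSCipherParms / V3CipherSuites statement layout is assumed to match your policy file.

```python
import re

# Constructed sample of an AT-TLS cipher block (not from the page); the
# TTLSCipherParms / V3CipherSuites statement form is assumed.
SAMPLE_POLICY = """\
TTLSCipherParms CsmCipherParms
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
"""

# ECDHE suites recommended by the procedure above (forward secrecy).
RECOMMENDED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

def find_cipher_suites(policy_text):
    """Return every suite named in a V3CipherSuites statement, in file order."""
    return re.findall(r"^\s*V3CipherSuites\s+(\S+)", policy_text, re.MULTILINE)

def deprecated_suites(suites):
    """Suites that newer Java runtimes disable: RSA key exchange, no forward secrecy."""
    return [s for s in suites if s.startswith("TLS_RSA_")]

def harden_policy(policy_text):
    """Drop TLS_RSA_* statements and add any missing recommended ECDHE suites
    before each block's closing brace, preserving the file's indentation."""
    out, present, indent = [], set(), "  "
    for line in policy_text.splitlines():
        m = re.match(r"^(\s*)V3CipherSuites\s+(\S+)", line)
        if m:
            indent = m.group(1)
            if m.group(2).startswith("TLS_RSA_"):
                continue  # remove the deprecated suite
            present.add(m.group(2))
        elif line.strip() == "}":
            for suite in RECOMMENDED:
                if suite not in present:
                    out.append(f"{indent}V3CipherSuites {suite}")
            present = set()  # next block starts fresh
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("deprecated:", deprecated_suites(find_cipher_suites(SAMPLE_POLICY)))
    print(harden_policy(SAMPLE_POLICY))
```

Run it against your own ttlsPol.txt by replacing SAMPLE_POLICY with the file contents; the audit reports what Java 21 will reject before you refresh the Policy Agent.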

Results

Secure z/OS over IP connections complete the TLS handshake successfully after the AT-TLS configuration is updated.