Support for SSLv3 (deprecated)

Due to a vulnerability in the SSLv3 (Secure Sockets Layer) protocol, support for this protocol is deprecated in z/OS® Explorer. However, SSL was the default protocol up until the deprecation, so existing host and client setups must be updated to switch to TLS (Transport Layer Security).

The recommended action for the host is to explicitly disable the usage of SSL by adding GSK_PROTOCOL_SSLV3=OFF to rse.env (support for TLS is already enabled by default).

During the transition period in which older clients are updated to use TLS, the z/OS Explorer host must be able to support both SSL and TLS. Depending on your service level of System SSL and Java™, this might be a more involved process, as outlined here:

  1. Copy Java’s lib/security/java.security to /etc/zexpl/ssl.java.security and comment out the jdk.tls.disabledAlgorithms=SSLv3 line. This step must be repeated each time you apply service to Java.
    $ cp /usr/lpp/java/J7.0/lib/security/java.security /etc/zexpl/ssl.java.security
    $ oedit /etc/zexpl/ssl.java.security
          -> comment: #jdk.tls.disabledAlgorithms=SSLv3
  2. Add the following statements to the end of rse.env (note the double equal sign (==) in the java.security.properties line) and restart the RSE daemon to pick up the changes.
    GSK_PROTOCOL_SSLV3=ON
    GSK_PROTOCOL_TLSV1=ON
    _RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dcom.ibm.jsse2.disableSSLv3=false"
    _RSE_JAVAOPTS="$_RSE_JAVAOPTS -Djava.security.properties==/etc/zexpl/ssl.java.security"
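
For checking that a host has returned to the recommended setting after the transition period, the following sh script audits an rse.env file for the three settings from the steps above that keep SSLv3 enabled. It is an added example, not part of the IBM documentation; the function names, the temporary sample files, and the rule that the last uncommented assignment wins are assumptions of this example.

```sh
#!/bin/sh
# Added example (not IBM code): report settings that keep SSLv3 enabled.
# Assumption: the last uncommented assignment of a variable is the effective one.

# Print the value of the last uncommented "NAME=value" line of file $2.
last_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d '"'
}

# Print one finding per line; return 0 only when nothing re-enables SSLv3.
audit_rse_env() {
    env_file=$1
    rc=0
    sslv3=$(last_value GSK_PROTOCOL_SSLV3 "$env_file")
    if [ "$sslv3" != "OFF" ]; then
        echo "GSK_PROTOCOL_SSLV3 is '${sslv3:-unset}', expected OFF"; rc=1
    fi
    if grep -v '^[[:space:]]*#' "$env_file" |
       grep -q 'Dcom\.ibm\.jsse2\.disableSSLv3=false'; then
        echo "_RSE_JAVAOPTS sets com.ibm.jsse2.disableSSLv3=false"; rc=1
    fi
    # With "==" the named file replaces Java's own java.security, so it must
    # carry the SSLv3 entry itself (only single-line entries are checked).
    props=$(grep -v '^[[:space:]]*#' "$env_file" |
            sed -n 's/.*Djava\.security\.properties==*\([^" ]*\).*/\1/p' | tail -n 1)
    if [ -n "$props" ] && [ -r "$props" ] &&
       ! grep '^[[:space:]]*jdk\.tls\.disabledAlgorithms=' "$props" | grep -q 'SSLv3'; then
        echo "$props: SSLv3 missing from jdk.tls.disabledAlgorithms"; rc=1
    fi
    return $rc
}

# Constructed sample: the transition-period settings from the steps above,
# written to a temporary directory instead of /etc/zexpl.
demo_dir=$(mktemp -d)
printf '%s\n' '#jdk.tls.disabledAlgorithms=SSLv3' > "$demo_dir/ssl.java.security"
cat > "$demo_dir/rse.env" <<EOF
GSK_PROTOCOL_SSLV3=ON
GSK_PROTOCOL_TLSV1=ON
_RSE_JAVAOPTS="\$_RSE_JAVAOPTS -Dcom.ibm.jsse2.disableSSLv3=false"
_RSE_JAVAOPTS="\$_RSE_JAVAOPTS -Djava.security.properties==$demo_dir/ssl.java.security"
EOF
audit_rse_env "$demo_dir/rse.env" || echo "SSLv3 is still enabled"
```

On a real host, call `audit_rse_env` with the path of the installed rse.env; a non-zero return code means at least one of the transition settings is still active.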