Support for SSLv3 (deprecated)
Due to a vulnerability in the SSLv3 (Secure Socket Layer) protocol, support for this protocol is deprecated in z/OS® Explorer. However, SSL was the default protocol up until the deprecation, which implies that existing host and client setups require updates to switch to TLS (Transport Layer Security).
The recommended action for the host is to explicitly disable the usage of SSL by adding GSK_PROTOCOL_SSLV3=OFF to rse.env (support for TLS is already enabled by default).
During the transition period in which older clients are updated to use TLS, the z/OS Explorer host must be able to support both SSL and TLS. Depending on your service level of System SSL and Java™, this might be a more involved process, as outlined here:
- Copy Java's lib/security/java.security to /etc/zexpl/ssl.java.security and comment out the jdk.tls.disabledAlgorithms=SSLv3 line. This step must be repeated each time you apply service to Java.

      $ cp /usr/lpp/java/J7.0/lib/security/java.security /etc/zexpl/ssl.java.security
      $ oedit /etc/zexpl/ssl.java.security
        -> comment: #jdk.tls.disabledAlgorithms=SSLv3
- Add the following statements to the end of rse.env (note the double equal sign (==) in the java.security.properties line) and restart the RSE daemon to pick up the changes.

      GSK_PROTOCOL_SSLV3=ON
      GSK_PROTOCOL_TLSV1=ON
      _RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dcom.ibm.jsse2.disableSSLv3=false"
      _RSE_JAVAOPTS="$_RSE_JAVAOPTS -Djava.security.properties==/etc/zexpl/ssl.java.security"
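
The settings above are intended only for the transition period, so it is worth checking a host's rse.env for them once clients have moved to TLS. The following shell function is an added example, not part of IBM's documentation: the name audit_rse_env and its return codes are this example's own, and the path to rse.env is passed as an argument.

```shell
#!/bin/sh
# Added example, not IBM code. Reports whether an rse.env still permits SSLv3.
# Return codes are this example's own convention:
#   0 = SSLv3 explicitly off, 1 = SSLv3 or a transition override is active,
#   2 = GSK_PROTOCOL_SSLV3 not set to ON/OFF, 3 = file unreadable.
audit_rse_env() {
    env_file=$1
    [ -r "$env_file" ] || { echo "unreadable: $env_file" >&2; return 3; }
    rc=0
    # Ignore commented-out lines. Assumption: when a variable is assigned more
    # than once, the last assignment wins (the page appends to the end of rse.env).
    active=$(grep -v '^[[:space:]]*#' "$env_file" || true)

    sslv3=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*GSK_PROTOCOL_SSLV3="\{0,1\}\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr '[:lower:]' '[:upper:]')
    case $sslv3 in
        OFF) echo "ok: GSK_PROTOCOL_SSLV3=OFF" ;;
        ON)  echo "finding: GSK_PROTOCOL_SSLV3=ON, System SSL accepts SSLv3"; rc=1 ;;
        *)   echo "warning: GSK_PROTOCOL_SSLV3 is not set to ON or OFF"; rc=2 ;;
    esac

    if printf '%s\n' "$active" | grep -q 'Dcom\.ibm\.jsse2\.disableSSLv3=false'; then
        echo "finding: Java option com.ibm.jsse2.disableSSLv3=false is set"; rc=1
    fi

    # The double equal sign replaces Java's java.security with the named file.
    props=$(printf '%s\n' "$active" |
        sed -n 's/.*Djava\.security\.properties==\([^" ]*\).*/\1/p' | tail -n 1)
    if [ -n "$props" ]; then
        echo "finding: java.security is overridden by $props"; rc=1
        if [ -r "$props" ] &&
           ! grep -q '^[[:space:]]*jdk\.tls\.disabledAlgorithms=.*SSLv3' "$props"; then
            echo "finding: $props does not list SSLv3 in jdk.tls.disabledAlgorithms"
        fi
    fi
    return $rc
}

# Run against the file named on the command line, if any.
if [ $# -gt 0 ]; then audit_rse_env "$1"; fi
```

The jdk.tls.disabledAlgorithms check looks only at the line that starts the property, so a value continued over several lines with SSLv3 on a later line is reported as missing and should be confirmed by hand.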