Managing encryption protocols

z/OS® Explorer allows you to specify System SSL variables GSK_PROTOCOL_* in rse.env. These variables control which encryption protocols are enabled for secure communication. The RSE daemon passes these settings to the RSE server, where they are used by Java™ cryptographic services.

As of this release, z/OS Explorer clients no longer use TLSv1.0. By default, Java version 8 uses TLSv1.2, and Java versions 11 and later use TLSv1.3. TLSv1.0 and TLSv1.1 are disabled by default and are no longer supported. The latest z/OS Explorer host version enables TLSv1.2 and TLSv1.3 by default.

To ensure secure communication, clients must use protocol TLSv1.2 or higher.

For example:
GSK_PROTOCOL_SSLV3=OFF
GSK_PROTOCOL_TLSV1=OFF
GSK_PROTOCOL_TLSV1_1=OFF
GSK_PROTOCOL_TLSV1_2=ON
GSK_PROTOCOL_TLSV1_3=ON
This configuration explicitly disables SSLv3.0, TLSv1.0 and TLSv1.1, and enables TLSv1.2 and TLSv1.3. For a list of supported protocols and the matching variable names, see Cryptographic Services System SSL Programming (SC24-5901).
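
The following shell functions check an rse.env-style file for the protocol settings described above. They are an added example, not part of z/OS Explorer. The names gsk_value and audit_rse_env are hypothetical, and the example assumes that settings are plain VAR=value lines (optionally prefixed by "export"), that "#" starts a comment, and that the last assignment of a variable wins.

```shell
#!/bin/sh
# Added example: audit GSK_PROTOCOL_* settings in an rse.env-style file.
# Assumption: VAR=value lines, optional "export", "#" comments, last one wins.

# Print the effective value (upper-cased) of variable $2 in file $1, or UNSET.
gsk_value() {
    awk -v var="$2" '
        { sub(/#.*/, "") }                       # drop comments
        { sub(/^[ \t]*(export[ \t]+)?/, "") }    # drop indentation and "export"
        index($0, var "=") == 1 {                # exact name followed by "="
            val = substr($0, length(var) + 2)
            gsub(/[" \t\r]/, "", val)            # strip quotes and whitespace
            last = toupper(val)
        }
        END { print (last == "" ? "UNSET" : last) }
    ' "$1"
}

# Return 0 when no legacy protocol is switched ON and TLSv1.2 or TLSv1.3
# remains usable; otherwise print one line per finding and return 1.
audit_rse_env() {
    file=$1
    rc=0
    for legacy in GSK_PROTOCOL_SSLV3 GSK_PROTOCOL_TLSV1 GSK_PROTOCOL_TLSV1_1; do
        if [ "$(gsk_value "$file" "$legacy")" = "ON" ]; then
            echo "FAIL: $legacy=ON enables a legacy protocol"
            rc=1
        fi
    done
    if [ "$(gsk_value "$file" GSK_PROTOCOL_TLSV1_2)" = "OFF" ] &&
       [ "$(gsk_value "$file" GSK_PROTOCOL_TLSV1_3)" = "OFF" ]; then
        echo "FAIL: TLSv1.2 and TLSv1.3 are both OFF"
        rc=1
    fi
    return $rc
}

# Constructed sample: TLSv1.1 is turned off, then re-enabled further down.
sample=$(mktemp)
printf '%s\n' 'GSK_PROTOCOL_TLSV1_1=OFF' 'GSK_PROTOCOL_TLSV1_2=ON' \
    'export GSK_PROTOCOL_TLSV1_1=ON  # constructed override' > "$sample"
audit_rse_env "$sample" || echo "rse.env needs review"
rm -f "$sample"
```

A variable that is absent from the file is reported as UNSET and is not treated as a finding, because the host defaults described above then apply.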