Protocol configuration
System TLS has the infrastructure to support multiple protocols.
- Transport Layer Security version 1.3 (TLSv1.3)
- Transport Layer Security version 1.2 (TLSv1.2)
- Transport Layer Security version 1.1 (TLSv1.1)
- Transport Layer Security version 1.0 (TLSv1.0)
- Secure Sockets Layer version 3.0 (SSLv3)
IBM strongly recommends that you always run your IBM i server with the following network protocols disabled. Using configuration options that are provided by IBM to enable the weak protocols results in your IBM i server being configured to allow use of the weak protocols. This configuration results in your IBM i server potentially being at risk of a network security breach. IBM DISCLAIMS AND YOU ASSUME ALL RESPONSIBILITY AND LIABILITY FOR ANY DAMAGE OR LOSS, INCLUDING LOSS OF DATA, ARISING OUT OF OR RELATED TO YOUR USE OF THE SPECIFIED NETWORK PROTOCOL.
- Transport Layer Security version 1.1 (TLSv1.1)
- Transport Layer Security version 1.0 (TLSv1.0)
- Secure Sockets Layer version 3.0 (SSLv3)
- Secure Sockets Layer version 2.0 (SSLv2)
Enabled protocols
The QSSLPCL system value setting identifies the specific protocols that are enabled on the system. Applications can negotiate secure sessions with only protocols that are listed in QSSLPCL. For example, to restrict the System TLS implementation to use only TLSv1.3 and not allow any older protocol versions, set QSSLPCL to contain only *TLSV1.3.
The QSSLPCL special value *OPSYS allows the operating system to change the protocols that are enabled on the system. The value of QSSLPCL remains the same when the system upgrades to a newer operating system release. If the value of QSSLPCL is not *OPSYS, then the administrator must manually add newer protocol versions to QSSLPCL after the system moves to a new release.
| IBM i release | QSSLPCL *OPSYS definition |
|---|---|
| i 7.1 | *TLSV1, *SSLV3 |
| i 7.2 | *TLSV1.2, *TLSV1.1, *TLSV1 |
| i 7.3 | *TLSV1.3, *TLSV1.2, *TLSV1.1, *TLSV1 |
| i 7.4 | *TLSV1.3, *TLSV1.2 |
| i 7.5 | *TLSV1.3, *TLSV1.2 |
Default protocols
When an application does not specify the protocols to enable, the System TLS default protocols are used. Applications use this design to pick up new TLS support without requiring application code changes. The default protocol setting has no meaning for applications that explicitly specify the protocols to enable for the application.
The default protocols on a system are the intersection of the enabled protocols from QSSLPCL and the eligible default protocols. The eligible default protocol list is configured by using the System Service Tools (SST) Advanced Analysis command TLSCONFIG.
To determine the current value of the eligible default protocol list and the default protocol list on the system, use TLSCONFIG option display. The Retrieve TLS Attributes (QsoRtvTLSA) API retrieves TLS attributes allowing the eligible default protocol list to be retrieved from a program.
An administrator should consider changing the default protocol settings only when no other configuration setting allows an application to interoperate with peers successfully. It is preferred to enable an older protocol for only the specific application that requires it. When the application has an “application definition,” then this enablement is accomplished through the Digital Certificate Manager (DCM).
If the default protocols must be changed on the system, use TLSCONFIG option eligibleDefaultProtocols to change the value. TLSCONFIG option h displays the help panel that describes how to set the protocol list. Only protocol versions that are listed in the help text can be added to the list.
TLSCONFIG -eligibleDefaultProtocols:20

| IBM i release | Eligible default protocol list with latest Security Group PTF |
|---|---|
| i 7.1 | TLSv1.2, TLSv1.1, TLSv1.0 |
| i 7.2 | TLSv1.2, TLSv1.1, TLSv1.0 |
| i 7.3 | TLSv1.3, TLSv1.2, TLSv1.1, TLSv1.0 |
| i 7.4 | TLSv1.3, TLSv1.2 |
| i 7.5 | TLSv1.3, TLSv1.2 |
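The rule above (default protocols = QSSLPCL enabled protocols intersected with the eligible default list) can be modelled offline from the two tables on this page. The following is an added example, not IBM code; the release keys, the name mapping between QSSLPCL special values and TLSCONFIG names, and the sample QSSLPCL settings are assumptions for illustration, and the live values must still be read with WRKSYSVAL QSSLPCL and TLSCONFIG option display.

```python
# Added example (not IBM's code): predict the System TLS default protocol list
# for a release from a QSSLPCL setting, using the per-release tables on this page.

# QSSLPCL *OPSYS definition per release (from the first table above).
OPSYS_QSSLPCL = {
    "7.1": ["*TLSV1", "*SSLV3"],
    "7.2": ["*TLSV1.2", "*TLSV1.1", "*TLSV1"],
    "7.3": ["*TLSV1.3", "*TLSV1.2", "*TLSV1.1", "*TLSV1"],
    "7.4": ["*TLSV1.3", "*TLSV1.2"],
    "7.5": ["*TLSV1.3", "*TLSV1.2"],
}

# Eligible default protocol list per release with the latest Security Group PTF
# (from the second table above).
ELIGIBLE_DEFAULTS = {
    "7.1": ["TLSv1.2", "TLSv1.1", "TLSv1.0"],
    "7.2": ["TLSv1.2", "TLSv1.1", "TLSv1.0"],
    "7.3": ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"],
    "7.4": ["TLSv1.3", "TLSv1.2"],
    "7.5": ["TLSv1.3", "TLSv1.2"],
}

# Protocols IBM recommends keeping disabled.
WEAK = {"TLSv1.1", "TLSv1.0", "SSLv3", "SSLv2"}

def qsslpcl_to_name(value):
    """Map a QSSLPCL special value (e.g. *TLSV1, *SSLV3) to the TLSCONFIG-style
    name (TLSv1.0, SSLv3). The mapping is an assumption made for this example."""
    v = value.upper().lstrip("*")
    if v == "TLSV1":
        return "TLSv1.0"
    if v.startswith("TLSV"):
        return "TLSv" + v[4:]
    if v.startswith("SSLV"):
        return "SSLv" + v[4:]
    raise ValueError(f"unknown QSSLPCL value {value!r}")

def enabled_protocols(release, qsslpcl):
    """Resolve QSSLPCL for a release, expanding *OPSYS to its definition."""
    if [x.upper() for x in qsslpcl] == ["*OPSYS"]:
        qsslpcl = OPSYS_QSSLPCL[release]
    return [qsslpcl_to_name(x) for x in qsslpcl]

def default_protocols(release, qsslpcl):
    """Defaults = enabled protocols (QSSLPCL) intersected with the eligible
    default list, kept in eligible-list order."""
    enabled = set(enabled_protocols(release, qsslpcl))
    return [p for p in ELIGIBLE_DEFAULTS[release] if p in enabled]

def weak_defaults(release, qsslpcl):
    """Weak protocols an application relying on system defaults could negotiate."""
    return [p for p in default_protocols(release, qsslpcl) if p in WEAK]
```

Note how on i 7.1 with *OPSYS the defaults come out as TLSv1.0 only: SSLv3 is enabled but not eligible, and TLSv1.2 is eligible but not in QSSLPCL, which is the case where the administrator has to add newer versions manually.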