IP Services: Enable SSLV3 for z/OS components

Description:

Starting in z/OS V2R1, z/OS Communications Server has changed its default protocol support for all components that use SSL/TLS, either through AT-TLS or natively through System SSL: SSLV3 is now disabled by default. Installations and applications that must continue to use SSLV3 can still enable it explicitly. The change affects AT-TLS, the FTP client and server, the TN3270 server, the DCAS server, Policy Agent, and sendmail.

For applications that use SSLV3, evaluate their usage and change them to use TLS protocols where possible. TLS addresses many security deficiencies of the earlier SSLV2 and SSLV3 protocols; in particular, SSLV3 has no safe configuration because its CBC padding check is exploitable (POODLE, CVE-2014-3566), so any SSLV3 enablement described below should be treated as a time-limited exception for a specific peer, not a standing setting.

Element or feature: z/OS Communications Server.
When change was introduced:
  • z/OS V2R1 with APAR PI28679.
  • z/OS V1R13 with APAR PI28678.
Applies to migration from:
  • z/OS V1R13 without APAR PI28678.
  • z/OS V1R12.
Timing: Before the first IPL.
Is the migration action required? Yes, if migrating from V1R12, or from V1R13 without APAR PI28678, and any of the components listed below must continue to use SSLV3. No action is required if SSLV3 is not needed or is already explicitly enabled.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.

Steps to take:

AT-TLS

AT-TLS is modified to disable SSLV3 by default. Any applications protected by AT-TLS will default to SSLv3 Off. SSLV3 can be enabled for applications protected by AT-TLS that require SSLV3.

No action is required if SSLV3 is explicitly enabled in your policy. However, you should evaluate whether the application can use a more secure protocol version, such as TLSv1, TLSv1.1, or TLSv1.2.

Applications protected by AT-TLS that require SSLV3 and for which it is not explicitly enabled in the policy are relying on AT-TLS defaults. For these applications, enable SSLV3 at the environment or connection level by specifying the existing parameter SSLv3 on the relevant TTLSEnvironmentAdvancedParms or TTLSConnectionAdvancedParms policy statement with a value of On. For Configuration Assistant users, use the name tab of Modify Security Level dialog under the AT-TLS perspective to enable SSLV3.
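As an added illustration, not taken from the z/OS documentation, the following AT-TLS policy fragment enables SSLV3 for one inbound listener while keeping SSLV2 off and the TLS versions on. The rule, action and keyring names and the port number are placeholders; only the protocol parameters inside TTLSEnvironmentAdvancedParms are the ones the text refers to.

```text
TTLSRule                    LegacyTn3270Rule
{
  LocalPortRange            23
  Direction                 Inbound
  TTLSGroupActionRef        grpLegacy
  TTLSEnvironmentActionRef  envLegacyTn3270
}

TTLSGroupAction             grpLegacy
{
  TTLSEnabled               On
}

TTLSEnvironmentAction       envLegacyTn3270
{
  HandshakeRole             Server
  TTLSKeyringParms
  {
    Keyring                 TN3270RING
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv2                   Off
    SSLv3                   On
    TLSv1                   On
    TLSv1.1                 On
    TLSv1.2                 On
  }
}
```

Scope the exception to its own rule and environment action rather than adding SSLv3 On to a TTLSEnvironmentAction shared by several rules; otherwise every application that references the shared action inherits SSLV3. After editing the policy file, activate the change with MODIFY pagent,UPDATE.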

FTP client and server

The FTP client and FTP server are modified to disable SSLV3 by default when TLSMECHANISM FTP is specified. In this mode, the FTP client or server uses System SSL APIs natively for its SSL/TLS protection, rather than AT-TLS.

Because the z/OS FTP client and server have historically enabled SSLV3 by default, evaluate whether the following conditions are true:
  • Your server is supporting clients that require SSLV3.
  • Your client is connecting to a server that requires SSLV3.
If either of the conditions is true, enable SSLV3 by specifying the new SSLV3 parameter in the relevant FTP configuration data set FTP.DATA with a value of TRUE.

If TLSMECHANISM ATTLS is specified, the FTP client or server is protected by AT-TLS, so the changes described under the AT-TLS function apply.

TN3270 server

The TN3270 server is modified to disable SSLV3 by default when SECUREPORT is specified. In this mode, the TN3270 server uses System SSL APIs natively for its SSL/TLS protection, rather than AT-TLS.

Because the TN3270 server has historically enabled SSLV3 by default, evaluate whether your server is supporting clients that require SSLV3. If so, enable SSLV3 by specifying the new SSLV3 statement in the relevant TN3270 profile data set and refreshing the configuration using the VARY TCPIP,tnproc,OBEYFILE command, giving the updated profile data set as the OBEYFILE operand.

If TTLSPORT is specified, the TN3270 server is protected by AT-TLS, so the changes described under the AT-TLS function apply.

DCAS server

The DCAS server is modified to disable SSLV2 and SSLV3 by default when TLSMECHANISM DCAS is specified. In this mode, the DCAS server uses System SSL APIs natively for its SSL/TLS protection, rather than AT-TLS.

Because the DCAS server has historically enabled SSLV2 and SSLV3 by default, evaluate whether your server is supporting clients that require SSLV2 or SSLV3. If so, enable SSLV2 and SSLV3 by specifying the new TLSV1ONLY parameter in your DCAS configuration file with a value of FALSE and restarting DCAS. Note that this parameter cannot enable SSLV3 alone: TLSV1ONLY FALSE re-enables SSLV2 as well, so use it only when you have confirmed that the native DCAS configuration is the only option and that the connecting clients are known.

If TLSMECHANISM ATTLS is specified, the DCAS server is protected by AT-TLS, so the changes described under the AT-TLS function apply.

Policy Agent

Policy Agent, when operating as a policy client, is modified to disable SSLV3 by default.

Because the policy client has historically enabled SSLV3 by default, evaluate whether your policy server supports SSLV3 only. If so, enable SSLV3 by specifying the new ServerSSLv3 parameter on the ServerSSL sub-statement of the ServerConnection statement with a value of On in the policy agent main configuration file. Update the policy agent configuration by using the MODIFY pagent,UPDATE command.

Sendmail

Sendmail, which operates as both a client and server, is modified to disable SSLV3 by default.

Because the z/OS sendmail program has historically enabled SSLV3 by default, evaluate whether the following conditions are true:
  • Your server is supporting clients that require SSLV3.
  • Your client is connecting to a server that requires SSLV3.
If either of the conditions is true, enable SSLV3 by specifying SSLV3 TRUE in the zOS.cf configuration file and restarting sendmail.
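The evaluation steps above for FTP, TN3270, DCAS, Policy Agent and sendmail all turn on the same question: does a given peer actually require SSLV3, and is SSLV3 really off on a listener after the migration? That is easier to settle by probing than by reading vendor documentation. The Python script below is an added example, not part of the z/OS documentation or of z/OS Communications Server: it sends an SSLv3 ClientHello to a listener that speaks TLS from the first byte (a TN3270 SECUREPORT or the DCAS port) and reports whether the server accepted, refused, or gave an unclear answer. An FTP control port using AUTH TLS needs the STARTTLS exchange first and is not handled here. The cipher-suite list and the host name in the usage comment are illustrative assumptions.

```python
import os
import socket
import struct

SSL3_VERSION = 0x0300

# RSA cipher suites that SSLv3 implementations commonly accept (illustrative choice).
SSL3_CIPHER_SUITES = (0x000A, 0x002F, 0x0035, 0x0005)


def build_ssl3_client_hello(cipher_suites=SSL3_CIPHER_SUITES, client_random=None):
    """Return one TLS record carrying an SSLv3 ClientHello.

    Both the record-layer version and the handshake client_version are 3.0,
    so a server with SSLv3 disabled must refuse this hello rather than
    negotiate a higher version.
    """
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        struct.pack("!H", SSL3_VERSION)          # client_version = 3.0
        + client_random                          # 32-byte random
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version 3.0, 16-bit length.
    return b"\x16" + struct.pack("!HH", SSL3_VERSION, len(handshake)) + handshake


def classify_server_response(data):
    """Interpret the first bytes a server sends back to the SSLv3 hello.

    Returns 'accepted' (ServerHello choosing version 3.0), 'rejected'
    (alert record, or connection closed without a reply) or 'unknown'.
    """
    if not data:
        return "rejected"          # peer closed the connection without speaking
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15:       # alert (typically handshake_failure or protocol_version)
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        chosen = struct.unpack("!H", data[9:11])[0]      # server_version field
        return "accepted" if chosen == SSL3_VERSION else "unknown"
    return "unknown"


def probe_ssl3(host, port, timeout=5.0):
    """Connect, send the SSLv3 hello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "unknown"
    return classify_server_response(reply)


if __name__ == "__main__":
    import sys
    # Example: python probe.py mvs1.example.com 992   (host name is a placeholder)
    print(probe_ssl3(sys.argv[1], int(sys.argv[2])))
```

Run it against a z/OS listener before and after applying the migration action: "rejected" means SSLV3 is off, which is the expected state; "accepted" confirms an exception you deliberately enabled and should be tracked for removal. An "unknown" result usually means the listener does not speak TLS from the first byte, sits behind a proxy, or answered with a different protocol version, and needs a closer look.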