A fix is available
APAR status
Closed as new function.
Error description
Transport Layer Security (TLS) cryptographic protocol is the industry standard used for Secure Socket Layer (SSL) communication. This APAR allows selection of the TLS protocol versions used by either a Tivoli Monitoring agent or a Tivoli Monitoring server.
Detailed Recreation Procedure: There is no product-provided means of setting or restricting the versions of Transport Layer Security to TLS 1.0, 1.1 or 1.2.
Related Files and Output: The GSKit level and TLS protocol use is now presented in the RAS1 log during SSL initialization.
Local fix
No workaround available.
Problem summary
There is no GSKit v8 TLS protocol selection mechanism. Transport Layer Security (TLS) cryptographic protocol is the industry standard used for Secure Socket Layer (SSL) communication. There is no product-provided means of setting or restricting the versions of Transport Layer Security to TLS 1.0, 1.1 or 1.2. For this APAR to be properly implemented in your environment, a new environment variable has been added. See the "Install Actions" section of the APAR conclusion for more details.
Problem conclusion
This APAR allows TLS protocol selection for use by either a Tivoli Monitoring agent or a Tivoli Monitoring server. By default, the TLS 1.0, 1.1 and 1.2 protocols are enabled for non-FIPS, non-SuiteB, non-CC, and non-SP800 users. These keywords are NOT intended for GSKit V8 users who run with specific subsets of GSKit protocols: FIPS mode, CC mode, SP800 mode, or SuiteB mode.

Install Actions:
Assuming none of the specialized modes are enabled, the following GSKit/KDEBE environment variables can be set to disable their respective named protocols by setting the environment variable value to NO:
  KDEBE_TLS10_ON
  KDEBE_TLS11_ON
  KDEBE_TLS12_ON

The final disposition of the TLS protocols is displayed during "ssl_provider_constructor" initialization in the RAS1 log. The following is a display of the expected default settings when no overrides are configured:
  "ssl_provider_constructor") TLS 1.0 protocol enabled
  "ssl_provider_constructor") TLS 1.1 protocol enabled
  "ssl_provider_constructor") TLS 1.2 protocol enabled

It is recommended that the <pc>.environment file in $CANDLEHOME/config be used to house these GSKit / KDEBE environment variables. For example, to force the kuxagent to use TLS 1.2 exclusively, the following would be coded in the ux.environment file:
  KDEBE_TLS10_ON=NO
  KDEBE_TLS11_ON=NO

These same statements in the ms.environment file would force the TEMS server in this CANDLEHOME environment to accept ONLY the TLS 1.2 protocol in SSL connection establishment.

The fix for this APAR is contained in the following maintenance packages:
  fix pack 6.3.0-TIV-ITM-FP0007
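One way to check that the settings above took effect, as an added example that is not IBM's code: it reads the KDEBE_TLS1x_ON lines of a <pc>.environment file and the "protocol enabled" lines of a RAS1 log, and reports any protocol outside a TLS 1.2-only policy. The function names, the '#' comment convention, the rule that only the literal value NO disables a protocol, and the sample text are assumptions made for this example.

```python
import re

# KDEBE variable -> protocol it controls (names taken from the APAR text).
PROTOCOLS = {"KDEBE_TLS10_ON": "TLS 1.0", "KDEBE_TLS11_ON": "TLS 1.1",
             "KDEBE_TLS12_ON": "TLS 1.2"}
# Matches the RAS1 lines quoted in the APAR; the log prefix is not assumed.
LOG_RE = re.compile(r"ssl_provider_constructor.*?(TLS 1\.[012]) protocol enabled")

def configured_protocols(env_text):
    """Protocols left enabled by the KEY=VALUE lines of an environment file."""
    enabled = set(PROTOCOLS.values())  # APAR default: all three enabled
    for raw in env_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue  # assumption: '#' starts a comment line
        key, value = (part.strip() for part in line.split("=", 1))
        if key in PROTOCOLS:
            # Assumption: only the documented value NO disables; last assignment wins.
            if value == "NO":
                enabled.discard(PROTOCOLS[key])
            else:
                enabled.add(PROTOCOLS[key])
    return enabled

def logged_protocols(ras1_text):
    """Protocols the RAS1 log reports as enabled at SSL initialization."""
    return {m.group(1) for m in LOG_RE.finditer(ras1_text)}

def audit(env_text, ras1_text, allowed=frozenset({"TLS 1.2"})):
    """Compare the intended policy with file contents and logged runtime state."""
    return {
        "config_violations": sorted(configured_protocols(env_text) - allowed),
        "runtime_violations": sorted(logged_protocols(ras1_text) - allowed),
    }

# Constructed samples: the ux.environment lines from the APAR, a mistyped
# variant, and a log excerpt in the format the APAR quotes.
GOOD_ENV = "KDEBE_TLS10_ON=NO\nKDEBE_TLS11_ON=NO\n"
BAD_ENV = "KDEBE_TLS10_ON=NO\nKDEBE_TLS11_ON=N0\n"  # N-zero, not NO
DEFAULT_LOG = "\n".join(f'"ssl_provider_constructor") TLS 1.{v} protocol enabled'
                        for v in (0, 1, 2))

if __name__ == "__main__":
    print(audit(GOOD_ENV, DEFAULT_LOG))  # correct file, log still shows defaults
    print(audit(BAD_ENV, '"ssl_provider_constructor") TLS 1.2 protocol enabled'))
```

A runtime violation with a clean file means the log and the file disagree, for instance because the log predates the change or a different environment file is in effect.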
Temporary fix
Comments
APAR Information
APAR number
IV82451
Reported component name
TEMS
Reported component ID
5724C04MS
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-03-09
Closed date
2016-04-25
Last modified date
2017-01-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TEMS
Fixed component ID
5724C04MS
Applicable component levels
Document Information
Modified date:
08 March 2023