A fix is available
APAR status
Closed as new function.
Error description
NEW FUNCTION - zERT support for z/OS 3.1 OpenSSH upgrade
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * All users of the IBM Communications Server for z/OS 3.1 IP: * * z/OS Encryption Readiness Technology (zERT) * **************************************************************** * PROBLEM DESCRIPTION: * * NEW FUNCTION - zERT support for z/OS 3.1 OpenSSH upgrade * **************************************************************** * RECOMMENDATION: * * Apply PTF * **************************************************************** z/OS Encryption Readiness Technology (zERT) is updated to recognize and report new SSH cryptographic attributes. zERT supports the following new SSH key exchange methods: gss-group14-sha256-, gss-group16-sha512-, gss-curve25519-sha256-, and gss-nistp256-sha256-. zERT supports the following new SSH key types: sk-ecdsa-sha2-nistp256@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com, and sk-ssh-ed25519-cert-v01@openssh.com The new attributes can be recognized and reported in the zERT SMF 119 connection detail (subtype 11) and summary (subtype 12) records. zERT policy-based enforcement is also updated to allow specification of the new key exchange methods on zERT SSH rules.
Problem conclusion
Temporary fix
Comments
z/OS Encryption Readiness Technology (zERT) is updated to recognize and report new SSH cryptographic attributes. zERT supports the following new SSH key exchange methods: gss-group14-sha256-, gss-group16-sha512-, gss-curve25519-sha256-, and gss-nistp256-sha256-. zERT supports the following new SSH key types: sk-ecdsa-sha2-nistp256@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com, and sk-ssh-ed25519-cert-v01@openssh.com The new attributes can be recognized and reported in the zERT SMF 119 connection detail (subtype 11) and summary (subtype 12) records. zERT policy-based enforcement is also updated to allow specification of the new key exchange methods on zERT SSH rules. For documentation updates, see the "zERT Support for z/OS 3.1 OpenSSH Upgrade" section in the z/OS Communication Server New Function Summary: https://www.ibm.com/docs/en/zos/3.1.0?topic=security-zert-suppor t-zos-31-openssh-upgrade
APAR Information
APAR number
PH58110
Reported component name
TCP/IP MVS
Reported component ID
5655HAL00
Reported release
310
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-09
Closed date
2024-03-05
Last modified date
2024-04-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI95954
Modules/Macros
EZBZSSAP EZBIPPCT EZBTCZRT EZASMF77 EZAPAUTL EZADLPAP EZAPAPP EZAPADAT EZAPAPGN EZAPAPNT EZAPAZPK EZAPAEZP EZBZTMGT EZASMF EZBZSSAC EZAPAPLD EZAPAPSH EZAPACLT EZAPAUTI EZAPARUL EZAPAZPE EZATRZOS
Fix information
Fixed component name
TCP/IP MVS
Fixed component ID
5655HAL00
Applicable component levels
R310 PSY UI95954
UP24/03/26 P F403
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSSN3L","label":"z\/OS Communications Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"310"}]
Document Information
Modified date:
04 April 2024