IBM Support

How to determine the SSL/TLS protocol and cipher suite used for each active System TLS connection to the IBM i

Question & Answer


Question

How to determine the SSL/TLS protocol and cipher suite used for each active System TLS connection to the IBM i

Answer

The Trace Licensed Internal Code (LIC) service tool is used to capture a System TLS trace point that contains this information. The Trace Internal (TRCINT) command is the command-line interface to the Trace LIC service tool.

Prior to performing the following steps, make sure that the following PTFs are applied to the system:

610 - MF59767
611 - MF59784
710 - MF59800
720 - MF59777, MF67576
730 - MF67575
740 - MF67574

To trace all SSL/TLS protocol versions, issue the following command to start the trace:

TRCINT SET(*ON) TRCTBL('SSL-1700x') TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009))

Wait the desired period of time for new SSL/TLS connections to establish, then end the trace with the command:

TRCINT SET(*OFF) TRCTBL('SSL-1700x') OUTPUT(*PRINT)

To delete the trace, issue the following command:

TRCINT SET(*END) TRCTBL('SSL-1700x')
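The start, stop and delete steps above can be run unattended as a CL program, for example from a job scheduler entry. The following is an added example and is not part of the IBM document; the program name TLSTRC and the parameter and variable names are assumptions.

```cl
/* Added example: run the System TLS trace for a fixed interval.      */
/* Starts the trace for all protocol trace points (17000-17009),      */
/* waits the requested number of seconds, prints the trace to the      */
/* QPCSMPRT spooled file, and always deletes the trace table, even     */
/* when an earlier step fails. Call as: CALL TLSTRC PARM(300)          */
             PGM        PARM(&DLYPARM)
             /* Numeric constants from a command line arrive as (15 5) */
             DCL        VAR(&DLYPARM) TYPE(*DEC) LEN(15 5)
             DCL        VAR(&DLYSEC)  TYPE(*DEC) LEN(6 0)
             DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)

             CHGVAR     VAR(&DLYSEC) VALUE(&DLYPARM)

             /* Remove a leftover trace table of the same name so that  */
             /* SET(*ON) does not fail; ignore the error if none exists */
             TRCINT     SET(*END) TRCTBL('SSL-1700x')
             MONMSG     MSGID(CPF0000 MCH0000)

             TRCINT     SET(*ON) TRCTBL('SSL-1700x') SIZE(128000) +
                          TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009))
             MONMSG     MSGID(CPF0000 MCH0000) EXEC(DO)
                RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
                SNDPGMMSG  MSG('TRCINT SET(*ON) failed:' *BCAT &MSGID)
                RETURN
             ENDDO

             /* Let new SSL/TLS connections establish while tracing     */
             DLYJOB     DLY(&DLYSEC)

             /* Stop tracing and print the trace to QPCSMPRT            */
             TRCINT     SET(*OFF) TRCTBL('SSL-1700x') OUTPUT(*PRINT)
             MONMSG     MSGID(CPF0000 MCH0000) EXEC(DO)
                SNDPGMMSG  MSG('TRCINT SET(*OFF) failed;' *BCAT +
                             'trace table SSL-1700x is deleted anyway')
             ENDDO

             /* Free the trace table regardless of the outcome above    */
             TRCINT     SET(*END) TRCTBL('SSL-1700x')
             MONMSG     MSGID(CPF0000 MCH0000)
             ENDPGM
```

The spooled file is created for the user profile the program runs under, so schedule it under the profile that will review the output.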

If you want to limit the trace to connections using specific SSL/TLS protocol versions, use one or more of the following trace points:

Protocol Version   Trace Identifier
TLSv1.3            17005
TLSv1.2            17004
TLSv1.1            17003
TLSv1.0            17002
SSLv3              17001
SSLv2              17000

For example, to find only SSLv3 connections, use trace point 17001:

TRCINT SET(*ON) TRCTBL('SSL-17001') SIZE(128000) TRCTYPE(*SCKSSL) SLTTRCPNT((17001))

For a range of SSL/TLS versions, specify the beginning trace identifier followed by the end trace identifier. For example, SSLv2 through TLSv1.0:

TRCINT SET(*ON) TRCTBL('SSL-1700x') SIZE(128000) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17002))


A spooled file named QPCSMPRT will be created for the user that ran the TRCINT SET(*OFF).
Below is an example output for one connection.




The first highlight is the SSL/TLS version, followed by the cipher suite that was negotiated for this connection.

Next, the local and remote IP address and port pairs are displayed.

The last two highlights are the local job information and the SSL/TLS application ID, if one is used in DCM.

With this information we see that this connection is using TLSv1.2 with the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite and was for port 443. The job and APP ID tell us that it's an Apache server.

Depending on how the application sets up the SSL/TLS environment, you may see a task instead of a job name and number, but the other information should be enough to determine which application is being accessed on the IBM i.


Document Information

Modified date: 14 January 2022
UID: nas8N1020594