IBM Support

How to enable TLSV1.x support on the HTTP Server 5.3 for z/OS (DGW HTTP server)

Technical Blog Post


Abstract

How to enable TLSV1.x support on the HTTP Server 5.3 for z/OS (DGW HTTP server)

Body


Do you still have an older DGW HTTP server on z/OS that you have to keep running while you make the transition to the newer Apache-based HTTP Server? Are you having problems enabling TLSv1.x on it?

Most browsers now negotiate only the newer TLS protocols, such as TLSv1.1 or TLSv1.2, so your server has to be set up to support those protocols.

System SSL added support for TLS V1.1 and TLS V1.2 quite some time ago. Because IHS V5.3 uses System SSL for its SSL handshakes, you probably reviewed APAR PK53555 and consulted the "HTTP Server Planning, Installing, and Using" guide (SC34-4826-10) to see what configuration changes are required. You also made sure that APAR OA39422, which is required for TLSv1.2 support, is installed.

 

So you did everything you thought needed to be configured in httpd.conf, such as setting:

   SSLMode multi

and adding T1 on the SSLCipherSpec directive.

Yet clients still have problems connecting. You may even be seeing

IMW6802E SSL Handshake failed: return code -13 (GSK_ERROR_UNSUPPORTED)

messages in your error log when clients try to establish an SSL connection. Return code -13 means that the protocol the client proposed in the SSL handshake is not supported by the server.


So where do you go from there? Enable SSL tracing to see which protocol the client and the server are each trying to use. Most likely you will see the client proposing TLSv1.2 and the server offering something lower.


The following is probably the missing piece of the puzzle.

To enable TLSv1.x support in the HTTP Server, you also need one or more of the following environment variables in the httpd.envvars file, depending on which TLS levels you want the server to accept:

   GSK_PROTOCOL_TLSV1=ON
   GSK_PROTOCOL_TLSV1_1=ON
   GSK_PROTOCOL_TLSV1_2=ON

where

   TLSV1   = TLSv1.0
   TLSV1_1 = TLSv1.1
   TLSV1_2 = TLSv1.2

Enable only the levels you actually need. TLSv1.0 and TLSv1.1 are deprecated (RFC 8996), so if all of your clients can speak TLSv1.2, set only GSK_PROTOCOL_TLSV1_2=ON.


You need to restart the server to pick up the changes.
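The whole procedure above (SSLMode multi and T1 in httpd.conf, the GSK_PROTOCOL_* variables in httpd.envvars, then a restart) as an added shell example that is not from IBM's page or documentation: it audits the two files for the settings the article names, flags a missing GSK_PROTOCOL_TLSV1_2=ON, applies the fix by rewriting the envvars file, and audits again. The file locations, the sample file contents (including the placeholder cipher value 35) and the helper names are my assumptions; on the z/OS UNIX shell you would pass the paths of your real httpd.conf and httpd.envvars to audit_tls instead of the constructed samples.

```shell
#!/bin/sh
# Added example, not from the IBM page: audit an HTTP Server 5.3 (DGW) install
# for the settings the article lists and set the missing envvar.
# Assumptions: directives live in httpd.conf, GSK_PROTOCOL_* in httpd.envvars;
# the file contents written by write_samples are constructed, not real configs.

# write_samples DIR -> creates constructed httpd.conf and httpd.envvars in DIR.
# The envvars file deliberately lacks GSK_PROTOCOL_TLSV1_2=ON (the article's
# "missing piece"); the cipher value 35 is a placeholder, not a recommendation.
write_samples() {
    printf '%s\n' '# constructed httpd.conf fragment' \
        'SSLMode multi' \
        'SSLCipherSpec 35 T1' > "$1/httpd.conf"
    printf '%s\n' '# constructed httpd.envvars' \
        'GSK_PROTOCOL_TLSV1=ON' \
        'GSK_PROTOCOL_TLSV1_1=ON' \
        'GSK_PROTOCOL_TLSV1_2=OFF' > "$1/httpd.envvars"
}

# has_directive FILE REGEX -> exit 0 if an uncommented line matches REGEX
has_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1"
}

# envvar_value FILE NAME -> prints NAME's value (last assignment wins) or UNSET
envvar_value() {
    v=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'UNSET\n'; fi
}

# set_envvar FILE NAME VALUE -> replace any existing NAME= line, else append
set_envvar() {
    tmp="$1.tmp.$$"
    grep -Ev "^[[:space:]]*$2=" "$1" > "$tmp" || true   # grep -v exits 1 when nothing is left
    printf '%s=%s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# audit_tls CONF ENVVARS -> one ok/FAIL/info line per check; exit 0 only if no FAIL
audit_tls() {
    conf=$1; env=$2; fails=0
    if has_directive "$conf" 'SSLMode[[:space:]]+multi'; then
        echo "ok   httpd.conf: SSLMode multi"
    else
        echo "FAIL httpd.conf: SSLMode multi is not set"; fails=$((fails + 1))
    fi
    if has_directive "$conf" 'SSLCipherSpec.*[[:space:]]T1([[:space:]]|$)'; then
        echo "ok   httpd.conf: T1 present on SSLCipherSpec"
    else
        echo "FAIL httpd.conf: no SSLCipherSpec line carries T1"; fails=$((fails + 1))
    fi
    for proto in TLSV1 TLSV1_1 TLSV1_2; do
        val=$(envvar_value "$env" "GSK_PROTOCOL_$proto")
        if [ "$val" = ON ]; then
            echo "ok   httpd.envvars: GSK_PROTOCOL_$proto=ON"
        elif [ "$proto" = TLSV1_2 ]; then
            # Without this, TLSv1.2-only clients fail the handshake (IMW6802E rc -13).
            echo "FAIL httpd.envvars: GSK_PROTOCOL_TLSV1_2 is $val (need ON)"; fails=$((fails + 1))
        else
            # TLSv1.0/1.1 are deprecated (RFC 8996); leave them off unless a legacy client needs them.
            echo "info httpd.envvars: GSK_PROTOCOL_$proto is $val (legacy only)"
        fi
    done
    [ "$fails" -eq 0 ]
}

# count_failures CONF ENVVARS -> prints the number of FAIL lines
count_failures() {
    audit_tls "$1" "$2" | grep -c '^FAIL' || true
}

# Demo on the constructed samples: audit, apply the fix, audit again.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_tls "$demo_dir/httpd.conf" "$demo_dir/httpd.envvars" || echo "--- fixing httpd.envvars"
set_envvar "$demo_dir/httpd.envvars" GSK_PROTOCOL_TLSV1_2 ON
audit_tls "$demo_dir/httpd.conf" "$demo_dir/httpd.envvars" && echo "--- restart the server to pick up the change"
rm -r "$demo_dir"
```

After the restart, confirm the result from the client side, for example with `openssl s_client -tls1_2 -connect host:port` from a workstation that has OpenSSL: the handshake fails if the server still does not offer TLSv1.2, and the server-side SSL trace the article mentions shows the same from the other end.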



UID

ibm11080639