IBM Support

PH49284: NEW FUNCTION - AT-TLS TLSV1.3 sysplex ticket caching support and client support to perform server certificate domain validation

A fix is available

APAR status

  • Closed as new function.

Error description

  • NEW FUNCTION - Add AT-TLS TLS V1.3 sysplex ticket caching
    support and AT-TLS client support to perform server certificate
    domain validation
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of the IBM Communications Server for z/OS 2.5 IP:  *
    * AT-TLS                                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * AT-TLS enhancement includes support to enable sysplex        *
    * caching of TLS V1.3 sessions by the TLS server. Support is   *
    * also provided to allow a TLS client to perform server        *
    * certificate domain name validation during an SSL V3 or TLS   *
    * handshake.                                                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply PTF                                                    *
    ****************************************************************
    AT-TLS has been enhanced to allow sysplex caching of TLS V1.3
    sessions by the TLS server. This allows for TLS V1.3 sessions
    established by one server application to be resumed by another
    like-server application running on the same or a different
    system within a sysplex. A new AT-TLS parameter
    GSK_SYSPLEX_SESSION_TICKET_CACHE is added on the
    TTLSGskAdvancedParms statement.
    
    AT-TLS has been enhanced to allow the maximum number of TLS V1.3
    session tickets stored per unique session to be specified for a
    TLS client. A new parameter GSK_SESSION_TICKET_CLIENT_MAXCACHED
    is added on the TTLSGskAdvancedParms statement.
    
    AT-TLS has been enhanced to allow a TLS client to perform server
    certificate domain name validation during an SSL V3, TLS V1.0,
    TLS V1.1, TLS V1.2 and TLS V1.3 handshake. This validation
    entails comparing the server's expected fully qualified domain
    name provided on the AT-TLS client rule against either the
    server's subject alternate name extension DNS entries or the
    subject DN Common Name. Optional wildcard matching is supported.
    The new AT-TLS parameters, HostReferenceIdDNS,
    HostReferenceIdCN, and HostRefWildcardValidation, are added on
    the TTLSEnvironmentAdvancedParms and TTLSConnectionAdvancedParms
    statements.
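    The domain name validation described above, as an added illustration that is not IBM's or AT-TLS's code: a Python check that compares the expected FQDN from the client rule against the certificate's SAN DNS entries and/or subject CN. The APAR text does not state the exact matching rules, so the wildcard semantics follow RFC 6125 section 6.4.3 as an assumption, and the use_dns / use_cn / wildcard flags only loosely mirror HostReferenceIdDNS, HostReferenceIdCN and HostRefWildcardValidation rather than reproducing their syntax.

    ```python
    """Illustrative server reference-identity check in the spirit of the
    AT-TLS HostReferenceIdDNS / HostReferenceIdCN / HostRefWildcardValidation
    parameters from PH49284.  Added example, not IBM code; wildcard rules
    follow RFC 6125 6.4.3 (assumption, the APAR does not spell them out)."""

    from typing import Iterable, Optional


    def _labels(name: str) -> list:
        # DNS names are case-insensitive and a trailing dot is not significant.
        return name.rstrip(".").lower().split(".")


    def _name_matches(presented: str, expected: str, wildcard: bool) -> bool:
        """Compare one presented identifier (SAN DNS or CN) with the FQDN."""
        p, e = _labels(presented), _labels(expected)
        if p == e:
            return True
        if not wildcard or "*" not in presented:
            return False
        # '*' is accepted only as the whole leftmost label, matching exactly
        # one label (never across a dot) and never a bare domain or TLD.
        if p[0] != "*" or len(p) < 3 or len(p) != len(e):
            return False
        return p[1:] == e[1:]


    def validate_server_identity(expected_fqdn: str,
                                 san_dns: Iterable[str],
                                 subject_cn: Optional[str],
                                 use_dns: bool = True,
                                 use_cn: bool = True,
                                 wildcard: bool = False) -> Optional[str]:
        """Return the certificate identifier that matched, or None on failure.
        DNS and CN checks are independent toggles here; the APAR does not
        state any precedence between them, so none is assumed."""
        if use_dns:
            for name in san_dns:
                if _name_matches(name, expected_fqdn, wildcard):
                    return "SAN:" + name
        if use_cn and subject_cn and _name_matches(subject_cn, expected_fqdn, wildcard):
            return "CN:" + subject_cn
        return None


    # Constructed sample certificate identities (not taken from the APAR page).
    SAMPLE_SAN = ["api.example.com", "*.svc.example.com"]
    SAMPLE_CN = "legacy.example.com"
    ```
    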
    

Problem conclusion

Temporary fix

Comments

  • For documentation updates, see the "AT-TLS currency with System
    SSL with APAR PH49284" section in the z/OS Communications Server
    New Function Summary:
    https://www.ibm.com/docs/en/zos/2.5.0?topic=security-tls-currency-system-ssl-apar-ph49284
    
    The PTFs for System SSL APARs OA63252 and OA63164 must be
    installed before or concurrently with this PTF.
    

APAR Information

  • APAR number

    PH49284

  • Reported component name

    TCP/IP MVS

  • Reported component ID

    5655HAL00

  • Reported release

    250

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2022-09-06

  • Closed date

    2023-06-12

  • Last modified date

    2024-04-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI92145

Modules/Macros

  • EZBTLSRH EZBTLRTN EZACDTNE EZAPAUTL EZACDONE EZAPAPP  EZAPAPNT
    EZBDGTLS EZAPAZPK EZAPAAMG EZAPAETL EZACDDNE EZAPAPLD EZAPACLT
    EZAPATTL EZAPAUTI EZADLPAP EZBDGDAT EZAPAACT EZAPADAT EZAPAPGN
    EZACDNE6 EZACDNE1 EZACDNE0 EZACDNE2 EZACDNM6 EZAPAPSH EZBTCIC2
    EZBDGMAQ EZAPAPDP EZBIPPCT EZB2SCET EZBIEIP  EZBIEACC
    

Fix information

  • Fixed component name

    TCP/IP MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R250 PSY UI92145

       UP23/06/28 P F306

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
10 April 2024