z/OS Communications Server


Updating TLS settings for various IBM z/OS-based products

By Navya Ramanjulu posted Fri December 29, 2023 08:42 AM

This article is the eighth in a series that describes the different z/OS TLS providers, how those providers expose their settings, which providers are used by some common IBM z/OS-based products, and some examples of changing very specific TLS settings for each provider and product.

For a complete listing of all the articles, please refer to the anchor article entitled z/OS TLS/SSL Configuration One-stop information hub.

If you have a comment or question about this article or any in the series, please post it to the z/OS Communications Server discussion group on the IBM Z and LinuxONE Community. For the quickest response, please prefix your discussion subject line with “TLS Settings:”.

For details on setting TLS parameters for ISV products, please consult the appropriate vendor documentation.

Introduction

In this article, we examine the general approach for customizing TLS settings for the following popular IBM z/OS-based products:

  • Products that call System SSL directly (do not use AT-TLS):
    • IBM HTTP Server
    • IBM Tivoli Directory Server (z/OS LDAP)
    • IBM Sterling Connect:Direct using the SecurePlus feature
    • IBM CICS Transaction Server
    • IBM MQ
    • IBM Content Manager On Demand
  • Products that use the Java JSSE TLS provider:
    • WebSphere Application Server
    • z/OSMF

This article does not examine any specific product that depends on AT-TLS.  Rather, for any applications or middleware that use AT-TLS for their TLS protection, follow the instructions in Updating AT-TLS settings.

Controlling TLS settings for specific products that call System SSL directly (not using AT-TLS)

The following sections discuss product-specific techniques for customizing TLS settings and behavior for a variety of IBM-supplied products that call System SSL directly.  

IBM HTTP Server

IBM HTTP Server (IHS) provides a variety of TLS-related settings. For more information, refer to the IBM HTTP Server topic on Setting advanced SSL options. You will also find useful information in the Apache HTTP Server documentation on module mod_ibm_ssl.

IBM Tivoli Directory Server for z/OS (z/OS LDAP server)

The z/OS LDAP server does not provide any configuration parameters related to TLS settings. As such, you must rely on System SSL environment variables to control these settings. Two approaches are available to you for setting System SSL environment variables for this server:

  • Specify the variables in the CEEPRMxx parmlib member, as described in Updating System SSL settings (outside of AT-TLS).
  • Specify the variables in the LDAP server’s environment file. For more information, see the z/OS IBM Tivoli Directory Server Administration and Use for z/OS book’s topic entitled “Environment variables used by the LDAP server”.

IBM Sterling Connect:Direct for z/OS 

The IBM Sterling Connect:Direct SecurePlus for z/OS product calls System SSL directly to provide TLS protection to Connect:Direct connections. Like the z/OS LDAP server, Connect:Direct SecurePlus does not provide any explicit configuration parameters for TLS settings. As such, you must rely on System SSL environment variables to control these settings. Two approaches are available to you for setting System SSL environment variables for this server: specify them in the CEEPRMxx parmlib member, as described in Updating System SSL settings (outside of AT-TLS), or set them in the Connect:Direct job itself.

Some users use AT-TLS to protect their Connect:Direct traffic. In these cases, Connect:Direct is configured to run without any TLS support from SecurePlus, essentially as if it were communicating over the network in cleartext and the underlying AT-TLS protection is completely transparent to Connect:Direct on z/OS. If your shop uses this approach, then follow the guidance in Updating AT-TLS settings for your Connect:Direct traffic.

IBM CICS Transaction Server

IBM CICS Transaction Server (CICS TS), when operating as a server, can be configured to either call System SSL directly or to use AT-TLS for its TLS protection. The CICS TS TCPIPSERVICE configuration determines which approach is used. For more information on TCPIPSERVICE configuration, see the CICS Transaction Server for z/OS Securing CICS topic “Introduction to Application Transparent Transport Layer Security (AT-TLS).”

When AT-TLS is used, the guidance in Updating AT-TLS settings applies to CICS TS server-side function.

When CICS TS is acting as a client or when CICS TS is configured to use its own SSL support as a server, then you can configure TLS settings and behavior using a variety of feature toggles.  For details on these feature toggles, see the CICS Transaction Server for z/OS Reference topic on Feature toggles.

IBM MQ

IBM MQ provides TLS protection through direct calls to System SSL. As an alternative, you can choose to bypass MQ’s built-in System SSL support and instead rely on AT-TLS to protect your MQ traffic.

If you use MQ’s built-in System SSL support, IBM MQ for z/OS provides some configuration parameters related to TLS protection as described in the IBM MQ information center topic on Working with SSL/TLS on z/OS.  However, for the majority of TLS settings, MQ relies on the use of System SSL environment variables.  As with z/OS LDAP and Connect:Direct, you can either specify those environment variables in the CEEPRMxx parmlib member as described in Updating System SSL settings (outside of AT-TLS), or you can set them in the MQ jobs themselves as described in the Modifying elliptic curve key length on z/OS topic in the IBM MQ information center.

If you use AT-TLS to protect your MQ connections, MQ operates as if it were communicating in cleartext and the AT-TLS protection is completely transparent to MQ on z/OS.  In this case, follow the guidance in Updating AT-TLS settings.

IBM Content Manager On Demand (CMOD)

Like the z/OS LDAP server and Connect:Direct, CMOD does not provide any explicit configuration parameters for TLS settings. As such, you must rely on System SSL environment variables to control these settings. The same two approaches for setting System SSL environment variables apply to this server: specify them in the CEEPRMxx parmlib member, as described in Updating System SSL settings (outside of AT-TLS), or set them in the CMOD server job itself.

Controlling TLS settings for specific z/OS Java products

WebSphere Application Server

WebSphere Traditional as well as WebSphere Liberty are written in Java and therefore rely on the JSSE TLS provider to protect their connections. See the WebSphere Application Server Liberty for z/OS information center topic on Enabling SSL communication in Liberty and the Open Liberty website topic on SSL Options for more information. 

Depending on which setting you need to manipulate, you may need to edit Liberty’s java.security file. The general steps for doing that are as follows:

  1. Replace the java.security symbolic links at:
        WAS_HOME/DeploymentManager/properties/java.security
        WAS_HOME/AppServer/properties/java.security
    with regular files that can be edited.
  2. Copy the value of the property you want to change from the JVM's
        WAS_HOME/AppServer/java/javaVersion/lib/security/java.security
    to
        WAS_HOME/DeploymentManager/properties/java.security and
        WAS_HOME/AppServer/properties/java.security
  3. Add or modify the specific settings in the copied property value.

As an example, see the related Infocenter topic: How to disable SSL/TLS Diffie-Hellman keys less than 2048 bits.

Note: The java.security file should be checked and updated each time you put on new maintenance as the JVM might introduce a new algorithm to TLS-related properties like jdk.tls.disabledAlgorithms, which needs to be copied to your java.security file in WebSphere.
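As an added example (not IBM or WebSphere tooling), the POSIX shell script below covers step 1 of the procedure above and the maintenance check in the note: it turns a java.security symlink into an editable regular file, and it parses jdk.tls.disabledAlgorithms (including its backslash-continued lines) from both the JVM's java.security and the WebSphere copy to report entries the JVM has gained but the WebSphere copy lacks. The WAS_HOME-style directory tree and the file contents are constructed samples; the values mirror the Diffie-Hellman example (DH keySize < 2048).

```shell
#!/bin/sh
# Added example, not IBM/WebSphere tooling; constructed tree and file contents. POSIX sh/awk/sed/grep/tr only.
set -u
# Effective value of PROPERTY in FILE, joining backslash-continued lines
# (jdk.tls.disabledAlgorithms usually spans several lines).
get_prop() {                                   # get_prop FILE PROPERTY
    awk -v p="$2" '
        cont { sub(/^[ \t]+/, ""); cont = sub(/\\$/, ""); val = val $0; next }
        !found && index($0, p "=") == 1 {
            found = 1; val = substr($0, length(p) + 2); cont = sub(/\\$/, "", val)
        }
        END { if (found) print val }' "$1"
}

# One trimmed entry per line from a value like "SSLv3, RC4, DH keySize < 1024".
entries() { printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d'; }

# Entries of PROPERTY present in the JVM's file but absent from the WebSphere copy:
# these are the ones new maintenance has introduced and that must be carried over.
missing_entries() {                            # missing_entries JVM_FILE WAS_FILE PROPERTY
    was=$(entries "$(get_prop "$2" "$3")")
    entries "$(get_prop "$1" "$3")" | while IFS= read -r e; do
        printf '%s\n' "$was" | grep -Fxq -- "$e" || printf '%s\n' "$e"
    done
}

# Step 1 of the procedure: turn a java.security symlink into a regular, editable
# file with the same content (cat follows the link; rm removes only the link).
unlink_copy() {                                # unlink_copy PATH
    [ -L "$1" ] || return 0
    cat "$1" > "$1.tmp" && rm "$1" && mv "$1.tmp" "$1"
}

# Constructed demo tree: the JVM copy is "after maintenance", the WebSphere copy is older.
DEMO=${TMPDIR:-/tmp}/wasdemo.$$; trap 'rm -rf "$DEMO"' EXIT
JVM_SEC=$DEMO/AppServer/java/lib/security/java.security
WAS_SEC=$DEMO/AppServer/properties/java.security
mkdir -p "${JVM_SEC%/*}" "${WAS_SEC%/*}"
cat > "$JVM_SEC" <<'EOF'
# constructed: maintenance added TLSv1/TLSv1.1 and raised the DH floor to 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 2048, anon, NULL
EOF
cat > "$WAS_SEC" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, anon, NULL
EOF
ln -s "$JVM_SEC" "$DEMO/AppServer/properties/java.security.link"
unlink_copy "$DEMO/AppServer/properties/java.security.link"
missing_entries "$JVM_SEC" "$WAS_SEC" jdk.tls.disabledAlgorithms
```

Run against the real WAS_HOME paths from the steps above, the last call lists exactly the entries to carry into the WebSphere java.security after maintenance (here TLSv1, TLSv1.1 and DH keySize < 2048).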

z/OS Management Facility (z/OSMF)

z/OSMF depends on WAS Liberty, so refer to the instructions above for WebSphere Application Server.

Navigation

Next article: Configuring ECDHE and DHE key exchange settings for TLSv1.2 handshakes

Previous article: Updating Java settings 
