This article is the seventh in a series that describes the different z/OS TLS providers, how those providers expose their settings, which providers are used by some common IBM z/OS-based products, and some examples of changing very specific TLS settings for each provider and product.
For a complete listing of all the articles, please refer to the anchor article entitled z/OS TLS/SSL Configuration One-stop information hub.
If you have a comment or question about this article or any in the series, please post it to the z/OS Communications Server discussion group on the IBM Z and Linux ONE Community. For the quickest response, please prefix your discussion subject line with “TLS Settings:”
Java Secure Sockets Extension (JSSE) on z/OS
Java provides a complete TLS implementation via the Java Secure Sockets Extension (JSSE), a set of classes that any Java program can use to protect its TCP sockets with TLS. JSSE in turn relies on the underlying Java Cryptography Extension (JCE) providers for its cryptographic operations.
The version of Java you use largely depends on which release of z/OS you are using.
The various TLS settings can be controlled through API calls, security properties, or system properties. A value that a program sets explicitly through the API takes precedence over a value supplied through a property. Not all settings are available through each mechanism – you need to consult the JSSE documentation to see which approaches work for any given setting. The following references are especially helpful:
Unless a Java program explicitly codes a specific value or set of values for a given setting, that setting can be customized through a Java security property in the java.security file or through a Java system property passed to the JVM (for example, with -D on the command line, or set programmatically with System.setProperty()). Most IBM products written in Java deliberately do not code TLS settings, so that the settings can be customized through properties.
The Java SDK's java.security file should be checked and updated each time you apply new maintenance, as the updated SDK might introduce changes to settings that may need to be copied to other java.security files on your system.
An example: Controlling ephemeral Diffie-Hellman (DHE) key exchange key length with JSSE (Java 8 or Java 11)
On the relevant jdk.tls.disabledAlgorithms property, specify DH keySize < 2048.
For example: jdk.tls.disabledAlgorithms=. . ., DH keySize < 2048, . . .
This property is typically specified in the JVM's java.security file. Its value is a single comma-separated list, so add the DH entry to the existing list rather than replacing the list, or the other algorithms it disables (SSLv3, RC4 and so on) are silently re-enabled. A JVM can also be started with -Djava.security.properties=<file>, in which case entries in that file override the same-named entries in java.security, so check for such a file as well. Note that this constraint rejects DH parameters that are too small; the size of the ephemeral DH key that a JSSE server itself generates is controlled separately by the jdk.tls.ephemeralDHKeySize system property. If you do not find a java.security file for your JVM, consult the documentation for your program or product to find the location of this property specification.
For more information, check the related infocenter topic: How to disable SSL/TLS Diffie-Hellman keys less than 2048 bits.
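As an added example (not code from the original article or from IBM), the following Python script shows how to check whether a java.security file already disables DH keys below 2048 bits and, if not, how to add the constraint while keeping the rest of the jdk.tls.disabledAlgorithms list intact. The java.security fragment embedded in it is constructed for this example and the function names are the example's own; it handles the trailing-backslash line continuations that real java.security files use for this property.

```python
"""Check/update jdk.tls.disabledAlgorithms in a java.security file.

Added example; not code from the original article or from IBM.
The embedded java.security fragment is constructed for this example.
"""
import re
import sys

PROPERTY = "jdk.tls.disabledAlgorithms"
DH_RULE = re.compile(r"DH\s+keySize\s*<\s*(\d+)", re.IGNORECASE)

# Constructed sample resembling a Java 8 java.security fragment. Real files
# split the value across lines with a trailing backslash, as shown here.
SAMPLE_JAVA_SECURITY = """\
# java.security fragment (constructed for this example)
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""


def _logical_lines(text):
    """Yield (first_index, last_index, joined_line), merging continuation
    lines that end in a backslash the way the Java properties format does."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        first, buf = i, lines[i]
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + lines[i].lstrip()
        yield first, i, buf
        i += 1


def _split_value(value):
    """Split a comma-separated property value into stripped entries."""
    return [c.strip() for c in value.split(",") if c.strip()]


def parse_constraints(text, prop=PROPERTY):
    """Return the list of constraints set for prop, or None if prop is absent."""
    for _, _, line in _logical_lines(text):
        s = line.strip()
        if s.startswith(("#", "!")) or "=" not in s:
            continue
        key, value = s.split("=", 1)
        if key.strip() == prop:
            return _split_value(value)
    return None


def dh_min_keysize(constraints):
    """Smallest DH key size the constraints still allow (the largest
    'DH keySize < N' present), or None if no DH size constraint is set."""
    sizes = []
    for c in constraints:
        m = DH_RULE.fullmatch(c)
        if m:
            sizes.append(int(m.group(1)))
    return max(sizes) if sizes else None


def meets_dh_policy(text, minimum=2048):
    """True if the file disables DH keys below `minimum` bits."""
    size = dh_min_keysize(parse_constraints(text) or [])
    return size is not None and size >= minimum


def with_dh_minimum(text, minimum=2048, prop=PROPERTY):
    """Return the file text with 'DH keySize < minimum' in prop.

    The property is one complete list, so the other entries are kept rather
    than overwritten; a weaker DH constraint is replaced, and an equal or
    stronger one leaves the text unchanged.
    """
    lines = text.splitlines()
    for first, last, line in _logical_lines(text):
        s = line.strip()
        if s.startswith(("#", "!")) or "=" not in s:
            continue
        key, value = s.split("=", 1)
        if key.strip() != prop:
            continue
        kept = []
        for c in _split_value(value):
            m = DH_RULE.fullmatch(c)
            if m and int(m.group(1)) >= minimum:
                return text  # already at least this strict
            if not m:
                kept.append(c)  # drop the weaker DH rule, keep everything else
        kept.append(f"DH keySize < {minimum}")
        new_line = f"{prop}={', '.join(kept)}"
        return "\n".join(lines[:first] + [new_line] + lines[last + 1:]) + "\n"
    # prop not set anywhere: add it at the end of the file
    return text.rstrip("\n") + f"\n{prop}=DH keySize < {minimum}\n"


if __name__ == "__main__":
    # Usage: python check_dh.py [/path/to/java.security]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    print("current DH minimum:", dh_min_keysize(parse_constraints(text) or []))
    print("meets 2048-bit policy:", meets_dh_policy(text))
    if not meets_dh_policy(text):
        print("--- updated file ---")
        print(with_dh_minimum(text), end="")
```

Run it against each java.security file on the system (and against any file named by -Djava.security.properties) after applying SDK maintenance; the script reports the current DH minimum and prints the corrected file content rather than writing it in place, so the change can be reviewed before it is copied over.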
Navigation
Next article: Updating TLS settings for various z/OS products
Previous article: Updating AT-TLS settings