Original Message:
Sent: 12/4/2024 8:00:00 AM
From: Peter Weigold
Subject: RE: Demonstrate that CKNSERVE is using at least TLS1.2
Hi Lennie,
I have just checked, the message is an "info" level message and comes when the TRACE is >= 4. But yes, that is the message. You have the Cipher Suite 002F (TLS_RSA_WITH_AES_128_CBC_SHA) and TLS 1.2.
------------------------------
Peter Weigold
------------------------------
Original Message:
Sent: Wed December 04, 2024 05:48 AM
From: Lennie Dymoke-Bradshaw
Subject: Demonstrate that CKNSERVE is using at least TLS1.2
Peter,
On my home zPDT test system I can now see messages EZD1283I which show the following,
EZD1283I TTLS Event GRPID: 00000003 ENVID: 00000004 CONNID: 00000026
RC: 0 Initial Handshake 000000518754A750 00000051875009A0 TLSV1.2
002F
Is this the type of message you were referring to? It is presented as a WTO.
Strangely I have found this message is produced even with TRACE 7. I think there must be some other specification that drives its production. Any ideas?
Lennie
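
Added example (not part of the thread, and not IBM or zSecure code): a Python script that pulls the protocol and cipher code out of EZD1283I Initial Handshake messages like the one quoted above and lists any connection that did not negotiate TLSV1.2 or TLSV1.3. The field layout is inferred from that single quoted message; the second sample event and the names `handshakes` and `below_tls12` are constructed for illustration.

```python
import re

# Protocol tokens that satisfy "at least TLS 1.2" (both appear in the thread).
# Anything else is reported, so unknown or older tokens are never silently passed.
ACCEPTED = {"TLSV1.2", "TLSV1.3"}

# IANA names for the cipher codes mentioned in the thread.
CIPHERS = {
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "1301": "TLS_AES_128_GCM_SHA256",
}

# Layout assumed from the one message quoted in the thread.
EVENT = re.compile(
    r"EZD1283I TTLS Event GRPID: (?P<grpid>\w+) ENVID: (?P<envid>\w+) "
    r"CONNID: (?P<connid>\w+) RC: *(?P<rc>-?\d+) Initial Handshake "
    r"\w+ \w+ (?P<proto>\S+) (?P<cipher>[0-9A-F]{4})\b"
)

# First event is the one from the thread; the second is constructed.
SAMPLE = """\
EZD1283I TTLS Event GRPID: 00000003 ENVID: 00000004 CONNID: 00000026
RC: 0 Initial Handshake 000000518754A750 00000051875009A0 TLSV1.2
002F
EZD1283I TTLS Event GRPID: 00000003 ENVID: 00000004 CONNID: 00000027
RC: 0 Initial Handshake 000000518754A750 00000051875009A0 TLSV1.1
002F
"""

def handshakes(log_text):
    """Return one dict per completed (RC 0) Initial Handshake event."""
    flat = " ".join(log_text.split())  # undo the wrapping of long messages
    found = []
    for m in EVENT.finditer(flat):
        if int(m["rc"]) != 0:
            continue  # only completed handshakes are evidence of a protocol
        found.append({
            "connid": m["connid"],
            "proto": m["proto"],
            "cipher": m["cipher"],
            "cipher_name": CIPHERS.get(m["cipher"], "unknown"),
            "ok": m["proto"] in ACCEPTED,
        })
    return found

def below_tls12(log_text):
    """Connections whose negotiated protocol is not in ACCEPTED."""
    return [h for h in handshakes(log_text) if not h["ok"]]

if __name__ == "__main__":
    for h in handshakes(SAMPLE):
        print(h)
```
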
Original Message:
Sent: 12/3/2024 8:21:00 AM
From: Peter Weigold
Subject: RE: Demonstrate that CKNSERVE is using at least TLS1.2
Hi Lennie,
Yes, it requires the right trace level in the TLS policy. TRACE 15 is what I have configured.
------------------------------
Peter Weigold
Original Message:
Sent: Tue December 03, 2024 06:47 AM
From: Lennie Dymoke-Bradshaw
Subject: Demonstrate that CKNSERVE is using at least TLS1.2
Peter,
Thank you for that pointer. I am not an expert in the use of Pagent, although I have managed to configure it for a few products.
I am looking at a test system (z/OS 3.1) with LOGLEVEL 511 specified and not seeing the log entries you mention. Is it dependent on the TRACE levels specified in the TLS policy?
Lennie
------------------------------
Lennie Dymoke-Bradshaw
Director
Reverse Sweep Consulting Limited
BUSHEY
07504304158
Original Message:
Sent: Thu November 28, 2024 08:58 AM
From: Peter Weigold
Subject: Demonstrate that CKNSERVE is using at least TLS1.2
Hi Lennie,
Even if they are not running zERT, depending on the logging level you should be able to see in the PAGENT log (wherever SYSLOGD writes it) the TLS level and cipher suite (TLSV1.2 C02F or TLSV1.3 1301 0025). For TLSV1.3 you also get the Key Negotiation Info.
------------------------------
Peter Weigold
Original Message:
Sent: Thu November 28, 2024 07:13 AM
From: Lennie Dymoke-Bradshaw
Subject: Demonstrate that CKNSERVE is using at least TLS1.2
Many thanks Mike. Just what I need. Let's hope they are running zERT!
Lennie
Original Message:
Sent: 11/28/2024 3:33:00 AM
From: Mike Riches
Subject: RE: Demonstrate that CKNSERVE is using at least TLS1.2
Hi Lennie,
Comms Server IP provides the Application Transparent - Transport Layer Security (AT-TLS) function that CKNSERVE takes advantage of, and it also provides z/OS Encryption Readiness Technology (zERT) "that provides information about the cryptographic network protection state of TCP and Enterprise Extender connections terminating on a z/OS system."
When zERT detail is enabled and a CKNSERVE connection terminates or initiates you will see SMF 119-11 records, which zSecure Audit can format, and the summary information looks something like this:
28Nov24 02:55:59.66 Connection termination TLSv1.2 AES-CBC-256 server RSA-2048 client RSA-2048 124/124 bytes inbound/outbound ......
28Nov24 02:56:25.06 Connection initiation TLSv1.2 AES-CBC-256 server RSA-2048 client RSA-2048 .....
zERT also provides an aggregation function which then produces SMF 119-12 summary records.
Regards,
------------------------------
Mike Riches
Original Message:
Sent: Wed November 27, 2024 10:45 AM
From: Lennie Dymoke-Bradshaw
Subject: Demonstrate that CKNSERVE is using at least TLS1.2
The title says it all.
Security architects would like some evidence that CKNSERVE is using at least TLS 1.2 (or even TLS 1.3).
I can show them the AT-TLS definitions and the certificates, but is there some far easier, more obvious way?
Lennie
------------------------------
Lennie Dymoke-Bradshaw
Director
Reverse Sweep Consulting Limited
BUSHEY
07504304158
------------------------------