Global Storage

 View Only

  • 1.  chsecurity level and CVE-2023-48795

    Posted Mon July 29, 2024 02:02 PM

    I recently upgraded to 8.6.0.4 so that was a help.  But they are also recommended upping from 3 to 4 on the TLS protocol level.

    Has there been any level concerns with Copy Services Manager or any other such product

    https://www.ibm.com/support/pages/node/7154643

    Is there some place to check?  Like Fix Level Recommendation Tool (FLRT) or that genre?



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------


  • 2.  RE: chsecurity level and CVE-2023-48795

    Posted Mon July 29, 2024 02:39 PM

    I did try the following: https://www.ibm.com/support/pages/node/5692850 but that didn't list compatibility between FS7300 and Copy Services Manager.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------

    Original Message


  • 3.  RE: chsecurity level and CVE-2023-48795

    Posted Tue July 30, 2024 04:21 AM

     Hello Robert, here you will find the compatibility for the FS7300 at the 'Supported Storage Systems' section:

    https://www.ibm.com/support/pages/find-copy-services-manager-supported-storage-system-and-platform-matrix-links

     regarding the TLS question, we currently have FlashSystems at 8.7.0.0 code level and TLS 1.2/1.3 (option 5) + no SHA1 (option 3) operating without issues with CSM 6.3.10.
    In any case, this are a reversible settings so if you find any issues, you can always revert to the previous TLS configuration.

    Regards.



    ------------------------------
    Javier Gavilan Lopez
    IT Director
    COLABORATIC
    Valencia
    ------------------------------

    Original Message


  • 4.  RE: chsecurity level and CVE-2023-48795

    Posted Tue July 30, 2024 09:00 AM

    Thank you.  I did find a link via one of your suggestions which states that any version 6.3.x of CSM should handle 8.3-8.7 of FS7300.

    I had to look at https://www.ibm.com/docs/en/flashsystem-7x00/8.6.x?topic=csc-chsecurity-1 for more sslprotocol options on chsecurity.  Thank you.  My initial google scan for chsecurity must have pulled me to something ancient as it stopped at 4.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------

    Original Message


  • 5.  RE: chsecurity level and CVE-2023-48795

    Posted Tue July 30, 2024 02:39 PM
    Edited by Robert Berendt Tue July 30, 2024 02:41 PM

    Tried to raise it from 3 to 4 via the GUI and I received:

    svctask chsecurity -sslprotocol 4
    CLI returned error message:
    CMMVC9309E The command failed because the SSL protocol level is incompatible with the current system certificate.
    Synchronizing memory cache.
    The task is 100% complete.
    The task completed with errors.
    It is a Digicert certificate.
    Certificate Signature Algorithm : PKCS #1 SHA-256 With RSA Encryption
    Subject Public Key Algorithm: PKCS #1 RSA Encryption
    I'll have to research that...



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------

    Original Message


  • 6.  RE: chsecurity level and CVE-2023-48795

    Posted Tue July 30, 2024 02:49 PM



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------

    Original Message


  • 7.  RE: chsecurity level and CVE-2023-48795

    Posted Wed July 31, 2024 03:09 PM

    My bad.  My bad.

    sshprotocol, not sslprotocol.  Now, the documentation for 8.6 doesn't list option 4 for sshprotocol but 8.7 does.  However, if you use the gui for 8.6.0.4 option 4 is supported for sshprotocol.  I changed it to that and, so far, I do not see any negative ramifications.  I even used the IBM i tool for Safe Guarded Copy WRKSGCPY and all that seems to work.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------

    Original Message