With increasing frequency, z/OS application owners and network security administrators are being asked to update specific settings for their Transport Layer Security (TLS, formerly known as SSL) protection.  There may be various factors driving these updates, including weaknesses discovered in cryptographic algorithms or TLS protocol versions, as well as pending threats to traditional asymmetric algorithms from quantum attacks.

Given the variety of TLS providers (System SSL, AT-TLS, Java TLS) and exploiters of these various providers on z/OS, rolling out a change to TLS settings across a wide range of z/OS workloads can be challenging. For each TLS-protected application or middleware instance, you need to understand which TLS provider that application or middleware uses and where and how to update the specific setting with certain providers.

This article serves as the starting point for a series of articles that describe the different z/OS TLS providers, how those providers expose their settings, which providers are used by some common IBM z/OS-based products, and examples of changing specific TLS settings for each provider and product. The following topics are covered:

• An overview of z/OS TLS providers
• Risks involved with changing TLS settings
• A review of the TLS protocol and its various settings
• Updating System SSL settings (outside of AT-TLS)
• Updating AT-TLS settings
• Updating Java TLS settings
• Updating TLS settings for various IBM z/OS-based product
  • IBM HTTP Server
  • IBM Tivoli Directory Server (z/OS LDAP)
  • IBM Sterling Connect:Direct using the SecurePlus feature
  • IBM CICS Transaction Server
  • IBM MQ
  • IBM Content Manager On Demand
  • WebSphere Application Server
  • z/OSMF

In addition, the following articles cover the details for configuring settings that address specific issues:

• Configuring ECDHE and DHE key exchange settings for TLSv1.2 handshakes.

More articles like these may be added in the future based on need and demand. 

If you have a comment or question about this article or any in the series, please post it to the z/OS Communications Server discussion group on the IBM Z and Linux ONE Community.  For the quickest response, please prefix your discussion subject line with “TLS Settings:”

For details on setting TLS parameters for ISV products, please consult the appropriate vendor documentation.

Acknowledgements

The authors of this series would like to thank the following individuals for their valuable input and reviews as the articles were being written:

• Alyson Comer, Steve Zammit – IBM z/OS System SSL
• Joyce Anne Porter, Shi Hui Gui – IBM z/OS Communications Server
• Sean Kelleher, Audrey Timkovich, Stephen Flavell and Will Smith – IBM Java
• Keith Jabcuga – IBM WebSphere
• Eric Covener – IBM z/OS HTTP Server
• Mark Pocock and Tino Tropea – IBM CICS
• Mark Womack – IBM MQ
• Ed Peters – IBM Sterling Connect:Direct
• Xiao-Yu Li – IBM z/OS LDAP
• Hiren Shah – IBM z/OSMF
• Larry Fitchett – IBM Content Manager OnDemand for z/OS
• Michael Jordan – IBM z/OS security

Navigation

Next article: An overview of z/OS TLS providers.