As company security audits become more strict, the need for ciphers that provide perfect forward secrecy are required on the z/TPF system. With perfect forward secrecy, a new public and private key is created for each TLS session. This ensures that if the private key is compromised, it cannot be applied to previous or future sessions that are encrypted. The ported OpenSSL library provides perfect forward secrecy by using ephemeral public/private keys during a TLS session's key exchange.

With APAR PJ46292, the z/TPF system will support the following ephemeral Diffie-Hellman ciphers that provide perfect forward secrecy:

- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384

In addition, APAR PJ46292 provides support for the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM). The AES algorithm in GCM mode performs better than running AES in CBC mode due to the nature of the algorithm.

The following ciphers that use RSA for key exchange (non-ephemeral key exchange) but provide AES in GCM mode are also supported on the z/TPF system:
 
- AES128-GCM-SHA256
- AES256-GCM-SHA384

The new ephemeral Diffie-Hellman ciphers on z/TPF leverage hardware in CP Assist for Cryptographic Functions (CPACF) if it is available to optimize performance for AES in Galois Counter Mode (GCM) and SHA256/SHA384. Other operations that do not utilize hardware support such as the Diffie-Hellman key exchange are performed in software.

The new supported cipher algorithms improve the overall security of the z/TPF system. For more information about APAR PJ46292, see the APEDIT.