I opened a PMR with IBM.
Learned that each IBM application also needs to have its SSL default settings changed.
Enable Telnet and Host servers
http://www-01.ibm.com/support/docview.wss?uid=nas8N1019971
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020017
At V7R1, all IBM apps use the default; this can be seen via DCM, Update Application Definition.
One example, Application ID QIBM_QTV_TELNET_SERVER, has the default settings below, which are all set to *PGM (not sure what V7R1 *PGM is at this point; looking for this documentation, anyone have this?).
Each app needs to be changed from *PGM and customized for the desired SSL settings.
Each app needs to be recycled for the SSL changes to take effect, which is different from changing the i5/OS system values QSSL*.
At V7R2, *PGM has different defaults, so it may not need as many changes, if any.
Update Application Definition
  Application type: Server
  Application ID: QIBM_QTV_TELNET_SERVER
  Application description: IBM i TCP/IP Telnet Server
  Certificate Assigned: PENCOR0115WCSHA256

Information that can be updated:

SSL protocols: *PGM
  Define protocols supported: TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0, SSL 2.0

SSL cipher specification options: *PGM
  Define cipher specification list (in order):
    RSA_AES_128_CBC_SHA256
    RSA_AES_128_CBC_SHA
    RSA_AES_256_CBC_SHA256
    RSA_AES_256_CBC_SHA
    RSA_3DES_EDE_CBC_SHA
    RSA_RC4_128_SHA
    RSA_RC4_128_MD5
    RSA_DES_CBC_SHA
    RSA_EXPORT_RC2_CBC_40_MD5
    RSA_EXPORT_RC4_40_MD5
    RSA_NULL_SHA256
    RSA_NULL_SHA
    RSA_NULL_MD5
    RSA_RC2_CBC_128_MD5
    RSA_3DES_EDE_CBC_MD5
    RSA_DES_CBC_MD5

Extended renegotiation critical mode processing: *PGM / Enable / Disable
Server Name Indication (SNI):
Special indicators:

(The following information applies when client authentication is enabled)
  Client authentication required: Yes / No
  Define the CA trust list: Yes / No
  Certificate Revocation List (CRL) checking: Yes / No
  Online Certificate Status Protocol (OCSP) attributes:
    OCSP URL: *PGM / Disable / Define URL value
    URL value:
    OCSP Authority Information Access (AIA) processing: *PGM / Enable / Disable

SSL signature algorithms: *PGM
  Define signature algorithms supported (in order):
    RSA_SHA512
    RSA_SHA384
    RSA_SHA256
    RSA_SHA224
    RSA_SHA1
    RSA_MD5
Paul
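The definition above lists every protocol and cipher the *PGM default allows, but DCM gives no hint which entries fail a "TLS 1.1 or higher, no weak ciphers" policy like the one the thread is chasing. The following is an added example (not IBM's code and not from the list posts) that takes the posted QIBM_QTV_TELNET_SERVER defaults as constructed input, splits each list into keep/drop with a reason per dropped entry, and includes a probe to confirm after recycling the server which protocol versions it still negotiates. The policy thresholds (TLS 1.1+, the weak-cipher rules) and the host/port in the probe call are assumptions, not IBM documentation.

```python
"""Audit a DCM application definition (protocols, ciphers, signature algorithms)
against an assumed 'TLS 1.1+, no weak ciphers' policy, then optionally check
what a recycled server really accepts.  Added example; not IBM code."""
import re
import socket
import ssl
from typing import Dict, List, Tuple

# Constructed input: the V7R1 *PGM defaults for QIBM_QTV_TELNET_SERVER as
# shown in the thread's Update Application Definition screen.
TELNET_PROTOCOLS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0", "SSL 2.0"]
TELNET_CIPHERS = [
    "RSA_AES_128_CBC_SHA256", "RSA_AES_128_CBC_SHA",
    "RSA_AES_256_CBC_SHA256", "RSA_AES_256_CBC_SHA",
    "RSA_3DES_EDE_CBC_SHA", "RSA_RC4_128_SHA", "RSA_RC4_128_MD5",
    "RSA_DES_CBC_SHA", "RSA_EXPORT_RC2_CBC_40_MD5", "RSA_EXPORT_RC4_40_MD5",
    "RSA_NULL_SHA256", "RSA_NULL_SHA", "RSA_NULL_MD5",
    "RSA_RC2_CBC_128_MD5", "RSA_3DES_EDE_CBC_MD5", "RSA_DES_CBC_MD5",
]
TELNET_SIGALGS = ["RSA_SHA512", "RSA_SHA384", "RSA_SHA256", "RSA_SHA224",
                  "RSA_SHA1", "RSA_MD5"]

# Assumed policy, taken from the thread: PCI now wants TLS 1.1 or higher.
ALLOWED_PROTOCOLS = {"TLS 1.2", "TLS 1.1"}

# (regex over the DCM cipher name, reason it fails).  A cipher is weak if any
# rule matches; the first match supplies the reported reason.
WEAK_CIPHER_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"_NULL_"),   "no encryption"),
    (re.compile(r"_EXPORT_"), "export-grade (40-bit) key"),
    (re.compile(r"_RC4_"),    "RC4 stream cipher"),
    (re.compile(r"_RC2_"),    "RC2 block cipher"),
    (re.compile(r"_DES_"),    "single DES, 56-bit key"),  # not matched by _3DES_
    (re.compile(r"_3DES_"),   "3DES, 64-bit block"),
    (re.compile(r"_MD5$"),    "MD5-based MAC"),
]
WEAK_SIGALG = re.compile(r"_(MD5|SHA1)$")


def classify_cipher(name: str) -> str:
    """Return '' if the cipher passes the policy, else the first failing reason."""
    for pattern, reason in WEAK_CIPHER_RULES:
        if pattern.search(name):
            return reason
    return ""


def audit_definition(protocols: List[str], ciphers: List[str],
                     sigalgs: List[str]) -> Dict[str, list]:
    """Split a definition into keep/drop lists, preserving DCM's 'Order' column."""
    report: Dict[str, list] = {k: [] for k in (
        "keep_protocols", "drop_protocols", "keep_ciphers", "drop_ciphers",
        "keep_sigalgs", "drop_sigalgs")}
    for p in protocols:
        key = "keep_protocols" if p in ALLOWED_PROTOCOLS else "drop_protocols"
        report[key].append(p)
    for c in ciphers:
        reason = classify_cipher(c)
        if reason:
            report["drop_ciphers"].append((c, reason))
        else:
            report["keep_ciphers"].append(c)
    for s in sigalgs:
        key = "drop_sigalgs" if WEAK_SIGALG.search(s) else "keep_sigalgs"
        report[key].append(s)
    return report


def probe_protocol(host: str, port: int, version: "ssl.TLSVersion",
                   timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`.

    Use after recycling the server to confirm TLS 1.0 is really gone.  Cert
    checks are off because we only observe protocol acceptance.  Modern
    OpenSSL refuses to offer TLS 1.0/1.1 at its default security level, so
    the cipher string lowers it; non-OpenSSL builds may reject that string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    result = audit_definition(TELNET_PROTOCOLS, TELNET_CIPHERS, TELNET_SIGALGS)
    print("keep protocols:", result["keep_protocols"])
    print("keep ciphers  :", result["keep_ciphers"])
    for name, why in result["drop_ciphers"]:
        print(f"drop {name:<28} {why}")
    # Hypothetical host/port; run after the server is recycled:
    # print(probe_protocol("telnet.example.internal", 992, ssl.TLSVersion.TLSv1))
```

On the posted defaults this keeps only the four AES_CBC suites and the SHA-2 signature algorithms; everything else (3DES, RC4, RC2, single DES, export and NULL suites, and the MD5/SHA1 signature algorithms) is reported with its reason. The probe is the check worth running twice: before the change, to confirm TLS 1.0 is accepted, and after the recycle, to confirm it is refused, since (as Paul notes) editing the definition alone does not take effect until the server restarts.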
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of JWGrant@xxxxxxxxxxxxxxx
Sent: Tuesday, June 02, 2015 12:52 PM
To: Midrange Systems Technical Discussion
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2
We have been working on this issue with our LPAR's for several weeks now.
As you discovered, you need to be careful just changing the system values to limit to TLS V1.1 and higher, as you will break secure Telnet.
You can, through a combination of system values, set the ciphers supported to values that support the lower secure TLSv1 for Telnet, but then override to only support higher secure protocols for web servers through the use of Apache directives (don't attempt to override the SSL PROTOCOL in DCM for Apache web servers, as it does not work; these must be done in the Apache directives).
However, you also then need to evaluate the browsers. Modern browsers like Safari, Chrome, Firefox (at current levels) have no issues, but Internet Explorer can be problematic. IE8 and IE9 can support TLS but not right out of the box (Windows patches are required). IE10 out of the box supports TLS 1.2, but it is not enabled by default; you need to turn on ssl 1.2 in the settings.
If you are on IBMi V7R1 TR6 or higher you should be okay.
Jim
Jim W Grant
Web: http://www.pdpgroupinc.com
From: Phil McCullough <Phil.McCullough@xxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 06/02/2015 11:35 AM
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Hey,
Can you help me with some Microsoft licensing questions?
Thanks
Phil
-----Original Message-----
From: Matt Olson [mailto:Matt.Olson@xxxxxxxx]
Sent: Tuesday, June 02, 2015 8:58 AM
To: Midrange Systems Technical Discussion
Subject: RE: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2
If you follow this guide you will be golden with TLS and a bunch more important security items:
Linux flavors:
https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/
Windows:
https://scotthelme.co.uk/getting-an-a-on-the-qualys-ssl-test-windows-edition/
More info on windows:
http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html
-----Original Message-----
From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]
Sent: Tuesday, June 02, 2015 8:36 AM
To: 'Midrange Systems Technical Discussion'
Subject: Disabling SSL version TLSV1 - only allowing TLSV1.1 and TLSV1.2
To all,
I was just informed that *TLSV1 no longer passes PCI compliance and must also be disabled.
Every one of my SSL connections is TLSV1.
Has anyone disabled TLSV1 and only left TLSV1.1 and TLSV1.2 enabled?
Our IT staff informed me that most of our remote servers and applications may need a combination of OS upgrades, application upgrades, and/or application default changes.
I disabled TLSV1 on my playground LPAR; my PC would no longer connect via SSL with Client Access.
This is looking very ugly.
I'm looking for some good SSL links for various OSes (i5/OS, Windows, CentOS) and application links also.
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.