TLS V1.3 with Common Services

Article ID: 197513

Products

CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA LDAP Server for z/OS CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware MF - MISC OLD CODES SERVICE ASSURE Generic Uniservice for CICS Generic Uniservice II CA Output Management Web Viewer

Issue/Introduction

PTF SO12236 is showing as a requirement for z/OS 2.4 and for CCS V15 and raises the following questions:
1. Is this PTF forcing the use of TLS V1.3 or just allowing it to be used?
2. Are new certs required for TLS V1.3, and are they only needed on LPARs where CCISSL tasks are running or for all LPARs?
3. Will old certs continue to work under V15 of Common Services, or do new certs need to be in place when V15 is installed?
4. Current certs are stored in /etc/security/*.kdb or .sth, but I am told the certs now need to be stored in the ACP. Please provide details of how this is done.

Cause

Need to know the formatting process for TLS 1.3. The documentation seems to say that the old certs should remain in place, but is that possible if the old ones are stored one way and the new one is under the ACP? I didn't see any mention of this in the release notes, so I wanted to make sure this is needed for the upgrade.

Environment

Release : 15.0

Component : CAICCI-MVS

Resolution

1) This PTF provides support for TLSV1.3 (which requires z/OS 2.4 or later) but does NOT force it. After applying the PTF, if no additional configuration is done for TLSV1.3, your systems should continue to run with the same settings. That is to say, TLSV1.3 is NOT enabled by default. At minimum, it requires someone to manually import a new certificate/root and update your configuration file to add new cipher suites (CIPHER_SUITES=), the new certificate (CERT=), and a protocol option (PROT=) that supports it ("TLSV1.3" to mandate it or "TLS" to allow all versions of TLS).

2) Due to new certificate requirements for TLSV1.3, a new default certificate was delivered with this PTF. This new certificate is required for any TLSV1.3 connection and also supports connections using earlier TLS versions. You should import this certificate into all key databases (kdb) used by CCISSL/CCISSLGW tasks on each LPAR that you upgrade with this support. You should also leave the old certificates in place in the same kdb. This allows newly upgraded CCISSL/GW tasks to communicate with other tasks that may or may not have this support yet.
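The following is an added example, not code from the article or from CA/Broadcom. It reads a CCISSL-style KEY=VALUE parameter file and reports whether TLS 1.3 is actually enabled according to points 1) and 2) above: PROT= must be TLS or TLSV1.3, CIPHER_SUITES= must list a TLS 1.3 suite, and CERT= must name the new certificate; it also flags a PROT=TLSV1.3 mandate, since peers without the PTF cannot negotiate it. The exact parameter-file syntax (one KEY=VALUE per line, "#" comments), the System SSL style four-hex-digit TLS 1.3 suite codes, the PROT=TLSV1.2 value and the certificate labels are all assumptions made here.

```python
"""Lint for a CCISSL-style parameter file: is TLS 1.3 really enabled?

Assumptions (not from the article): KEY=VALUE lines, '#' starts a comment,
CIPHER_SUITES= is a comma-separated list, and TLS 1.3 suites use the
System SSL four-hex-digit codes 1301..1305.
"""

# Assumed TLS 1.3 cipher suite codes (System SSL notation, e.g. 1301 = TLS_AES_128_GCM_SHA256)
TLS13_SUITES = {"1301", "1302", "1303", "1304", "1305"}

# Constructed sample parameter files (labels and values are made up)
BEFORE = """\
# pre-PTF configuration: nothing TLS 1.3 specific
PROT=TLSV1.2
CIPHER_SUITES=3D,35,2F
CERT=CCISSL_OLD_CERT
"""

AFTER = """\
# after PTF SO12236: PROT=, CIPHER_SUITES= and CERT= all updated
PROT=TLS
CIPHER_SUITES=1302,1301,3D,35,2F
CERT=CCISSL_TLS13_CERT
"""


def parse_parms(text):
    """Parse KEY=VALUE lines into a dict; keys are upper-cased, comments dropped."""
    parms = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parms[key.strip().upper()] = value.strip()
    return parms


def tls13_status(parms):
    """Return (enabled, mandated, findings) for a parsed parameter file.

    enabled  - all three settings from point 1) are present, so TLS 1.3 can be used
    mandated - PROT=TLSV1.3, i.e. only TLS 1.3 is accepted
    findings - human-readable list of what is missing or risky
    """
    findings = []
    prot = parms.get("PROT", "").upper()
    suites = [s.strip().upper() for s in parms.get("CIPHER_SUITES", "").split(",") if s.strip()]
    cert = parms.get("CERT", "")

    allows_13 = prot in ("TLS", "TLSV1.3")          # "TLS" = all versions, "TLSV1.3" = 1.3 only
    mandated = prot == "TLSV1.3"
    has_13_suite = any(s in TLS13_SUITES for s in suites)
    has_legacy_suite = any(s not in TLS13_SUITES for s in suites)

    if not allows_13:
        findings.append(f"PROT={prot or '<unset>'} does not allow TLS 1.3 "
                        "(PROT=TLS allows all TLS versions, PROT=TLSV1.3 mandates 1.3)")
    if not has_13_suite:
        findings.append("CIPHER_SUITES= lists no TLS 1.3 cipher suite")
    if not cert:
        findings.append("CERT= is not set; the new default certificate delivered with the PTF must be named")
    if mandated:
        findings.append("PROT=TLSV1.3 mandates TLS 1.3: peers that do not yet have this support cannot connect")
    if allows_13 and not mandated and not has_legacy_suite:
        findings.append("PROT=TLS allows older versions but no pre-1.3 suite is listed, "
                        "so un-upgraded peers still cannot negotiate")

    enabled = allows_13 and has_13_suite and bool(cert)
    return enabled, mandated, findings


def report(name, text):
    enabled, mandated, findings = tls13_status(parse_parms(text))
    print(f"{name}: TLS 1.3 enabled={enabled} mandated={mandated}")
    for f in findings:
        print(f"  - {f}")


if __name__ == "__main__":
    report("BEFORE", BEFORE)
    report("AFTER", AFTER)
    report("AFTER (mandated)", AFTER.replace("PROT=TLS\n", "PROT=TLSV1.3\n"))
```

Run against the two constructed files, the BEFORE configuration is reported as not TLS 1.3 capable (matching the article's statement that the PTF alone changes nothing), the AFTER configuration as capable while still able to talk to peers on earlier TLS versions, and the PROT=TLSV1.3 variant as capable but flagged for breaking peers without the PTF.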

3) Old certificates will continue to work as is; you just will not be able to use TLSV1.3 with them.

4) We provide instructions on importing the new certificate into the SAME key database (kdb) that you have been using previously. The instructions are found in the r15.0 documentation and cover adding the new root certificate and the certificate/private key into the kdb. Since you already have the kdb set up and the old root and certificate/private key already imported, you should focus on Step 9 (importing the new root certificate) and Step 11 (importing the new certificate/private key).

Additional Information

Please consult the r15.0 documentation on how to Create and Populate the HFS Key Database, as mentioned in #4 above.