What TLS versions are supported for CA XCOM r11.6 SP00 32-bit/64-bit Unix/Linux and what is used for the SSL handshake to AS/400 r11.0 SP02 which supports TLSv1.2

Article ID: 209637


Products

CA XCOM Data Transport
CA XCOM Data Transport - Linux PC

Issue/Introduction

1. XCOM r11.6 SP00 32-bit and 64-bit Unix/Linux. Please confirm the highest TLS Cipher protocol available in this release (e.g. TLSv1.0, TLSv1 or TLSv1.1).

2. I am testing XCOM SSL from base XCOM r11.6 SP00 32-bit and doing XCOM SSL transmission to iSeries (AS400) XCOM r11.0 SP02, which is capable of TLSv1.2.
iSeries XCOM r11.0 SP02 does not support xcomtcp -ping. I have run an XCOM SSL transmission from Linux r11.6 SP00 32-bit with XTRACE=10 but I am not able to confirm what TLS protocol is negotiated in the SSL handshake. The TRACE does not capture the protocol used at SSL session start-up within the XCOM product.
Please advise how I can confirm the TLS protocol used in the SSL session between XCOM r11.6 SP00 32-bit and iSeries (AS400) XCOM r11.0 SP02.

Environment

Release : 11.6
Component : CA XCOM Data Transport for Linux PC

Resolution

1. XCOM r11.6 SP00 32-bit and 64-bit Unix/Linux only support SSLv3 and TLSv1. The 11.6 SP00 User Guide covers this and is accessible from the legacy bookshelves section:
Legacy Bookshelves and PDFs > Bookshelves and PDFs > Bookshelves and PDFs > CA XCOM Data Transport for UNIX and Linux
That links to this page: CA XCOM Data Transport for UNIX and Linux Release 11.6 Second Edition
After downloading the User Guide (x000111e.pdf), see "Chapter 5: Generating SSL Certificates":
+++
Supported Cryptographic Protocols

CA XCOM Data Transport supports the following protocols:
- TLSV1
- V3

In configssl.cnf, you can set the protocol used in SSL communications in one of the following ways:

For V3
# Mandatory, note that CA-XCOM uses the v3 protocol
[SSL_METHOD]
INITIATE_SIDE = v3
RECEIVE_SIDE = v3

For TLSV1
# Mandatory, note that CA-XCOM uses the v3 protocol
[SSL_METHOD]
INITIATE_SIDE = tlsv1
RECEIVE_SIDE = tlsv1

Note: The V3 method is applicable only if FIPS_MODE=OFF.
+++

There is no SP01 for 11.6 32-bit Unix/Linux, but support for TLSv1.1 and TLSv1.2 was added in r11.6 SP01 64-bit Unix/Linux, per the "Release Notes > Enhanced Features" section for "Service Pack 11.6.01" here:
CA XCOM Data Transport for UNIX/Linux 11.6.1 > Release Notes > Enhanced Features > Service Pack 11.6.01
The $XCOM_HOME/config/configssl.cnf file in SP01 and later has additional comments covering "all" protocols up to TLS v1.2.

2. The SSL/TLS protocol is not visible when setting XTRACE=10. One way to see the SSL protocol negotiated by a Linux XCOM server is to run an openssl command against its XCOM secure port, using this type of syntax:
openssl s_client -connect hostname:8045 -cert /opt/CA/XCOM/ssl/certs/clientcert.pem -key /opt/CA/XCOM/ssl/private/clientkey.pem -showcerts -status -msg < /dev/null > test1.out 2>&1
The negotiated version is then shown in the "Protocol" line of the SSL-Session block in test1.out.
For the transfer to the iSeries (AS/400) XCOM r11.0 SP02, the SSL handshake should drop down to the SSLv3 or TLSv1 supported by XCOM r11.6 SP00 32-bit, depending on what is configured in the Linux $XCOM_HOME/config/configssl.cnf file. This assumes that in the iSeries (AS/400) XCOM r11.0 SP02 configssl.cnf file, the [SSL_METHOD] parameter RECEIVE_SIDE is set to its default value of ALL. This is per the AS/400 i5/OS service pack 11.0.02 Release Notes section "TLS v1.1 and TLS v1.2 Support" here: CA XCOM Data Transport for AS/400 11.0 > Release Notes
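As an added illustration (not CA XCOM code), the following script reads the [SSL_METHOD] keywords from each side's configssl.cnf, predicts which version the handshake will settle on, and pulls the "Protocol" and "Cipher" lines out of an openssl s_client capture such as test1.out. The keyword set (v3, tlsv1, all), the AS/400 build's version list and the sample config contents are assumptions constructed for the example.

```python
"""Added example, not CA XCOM code: predict the SSL/TLS version two XCOM sides will
negotiate from their configssl.cnf [SSL_METHOD] settings, and read the version back
out of `openssl s_client` output.  Keywords other than v3/tlsv1/all are not handled."""
import re

# Lowest to highest; a handshake settles on the highest version both sides allow.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

def parse_ssl_method(cnf_text):
    """Return INITIATE_SIDE / RECEIVE_SIDE (lower-cased) from the [SSL_METHOD] section."""
    section, values = None, {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '#' comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif section == "SSL_METHOD" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            values[key.upper()] = val.lower()
    return values

def protocols_for(method, build_supports):
    """Map a method keyword to the versions that side offers/accepts.
    'all' means every version the local XCOM build supports (build_supports)."""
    table = {"v3": ["SSLv3"], "tlsv1": ["TLSv1"], "all": list(build_supports)}
    if method not in table:                      # assumption: only these keywords
        raise ValueError("unknown SSL_METHOD keyword: %s" % method)
    return [p for p in ORDER if p in table[method]]

def negotiated(initiator, receiver):
    """Highest version both sides allow, or None when the handshake cannot succeed."""
    common = [p for p in ORDER if p in initiator and p in receiver]
    return common[-1] if common else None

def parse_s_client(output):
    """Extract 'Protocol  : ...' and 'Cipher    : ...' from an s_client capture."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    return (proto.group(1) if proto else None, cipher.group(1) if cipher else None)

# Constructed sample: Linux r11.6 SP00 (only SSLv3 and TLSv1 exist there) set to tlsv1.
LINUX_CNF = "[SSL_METHOD]\nINITIATE_SIDE = tlsv1\nRECEIVE_SIDE = tlsv1\n"
# Constructed sample: AS/400 r11.0 SP02 left at the default ALL; version list assumed.
AS400_CNF = "[SSL_METHOD]\nINITIATE_SIDE = ALL\nRECEIVE_SIDE = ALL\n"
AS400_SUPPORTS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

def expected_linux_to_as400():
    init = protocols_for(parse_ssl_method(LINUX_CNF)["INITIATE_SIDE"], ["SSLv3", "TLSv1"])
    recv = protocols_for(parse_ssl_method(AS400_CNF)["RECEIVE_SIDE"], AS400_SUPPORTS)
    return negotiated(init, recv)                # TLSv1: AS/400 drops to what SP00 offers
```

If the receiving side's list has no version in common with the initiator (for example SSLv3 disabled on the receiver while the Linux side is set to v3), negotiated() returns None, which is the case where the XCOM transfer fails at handshake rather than silently downgrading.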