XCOM for z/OS 12.0 & IBM System SSL using SSLv3 to older XCOM
search cancel

XCOM for z/OS 12.0 & IBM System SSL using SSLv3 to older XCOM


Article ID: 245009


Updated On:


XCOM Data Transport XCOM Data Transport - Linux PC XCOM Data Transport - z/OS XCOM Data Transport - Windows


XCOM r11.6 13014 SP00 is running on a legacy Linux server which will be phased-out this year i.e.

However there are some critical transfers setup with z/OS still using OpenSSL. The Mainframe team has been asked to switch to System SSL, so options are being explored  to get the best of both worlds; enable System SSL, yet use SSLv3 for transfer with legacy systems running r11.6 SP00. 

Can IBM System SSL on z/OS with SSLv3 enabled be successfully used for secure transfers using SSLv3 with XCOM 11.6 SP00 on Linux? 


Release : 11.6

Component : XCOM Data Transport for Linux PC


It is possible to use IBM System SSL with SSLv3 to enable compatibility with older/legacy versions of XCOM that only support SSLv3 like the XCOM for Linux version highlighted i.e. "CA XCOM Data Transport r11.6 13014 SP00 (for <no SNA Support>".
NOTE: No reference to "bitness" in the "xcomqm -r" version output means it is the older 32-bit version which has reached End Of Service on February 28, 2018 per CA XCOM Data Transport 11.6 End of Service Announcement.

There have been some previous reported problems with a secure transfer initiated from XCOM for z/OS 12.0 using IBM System SSL to a XCOM for Linux 32-bit r11.6 SP00 server. The Linux machine was sending back an invalid message during the initial SSL handshake because of invalid "distinguished names" section and likely due to the use of the old openssl version on Linux.
The suggested resolution was:
EITHER: Change to use OpenSSL on z/OS
OR: In order to retain use of IBM System SSL set the parameter VERIFY_CERTIFICATE=NO in the Linux file $XCOM_HOME/config/configssl.cnf (set both RECEIVE_SIDE and INITIATE_SIDE to cover both transfer directions).

NOTE: The older XCOM for Linux 11.6 SP00 32-bit will also support TLS 1.0 well as SSLv3 i.e. in the configssl.cnf file the SSL_METHOD values can be set to v3 or tlsv1, depending on preference.

Additional Information

Related KB article: XCOM random S0C4 abends in format_distinguished_names (SSLv3)