IBM Education Assistance for z/OS V2R1
IBM Tivoli Directory Server Administration and Use for z/OS (SC23-6788)
IBM Tivoli Directory Server Messages and Codes for z/OS (SA23-2262)

© 2013 IBM Corporation. Material is current as of June 2013.

Item: Support of TLS V1.1, TLS V1.2, and NSA Suite B
Element/Component: IBM Tivoli Directory Server for z/OS (LDAP)

Filename: zOS V2R1 TDS (LDAP) Support of TLS V1.2 and NSA Suite B

Agenda

■ Trademarks
■ Presentation Objectives
■ Overview
■ Usage and Invocation
– Server
– Server dsconfig utility
– Client
– Command line utilities
■ Appendix

Trademarks

■ See http://www.ibm.com/legal/copytrade.shtml for a list of trademarks.

Presentation Objectives

■ At the end of this presentation, you should have an understanding of:
– The IBM Tivoli Directory Server enhancements for exploitation of TLS V1.1, TLS V1.2, and NSA Suite B
– How to use the enhancements

Overview

■ Problem Statement / Need Addressed
– Customers want to use secure connections for applications communicating with the z/OS IBM Tivoli Directory Server over SSL, exploiting the recent enhancements provided with the TLS V1.1 and TLS V1.2 protocols and the NSA Suite B profile.

■ Solution
– The z/OS IBM Tivoli Directory Server, its client, and its command line utilities (which utilize the client) are enhanced to support current z/OS System SSL capabilities, including the TLS V1.1 protocol, the TLS V1.2 protocol, and the NSA Suite B profile.

■ Benefit / Value
– Increased security is available for the SSL connections used to communicate between the z/OS IBM Tivoli Directory Server and client.

Overview

■ The enhancements to the z/OS IBM Tivoli Directory Server predominantly exploit the z/OS System SSL environment variables for configuration.

– The z/OS IBM Tivoli Directory Server (LDAP) previously allowed environment variables to govern its behavior, including those of other products.

– The z/OS IBM TDS (LDAP) client previously honored the z/OS System SSL environment variable GSK_V3_CIPHER_SPECS.

– Use of z/OS System SSL environment variables avoids additional LDAP-specific 1-for-1 configuration keywords to tailor SSL function.

– Where needed, a few z/OS IBM Tivoli Directory Server keywords or environment variables are used.

Usage & Invocation: Server

■ Previously, the z/OS IBM Tivoli Directory Server enabled SSL V3 protocol, TLS V1.0 protocol, and used a default cipher list of 2 byte cipher specifications.

■ The sslCipherSpecs server configuration option is specified as an expression and represents an ORed bitmask, with each bit indicating a specific cipher suite. The bitmask can be specified as a number, a numeric expression, or a set of keywords for each desired cipher suite combined with “+” operators.

– The keyword “ANY” is also allowed, as well as an expression with ANY followed by excluded cipher suites combined with “-” operators.

– For example:

sslCipherSpecs RC4_MD5_US+RC4_SHA_US
sslCipherSpecs 2048+1024
sslCipherSpecs ANY
sslCipherSpecs ANY-RC4_MD5_US-RC4_SHA_US

If omitted, sslCipherSpecs defaults to ANY, which results in the 2-byte cipher specification list “050435363738392F303132330A1613100D0915120F0C0306”.

– Note that with this mechanism, the preference order of cipher suites is as shown above in the “ANY” list, even when only a subset of cipher suites is chosen.

Usage & Invocation: Server

■ The server no longer enables SSL V3 and TLS V1.0 protocols explicitly.
– The z/OS System SSL defaults already have these protocols enabled.
– This allows a customer to disable them via environment variable settings.
– The customer can enable TLS V1.1 and TLS V1.2 protocols using environment variables provided by z/OS System SSL.

■ The previous syntax is still allowed for the sslCipherSpecs configuration option. The customer can also set it to GSK_V3_CIPHER_SPECS_EXPANDED.

– In this case, the server uses the 4 byte ciphers specified externally in the environment variable of the same name. If the environment variable is not set, the z/OS System SSL defaults are used.

– The specification of cipher suites in the z/OS System SSL environment variable allows the customer to specify the desired order of preference.

– The customer may also set the GSK_SUITE_B_PROFILE environment variable in the server environment variable file. This sets up a profile for client/server communications that is compliant with Suite B Cryptography as defined in RFC 5430 (Suite B Profile for Transport Layer Security).

Usage & Invocation: Server

Example 1:

■ Server configuration file, in the general section:

sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED

■ Server environment variable file (the protocol variable names are written as on the dsconfig and command line slides, GSK_PROTOCOL_TLSV1_1 and GSK_PROTOCOL_TLSV1_2):

GSK_PROTOCOL_TLSV1_1=ON
GSK_PROTOCOL_TLSV1_2=ON
GSK_V3_CIPHER_SPECS_EXPANDED=C003

■ The example above configures the server to use the 4-byte cipher specifications available externally.

■ The single cipher “C003” is set by the environment variable GSK_V3_CIPHER_SPECS_EXPANDED.

■ Protocols for SSL V3 and TLS 1.0 will be allowed, by default.

■ TLS 1.1 and TLS 1.2 will be allowed because of the environment variable settings.

Usage & Invocation: Server

Example 2:

■ Server configuration file, in the general section:

sslCipherSpecs GSK_V3_CIPHER_SPECS_EXPANDED

■ Server environment variable file:

GSK_SUITE_B_PROFILE=192

■ The example above configures the server to use the 4-byte cipher specifications available externally.

■ Since the Suite B profile choice is 192, this includes the following settings as defined by z/OS System SSL:
– The cipher specification is “C02CC024”.
– The only protocol level enabled is TLS 1.2.
– Other protocol levels are disabled.

Usage & Invocation: Server dsconfig utility

■ The dsconfig utility already supports configuring sslCipherSpecs. In addition, a value of GSK_V3_CIPHER_SPECS_EXPANDED is now allowed.

■ The dsconfig utility is also enhanced to support a new generic keyword ENVVAR to propagate environment variables directly into the output server envvar file. The format is documented in the ds.slapd.profile with samples, including the use of continuation (“\” at end of line) for long cipher specifications:

ENVVAR = GSK_PROTOCOL_TLSV1_1=ON
ENVVAR = GSK_PROTOCOL_TLSV1_2=ON
ENVVAR = GSK_V3_CIPHER_SPECS_EXPANDED=0005000400350036003700380039\
ENVVAR = 002F0030003100320033000A001600130010000D000900150012000F\
ENVVAR = 000C00030006000200010000

Note that this capability allows other environment variables (not just for SSL) pertinent to the LDAP server to be specified using dsconfig.

Usage & Invocation: Client

■ Previously, the LDAP client enabled SSL V3 protocol and TLS V1.0 protocol.

■ It also used the 2 byte cipher specification defaults, or whatever was overridden with the GSK_V3_CIPHER_SPECS environment variable.

■ The ldap_set_option() routine could be used to explicitly set the cipher specs with the LDAP_OPT_SSL_CIPHER option.

– The cipher specifications could be specified using the list of z/OS System SSL 2 character values in string form.

ldap_set_option(ld, LDAP_OPT_SSL_CIPHER, "0405");

– The ldap.h header file also has its own symbols for the cipher suites, specified via #define (adjacent string literals are concatenated by the C compiler):

ldap_set_option(ld, LDAP_OPT_SSL_CIPHER, LDAP_SSL_RC4_MD5_EX LDAP_SSL_RC4_MD5_US);

Usage & Invocation: Client

■ The client no longer enables SSL V3 and TLS V1.0 protocols explicitly.
– The z/OS System SSL defaults already have them enabled.
– This allows a customer to disable these protocols through environment variable settings.
– The customer can enable TLS V1.1 and TLS V1.2 protocols using environment variables provided by z/OS System SSL.

■ The 2 byte ciphers can continue to be set in GSK_V3_CIPHER_SPECS or via ldap_set_option() as before.

■ Note that with the vast number of SSL cipher suites now in existence, ldap.h will no longer hold LDAP-specific names for newly supported values. The previously existing #define names will remain for compatibility.

Usage & Invocation: Client

■ 4 byte ciphers can be set with GSK_V3_CIPHER_SPECS_EXPANDED, or by ldap_set_option() via the LDAP_OPT_SSL_CIPHER_EXPANDED option.

■ z/OS System SSL provides no environment variable for controlling which cipher format is used (2 byte or 4 byte). Instead, the LDAP client defines its own environment variable, LDAP_SSL_CIPHER_FORMAT. This can be set to CHAR2 or CHAR4. The default format is 2 byte, and is used when this environment variable is not defined or not set to a valid value.

■ The ldap_set_option() routine adds option LDAP_OPT_SSL_CIPHER_FORMAT. LDAP_SSL_CIPHER_FORMAT_CHAR2 and LDAP_SSL_CIPHER_FORMAT_CHAR4 are its values, defined in the ldap.h header file.

■ Example:

ldap_set_option(ld, LDAP_OPT_SSL_CIPHER_FORMAT, LDAP_SSL_CIPHER_FORMAT_CHAR4);
ldap_set_option(ld, LDAP_OPT_SSL_CIPHER_EXPANDED, "C003C008");
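An added example (not IBM's code nor from this presentation) that reviews the cipher strings this deck passes around: it splits the 2-byte (CHAR2) and 4-byte (CHAR4) formats into suite ids, names them from the IANA registry, and reports the suites a reviewer would want out of a server or client configuration. The inputs are the server's default "ANY" list and the Suite B 192 specification quoted earlier; the weak-suite rule and the behaviour on a format mismatch are this example's own.

```python
"""Audit a z/OS System SSL cipher specification string in CHAR2 or CHAR4 form.
Constructed example, not IBM code: names each suite from the IANA registry and
flags the ones a reviewer would want out of an LDAP server or client configuration."""

# IANA TLS cipher-suite ids for the suites that appear on this page.
IANA_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL", 0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA", 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x000C: "TLS_DH_DSS_WITH_DES_CBC_SHA",
    0x000D: "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", 0x000F: "TLS_DH_RSA_WITH_DES_CBC_SHA",
    0x0010: "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", 0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0030: "TLS_DH_DSS_WITH_AES_128_CBC_SHA", 0x0031: "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0036: "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
    0x0037: "TLS_DH_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0xC003: "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
# Name fragments that mark a suite for removal (this example's own rule): no
# encryption, export grades, RC4/RC2/DES/3DES, or an MD5 MAC.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "_DES_", "3DES", "_MD5")

def parse_cipher_specs(spec, fmt="CHAR2"):
    """Split a cipher string into 16-bit suite ids, keeping the preference order.
    CHAR2 uses two hex digits per suite, CHAR4 four, as described on the page."""
    width = {"CHAR2": 2, "CHAR4": 4}[fmt]
    spec = spec.strip().upper()
    if not spec or len(spec) % width or spec.strip("0123456789ABCDEF"):
        raise ValueError(f"not a valid {fmt} cipher specification: {spec!r}")
    return [int(spec[i:i + width], 16) for i in range(0, len(spec), width)]

def audit(spec, fmt="CHAR2"):
    """Return the ordered suite names plus the ids that are weak or not in the table."""
    ids = parse_cipher_specs(spec, fmt)
    names = [IANA_NAMES.get(i, "UNKNOWN") for i in ids]
    weak = [i for i, n in zip(ids, names) if any(m in n for m in WEAK_MARKERS)]
    unknown = [i for i, n in zip(ids, names) if n == "UNKNOWN"]
    return {"order": names, "weak": weak, "unknown": unknown}

# Inputs copied from the page: the server's default "ANY" list and the Suite B 192 spec.
DEFAULT_ANY_CHAR2 = "050435363738392F303132330A1613100D0915120F0C0306"
SUITE_B_192_CHAR4 = "C02CC024"
```

Feeding a CHAR4 string such as "C003C008" to the parser under the CHAR2 default does not fail; it silently yields four different suite ids, which is why LDAP_SSL_CIPHER_FORMAT and the cipher string have to be reviewed together.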

Usage & Invocation: Command line utilities

The following LDAP command line utilities, which use the client, will behave according to the environment variables:

ldapchangepwd
ldapcompare
ldapdelete
ldapmodify/ldapadd
ldapmodrdn
ldapsearch
db2pwden
ds2ldif -r (remote option, using extended operation)
ldapexop

Usage & Invocation: Command line utilities

Example 1.

export LDAP_SSL_CIPHER_FORMAT=CHAR4
export GSK_PROTOCOL_TLSV1_2=ON
export GSK_V3_CIPHER_SPECS_EXPANDED=C003
ldapsearch -p 636 -Z -K my.kdb -P mykdbpw -N mykeylabel -D bindDN -w mybindpw -b basedn "objectclass=*"

Example 2.

export GSK_SUITE_B_PROFILE=ALL
ldapsearch -p 636 -Z -K my.kdb -P mykdbpw -N mykeylabel -D bindDN -w mybindpw -b basedn "objectclass=*"

Appendix

Publications

IBM Tivoli Directory Server Plug-in Reference for z/OS (SA76-0169)

IBM Tivoli Directory Server Administration and Use for z/OS (SC23-6788)

IBM Tivoli Directory Server Messages and Codes for z/OS (SA23-2262)

IBM Tivoli Directory Server Client Programming for z/OS (SA23-2295)

IBM z/OS Cryptographic Services Secure Systems Socket Layer Programming (SC14-7495)
