What can be done in CA XCOM to make sure SSLv3 is still supported once the IBM PTF that disables SSLv3 is applied?

Document ID : KB000011883
Last Modified Date : 14/02/2018
Question:

Please be aware that IBM has issued a PTF affecting cryptographic services that will disable SSLv2 and SSLv3 at the system level. This will affect all third-party vendors, such as CA XCOM, that still support SSLv3.

What can be done in XCOM to make sure SSLv3 is still supported once the IBM PTF is applied?

Environment:
- XCOM r11.6, XCOM r12.0
- z/OS 1.13 and above
Answer:

XCOM for z/OS will work with SSLv3.

- XCOM r11.5, which is no longer supported, supports SSLv3 by default. Please read informational solution RI73608.

- XCOM r11.6, which is a supported (but not the latest) release, supports SSLv3 by default. Please read informational solutions RI73236 and RI76359. It also supports TLS 1.0 once you apply RO75875.

- XCOM r12.0, which is the latest release of the product, supports SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 when you configure/implement XCOM r12.0 to use IBM System SSL.

The parameter you need to review in configssl.cnf/SYSconfigssl.cnf is SSL_METHOD=ALL. This setting permits XCOM r11.6 and r12.0 to support SSLv3 and TLS.

- For XCOM r11.6, you must make sure you have all of the necessary fixes applied in order to specify SSL_METHOD=ALL. With that setting, r11.6 will support SSLv3 and TLS 1.0.

- For XCOM r12.0, you must add the parameter to SYSconfigssl.cnf if you are implementing IBM System SSL with XCOM. If you decide to use OpenSSL instead, which is supported with r12.0, the default for the parameter is SSL_METHOD=ALL. Again, OpenSSL will only support SSLv3 and TLS 1.0.

XCOM r11.5 is not supported and you will need to upgrade to the latest release.

Note: With XCOM r12.0, you will see some deprecation messages when transfers are using SSLv3; these confirm that your transfers are indeed using SSLv3.