Security

• A hash algorithm to ensure data integrity.

Here, TLSv1.2 comes into play. Protocol versions up to TLSv.1.1 are using the SHA-1 algorithm or even older algorithms such as MD5. TLSv1.2 introduces new cipher suites using the SHA-256 algorithm and are therefore compliant with NIST 800-131A. TLSv1.2 is described in Internet Engineering Task Force (IETF) RFC 5246 at here

TLSv1.2 in OpenSSL
In the past, the following three SSL cipher suites were the most secure ones available on z/VSE and either supported by TCP/IP for VSE/ESA or OpenSSL (available on z/VSE since z/VSE 5.1):

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_RSA_WITH_AES_128_CBC_SHA

• TLS_RSA_WITH_AES_256_CBC_SHA.

Besides using RSA for authenticating, all three cipher suites are using SHA-1 for hashing. The first one uses Triple-DES for encryption, the second one the more secure AES algorithm with 128 bits key length and the last one uses AES with a 256-bit key.

TLSv1.2 adds three cipher suites:

• TLS_RSA_WITH_NULL_SHA256

• TLS_RSA_WITH_AES_128_CBC_SHA256

• TLS_RSA_WITH_AES_256_CBC_SHA256.

The first one only authenticates the communication partners and ensures data integrity, but in fact doesn’t encrypt any data. You wouldn’t normally use this cipher suite. The latter two use AES-128 and AES-256 for data encryption. All three use SHA-256 for hashing.

Usage Scenarios With z/VSE
Here are some examples of how to use TLSv1.2 in a z/VSE environment. This requires the IPv6/VSE product from Barnard Software Inc.:

z/VSE e-business connectors. On z/VSE, you set up one of the SSL/TLS servers provided by IPv6/VSE (BSTTATLS or BSTTPRXY) to SSL-enable the VSE Connector Server. On a Java-enabled workstation, you use Java 7, which supports the TLSv1.2 cipher suites. This way you can enable any VSE Connector Client application for TLSv1.2. Our tests went well with VSE Navigator.

FTP. If VSE is the server, you SSL-enable the BSTTFTPS FTP server for SSL via BSTTATLS/BSTTPRXY. On a Windows PC, you, for example, use the FileZilla FTP client, which supports TLSv1.2. In our tests, we used FileZilla client 3.7.0.2, but other free FTP clients, such as Core FTP LE and Total Commander, are also available.

If VSE is the client, you SSL-enable the BSTTFTPC FTP client for SSL. On a Linux platform, you use the VSFTPD server that supports TLSv1.2. In our tests, we used VSFTPD Version 3. Unfortunately, FileZilla server currently doesn’t support TLSv1.2. However, there are other freeware FTP servers such as Cerberus that support TLSv1.2.

TN3270. For Telnet, it’s a bit difficult to find a TN3270 client that supports TLSv1.2. IBM Personal Communications V6.0, for example, doesn’t support TLSv1.2. However, you can use the free x3270 client, which internally uses OpenSSL.

HTTPS. Mozilla Firefox supports TLSv1.2 with version 27; Google Chrome uses TLSv1.2 since version 30. This allows you to, for example, connect to BSTTATLS/BSTTPRXY for CICS web support.

Summary
TLSv1.2 provides enhanced security for your IT environment. NIST Special Publication 800-131A strongly encourages migration to TLSv1.2. Apply the PTFs shown in Figure 1 on your z/VSE system to take advantage of greater SSL/TLS security.

3 Pages