IBM z/OS Server User Manual


 
65
z/OS SSL support includes the ability for applications to
create multiple SSL environments within a single process.
An application can now modify environment attributes
without terminating any SSL sessions already underway.
IPv6 Support: This support allows System SSL to be
used in an IPv6 network confi guration. It also enables
System SSL to support both IPv4 and IPv6 Internet pro-
tocol addresses.
Performance is improved with CRL Caching: Today,
SSL supports certifi cate revocation lists (CRLs) stored
in an LDAP server. Each time a certifi cate needs to be
validated, a request is made to the LDAP server to get
the list of CRLs. CRL Caching enables applications to
request that the retrieved list of CRLs be cached for a
defi ned length of time.
Support for the AES Symmetric Cipher for SSL V3 and
TLS Connections: System SSL supports the Advanced
Encryption Standard (AES), which provides data encryp-
tion using 128-bit or 256-bit keys for SSL V3.0 and TLS
V1.0 connections.
Support for DSS (Digital Signature Standard) Certifi -
cates: System SSL has been enhanced to support Digi-
tal Signature Standard certifi cates defi ned by the FIPS
(Federal Information Processing Standard) 186-1 Stan-
dard.
System SSL of RSA Private Keys Stored in ICSF: With
z/OS 1.4, support is introduced that is designed to allow
a certifi cate’s private key to reside in ICSF thus lifting
a restriction where the private key had to reside in the
RACF database.
Failover LDAP provides greater availability: You can
now specify a list of Security Server-LDAP servers to be
used for storing certifi cate revocation lists (CRLs). When
certifi cate validation is being performed, this list will be
used to determine which LDAP server to connect to for
the CRL information.
Simplifi ed administration with the ability to export
and import certifi cate chains using PKCS#7 format
fi les.defi ned length of time.
LDAP
z/OS provides industry-standard Lightweight Directory Pro-
tocol (LDAP) services supporting thousands of concurrent
clients. Client access to information in multiple directories
is supported with the LDAP protocol. The LDAP server
supports thousands of concurrent clients, increasing the
maximum number of concurrently connected clients by an
order of magnitude.
Enhancements
Mandatory Authentication Methods (required by IETF
RFC 2829) are supported in z/OS 1.4: The CRAM-MD5
and DIGEST-MD5 authentication methods have been
added. The methods avoid fl owing the user’s password
over the connection to the server. The LDAP Server, the
C/C++ APIs, and the utilities are updated with this sup-
port. Interoperability is improved for any applications
that make use of these methods.
TLS: z/OS LDAP now provides support for TLS (Trans-
port Layer Security) as defi ned in IETF RFC 2830 as an
alternative to SSL support. It also provides support, via
an LDAP extended operation, that allows applications to
selectively activate TLS for certain LDAP operations at
the application’s discretion.