Hello,

I am trying to work out how to get the zOS 1.13 FTP client to connect to an FTP server (a FileZilla Server on Windows) via FTPS. I am having trouble getting Policy Agent set up to use the correct cipher suites.

In the Policy Agent configuration, I have the following:

TTLSCipherParms                   cipher1~Default_Ciphers
{
  V3CipherSuites                  TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_128_CBC_SHA
}


However, when I fire up Policy Agent, it complains that all of these ciphers are invalid and discards my policy. I tried changing to different ciphers and I do find 2 that are accepted, but those are either 50 bit DES or no encryption at all. So not very useful. The FileZilla Server uses "Protocol: TLS1.0, Key exchange: RSA, Cipher: AES-256-CBC, MAC: SHA1".

"F GSKSRV,DISPLAY CRYPTO" shows that I do not have AES either in hardware or software; that explains the invalid ciphers.

GSK01009I Cryptographic status 681
Algorithm       Hardware    Software
DES                 56          56
3DES                --          --
AES                 --          --
RC2                 --          40
RC4                 --          40
RSA Encrypt         --        4096
RSA Sign            --        4096
DSS                 --        1024
SHA-1              160         160
SHA-2              512         512
ECC                 --          --


But in my TCPIP joblog, System SSL indicates that AES 256 crypto assist is available:

System SSL: SHA-1 crypto assist is available
System SSL: SHA-224 crypto assist is available
System SSL: SHA-256 crypto assist is available
System SSL: SHA-384 crypto assist is available
System SSL: SHA-512 crypto assist is available
System SSL: DES crypto assist is available
System SSL: DES3 crypto assist is available
System SSL: AES 128-bit crypto assist is available
System SSL: AES 256-bit crypto assist is available
System SSL: ICSF services are not available



So the question is how do I get AES enabled in zOS? I thought AES 256 was supported by the base zOS 1.13, but it looks like I am wrong. Do I need to fire up ICSF? Is there an APAR that needs to be installed?


Any help is appreciated.



Frank


--
Development Programmer
ColeSoft Marketing
www.colesoft.com
Phone : 540.456.6164  Fax : 540.456.6658
Email : [email protected]
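
The inference in the post above (suites rejected because GSKSRV reports no AES or 3DES) can be checked mechanically. The following is an added example, not part of the original post: it parses the GSK01009I table quoted above and reports which bulk cipher or MAC each configured suite names that the table shows as `--`. Treating `--` in both columns as "suite unusable" follows the poster's reasoning and is an assumption, as is the DES suite added for contrast.

```python
# Added example (not from the original post). Inputs are copied from the post.
CRYPTO_STATUS = """\
Algorithm       Hardware    Software
DES                 56          56
3DES                --          --
AES                 --          --
RC2                 --          40
RC4                 --          40
RSA Encrypt         --        4096
RSA Sign            --        4096
DSS                 --        1024
SHA-1              160         160
SHA-2              512         512
ECC                 --          --
"""

# The 15 suites in the TTLSCipherParms block: 5 key exchanges x 3 bulk ciphers.
SUITES = [f"TLS_{kx}_WITH_{bulk}_SHA"
          for bulk in ("AES_256_CBC", "3DES_EDE_CBC", "AES_128_CBC")
          for kx in ("RSA", "DHE_RSA", "DH_RSA", "DHE_DSS", "DH_DSS")]


def parse_status(text):
    """Map algorithm name -> largest key size in either column (0 when both are '--')."""
    status = {}
    for line in text.splitlines()[1:]:          # skip the header row
        if line.strip():
            name, hw, sw = line.rsplit(None, 2)
            status[name.strip()] = max(0 if v == "--" else int(v) for v in (hw, sw))
    return status


def missing_algorithms(suite, status):
    """Bulk cipher / MAC named by the suite that the table does not offer at all."""
    params = suite.split("_WITH_")[1]           # e.g. "AES_256_CBC_SHA"
    bulk, mac = params.split("_")[0], params.rsplit("_", 1)[1]
    needed = [bulk, "SHA-1" if mac == "SHA" else mac]
    # Assumption: '--' in both columns means the suite cannot be used.
    return [a for a in needed if a != "NULL" and status.get(a, 0) == 0]


if __name__ == "__main__":
    status = parse_status(CRYPTO_STATUS)
    # TLS_RSA_WITH_DES_CBC_SHA is added for contrast; it is not in the posted policy.
    for suite in SUITES + ["TLS_RSA_WITH_DES_CBC_SHA"]:
        gaps = missing_algorithms(suite, status)
        print(f"{suite:40} {'missing ' + ', '.join(gaps) if gaps else 'ok'}")
```

Every suite in the posted policy depends on AES or 3DES, both of which the table reports as unavailable, while a single-DES suite passes the same check.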

