A fix is available
APAR status
Closed as new function.
Error description
This support provides optional cross-checking of a peer certificate's revocation status via OCSP and/or CDP.
OCSP - Online Certificate Status Protocol
CDP - CRL (Certificate Revocation List) Distribution Points
The cross-checking mechanisms are embedded in the z/VM System SSL cryptographic library. Cross-checking is initiated when the peer certificate is built with the extension(s) for OCSP and/or CDP and the corresponding support is enabled via new DTCPARMS tags.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED: All z/VM TCP/IP users of the TLS/SSL server  *
*                 who require certificate revocation checking  *
*                 in the form of OCSP and/or HTTP CDP          *
*                 checking.                                    *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
Through the addition of OCSP and HTTP CDP support, the z/VM TCP/IP TLS/SSL server will now allow a trusted certificate authority to verify a certificate's revocation status before establishing a connection. Certificates must contain the necessary information required by either of those two specifications for the revocation status to be checked.
This support is enabled via a new OCSPParms tag in the DTCPARMS configuration file. Details on the new options to be placed in the OCSPParms tag can be found in the TCP/IP Planning and Customization manual.
A small enhancement has also been made to the TCP/IP stack, which will require a restart of TCP/IP after the PTF is applied.
When this support is enabled, a noticeable increase in handshake time may be observed when a peer certificate is presented with OCSP and/or CDP extensions, since a connection must be made to an external server.
More info can be found here: https://www.vm.ibm.com/newfunction/#zvm-tcpip-ocsp
Problem conclusion
Temporary fix
Comments
N/A
APAR Information
APAR number
PH28216
Reported component name
TCP/IP FOR Z/VM
Reported component ID
5735FAL00
Reported release
720
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2020-08-05
Closed date
2020-12-07
Last modified date
2021-09-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI72963
Modules/Macros
DTCUME DTCUMEB FPTCPREQ F6TCPREQ SSLADMIN SSLADMIO SSLADMNP SSLCACHE SSLCIPHS SSLCTLIO SSLDPUMP SSLDSPTC SSLGSKCF SSLMNTOR SSLPARGS SSLREPRT SSLSCBEX SSLSTART SSLTOOLS SSLTRACE SSLTRSIT TCPRUN
Fix information
Fixed component name
TCP/IP FOR Z/VM
Fixed component ID
5735FAL00
Applicable component levels
R720 PSY UI72963
UP21/01/06 P 2102
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 October 2021