IBM z/OS User Manual

z/OS SSL support includes the ability for applications to create multiple SSL environments within a single process. An application can now modify environment attributes without terminating any SSL sessions already underway.

• IPv6 Support: This support allows System SSL to be used in an IPv6 network configuration. It also enables System SSL to support both IPv4 and IPv6 Internet protocol addresses.

• Performance is improved with CRL Caching: Today, SSL supports certificate revocation lists (CRLs) stored in an LDAP server. Each time a certificate needs to be validated, a request is made to the LDAP server to get the list of CRLs. CRL Caching enables applications to request that the retrieved list of CRLs be cached for a defined length of time.

• Support for the AES Symmetric Cipher for SSL V3 and TLS Connections: System SSL supports the Advanced Encryption Standard (AES), which provides data encryption using 128-bit or 256-bit keys for SSL V3.0 and TLS V1.0 connections.

• Support for DSS (Digital Signature Standard) Certificates: System SSL has been enhanced to support Digital Signature Standard certificates defined by the FIPS (Federal Information Processing Standard) 186-1 Standard.

• System SSL Support for RSA Private Keys Stored in ICSF: With z/OS 1.4, support is introduced that is designed to allow a certificate's private key to reside in ICSF, lifting the restriction that the private key had to reside in the RACF database.

• Failover LDAP provides greater availability: You can now specify a list of Security Server LDAP servers to be used for storing certificate revocation lists (CRLs). When certificate validation is being performed, this list is used to determine which LDAP server to connect to for the CRL information.

• Simplified administration with the ability to export and import certificate chains using PKCS#7 format files.
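The CRL Caching and Failover LDAP items above describe a validation policy rather than an API. The following is an added example written for this page, not z/OS System SSL code, showing how a validator combines the two: it tries the configured servers in order, caches the retrieved CRL for a defined period, fails closed when no server answers, and (a caveat the page does not state) never trusts a cached copy beyond the CRL's own nextUpdate. The server names, issuer, serial numbers and the fetch callback are constructed stand-ins for the LDAP lookup.

```python
"""Illustrative CRL cache with a failover list of LDAP servers.

Added example for this page, not z/OS System SSL code: the server names,
issuer, revoked serial numbers and fetch callback are constructed
stand-ins for an LDAP lookup of a CRL.
"""
import time
from dataclasses import dataclass


class AllServersFailed(Exception):
    """No server in the failover list returned a CRL for the issuer."""


@dataclass
class CRLEntry:
    revoked: frozenset   # serial numbers listed as revoked
    next_update: float   # the issuer's own nextUpdate time (epoch seconds)
    expires_at: float    # when this cached copy may no longer be used


class CRLCache:
    """One cached CRL per issuer, refreshed from the first reachable server."""

    def __init__(self, servers, fetch, ttl_seconds, clock=time.time):
        self.servers = list(servers)  # tried in order on every refresh
        self.fetch = fetch            # fetch(server, issuer) -> (revoked, next_update)
        self.ttl = ttl_seconds        # the "defined length of time" the page mentions
        self.clock = clock
        self.entries = {}

    def _refresh(self, issuer):
        last_error = None
        for server in self.servers:
            try:
                revoked, next_update = self.fetch(server, issuer)
            except ConnectionError as exc:  # unreachable: try the next server
                last_error = exc
                continue
            # Never honour a cached CRL beyond its own nextUpdate, whatever the TTL.
            expires_at = min(self.clock() + self.ttl, next_update)
            entry = CRLEntry(frozenset(revoked), next_update, expires_at)
            self.entries[issuer] = entry
            return entry
        # Fail closed: with no CRL at all the certificate cannot be called valid.
        raise AllServersFailed(f"no CRL for {issuer!r}: {last_error}")

    def is_revoked(self, issuer, serial):
        entry = self.entries.get(issuer)
        if entry is None or self.clock() >= entry.expires_at:
            entry = self._refresh(issuer)
        return serial in entry.revoked


def demo():
    """Failover, a cache hit, TTL expiry, the nextUpdate clamp, all servers down."""
    now = [1_000_000.0]                      # fake clock so no real waiting is needed
    clock = lambda: now[0]
    calls = []                               # every server attempted, in order
    issuer = "CN=Example CA"                 # constructed
    next_update = now[0] + 3600.0            # the CRL says it is good for one hour

    def fetch(server, who):
        calls.append(server)
        if server == "ldap1.example.com":    # the primary is down in this scenario
            raise ConnectionError("connection refused")
        return {0x10, 0x20}, next_update     # constructed revoked serials

    servers = ["ldap1.example.com", "ldap2.example.com"]
    cache = CRLCache(servers, fetch, ttl_seconds=600, clock=clock)
    first = cache.is_revoked(issuer, 0x10)   # refresh: ldap1 fails, ldap2 answers
    calls_after_first = list(calls)
    second = cache.is_revoked(issuer, 0x30)  # within the TTL: served from cache
    calls_after_second = list(calls)
    now[0] += 601
    third = cache.is_revoked(issuer, 0x20)   # TTL passed: refreshed again
    calls_after_third = list(calls)

    # A TTL longer than the CRL's remaining life is clamped to nextUpdate.
    long_cache = CRLCache(servers, fetch, ttl_seconds=86400, clock=clock)
    long_cache.is_revoked(issuer, 0x10)
    clamped = long_cache.entries[issuer].expires_at == next_update

    def all_down(server, who):
        raise ConnectionError("unreachable")
    try:
        CRLCache(servers, all_down, 600, clock).is_revoked(issuer, 0x10)
        failed_closed = False
    except AllServersFailed:
        failed_closed = True

    return {"first": first, "second": second, "third": third,
            "calls_after_first": calls_after_first,
            "calls_after_second": calls_after_second,
            "calls_after_third": calls_after_third,
            "clamped_to_next_update": clamped, "failed_closed": failed_closed}
```

The point of the clamp is that a cache period chosen for performance must not outlive the revocation data: a CRL that is past its nextUpdate is stale regardless of when it was fetched, and a revocation published during the cache window is invisible until the next refresh, so the TTL is a deliberate trade between LDAP load and how quickly a revoked certificate stops being accepted.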

LDAP

z/OS provides industry-standard Lightweight Directory Access Protocol (LDAP) services. Client access to information in multiple directories is supported with the LDAP protocol. The LDAP server supports thousands of concurrent clients, increasing the maximum number of concurrently connected clients by an order of magnitude.

Enhancements

• Mandatory Authentication Methods (required by IETF RFC 2829) are supported in z/OS 1.4: The CRAM-MD5 and DIGEST-MD5 authentication methods have been added. The methods avoid flowing the user's password over the connection to the server. The LDAP Server, the C/C++ APIs, and the utilities are updated with this support. Interoperability is improved for any applications that make use of these methods.

• TLS: z/OS LDAP now provides support for TLS (Transport Layer Security) as defined in IETF RFC 2830 as an alternative to SSL support. It also provides support, via the Start TLS LDAP extended operation, that allows applications to activate TLS on an already established LDAP connection at the point of their choosing, so that only the operations the application selects are protected.
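Both LDAP enhancements above are easiest to understand on the wire. The following is an added example written for this page, not z/OS LDAP server or client code: it encodes the Start TLS ExtendedRequest of RFC 2830 (OID 1.3.6.1.4.1.1466.20037), parses the server's ExtendedResponse so that only resultCode 0 lets the client proceed to the TLS handshake, and computes and verifies a CRAM-MD5 challenge-response (RFC 2195) to show why the password never crosses the connection. The BER helpers cover only what these two messages need, the sample response bytes are constructed here, and the CRAM-MD5 user, secret and challenge are the worked example from RFC 2195.

```python
"""The two LDAP enhancements above on the wire: the Start TLS extended
operation of RFC 2830 and the CRAM-MD5 challenge-response of RFC 2195.

Added example for this page, not z/OS LDAP server or client code. The BER
helpers cover only what these two messages need; the sample response is
constructed here; the CRAM-MD5 values are the example from RFC 2195.
"""
import hashlib
import hmac

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"      # RFC 2830 section 2.1


def _ber_len(n):
    """BER definite length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n):
    """Non-negative INTEGER, with a leading 0x00 where the top bit would be set."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def starttls_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _ber_int(message_id) + ext_req)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) of an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:                                 # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, pos = _read_tlv(op, 0)                 # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)        # LDAPDN
    _, diag, pos = _read_tlv(op, pos)               # LDAPString
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode()


def starttls_established(response):
    """Only resultCode 0 (success) means the TLS handshake may begin; on anything
    else the connection is still plaintext and no credentials may be sent on it."""
    _, code, _ = parse_extended_response(response)
    return code == 0


def sample_extended_response(message_id, code, diag=""):
    """Constructed server reply (resultCode below 128); responseName [10] echoes the OID."""
    op = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    op += _tlv(0x8A, STARTTLS_OID)
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x78, op))


def cram_md5_response(username, password, challenge):
    """Client side of RFC 2195: HMAC-MD5 over the server's challenge, keyed by the
    password, so the password itself never crosses the connection."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def cram_md5_verify(passwords, challenge, response):
    """Server side: recompute from the stored secret and compare in constant time.
    The server therefore has to keep each user's secret in recoverable form."""
    username, _, digest = response.decode().partition(" ")
    secret = passwords.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(starttls_request(1).hex())
    print(starttls_established(sample_extended_response(1, 0)))
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    print(cram_md5_response("tim", "tanstaaftanstaaf", chal))
```

Two practical caveats follow from the code. A Start TLS failure is not an error the client can shrug off: until resultCode 0 comes back the connection is cleartext, so a bind or any sensitive operation issued in the meantime goes out unprotected. And while CRAM-MD5 and DIGEST-MD5 keep the password off the wire, an observer can still mount an offline guessing attack against the captured HMAC, and the server must hold each password in recoverable form; both mechanisms are MD5-based and have since been deprecated (RFC 6331 moved DIGEST-MD5 to Historic), so on current systems a simple bind over TLS with a properly hashed password store is the usual replacement.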
