FIPS 140-2 Compliant Cipher Suites

During an SSL handshake, the client and server agree on a symmetric algorithm to use to encrypt data during the session. The client offers a list of cipher suites, and the server selects one from the list. For the PowerExchange network to be FIPS 140-2 compliant, the selected cipher suite must be FIPS 140-2 compliant.
On Linux, UNIX, or Windows clients or servers, PowerExchange uses the OpenSSL runtime engine. When a client and server are both using OpenSSL, the cipher suite that PowerExchange selects is FIPS 140-2 compliant.
On z/OS, AT-TLS manages SSL sessions. The order of cipher suites in the TTLSCipherParms statement in the AT-TLS policy file is important. The server selects the first cipher suite in the list that matches one offered by the client. In this process, ciphers are identified using hexadecimal cipher suite numbers.
To ensure that a z/OS server selects a FIPS 140-2 compliant cipher suite, verify that the first cipher suite in the TTLSCipherParms list matches one of the FIPS 140-2 compliant cipher suites that OpenSSL supports.
The following table is a partial list of FIPS 140-2 compliant cipher suites that OpenSSL and AT-TLS both support:
| OpenSSL Cipher Suite Name | AT-TLS Cipher Suite Name          | Hexadecimal Value |
|---------------------------|-----------------------------------|-------------------|
| DHE-RSA-AES256-SHA        | TLS_DHE_RSA_WITH_AES_256_CBC_SHA  | 39                |
| DHE-DSS-AES256-SHA        | TLS_DHE_DSS_WITH_AES_256_CBC_SHA  | 38                |
| AES256-SHA                | TLS_RSA_WITH_AES_256_CBC_SHA      | 35                |
| EDH-RSA-DES-CBC3-SHA      | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 16                |
| EDH-DSS-DES-CBC3-SHA      | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 13                |
| DES-CBC3-SHA              | TLS_RSA_WITH_3DES_EDE_CBC_SHA     | 0A                |
| DHE-RSA-AES128-SHA        | TLS_DHE_RSA_WITH_AES_128_CBC_SHA  | 33                |
| DHE-DSS-AES128-SHA        | TLS_DHE_DSS_WITH_AES_128_CBC_SHA  | 32                |
| AES128-SHA                | TLS_RSA_WITH_AES_128_CBC_SHA      | 2F                |
For a complete list of algorithms that AT-TLS supports, see the AT-TLS documentation. For a complete list of algorithms that OpenSSL supports on your machine, run the PWXUSSL utility on Linux, UNIX, and Windows. For a complete list of algorithms supported by your z/OS system, run the PWXUGSK utility. For more information about PWXUSSL and PWXUGSK, see the PowerExchange Utilities Guide.
The optional, no-charge CPACF feature available on IBM System z machines provides machine instructions to accelerate hashing algorithms and symmetric key encryption and decryption used with SSL. For performance reasons, you may wish to use only those cryptographic suites for which hardware assists are available. For example, CPACF supports AES-128 on z9 and later machines and AES-256 on z10 and z196 machines.
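
The first-cipher check described above can be scripted. The following Python sketch is an added example, not part of the PowerExchange documentation: it reads AT-TLS policy text and reports whether the first cipher suite in each TTLSCipherParms statement is one of the suites in the table. The policy syntax it parses (V3CipherSuites entries, # comments), the statement names PwxGood and PwxBad, and the sample policy are assumptions made for the example.

```python
import re

# Rows of the table on this page: (OpenSSL name, AT-TLS name, hex value).
FIPS_SUITES = [
    ("DHE-RSA-AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "39"),
    ("DHE-DSS-AES256-SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "38"),
    ("AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "35"),
    ("EDH-RSA-DES-CBC3-SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "16"),
    ("EDH-DSS-DES-CBC3-SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "13"),
    ("DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "0A"),
    ("DHE-RSA-AES128-SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "33"),
    ("DHE-DSS-AES128-SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "32"),
    ("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "2F"),
]
OPENSSL_BY_ATTLS = {attls: ossl for ossl, attls, _ in FIPS_SUITES}
OPENSSL_BY_HEX = {hexv: ossl for ossl, _, hexv in FIPS_SUITES}

# Assumed policy syntax: named TTLSCipherParms blocks in braces, one
# V3CipherSuites entry per line (name or 2-character hex), '#' comments.
BLOCK_RE = re.compile(r"\bTTLSCipherParms\s+(\S+)\s*\{(.*?)\}", re.S | re.I)
SUITE_RE = re.compile(r"\bV3CipherSuites\s+(\S+)", re.I)

def check_first_suites(policy_text):
    """Map each TTLSCipherParms name to (first suite, OpenSSL name or None)."""
    text = re.sub(r"#.*", "", policy_text)  # drop comments to end of line
    results = {}
    for name, body in BLOCK_RE.findall(text):
        suites = SUITE_RE.findall(body)  # kept in policy-file order
        first = suites[0].upper() if suites else None
        openssl = OPENSSL_BY_ATTLS.get(first) or OPENSSL_BY_HEX.get(first)
        results[name] = (first, openssl)
    return results

# Constructed sample policy, not taken from a real system.
SAMPLE_POLICY = """
TTLSCipherParms PwxGood
{
  V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
TTLSCipherParms PwxBad
{
  V3CipherSuites 05      # not in the table, listed first
  V3CipherSuites 35
}
"""

if __name__ == "__main__":
    for name, (first, openssl) in check_first_suites(SAMPLE_POLICY).items():
        status = f"matches OpenSSL {openssl}" if openssl else "NOT in the table"
        print(f"{name}: first suite {first}: {status}")
```

Because the table is a partial list, a "NOT in the table" result means the first suite needs a manual check against the PWXUSSL and PWXUGSK output, not that it is necessarily non-compliant.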
