The IBM i 7.2 release is absolutely loaded with new System SSL capabilities. There are a couple of major new features available only starting with the 7.2 release. There is also a subset of the 7.2 capabilities that escaped from the Rochester development lab last year as part of 7.1 TR6. That early content was baked into 7.2 before it found its way to 7.1. February's System SSL blog remains relevant as the discussion turns to the 7.2 release; what you'll notice for that content is that how and when the new function is enabled has changed at the 7.2 release boundary.
All of the various changes were made to improve network security as it relates to IBM i. We're all familiar with the overall data security built into the IBM i architecture; however, protecting the data as it enters and leaves the system is equally important.
Many of the shiny new System SSL features are enabled and activated automatically on a 7.2 system to improve the security attributes for all users without requiring any of them to take an explicit action. Maintaining a high degree of backward and forward compatibility has always been a calling card for IBM i since the first day the AS/400 rolled off the dock. When discussing security, backward compatibility can often be spelled "weakest link." Regardless of how many new security capabilities are enabled, the system's security strength is determined by the oldest and weakest abilities that remain enabled. Many of you experience that firsthand each time a security audit of the system spits out its weekly report of recommendations.
Transport Layer Security (TLS) version 1.2 is now enabled and activated by default with the 7.2 release for almost all System SSL applications. That was not the case for TLSv1.2 in 7.1 TR6. Another significant change is that SSLv3 is disabled by default on all 7.2 systems that haven't modified the system value that controls the protocols (QSSLPCL).
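The weakest-link point above, applied to the QSSLPCL system value, as an added Python illustration that is not part of the original post or IBM's code: it expands a QSSLPCL setting into the explicit protocol list, ranks the entries, and reports the oldest protocol a peer could still negotiate. The *OPSYS expansion used for 7.2 (TLSv1.2, TLSv1.1, TLSv1.0 and no SSLv3) is an assumption consistent with the post, not a quotation of IBM documentation.

```python
# Added illustration of the "weakest enabled protocol" rule for IBM i QSSLPCL.
# Not IBM code. The *OPSYS expansion below is an assumption for 7.2.

# Protocols ordered from weakest to strongest, using the QSSLPCL spellings.
PROTOCOL_RANK = ["*SSLV2", "*SSLV3", "*TLSV1", "*TLSV1.1", "*TLSV1.2"]

# Assumed expansion of *OPSYS on an unmodified 7.2 system (no SSLv3).
OPSYS_72 = ["*TLSV1.2", "*TLSV1.1", "*TLSV1"]


def expand_qsslpcl(value, opsys=OPSYS_72):
    """Turn a QSSLPCL setting into the explicit list of enabled protocols."""
    tokens = value.upper().split()
    if tokens == ["*OPSYS"]:
        return list(opsys)
    unknown = [t for t in tokens if t not in PROTOCOL_RANK]
    if unknown:
        raise ValueError("unrecognised QSSLPCL entries: " + ", ".join(unknown))
    return tokens


def weakest_enabled(protocols):
    """The oldest protocol a peer can still force; this sets the floor."""
    return min(protocols, key=PROTOCOL_RANK.index)


def audit_qsslpcl(value):
    """Report the effective floor and the findings an audit would raise."""
    enabled = expand_qsslpcl(value)
    floor = weakest_enabled(enabled)
    findings = []
    legacy = [p for p in enabled if p in ("*SSLV2", "*SSLV3")]
    if legacy:
        findings.append("legacy SSL protocol(s) enabled: " + ", ".join(legacy))
    if "*TLSV1.2" not in enabled:
        findings.append("TLSv1.2 is not enabled")
    return {"enabled": enabled, "floor": floor, "findings": findings}


if __name__ == "__main__":
    # Constructed settings: the 7.2 default and two compatibility-style lists.
    for setting in ("*OPSYS", "*TLSV1.2 *TLSV1 *SSLV3", "*TLSV1.1 *TLSV1"):
        print(setting, "->", audit_qsslpcl(setting))
```

Keeping *SSLV3 in the list for one old client drops the whole system's floor to SSLv3, which is exactly what the audit report will flag.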
Elliptic Curve Cryptography (ECC) is a major new capability available for the first time with 7.2 System SSL. The big players in Internet content delivery are quickly moving to ECC. ECC is enabled and activated by default for most IBM i servers; however, it's not likely to be negotiated without administrator intervention. With ECC being so new to the IBM i ecosystem, it's tactical to have administrators play a role in transitioning the network traffic to use ECC. There will be administrators who make ECC the primary algorithm used on their 7.2 systems.
I have only scratched the surface of what is new for System SSL with the 7.2 release.
Application developers can dig into even more new goodies, such as Online Certificate Status Protocol (OCSP) and Server Name Indication (SNI), by reading Knowledge Center or GSKit API documentation.
This blog post was edited to fix broken links on April 12, 2020.
This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.