The fix is shipped as file IBM.HHOP910.UI32110
The fix has rework (build) date 2015289 (16 Oct 2015)
The following fixes are prerequisites for this fix:
These prerequisites can be downloaded from the Developer for System z Recommended Fixes page, if not included as file IBM.HHOP910.<prereq>.
Steps required to install the fix:
A sequential data set must be allocated on the z/OS system to receive the fix that you will upload from your workstation. You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
```
//ALLOC    EXEC PGM=IEFBR14
//*
//UI32110  DD DSN=hlq.IBM.HHOP910.UI32110,
//            DISP=(NEW,CATLG,DELETE),
//            DSORG=PS,
//            RECFM=FB,
//            LRECL=80,
//            UNIT=SYSALLDA,
//*           VOL=SER=volser,
//*           BLKSIZE=6160,
//            SPACE=(TRK,(519,100))
//*
```
Upload the file in binary format from your workstation to the z/OS data set. On a Windows system, you can use FTP from a command prompt to upload the file. In the sample dialog shown below, commands or other information entered by the user are in bold, and the following values are assumed:
| User enters | Value |
|---|---|
| mvsaddr | TCP/IP address of the z/OS system |
| tsouid | Your TSO user ID |
| tsopw | Your TSO password |
| d: | Your drive containing the fix files |
| hlq | High-level qualifier that you used for the data set that you allocated in the job above |
```
C:\>ftp mvsaddr
Connected to mvsaddr.
220-FTPD1 IBM FTP CS %version% at mvsaddr, %time% on %date%.
220 Connection will close if idle for more than 60 minutes.
User (mvsaddr:(none)): tsouid
331 Send password please.
Password: tsopw
230 tsouid is logged on.  Working directory is "tsouid.".
ftp> cd ..
250 "" is the working directory name prefix.
ftp> cd hlq
250 "hlq." is the working directory name prefix.
ftp> binary
200 Representation type is Image
ftp> put d:\IBM.HHOP910.UI32110
200 Port request OK.
125 Storing data set hlq.IBM.HHOP910.UI32110
250 Transfer completed successfully
28934800 bytes sent in 0.28 seconds
ftp> quit
221 Quit command received. Goodbye.
```
```
++HOLD(UI32110) SYS FMID(HHOP910) REASON(ACTION) DATE(15289)
  COMMENT (
By default Rational Developer for System z relies on System SSL
defaults for active cipher suites. System SSL enables some ciphers
that are now known to be insecure.

The DH, and DHE ciphers are (Logjam attack):
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA   (13 or 0013)
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA    (32 or 0033)
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (40 or 0040)
  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (A4 or 00A4)
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA    (38 or 0038)
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (6A or 006A)
  TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (A3 or 00A3)
  TLS_DHE_DSS_WITH_DES_CBC_SHA        (12 or 0012)
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   (16 or 0016)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA    (33 or 0032)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (67 or 0067)
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (9E or 009E)
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA    (39 or 0039)
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (6B or 006B)
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (9F or 009F)
  TLS_DHE_RSA_WITH_DES_CBC_SHA        (15 or 0015)

The RC4 ciphers are (Bar Mitzvah attack):
  TLS_RSA_WITH_RC4_40_MD5             ("03" or "0003")
  TLS_RSA_WITH_RC4_128_MD5            ("04" or "0004")
  TLS_RSA_WITH_RC4_128_MD5            ("05" or "0005")
  TLS_ECDH_ECDSA_WITH_RC4_128_SHA     ("C002")
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA    ("C007")
  TLS_ECDH_RSA_WITH_RC4_128_SHA       ("C00C")
  TLS_ECDHE_RSA_WITH_RC4_128_SHA      ("C011")

The RSA-EXPORT ciphers are (FREAK attack):
  TLS_RSA_EXPORT_WITH_RC4_40_MD5      ("03" or "0003")
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  ("06" or "0006")

Rational Developer for System z has two components that utilize
System SSL:
  * RSE, which is used when a client connects to the host.
    Applying this service will disable the listed ciphers.
  * Debug Manager, by means of an AT-TLS policy. You must create a
    file holding the GSK_V3_CIPHER_SPECS environment variable and
    reference it via the Envfile keyword in the
    TTLSGroupAdvancedParms section of the policy.

You can explicitly disable the usage of the listed ciphers by
adding the GSK_V3_CIPHER_SPECS environment variable to rsed.envvars
and the AT-TLS policy, ensuring that the environment variable
character string does not include "12", "13", "15", "16", "32",
"33", "38", "39", "40", "67", "6A", "6B", "9E", "9F", "A3", or
"A4".

Notes:
  * The RSED started task must be recycled for changes in
    rsed.envvars to be picked up.
  * The AT-TLS policy must be re-activated for the update to be
    picked up.

****************************************************************
* Affected function: RSE daemon                                *
****************************************************************
* Description: PARMLIB(IFAPRDxx) update                        *
****************************************************************
* Timing: pre-APPLY                                            *
****************************************************************
* Part: sys1.parmlib(IFAPRDxx)                                 *
****************************************************************

After applying this fix, Rational Developer For System z will
register with z/OS during startup. If registration fails, for
example because RDz is disabled in SYS1.PARMLIB(IFAPRDxx), startup
of RDz will fail also.

If you purchased Developer for System z as part of product code
5697-CDT, IBM Enterprise COBOL Suite for z/OS, V1.1 (or later), and
have not already done so for another program in product code
5697-CDT, include an entry in the IFAPRDxx parmlib member to enable
the related programs. Define PROD=xx in the IEASYSxx parmlib member
to specify which IFAPRDxx parmlib member should be used during IPL.

Specify the following in IFAPRDxx to define Enterprise COBOL Suite
for z/OS (product code 5697-CDT):

  PRODUCT OWNER('IBM CORP')
          NAME('IBM COBOL SUITE')
          ID(5697-CDT)
          VERSION(*) RELEASE(*) MOD(*)
          FEATURENAME(*)
          STATE(ENABLED)

Alternatively and optionally, if you purchased Developer for
System z separately (NOT part of Enterprise COBOL Suite for z/OS),
you may include an entry in the IFAPRDxx parmlib member for
Developer for System z using the stand-alone product code,
5724-T07:

  PRODUCT OWNER('IBM CORP')
          NAME('IBM RDZ')
          ID(5724-T07)
          VERSION(*) RELEASE(*) MOD(*)
          FEATURENAME(*)
          STATE(ENABLED)

After the IFAPRDxx parmlib member is updated, it can be activated
dynamically (until the next IPL) with the following console
command:

  SET PROD=xx

****************************************************************
* Affected function: console messages                          *
****************************************************************
* Description: changed message, FEK120E                        *
****************************************************************
* Timing: post-APPLY                                           *
****************************************************************
* Part: n/a                                                    *
****************************************************************

This maintenance introduces a new console message:

  FEK120E REGISTRATION HAS BEEN DENIED FOR PRODUCT WITH {0} DUE
          TO {1}

****************************************************************
* Affected function: Integrated Debugger                       *
****************************************************************
* Description: block insecure ciphers in AT-TLS                *
****************************************************************
* Timing: post-APPLY                                           *
****************************************************************
* Part: n/a                                                    *
****************************************************************

By default Rational Developer for System z relies on System SSL
defaults for active cipher suites. System SSL enables some ciphers
that are now known to be insecure.

The DH, and DHE ciphers are (Logjam attack):
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA   (13 or 0013)
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA    (32 or 0033)
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (40 or 0040)
  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (A4 or 00A4)
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA    (38 or 0038)
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (6A or 006A)
  TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (A3 or 00A3)
  TLS_DHE_DSS_WITH_DES_CBC_SHA        (12 or 0012)
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   (16 or 0016)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA    (33 or 0032)
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (67 or 0067)
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (9E or 009E)
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA    (39 or 0039)
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (6B or 006B)
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (9F or 009F)
  TLS_DHE_RSA_WITH_DES_CBC_SHA        (15 or 0015)

The RC4 ciphers are (Bar Mitzvah attack):
  TLS_RSA_WITH_RC4_40_MD5             ("03" or "0003")
  TLS_RSA_WITH_RC4_128_MD5            ("04" or "0004")
  TLS_RSA_WITH_RC4_128_MD5            ("05" or "0005")
  TLS_ECDH_ECDSA_WITH_RC4_128_SHA     ("C002")
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA    ("C007")
  TLS_ECDH_RSA_WITH_RC4_128_SHA       ("C00C")
  TLS_ECDHE_RSA_WITH_RC4_128_SHA      ("C011")

The RSA-EXPORT ciphers are (FREAK attack):
  TLS_RSA_EXPORT_WITH_RC4_40_MD5      ("03" or "0003")
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  ("06" or "0006")

Rational Developer for System z has two components that utilize
System SSL:
  * RSE, which is used when a client connects to the host.
    Applying this service will disable the listed ciphers.
  * Debug Manager, by means of an AT-TLS policy. You must create a
    file holding the GSK_V3_CIPHER_SPECS environment variable and
    reference it via the Envfile keyword in the
    TTLSGroupAdvancedParms section of the policy.

You can explicitly disable the usage of the listed ciphers by
adding the GSK_V3_CIPHER_SPECS environment variable to rsed.envvars
and the AT-TLS policy, ensuring that the environment variable
character string does not include "12", "13", "15", "16", "32",
"33", "38", "39", "40", "67", "6A", "6B", "9E", "9F", "A3", or
"A4".

Notes:
  * The RSED started task must be recycled for changes in
    rsed.envvars to be picked up.
  * The AT-TLS policy must be re-activated for the update to be
    picked up.

****************************************************************
* Affected function: RSE                                       *
****************************************************************
* Description: new environment variables                       *
****************************************************************
* Timing: pre-APPLY                                            *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars                      *
*       [/etc/rdz/rsed.envvars]                                *
****************************************************************

This fix updates the sample rsed.envvars by making the following
directives not customizable:

  _RSE_HOST_CODEPAGE=Cp1047

The _RSE_HOST_CODEPAGE directive is used for internal server
processing, and the Cp1047 value is required for Java J8.0 support.

****************************************************************
* Affected function: RSE                                       *
****************************************************************
* Description: new environment variables                       *
****************************************************************
* Timing: post-APPLY                                           *
****************************************************************
* Part: /usr/lpp/rdz/samples/rsed.envvars                      *
*       [/etc/rdz/rsed.envvars]                                *
****************************************************************

This fix updated sample file rsed.envvars. Redo your
customizations, if any, after applying this maintenance.).
```
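The HOLD text above tells you to make sure the GSK_V3_CIPHER_SPECS string, both in rsed.envvars and in the file referenced by the AT-TLS Envfile keyword, contains none of the listed 2-character codes. The following script is an added check for that rule; it is not IBM code and is not shipped with the fix. It assumes the 2-character System SSL cipher-code form of GSK_V3_CIPHER_SPECS (a concatenation of two-hex-digit codes) and splits the value by position rather than doing a substring search, because a substring search matches across code boundaries (for example "A3" inside "0A3C", which is really the codes 0A and 3C). The rsed.envvars excerpt and the cipher strings it scans are constructed sample input, and the function names are chosen for this example.

```python
# Added example (not IBM-supplied): check a GSK_V3_CIPHER_SPECS value against
# the cipher codes the HOLD text says must not appear. Assumes the 2-character
# System SSL cipher-code form of GSK_V3_CIPHER_SPECS, i.e. a concatenation of
# two-hex-digit codes such as "352F3C3D".
import re

# Codes the HOLD text lists as not allowed (2-character form).
DISALLOWED = {
    "12", "13", "15", "16", "32", "33", "38", "39",
    "40", "67", "6A", "6B", "9E", "9F", "A3", "A4",
}


def split_cipher_specs(value):
    """Split a GSK_V3_CIPHER_SPECS string into its 2-character cipher codes."""
    value = value.strip().strip("'\"").upper()
    if len(value) % 2 or not re.fullmatch(r"[0-9A-F]*", value):
        raise ValueError(f"not a 2-character cipher spec string: {value!r}")
    return [value[i:i + 2] for i in range(0, len(value), 2)]


def disallowed_ciphers(value):
    """Return the disallowed codes present in the value, in order of appearance."""
    return [code for code in split_cipher_specs(value) if code in DISALLOWED]


def strip_disallowed(value):
    """Return the value with the disallowed codes removed, order preserved."""
    return "".join(c for c in split_cipher_specs(value) if c not in DISALLOWED)


def check_envvars(text):
    """Scan an envvars-style file body (VAR=value lines, '#' comments) for
    GSK_V3_CIPHER_SPECS. Returns (found, value, disallowed_codes)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):  # tolerate shell-style export
            line = line[len("export "):].lstrip()
        name, sep, value = line.partition("=")
        if sep and name.strip() == "GSK_V3_CIPHER_SPECS":
            value = value.strip().strip("'\"")
            return True, value, disallowed_ciphers(value)
    # Variable absent: System SSL defaults apply, which the HOLD says still
    # enable the weak ciphers unless the fix or the AT-TLS policy disables them.
    return False, None, []


# Constructed sample rsed.envvars excerpt (not the IBM sample file).
SAMPLE_ENVVARS = """\
# constructed excerpt for this example
_RSE_HOST_CODEPAGE=Cp1047
GSK_V3_CIPHER_SPECS=35330A3C2F
"""

if __name__ == "__main__":
    found, value, bad = check_envvars(SAMPLE_ENVVARS)
    print(f"found={found} value={value} disallowed={bad}")
    if bad:
        print("value with listed codes removed:", strip_disallowed(value))
    # Boundary case: a substring test flags "A3" here, but the codes are 0A and 3C.
    print("substring says A3 present:", "A3" in "350A3C2F",
          "| by position:", disallowed_ciphers("350A3C2F"))
```

Run it against a copy of rsed.envvars and against the Envfile referenced from the TTLSGroupAdvancedParms section; a non-empty list means the file still names a cipher the HOLD tells you to exclude, and `found=False` means the variable is absent and System SSL defaults are in effect for that component.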
SMP/E ACCEPT the prerequisites to facilitate an easy backout of the fix, if required. Note that once accepted, you cannot back out the accepted prerequisites.
This step can be skipped if there are no prerequisites, or if there is a reason to not make a prerequisite permanent.
You can accept the prerequisites by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
```
//*
//* Change #globalcsi to the data set name of your global CSI.
//* Change #dzone to your CSI distribution zone name.
//*
//ACCEPT   EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
  SET BOUNDARY(#dzone) .
  ACCEPT SELECT(
    UI26082
    UI23762
  ) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
```
SMP/E RECEIVE and APPLY the fix.
You can do this by submitting the job below. Add a job card and modify the parameters to meet your site's requirements before submitting.
```
//*
//* Change hlq to the high level qualifier used to upload the fix.
//* Change (2x) #globalcsi to the data set name of your global CSI.
//* Change #tzone to your CSI target zone name.
//*
//RECEIVE  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPPTFIN DD DISP=SHR,DSN=hlq.IBM.HHOP910.UI32110
//SMPCNTL  DD *
  SET BOUNDARY(GLOBAL) .
  RECEIVE SELECT(UI32110) SYSMODS LIST .
//*
//APPLY    EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=OLD,DSN=#globalcsi
//SMPCNTL  DD *
  SET BOUNDARY(#tzone) .
  APPLY SELECT(UI32110) REDO COMPRESS(ALL) BYPASS(HOLDSYS,HOLDERROR).
//*
```
Restart started tasks to activate changes.