Rule ID
SV-251656r1212354_rule
Version
V2R2
CCIs
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. The data owner is responsible for assessing the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards. For detailed information, refer to NIST FIPS Publication 140-3, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS compliant.
Verify that connection to IDMS is FIPS compliant.
1. For ODBC and JDBC Type 2 connections:
a. Configure the Data Source to enable the DTS-JCLI logging option.
b. Perform a connection test using the "Test" function on the administrator.
c. View the generated log entries to determine the TLS version, cipher algorithm, and certificate employed.
2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) successful!
2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) connection attempts: 1
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) TLS version TLSv1.2
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) cipher TLS_RSA_WITH_AES_256_CBC_SHA256 (this should be one or more of the accepted ciphers)
Cipher Specifications
What TLS cipher suites are allowed in the FIPS 140-3 standard?
The following suites are allowed for the TLS 1.3 protocol:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
The following suites are allowed for the TLS 1.2 protocol:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Connection is not verified this is a finding.
2. For all connection types: IBM provides configuration options for multiple SSL components to force FIPS-140 compliance.
a. System SSL: The environment variable GSK_FIPS_STATE specifies GSK_FIPS_STATE_ON in the envar file in the GSKSRVR home directory or message "GSK01057I SSL server starting in FIPS mode" is in the JES log.
b. ICFS: Review the JES log for the ICSF region to verify the following message is issued on startup:
CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
If either of the above is true, this is not a finding.
If none of the above is true, this is a finding.Contact the appropriate system administrators to make the needed changes to allow the use of AT-TLS and the associated software. Refer to Broadcom Techdocs for further information on: - Configuring Secure Sockets. Refer to IBM's z/OS Communications Server bookshelf for information on: - Configuring AT-TLS. Refer to IBM's z/OS Cryptographic Services System bookshelf for information on: - Algorithms and key sizes. - System SSL. - ICSF Services.