IBM i and POODLE
I am sure you are all sick and tired of all this security stuff surrounding this latest ‘big thing’. The world of security has continued to be ‘fun’. For several of the security issues IBM i impact was relatively minimal. Well, with POODLE (which stands for Padding Oracle On Downgraded Legacy Encryption ) security concerns, the IBM i was affected. The fixes for this on IBM i have now all been approved. I don’t normally write much on these security issues, but for this one, I think we need to make sure you understand what is going on and how to make sure your system is safe from POODLE and ensure your applications still continue to work.
First, I want to start with a list of important links. There are a number of key places to get information.
- • IBM i Security Bulletin – (I will update the link once published) This bulletin contains details and links for all aspects of IBM i including:
- o Core IBM i Operating System
- o Java on IBM i
- o IBM HTTP Server for i
- o Domino
- o Traveler
- o Sametime
- o Access Client Solutions & iAccess for Windows
- • Java updates –
- • Service – Java POODLE FAQ
- • IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability (CVE-2014-3556) This is the general IBM Java information.
http://www-01.ibm.com/support/docview.wss?uid=swg21688165 OK, if you actually get through all of those, I am impressed! Lots of details for this mess.
To help with the short version lets cover the basics. First, there is NO fix for the POODLE security vulnerability in SSLv3. Yea, that seems harsh, but that is the reality. So, what do you do to not be affected? Easy, don’t use SSLv3. It’s time to move to one of the newer options available when it comes to SSL. This is where the newer TLS options come into play.
The IBM i Operating Systems includes SSL as part of the base support. The System SSL is accessible to application developers form the following programing interfaces and JSSE implementation:
- Global Security Kit (GSKit) APIs
- Integrated IBM i SSL_ APIs
- Integrated IBM i JSSE implementation (IBMi5OSJSSEProvider)
Since SSL is provided at the system level it can also be controlled through the use of the correct system values. The system values can be used to ensure that from a system perspective you are using the correct type of SSL. i.e. Not using SSLv3 but rather using TLS support for example. Here is where things get a little sticky, for IBM i 7.2 the default for the system is to not use SSLv3, that is a good thing. But, for IBM i 7.1 and IBM i 6.1 that is not the case. For these releases if you want to ensure SSLv3 is not used you need to change the system value to turn it off.
When you turn SSLv3 off completely, be aware applications on your system may stop working!! There are often applications that are explicitly using SSLv3 and will not work until you take and update the applications to use a new version of SSL. So don’t be overly surprised if you run into difficulties! It’s best to read the details in the security bulletin, but for those that just hate reading (so why again are you reading this then??) Here are the shortcuts to the commands to update the system values to turn SSLv3 off.
USE THESE WITH CAUTION.
CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(*OPSYS)
CHGSYSVAL SYSVAL(QSSLPCL) VALUE('*TLSV1')
There are specific updates for the world of Java. The big one is a change in default behavior. In the past (before SSLv3 was consider so evil), the default for Java was to use SSLv3 if it was available and configured. Well, that is no longer the case. With the PTFs that have been created for this issue, the IBM Java team has changed the default for all versions of Java. This means that the latest updates to IBM Java on ALL platforms (IBM i included) will now not allow the use of SSLv3 by default. You will need to follow the instructions detailed in the IBM Java security bulletin to explicitly enable SSLv3 for the application. This is another one of those cases where after you install the latest Java PTF Group, your Java applications ‘may’ stop working. If that happens, it means you need to update your application to use TLS or you need to explicitly update to allow SSLv3 ( of course, this means you are running with a potential security vulnerability)
Here may be one of the good things this POODLE mess caused. I have been asked by our Domino community many times for when we would be able to support TLS for Domino. Well, the answer is NOW!! With the POODLE mess, the Domino team took the correct actions and now support TLS. Details on what you need to do to enable TLS are all found at the Domino security links. These can be found in the IBM i Security Bulletin.
Bottom line, it’s time to get your systems updated to use the latest SSL support that is secure. While it may cause you some difficulties in the short term, be aware that as new version of Browsers become available, there is going to be a time in the near term where SSLv3 may be completely blocked by the browser! I do strongly recommend spending some time reading the Security Bulletins and get started on this new path.