From z/OS RACF STIG
Part of ITNT0050
Associated with IA controls: DCCS-1, DCCS-2, ECTM-1, ECMT-2
During the SSL connection process a mutually acceptable encryption algorithm is selected by the server and client. This algorithm is used to encrypt the data that subsequently flows between the two. However, the level or strength of encryption can vary greatly. Certain configuration options can allow no encryption to be used and others can allow a relatively weak 40-bit algorithm to be used. Failure to properly enforce adequate encryption strength could result in the loss of data privacy.
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. Automated Analysis Refer to the following report produced by the IBM Communications Server Data Collection: - PDI(ITNT0050) If the following items are in effect for the configuration specified in the TCP/IP Profile configuration file, this is not a finding. NOTE: If an INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. NOTE: FIPS 140-2 minimum encryption is the accepted level of encryption and will override this requirement if greater. ___ The TELNETGLOBALS block that specifies an ENCRYPTION statement states one or more of the below cipher specifications. ___ Each TELNETPARMS block that specifies the SECUREPORT statement, specifies an ENCRYPTION statement states one or more of the below cipher specifications. And the TELNETGLOBALS block does or does not specify an ENCRYPTION statement. Cipher Specifications SSL_3DES_SHA SSL_AES_256_SHA SSL_AES_128_SHA
The IAO will ensure the system programmer will review the SECUREPORT and TELNETPARMS ENCRYPTION statements and/or the TELNETGLOBALS statement in the PROFILE.TCPIP file. Ensuring that they conform to the requirements specified below. The TELNETGLOBALS block may specify an ENCRYPTION statement that specifies one or more of the below cipher specifications. Each TELNETPARMS block that specifies the SECUREPORT statement, an ENCRYPTION statement is coded with one or more of the below cipher specifications. And the TELNETGLOBALS block does or does not specify an ENCRYPTION statement. To prevent the use of non FIPS 140-2 encryption, the TELNETGLOBALS block and/or each TELNETPARMS block that specifies an ENCRYPTION statement will specify one or more of the following cipher specifications: Cipher Specifications SSL_3DES_SHA SSL_AES_256_SHA SSL_AES_128_SHA Note: Always check for the minimum allowed in FIPS 140-2.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer