Check: IBMZ-VM-001050
IBM zVM STIG: IBMZ-VM-001050 (in version v1 r0.1)
Title
IBM z/VM TCP/IP must be configured to use encryption. (Cat II impact)
Discussion
The Secure Socket Layer (SSL) server provides processing support for secure (encrypted) communication between remote clients and z/VM TCP/IP application servers that are configured for secure communications. The TCP/IP (stack) server routes requests for secure connections to an SSL server, which interacts with a client on behalf of an application server to perform handshake operations and the exchange of cryptographic parameters for a secure session. The SSL server then manages the encryption and decryption of data for an established, secure session.

Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Check Content
Examine the “SSLSERVERID” statement in the TCP/IP server configuration file. If the “SSLSERVERID” statement identifies at least one User ID for an SSL server, this is not a finding.
Fix Text
Configure the “SSLSERVERID” statement to force auto logging of an SSL server before all other servers in the “AUTOLOG” list.
Additional Identifiers
Rule ID:
Vulnerability ID: IBMZ-VM-001050
Group Title:
CCIs
Number | Definition |
---|---|
CCI-002421 | The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
Controls
Number | Title |
---|---|
SC-8 (1) | Cryptographic Or Alternate Physical Protection |