The Print SSL Trace Data (PRTSSLTRC) command

I think the most common reason for investigating a server’s SSL connections and the protocol version associated with these connections is tightly related to audit and compliance. The type of encryption applied to your SSL traffic can be more or less vulnerable, depending on the cipher algorithms involved.

In general you have two considerations to weigh: the older an encryption algorithm is, the more vulnerable it tends to be, either because weaknesses have been identified in the algorithm itself or because newer, more powerful CPUs make brute-force attacks against it feasible. On the other hand, allowing only the newest and strongest algorithms might prevent you from connecting to servers that do not yet support them.

On the System i there are three system values that configure and enforce the SSL attributes of your server:

System Value  Type   Description
QSSLCSL       *SEC   Secure sockets layer cipher specification list
QSSLCSLCTL    *SEC   Secure sockets layer cipher control
QSSLPCL       *SEC   Secure sockets layer protocols

The QSSLCSL system value defines and orders the cipher algorithms applied by your system when SSL connections are initiated. The QSSLCSLCTL system value specifies whether the QSSLCSL system value is controlled by the system or by you. The QSSLPCL system value specifies the SSL protocol versions supported by your system; the SSL protocol version defines the sets (or generations) as well as the order of the cipher algorithms accepted by your system.

The default values for these system values are release dependent; the 7.2 defaults are stricter than those of 7.1. Auditors are therefore interested in: a) which SSL protocol versions your server accepts (as defined by the system values mentioned above), and b) which protocol versions and cipher suites are actually applied to the SSL connections run on your system. For the latter there are the two options discussed in my earlier e-mail: the SSLCONFIG option in Service Tools, which gives you the total number of connections per SSL protocol version, and the more recent facility introduced by PTF, the Trace Internal (TRCINT) command's *SCKSSL trace type, which provides detailed information for each SSL connection, identifying the job, cipher suite and application involved.

The PRTSSLTRC command allows you to produce reports based on the output file created by the TRCINT command. Using the selection criteria supported by the PRTSSLTRC command you can tailor these reports to meet specific needs, as dictated by your auditors' questionnaires or by your own proactive curiosity, for example when you want to change the aforementioned system values and want to assess and manage the impact beforehand.

The trace records formatted and queried by the PRTSSLTRC command are produced by the Trace Internal (TRCINT) command, and for the required *SCKSSL trace option to work, the following PTF must be applied for the appropriate release:

Release  PTF
610      MF59767
611      MF59784
710      MF59800
720      MF59777

Please refer to the following IBM on-line technote documentation for more details:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594

Once you have installed the PTF you can trace all SSL protocol versions by issuing the following command to start the trace:

  TRCINT SET(*ON)
         TRCTBL('SSL-1700x')
         SIZE(512 *MB)
         TRCTYPE(*SCKSSL)
         SLTTRCPNT((17000 17009))

Wait the desired period of time for new SSL connections to establish and end the trace with the command to output trace data to a spooled file:

  TRCINT SET(*OFF)
         TRCTBL('SSL-1700x')
         OUTPUT(*PRINT)

Or, in order to employ the PRTSSLTRC command to format and query the trace data, output the trace data to a physical file:

  TRCINT SET(*OFF)
         TRCTBL('SSL-1700x')
         OUTPUT(*OUTFILE)
         OUTFILE(QGPL/SSL1700X)
         OUTMBR(*FIRST *REPLACE)

The above command will produce a trace output file by the name of SSL1700X in library QGPL. The qualified name of this file should be submitted as the primary parameter for the PRTSSLTRC command.

To clean up the above trace and release the associated resources, run the following command:

  TRCINT SET(*END) 
         TRCTBL('SSL-1700x')

Note that the above command will not delete the trace output file. The responsibility for this effort remains with you, at the point where you no longer require to process or retain the trace output file.

Here's what the PRTSSLTRC command prompt looks like:

                        Print SSL Trace Data (PRTSSLTRC)

 Type choices, press Enter.

 Trace file . . . . . . . . . . .              Name
   Library  . . . . . . . . . . .    *LIBL     Name, *LIBL, *CURLIB
 Time period for trace output:
   Start time and date:
   Beginning time . . . . . . . .  *AVAIL      Time, *AVAIL
   Beginning date . . . . . . . .  *CURRENT    Date, *CURRENT, *BEGIN
   End time and date:
   Ending time  . . . . . . . . .  *AVAIL      Time, *AVAIL
   Ending date  . . . . . . . . .  *CURRENT    Date, *CURRENT, *END
 Protocol version . . . . . . . .  *ALL        *ALL, *TLSV1.2, *TLSV1.1..
                + for more values
 Include:
   Cipher suite . . . . . . . . .  *ALL
   IP address . . . . . . . . . .  *ALL
 Output queue . . . . . . . . . .  *JOB        Name, *JOB
   Library  . . . . . . . . . . .              Name, *LIBL, *CURLIB

As long as you retain the trace output file generated by the TRCINT SET(*OFF) command, you can keep creating reports from the data. To narrow the report to certain periods of time, protocol versions, IP addresses or cipher suites, specify the criteria defining the subset of interest as input to the corresponding command parameters.

The PRTSSLTRC command and all its parameters are documented in detail by the associated on-line help text panel group.

For more information on IBM i and SSL concepts please refer to:

SSL Concepts 7.2
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzain/rzainconcepts.htm

SSL Concepts 7.1
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzain/rzainconcepts.htm

The SEC107T CL-program is a separate program that continuously outputs trace records to the trace output file, clears the trace table and restarts the trace.

If run on a daily basis this program keeps the trace table size down and ensures that the trace output file reflects the most recent SSL traffic on the system. The trace records are appended to the trace output file, which therefore accumulates records and grows over time.

Depending on the volume of SSL traffic, be sure to keep track of the disk space consumed by the trace output file. To format and query the SSL trace data, use the Print SSL Trace Data (PRTSSLTRC) command.
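As an added example (not part of the original post and not the SEC107T source), here is a CL program that performs the daily cycle described above in one job: it prints the three governing system values for the auditor's question a), flushes the running *SCKSSL trace to the outfile, releases the trace table and restarts the trace, which is the start/stop/end sequence shown earlier in the post run as a loop. It uses only the TRCINT parameters shown in the post; the program name SSLTRCCYC, the library parameter &LIB, the comment wording and the use of OUTMBR(*FIRST *ADD) to accumulate records across runs are my assumptions.

```cl
/* SSLTRCCYC - rotate the *SCKSSL internal trace and append the     */
/* records to an outfile (added example; names are assumptions).    */
/* Parameter &LIB: library holding the SSL1700X trace output file.  */
             PGM        PARM(&LIB)
             DCL        VAR(&LIB)   TYPE(*CHAR) LEN(10)

/* Auditor question a): snapshot of the system values that govern  */
/* which protocol versions and cipher suites the server accepts.   */
             DSPSYSVAL  SYSVAL(QSSLPCL)    OUTPUT(*PRINT)
             DSPSYSVAL  SYSVAL(QSSLCSLCTL) OUTPUT(*PRINT)
             DSPSYSVAL  SYSVAL(QSSLCSL)    OUTPUT(*PRINT)

/* Auditor question b): write the trace records collected since the */
/* last run to the outfile, appending to earlier runs.  On the very */
/* first run no trace exists yet, so SET(*OFF) fails; in that case  */
/* skip straight to starting a new trace.                           */
             TRCINT     SET(*OFF) TRCTBL('SSL-1700x') +
                          OUTPUT(*OUTFILE) +
                          OUTFILE(&LIB/SSL1700X) +
                          OUTMBR(*FIRST *ADD)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(START))

/* Release the trace table so the next SET(*ON) starts empty and    */
/* the table does not keep growing.                                 */
             TRCINT     SET(*END) TRCTBL('SSL-1700x')
             MONMSG     MSGID(CPF0000)

/* Restart the trace with the same selection as in the post.        */
START:       TRCINT     SET(*ON) TRCTBL('SSL-1700x') +
                          SIZE(512 *MB) TRCTYPE(*SCKSSL) +
                          SLTTRCPNT((17000 17009))
             ENDPGM
```

Schedule it once a day (for example with an ADDJOBSCDE entry) and keep an eye on the size of the outfile, as the post advises; the file is the only thing this cycle never deletes. Because every run appends to the same file, one PRTSSLTRC report over it can cover as many days as you choose with the time period parameters.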

The source members involved in creating the PRTSSLTRC command are listed below:

SEC107      RPGLE       Print SSL Trace Data
SEC107H     PNLGRP      Print SSL Trace Data - Help
SEC107V     RPGLE       Print SSL Trace Data - VCP
SEC107X     CMD         Print SSL Trace Data
SEC107M     CLP         Print SSL Trace Data - Build command
SEC107T     CLP         Print SSL Trace Data - Run trace continuously

The SEC107M CL program will create the utility, provided that all sources have been copied to their respective default source files and you specify the source (and utility) library as the program's only parameter.

Download the zip file containing the source code.
