I think the most common reason for investigating a server’s SSL connections and the protocol versions associated with them is closely tied to audit and compliance. The encryption applied to your SSL traffic can be more or less vulnerable, depending on the cipher algorithms involved.
In general you have two considerations to weigh: the older the encryption algorithm is, the more vulnerable it is, either because weaknesses have been identified in the algorithm itself or because newer, more powerful CPUs are able to perform brute force attacks against it. On the other hand, allowing only the newest and strongest algorithms might prevent you from connecting to servers that are not yet at your sophisticated algorithm level.
On the System i there are three system values to configure and enforce the SSL attributes of your server:
System Value   Type   Description
QSSLCSL        *SEC   Secure sockets layer cipher specification list
QSSLCSLCTL     *SEC   Secure sockets layer cipher control
QSSLPCL        *SEC   Secure sockets layer protocols
The QSSLCSL system value defines and orders the cipher algorithms applied by your system when SSL connections are initiated. The QSSLCSLCTL system value specifies whether the QSSLCSL system value is controlled by the system or by you. The QSSLPCL system value specifies the SSL protocol versions supported by your system. The SSL protocol version defines the sets (or generations) as well as the order of the cipher algorithms accepted by your system.
The default values for these system values are release dependent; the 7.2 values are more aggressive than those of 7.1. Auditors are therefore interested in: a) the SSL protocol versions accepted by your server (as defined by the system values mentioned), and b) the protocol levels and cipher suites actually applied to the SSL connections run on your system. For the latter there are the two options discussed in my earlier e-mail: the SSLCONFIG option in Service Tools, which gives you the total number of connections per SSL protocol version, and the more recent facility introduced by PTF, the Trace Internal (TRCINT) command’s *SCKSSL trace type, which provides detailed information for each SSL connection, identifying the job, cipher suite and application involved.
The PRTSSLTRC command allows you to produce reports from the output file created by the TRCINT command. Using the selection criteria supported by PRTSSLTRC, you can tailor these reports to specific needs, as dictated by your auditors’ questionnaires – or by your own proactive curiosity, for example when you want to change the aforementioned system values and want to assess and manage the impact beforehand.
The trace records formatted and queried by the PRTSSLTRC command are produced by the Trace Internal (TRCINT) command. For the required *SCKSSL trace type to work, the following PTF must be applied for the appropriate release:
Release   PTF
610       MF59767
611       MF59784
710       MF59800
720       MF59777
Please refer to the following IBM on-line technote documentation for more details:
Once you have installed the PTF you can trace all SSL protocol versions by issuing the following command to start the trace:
TRCINT SET(*ON) TRCTBL('SSL-1700x') SIZE(512 *MB) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009))
Wait the desired period of time for new SSL connections to be established, then end the trace with the following command, which writes the trace data to a spooled file:
TRCINT SET(*OFF) TRCTBL('SSL-1700x') OUTPUT(*PRINT)
Or, in order to employ the PRTSSLTRC command to format and query the trace data, output the trace data to a physical file:
TRCINT SET(*OFF) TRCTBL('SSL-1700x') OUTPUT(*OUTFILE) OUTFILE(QGPL/SSL1700X) OUTMBR(*FIRST *REPLACE)
The above command produces a trace output file named SSL1700X in library QGPL. The qualified name of this file is the primary parameter of the PRTSSLTRC command.
To clean up the above trace and release the associated resources, run the following command:
TRCINT SET(*END) TRCTBL('SSL-1700x')
Note that the above command does not delete the trace output file. Deleting it remains your responsibility, once you no longer need to process or retain it.
Here’s what the PRTSSLTRC command prompt looks like:
                       Print SSL Trace Data (PRTSSLTRC)

 Type choices, press Enter.

 Trace file . . . . . . . . . . .                 Name
   Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB
 Time period for trace output:
   Start time and date:
     Beginning time . . . . . . .     *AVAIL      Time, *AVAIL
     Beginning date . . . . . . .     *CURRENT    Date, *CURRENT, *BEGIN
   End time and date:
     Ending time  . . . . . . . .     *AVAIL      Time, *AVAIL
     Ending date  . . . . . . . .     *CURRENT    Date, *CURRENT, *END
 Protocol version . . . . . . . .     *ALL        *ALL, *TLSV1.2, *TLSV1.1..
                          + for more values
 Include:
   Cipher suite . . . . . . . . .     *ALL
   IP address . . . . . . . . . .     *ALL
 Output queue . . . . . . . . . .     *JOB        Name, *JOB
   Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB
As long as you retain the trace output file generated by the TRCINT SET(*OFF) command, you can keep creating reports from the data. To narrow the report to certain periods of time, protocol versions, IP addresses or cipher suites, specify the criteria defining the subset of interest as input to the corresponding command parameters.
The PRTSSLTRC command and all its parameters are documented in detail by the associated on-line help text panel group.
For more information on IBM i and SSL concepts please refer to:
The SEC107T CL program is a separate program that outputs the trace records collected so far to the trace output file, clears the trace table and restarts the trace, so that the trace runs continuously.
If run on a daily basis, this program keeps the trace table size down and ensures that the trace output file reflects the most recent SSL traffic on the system. The trace records are added to the trace output file, which accumulates them and grows over time.
Depending on the volume of SSL traffic, be sure to keep track of the disk space consumed by the trace output file. To format and query the SSL trace data, use the Print SSL Trace Data (PRTSSLTRC) command.
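As an added illustration of the trace cycle just described (this is not the utility’s SEC107T program, whose source is not reproduced here), the following CL program strings the TRCINT steps from above together into one scheduled job: it stops the running trace and appends its records to the output file, deletes the trace table, and starts a fresh trace with the same parameters as the manual start command. The trace table name SSL-1700x and the output file name SSL1700X are the ones used in the commands above; the output library is the program’s only parameter. Two points are my assumptions rather than statements of the original text: that TRCINT SET(*END) followed by SET(*ON) is how the table is cleared and restarted, and that the first run (no trace table yet) should be tolerated rather than treated as an error.

```cl
/* Added example: rotate the *SCKSSL trace once per run (e.g. daily). */
/* Not the utility's SEC107T. Assumes the trace table and outfile     */
/* names used earlier in the text. Parameter: library of the outfile. */
             PGM        PARM(&OUTLIB)

             DCL        VAR(&OUTLIB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&TRCTBL)  TYPE(*CHAR) LEN(10) +
                          VALUE('SSL-1700x')
             DCL        VAR(&OUTFILE) TYPE(*CHAR) LEN(10) +
                          VALUE('SSL1700X')
             DCL        VAR(&MSGTXT)  TYPE(*CHAR) LEN(80)
             DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSGF)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGFLIB) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGDTA)  TYPE(*CHAR) LEN(512)

             /* Any unmonitored failure is re-sent as an escape message, */
             /* so a job scheduler entry running this program sees it    */
             /* end abnormally instead of silently losing trace data.    */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* 1. Stop the running trace and append its records to the  */
             /*    accumulating outfile. *ADD (not *REPLACE) keeps the   */
             /*    earlier days' connections available to PRTSSLTRC.     */
             /*    Assumption: on the very first run there is no trace   */
             /*    table yet, so this step is allowed to fail.           */
             TRCINT     SET(*OFF) TRCTBL(&TRCTBL) OUTPUT(*OUTFILE) +
                          OUTFILE(&OUTLIB/&OUTFILE) OUTMBR(*FIRST *ADD)
             MONMSG     MSGID(CPF0000)

             /* 2. Delete the trace table so its buffer is released and  */
             /*    the new trace starts empty (same first-run caveat).   */
             TRCINT     SET(*END) TRCTBL(&TRCTBL)
             MONMSG     MSGID(CPF0000)

             /* 3. Start a new trace for all SSL protocol versions with  */
             /*    the parameters of the manual start command. This is  */
             /*    the step that must succeed; it is not monitored      */
             /*    locally, so a failure here reaches the ERROR label.  */
             TRCINT     SET(*ON) TRCTBL(&TRCTBL) SIZE(512 *MB) +
                          TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009))

             CHGVAR     VAR(&MSGTXT) +
                          VALUE('SSL trace rotated; records appended to' +
                          *BCAT &OUTLIB *TCAT '/' *TCAT &OUTFILE)
             SNDPGMMSG  MSG(&MSGTXT) MSGTYPE(*COMP)
             RETURN

             /* Forward the failing command's own message as an escape. */
 ERROR:      RCVMSG     MSGTYPE(*EXCP) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                          MSGF(&MSGF) MSGFLIB(&MSGFLIB)
             MONMSG     MSGID(CPF0000)
             SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) +
                          MSGDTA(&MSGDTA) MSGTYPE(*ESCAPE)
             ENDPGM
```

Compile it with CRTCLPGM and schedule it once a day, passing the library that holds SSL1700X (for the commands above, QGPL). Because the outfile is written with *ADD, the member keeps growing; the disk space warning in the paragraph above applies to it directly, and the date and time parameters of PRTSSLTRC are what you use to report on a single day out of the accumulated records.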
The source members involved in creating the PRTSSLTRC command are listed below:
SEC107    RPGLE    Print SSL Trace Data
SEC107H   PNLGRP   Print SSL Trace Data - Help
SEC107V   RPGLE    Print SSL Trace Data - VCP
SEC107X   CMD      Print SSL Trace Data
SEC107M   CLP      Print SSL Trace Data - Build command
SEC107T   CLP      Print SSL Trace Data - Run trace continuously
The SEC107M CL program creates the utility, provided that all sources have been copied to their respective default source files and that you specify the source (and utility) library as the program’s only parameter.