Beginning on April 20th, 2021, the OpenJDK releases of Java 8, Java, 11, and Java 16 are shipped with TLS v1.0 and TLS v1.1 disabled. If you are using one of these updated OpenJDK Java releases with IBM i Access Client Solutions, this change may cause issues when attempting to connect securely to systems running older operating systems. In particular, while IBM i 7.1 did gain TLS v1.2 support at TR6, the SSL Control system values only enable TLS 1.0 by default. Connecting to one of these systems will produce an error in ACS:
MSGSSL002 -“IBMi server application is not trusted for secure socket connection.”
If you need to establish an ACS connection using TLS 1.0 or TLS 1.1, these protocols can be re-enabled by altering a Java configuration file. First, make sure all Java instances are closed, then locate the Java security file deep inside the Java installation directory, under conf > security > java.security. The file can be edited in Notepad or any other text editor. Search for the jdk.tls.disabledAlgorithms property and remove TLSv1 and/or TLSv1.1 from the list, save the file, then restart ACS.
Keep in mind that the reason that these protocols have been disabled is because they are now insecure by modern standards. Re-enabling them means you are intentionally using an unsecure connection method, so if you need to do this to get connected to your systems then it is time to review the security on your system.
More from this month:
- Why Sharing the /QDLS Directory in NetServer Should Be Avoided
- What Do I Need To Do Full System FlashCopy Backups?
- 4 Disaster Recovery Services That Can Improve your IBM i Recoverability
- iPOWER Hour Episode 29: What’s Going On With All The Ransomware Attacks?
- IBM i Security Resource Page
- iTech iTip Videos
- Sips & Tricks: Coffee with iTech
- iBasics: IBM i Education for the Beginner System Administrator
- Upcoming Events
- IBM i, FSP, and HMC release levels and PTFs (May 2021)