tibemsSSLParams_System_SetCiphers

Function

Purpose

Set the cipher suites for IBM System SSL connections.

C Declaration

tibems_status tibemsSSLParams_System_SetCiphers(
    tibemsSSLParams SSLParams,
    const char* ciphers );

COBOL Call

CALL "tibemsSSLParams_System_SetCiphers"
     USING BY VALUE SSLParams,
           BY REFERENCE ciphers,
           RETURNING tibems-status
END-CALL.
Note: SSLParams has usage pointer.

Parameters

| Parameter | Description |
|---|---|
| SSLParams | Set the value in this TLS parameter object. |
| ciphers | Specify the cipher suites that the client can use. Ciphers can be specified as a series of two or four character codes, or a series of short name string values, depending on the platform. |

The ciphers provided should conform to the cipher suite specifications for IBM System SSL:

  • For a detailed description of these ciphers on z/OS, see the IBM Cryptographic Services, System Secure Sockets Layer Programming bookshelf.
  • For a description of the ciphers on IBM i, refer to the IBM i Information Center, Communications, Socket Programming, Advanced socket concepts, Secure Sockets, Global Security Kit (GSKit) APIs.
  • Note that on IBM i the system values QSSLCSL, QSSLCSLCTL, and QSSLPCL control the ciphers and protocols that are supported.

Supported ciphers are listed below.

Remarks

This parameter is connection-specific and can be specified for each connection. On z/OS, only the ciphers indicated in the FIPS column of the table below are allowed in FIPS mode.

The following table lists ciphers which have been tested. However, many factors can affect the list of ciphers which work on a given site, so your list may be larger or smaller than this one.

| 2-Char Code | 4-Char Code | Short Name | Description | Use On | FIPS |
|---|---|---|---|---|---|
| 05 | 0005 | TLS_RSA_WITH_RC4_128_SHA | 128-bit RC4 encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | No |
| 0A | 000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 16 | 0016 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 2F | 002F | TLS_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 33 | 0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 35 | 0035 | TLS_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 39 | 0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 3C | 003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and RSA key exchange. | z/OS | Yes |
| 3D | 003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | 256-bit AES encryption with SHA-256 message authentication and RSA key exchange. | z/OS | Yes |
| 67 | 0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 6B | 006B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 256-bit AES encryption with SHA-256 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 9C | 009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and RSA key exchange. | z/OS | Yes |
| 9D | 009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and RSA key exchange. | z/OS | Yes |
| 9E | 009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 9F | 009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | 128-bit RC4 encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | No |
|  | C012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256-bit AES encryption with SHA-384 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |

On both z/OS and IBM i, the ciphers may be specified as a string of two-character codes with no spaces or other delimiters, for example "2F0535".

On z/OS, the ciphers may also be specified as a string of four-character codes with no spaces or other delimiters, for example "C012003D003C".

On IBM i, the ciphers may alternatively be specified as a string of comma-delimited string values containing no spaces, for example "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA".
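The undelimited code formats carry no marker of their width, so the same string reads differently as two-character and four-character codes. The following added example (not part of the TIBCO documentation or API) checks a cipher string before it is passed to tibemsSSLParams_System_SetCiphers; the names audit_cipher_spec, find_suite and SUITES are hypothetical, the table is a subset of the one on this page, and the "Use On" column is not checked.

```c
#include <stdio.h>
#include <string.h>

/* Subset of this page's tested-cipher table: 4-char code, short name, FIPS column. */
struct suite { const char *code, *name; int fips; };
static const struct suite SUITES[] = {
    {"0005", "TLS_RSA_WITH_RC4_128_SHA",              0},
    {"002F", "TLS_RSA_WITH_AES_128_CBC_SHA",          1},
    {"0035", "TLS_RSA_WITH_AES_256_CBC_SHA",          1},
    {"003C", "TLS_RSA_WITH_AES_128_CBC_SHA256",       1},
    {"003D", "TLS_RSA_WITH_AES_256_CBC_SHA256",       1},
    {"C011", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",        0},
    {"C012", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",   1},
    {"C02F", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 1},
};
#define NSUITES (sizeof SUITES / sizeof SUITES[0])

/* Match one token. width 2 or 4: hex code, compared exactly as the page writes
 * it; a 2-char code XX is the 4-char code 00XX. width 0: short name. */
static const struct suite *find_suite(const char *tok, size_t len, int width) {
    for (size_t i = 0; i < NSUITES; i++) {
        const struct suite *s = &SUITES[i];
        if (width == 4 && strncmp(s->code, tok, 4) == 0) return s;
        if (width == 2 && strncmp(s->code, "00", 2) == 0
                       && strncmp(s->code + 2, tok, 2) == 0) return s;
        if (width == 0 && strlen(s->name) == len
                       && strncmp(s->name, tok, len) == 0) return s;
    }
    return NULL;
}

/* Count entries that are malformed, absent from the table, or (with fips_only)
 * marked "No" under FIPS. width: 2 or 4 for codes, 0 for comma-delimited names. */
int audit_cipher_spec(const char *spec, int width, int fips_only) {
    size_t n = strlen(spec);
    int bad = (n == 0);                           /* empty list is rejected */
    for (size_t pos = 0; pos < n; ) {
        size_t len = width ? (size_t)width : strcspn(spec + pos, ",");
        if (pos + len > n) return bad + 1;        /* trailing partial code */
        const struct suite *s = find_suite(spec + pos, len, width);
        if (!s || (fips_only && !s->fips)) bad++;
        pos += len + (width ? 0 : 1);             /* names: skip the comma */
    }
    return bad;
}
int main(void) {
    printf("%d %d\n", audit_cipher_spec("2F0535", 2, 1),
                      audit_cipher_spec("C012003D003C", 4, 1));
    return 0;
}
```

A non-zero result means at least one entry should be reviewed before the connection is configured; in FIPS mode the page's first example string fails because it includes the RC4 suite 05.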