1.1 Security Enforcement
This release introduces the following security updates so that Tuxedo Mainframe Adapter (TMA) deployments are secure by default.
- Enforcing and hardening security by making TLS 1.2 the default protocol for communications between the SNA gateway and CRM.
Compatibility
The new changes require you to take action on configuration and security settings. The following backward compatibility option is available if you wish to maintain the old behavior present in TMA SNA 12.2.2.
- TM_ALLOW_NOTLS is set: No SSL connection is used. LLE (GPE) is allowed to be enabled and the behavior is the same as in TMA SNA 12.2.2.
By default, TLS 1.2 is used. For compatibility with older versions of Tuxedo, you can include TLS 1.0 or 1.1 through the environment variable TM_TLS_FORCE_VER.
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
If you want to use other cipher suites, for use cases such as interoperation with older versions of Tuxedo, you can use the TM_CIPHERSUITES environment variable.
RSA requires a minimum key length of 2048. During the loading of the key/certificate, Tuxedo detects the key length and fails if it is less than 2048 characters. If you want to use a shorter key length, then you can use the TM_MIN_PUB_KEY_LENGTH environment variable.
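The four variables above each relax a default, so a deployment review can start by listing which of them an environment sets. The following is an added example, not Oracle code: the function names, the KEY=VALUE input format, the value formats noted in the comments, and the sample values are assumptions made for illustration.

```shell
# Succeeds if $1 is one of the default cipher suites listed in this section.
is_default_suite() {
    case $1 in
        TLS_RSA_WITH_AES_256_CBC_SHA256|TLS_RSA_WITH_AES_256_GCM_SHA384|\
        TLS_RSA_WITH_AES_128_CBC_SHA256|TLS_RSA_WITH_AES_128_GCM_SHA256|\
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|\
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|\
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) return 0 ;;
    esac
    return 1
}

# Reads KEY=VALUE lines on stdin (optional leading "export"), prints one
# finding per line, and always returns 0 so it is safe under "set -e".
tma_audit() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }
        key=${line%%=*}
        val=${line#*=}
        case $key in
            TM_ALLOW_NOTLS) echo "TM_ALLOW_NOTLS: set, no SSL connection is used" ;;
            TM_TLS_FORCE_VER)   # assumed: the value names versions such as 1.0
                case $val in
                    *1.0*|*1.1*) echo "TM_TLS_FORCE_VER: '$val' includes TLS 1.0 or 1.1" ;;
                esac ;;
            TM_MIN_PUB_KEY_LENGTH)   # assumed: the value is a plain integer
                case $val in
                    ''|*[!0-9]*) echo "TM_MIN_PUB_KEY_LENGTH: '$val' is not a number" ;;
                    *) if [ "$val" -lt 2048 ]; then
                           echo "TM_MIN_PUB_KEY_LENGTH: $val is below 2048"
                       fi ;;
                esac ;;
            TM_CIPHERSUITES)   # assumed: suites separated by ':' or ','
                for s in $(printf '%s' "$val" | tr ':,' '  '); do
                    is_default_suite "$s" ||
                        echo "TM_CIPHERSUITES: non-default suite $s"
                done ;;
        esac
    done
    return 0
}

# Constructed sample input, not taken from a real deployment.
SAMPLE='TM_ALLOW_NOTLS=Y
export TM_TLS_FORCE_VER=1.0,1.2
TM_MIN_PUB_KEY_LENGTH=1024
TM_CIPHERSUITES=TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_3DES_EDE_CBC_SHA'
printf '%s\n' "$SAMPLE" | tma_audit
```

To audit a running shell instead of a file, pipe the output of `env` into `tma_audit`.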