1.1 Security Enforcement

This release introduces the following updates to the security capabilities of Tuxedo Mainframe Adapter (TMA) so that a default deployment is secure.

  • Enforcing and hardening security by making TLS 1.2 the default protocol for communications between the SNA gateway and the CRM.

Compatibility

These changes require you to take action on configuration and security settings. The following backward-compatibility option is available if you need to retain the behavior of TMA SNA 12.2.2.

  • TM_ALLOW_NOTLS is set: no SSL/TLS connection is used. LLE (GPE) may be enabled, and the behavior is the same as in TMA SNA 12.2.2.

By default, TLS 1.2 is used. For compatibility with older versions of Tuxedo, you can additionally enable TLS 1.0 or TLS 1.1 through the TM_TLS_FORCE_VER environment variable. Both of these versions are deprecated (RFC 8996), so enable them only for the duration of a migration.

The following cipher suites are supported by default:
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

If you need other cipher suites, for example to interoperate with older versions of Tuxedo, you can specify them with the TM_CIPHERSUITES environment variable.

RSA keys must be at least 2048 bits long. When loading the key/certificate, Tuxedo detects the key length and fails if it is shorter than 2048 bits. If you must use a shorter key, you can lower the limit with the TM_MIN_PUB_KEY_LENGTH environment variable.
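The following pre-deployment check is an added example, not part of the TMA product or its documentation: it resolves the TLS posture that the four environment variables above produce (TM_ALLOW_NOTLS taking precedence over the rest) and reports every deviation from the hardened default. The value formats are assumptions, since this page does not document them: TM_TLS_FORCE_VER and TM_CIPHERSUITES are read as comma-separated lists and TM_MIN_PUB_KEY_LENGTH as an integer number of bits.

```python
"""Audit the TMA SNA TLS environment before deployment (example, not product code).

Assumed value formats: TM_ALLOW_NOTLS counts as set when non-empty,
TM_TLS_FORCE_VER is "1.0,1.1"-style, TM_CIPHERSUITES is a comma-separated
suite list, TM_MIN_PUB_KEY_LENGTH is an integer number of bits.
"""
from __future__ import annotations

# Cipher suites enabled by default, as listed in the release notes.
DEFAULT_SUITES = frozenset({
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
})
DEFAULT_MIN_KEY_BITS = 2048


def _csv(value: str) -> set[str]:
    return {item.strip() for item in value.split(",") if item.strip()}


def effective_policy(env: dict[str, str]) -> dict:
    """Resolve the posture a given environment produces, honouring precedence."""
    if env.get("TM_ALLOW_NOTLS"):
        # Compatibility switch: no TLS at all, LLE (GPE) allowed, 12.2.2 behaviour.
        return {"tls": False, "versions": set(), "suites": set(), "min_key_bits": None}
    versions = {"1.2"} | _csv(env.get("TM_TLS_FORCE_VER", ""))
    suites = _csv(env.get("TM_CIPHERSUITES", "")) or set(DEFAULT_SUITES)
    min_bits = int(env.get("TM_MIN_PUB_KEY_LENGTH") or DEFAULT_MIN_KEY_BITS)
    return {"tls": True, "versions": versions, "suites": suites, "min_key_bits": min_bits}


def audit(env: dict[str, str]) -> list[str]:
    """Return one finding per deviation from the hardened default posture."""
    policy = effective_policy(env)
    if not policy["tls"]:
        return ["TM_ALLOW_NOTLS set: SNA gateway to CRM traffic is not encrypted"]
    findings = []
    for version in sorted(policy["versions"] - {"1.2"}):
        kind = "deprecated" if version in ("1.0", "1.1") else "non-default"
        findings.append(f"TM_TLS_FORCE_VER enables {kind} TLS {version}")
    for suite in sorted(policy["suites"] - DEFAULT_SUITES):
        findings.append(f"TM_CIPHERSUITES adds non-default suite {suite}")
    if policy["min_key_bits"] < DEFAULT_MIN_KEY_BITS:
        findings.append(f"TM_MIN_PUB_KEY_LENGTH lowered to {policy['min_key_bits']} bits")
    return findings
```

Run `audit(dict(os.environ))` in the gateway's environment; an empty list means the deployment keeps the TLS 1.2, default-suite, 2048-bit posture described above.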