If you're looking to lock down your web server (Apache) running on IBM i against issues found in SSL 2.0, SSL 3.0 or TLS 1.0, here are some things to look into:

Issues in SSL 2.0: http://tools.ietf.org/html/rfc6176
Issues in SSL 3.0 (POODLE attacks): https://tools.ietf.org/html/rfc7568
Issues in TLS 1.0 (cipher block chaining and padding attacks): http://tools.ietf.org/html/rfc4346#section-1.1

  1. Go to your IBM Web Administration for i
  2. http://www.ReplaceWithIBMiDNS.com:2001/HTTPAdmin ->
  3. Selected Server Dropdown “ZENDSVR – APACHE”->
  4. “Manage” tab, “HTTP Servers” tab, open the “Server Properties” tree, “Security” link ->
  5. SSL Advanced tab
  6. Change “SSL version to negotiate:” from “All Versions” to “TLS Version 1.2 only”, or
  7. Under “Ciphers available during negotiation”, add the TLS v1.1 and TLS v1.2 ciphers and remove any ciphers that are lower.

 

  1. Go to your Digital Certificate Manager (DCM)
  2. http://www.ReplaceWithIBMiDNS.com:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
  3. Select Certificate Store -> *SYSTEM
  4. Manage Applications – Update Application Definition
  5. Server
  6. QIBM_HTTP_SERVER_ZENDSVR
  7. Update Application Definition
  8. SSL protocols
  9. Change from *PGM to Define protocols supported: TLS 1.2, TLS 1.1
  10. Click Apply
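
To confirm the change took effect after restarting the server, the sketch below offers one protocol version at a time and reports which ones the server still accepts. It is an added example, not part of the original post or any IBM tooling; the function names, the port and the `ALLOWED` set are assumptions, and SSL 2.0/3.0 are not probed because current Python/OpenSSL builds typically cannot offer them.

```python
import socket
import ssl
import warnings

# Versions a current Python/OpenSSL client can still pin and offer.
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}
ALLOWED = {"TLSv1.1", "TLSv1.2"}  # the DCM choice; use {"TLSv1.2"} for 1.2 only

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # only protocol negotiation is tested
    ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL offer legacy versions
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """True: handshake completed. False: refused. None: client cannot test."""
    try:
        ctx = pinned_context(version)
    except (ValueError, ssl.SSLError):  # local OpenSSL lacks this version
        return None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except OSError:                 # ssl.SSLError, reset or timeout
            return False

def findings(results, allowed=ALLOWED):
    """Compare probe results with the protocol set the server should offer."""
    out = []
    for name, accepted in results.items():
        if accepted is None:
            out.append(f"{name}: not testable with this client build")
        elif accepted and name not in allowed:
            out.append(f"{name}: still accepted, disable it")
        elif not accepted and name in allowed:
            out.append(f"{name}: refused, expected to be enabled")
    return out

def audit(host, port=443, allowed=ALLOWED):
    results = {n: probe(host, port, v) for n, v in VERSIONS.items()}
    return results, findings(results, allowed)
```

Run `audit("www.ReplaceWithIBMiDNS.com", 443)` against your own host and HTTPS port; an empty findings list means the server negotiates only the versions you allowed.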

Thanks to @jordiwes (http://www.iqwebdevelopment.ca/) for mentioning this could be done in DCM