If you're looking to lock down your web server (Apache) running on IBM i against issues found in SSL 2.0, SSL 3.0 or TLS 1.0, here are some things to look into:
Issues in SSL 2.0: http://tools.ietf.org/html/rfc6176
Issues in SSL 3.0 (POODLE attacks): https://tools.ietf.org/html/rfc7568
Issues in TLS 1.0 (cipher block chaining and padding attacks): http://tools.ietf.org/html/rfc4346#section-1.1
- Go to your IBM Web Administration for i
  - http://www.ReplaceWithIBMiDNS.com:2001/HTTPAdmin ->
  - In the server dropdown, select “ZENDSVR – APACHE” ->
  - “Manage” tab, “HTTP Servers” tab, open the “Server Properties” tree, “Security” link ->
  - “SSL Advanced” tab
  - Change “SSL version to negotiate:” from “All Versions” to “TLS Version 1.2 only”, or
  - Under “Ciphers available during negotiation”, add the TLS v1.1 and TLS v1.2 ciphers and remove any ciphers that are lower.
- Go to your Digital Certificate Manager (DCM)
  - http://www.ReplaceWithIBMiDNS.com:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
  - Select Certificate Store -> *SYSTEM
  - Manage Applications – Update Application Definition
  - Server
  - QIBM_HTTP_SERVER_ZENDSVR
  - Update Application Definition
  - SSL protocols
  - Change from *PGM to “Define protocols supported”: TLS 1.2, TLS 1.1
  - Click Apply
Thanks to @jordiwes (http://www.iqwebdevelopment.ca/) for mentioning this could be done in DCM.
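To confirm the settings above took effect, you can probe your own server one protocol version at a time from another machine. This Python script is an added example, not part of the original post; the function names are hypothetical, and the host and port are supplied on the command line (port 443 is assumed if omitted).

```python
import socket
import ssl
import sys

# Expected outcome per version for the "TLS 1.2, TLS 1.1" setting from the steps
# above; set TLSv1_1 to False if you chose "TLS Version 1.2 only" instead.
EXPECTED = {"TLSv1": False, "TLSv1_1": True, "TLSv1_2": True}

def pinned_context(version_name):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Probe only: this checks protocol negotiation, not certificate trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Many OpenSSL builds refuse to offer TLS 1.0/1.1 at the default security level.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = ssl.TLSVersion[version_name]
    ctx.maximum_version = ssl.TLSVersion[version_name]
    return ctx

def probe(host, port, version_name, timeout=5.0):
    """True = handshake completed, False = refused, None = client cannot offer it."""
    try:
        ctx = pinned_context(version_name)
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        return False

def assess(results, expected=EXPECTED):
    """List every mismatch between observed and expected behaviour."""
    word = lambda ok: "accepted" if ok else "refused"
    findings = []
    for name, want in expected.items():
        got = results.get(name)
        if got is None:
            findings.append(f"{name}: not tested by this client")
        elif got != want:
            findings.append(f"{name}: {word(got)}, expected {word(want)}")
    return findings

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    problems = assess({v: probe(host, port, v) for v in EXPECTED})
    sys.exit("\n".join(problems) if problems else 0)
```

The script exits 0 when the server's behaviour matches `EXPECTED` and prints the mismatches otherwise. Current OpenSSL builds generally cannot offer SSL 2.0 or SSL 3.0 as a client, so those two are not probed here.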