XCOM Data Transport for z/OS Risk Mitigation through Stronger Encryption Security
20707
13 July 2022
June 2022
To: XCOM™ Data Transport® for z/OS Customers
From: Broadcom’s XCOM Data Transport for z/OS Product Team
Subject: Risk Mitigation through Stronger Encryption Security
To minimize security risks and reduce the need for maintenance upgrades, XCOM for z/OS added support for System SSL in 2014, and later AT-TLS. This action was also designed to keep XCOM for z/OS aligned with the current technology provided by the operating system.
At this time, to avoid the security risks associated with XCOM for z/OS transfers that are still using OpenSSL, we are completely removing OpenSSL support from XCOM for z/OS. To continue using encrypted file transfers, you must switch to System SSL or AT-TLS, which are more secure and minimize the risk to your environments. This feature deprecation is slated to take place on October 1, 2022.
Note, this notification is for z/OS only, and will not affect any other platform.
To help you with this transition, here are our recommended procedures for switching security protocols. We encourage you to proactively make these changes as soon as possible.
To switch to AT-TLS:
- Define the AT-TLS rule set using the XCOM samples that are provided in CBXGSAMP(XCOMTKDB) and hlq.CBXGSAMP(XCOMTRNG).
- Update the XCOM CONFIG member as follows:
  - Specify AT-TLS and AT-TLS_PORTS with the appropriate values.
  - Set SSL to NONE.
To switch to System SSL:
- Customize the provided SYSconfigSSL.cnf file. You can find detailed instructions here.
- Migrate the certificates to a KDB data set, or add them to an appropriate KEYRING in the security service.
- Update the XCOM CONFIG member as follows:
  - Specify XCOM_CONFIG_SSL with the appropriate file path and name.
  - Change the SSL_VERSION parameter to SYSTEM. If SSL_VERSION is still set to OPEN, the transfer will not execute successfully.
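A pre-cutover check of the CONFIG member changes listed in both procedures above, as an added example that is not Broadcom code. It assumes the member has been exported to text with one KEYWORD=VALUE pair per line and is intended for encrypted transfers; the function names and all sample values are constructed placeholders.

```python
# Added example, not Broadcom code. Assumes the CONFIG member was exported as
# text with one KEYWORD=VALUE pair per line; lines without "=" are skipped.

def parse_member(text):
    """Return {KEYWORD: value} for each KEYWORD=VALUE line (last one wins)."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip():
            params[key.strip().upper()] = value.strip()
    return params

def check_member(text):
    """Return (path, findings); an empty findings list means the steps are done."""
    p = parse_member(text)
    findings = []
    if p.get("AT-TLS") or p.get("AT-TLS_PORTS"):
        path = "AT-TLS"
        for name in ("AT-TLS", "AT-TLS_PORTS"):
            if not p.get(name):
                findings.append(f"{name} is not specified")
        if p.get("SSL", "").upper() != "NONE":
            findings.append("SSL is not set to NONE")
    else:
        path = "SYSTEM-SSL"
        version = p.get("SSL_VERSION", "").upper()
        if version == "OPEN":
            findings.append("SSL_VERSION is still OPEN; transfers will not execute")
        elif version != "SYSTEM":
            findings.append("SSL_VERSION is not set to SYSTEM")
        if not p.get("XCOM_CONFIG_SSL"):
            findings.append("XCOM_CONFIG_SSL is not specified")
    return path, findings

# Constructed sample members; every value here is a placeholder.
STILL_OPENSSL = "SSL_VERSION=OPEN\nXCOM_CONFIG_SSL=/placeholder/configssl.cnf\n"
HALF_AT_TLS = "AT-TLS=PLACEHOLDER\nSSL=PLACEHOLDER\n"
DONE_AT_TLS = "AT-TLS=PLACEHOLDER\nAT-TLS_PORTS=PLACEHOLDER\nSSL=NONE\n"

if __name__ == "__main__":
    for name, member in [("STILL_OPENSSL", STILL_OPENSSL),
                         ("HALF_AT_TLS", HALF_AT_TLS),
                         ("DONE_AT_TLS", DONE_AT_TLS)]:
        print(name, check_member(member))
```

The check covers only the CONFIG member; the AT-TLS rule set, the SYSconfigSSL.cnf customization and the certificate migration still have to be verified separately.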
If you need assistance with these steps, contact Broadcom Support.