STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to CA IDMS Security Technical Implementation Guide

V-251656

CAT II (Medium)

CA IDMS must implement NIST FIPS 140-2 validated cryptographic modules to protect data-in-transit.

Rule ID

SV-251656r961857_rule

STIG

CA IDMS Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-002450

Discussion

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards. For detailed information, refer to NIST FIPS Publication 140-2, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.

Check Content

Verify that connection to IDMS is FIPS-compliant.

1. For ODBC and JDBC Type 2 connections:   
   a. Configure the Data Source to enable the DTS-JCLI logging option.  
   b. Perform a connection test using the "Test" function on the administrator.
   c. View the generated log entries to determine the TLS version, cipher algorithm, and certificate employed.  

2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) successful!
2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) connection attempts: 1 
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) TLS version TLSv1.2 
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) cipher TLS_RSA_WITH_AES_256_CBC_SHA256 (this should  be one or more of the accepted ciphers)
                                                                                                                                                                                                                                                          Cipher Specifications
                                                                                                                                                                                                                                                          3DES_SHA
                                                                                                                                                                                                                                                          AES_256_SHA
                                                                                                                                                                                                                                                          AES_128_SHA
If connection is not verified this is a finding.

2. For all connection types:  IBM provides configuration options for multiple SSL components, to force FIPS-140 compliance.   
    a. System SSL:  The environment variable GSK_FIPS_STATE specifies GSK_FIPS_STATE_ON in the envar file in the GSKSRVR home directory or message "GSK01057I SSL server starting in FIPS mode" is in the JES
        log.
    b. ICFS: Review the JES log for the ICSF region for the following message is issued on startup 
         CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.

If either of the above is true this is not a finding.
If none of the above is true this is a finding.

Fix Text

Contact the appropriate system administrators to make the needed changes to allow the use of AT-TLS and the associated software.
See Broadcom Techdocs for further information:      
- Configure Secure Sockets
See IBM's z/OS Communications Server bookshelf for information on:  
- Configuring AT-TLS
See IBM's z/OS Cryptographic Services System bookshelf for information on 
- Algorithms and key sizes
- System SSL 
- ICSF Services