IT Management

SLES 11 SP 1 ships with dynamic engine support disabled. To enable it, you must modify the OpenSSL configuration file after installing all required software packages. A sample openssl.cnf.sample file is provided with the openssl-ibmca package and contains settings to enable ibmca. To customize OpenSSL to enable ibmca:

  1. Make a backup copy of openssl.cnf.
  2. Append the content of sample file /usr/share/doc/packages/openssl-ibmca/openssl.cnf.sample to the existing openssl.cnf.
  3. Move the line “openssl_conf = openssl_def” from the appended part to the top of the configuration file. The new configuration file should resemble Figure 4.
  4. Check the value of the “dynamic_path” variable and change it as necessary to the correct path for libibmca.so (this path varies, depending on the Linux distribution in use).
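The four steps above carried out as a script, added here as an example and not taken from the article or from the openssl-ibmca package. It works on constructed stand-ins for openssl.cnf and openssl.cnf.sample in a scratch directory (the real files live under /etc/ssl and /usr/share/doc/packages/openssl-ibmca on SLES; both paths are the reader's to adjust), and the libibmca.so location it writes into dynamic_path is an assumption that must be replaced with the correct path for the distribution in use:

```sh
#!/bin/sh
# Added example: applies the four configuration steps to a constructed copy of
# openssl.cnf in a scratch directory so nothing under /etc is modified.
# CNF, SAMPLE and LIBIBMCA are assumptions; point them at the real files.

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"            # stands in for the distribution's openssl.cnf
SAMPLE="$WORK/openssl.cnf.sample"  # stands in for openssl.cnf.sample from openssl-ibmca
LIBIBMCA="${LIBIBMCA:-/usr/lib64/libibmca.so}"  # assumed path, distribution dependent

# Constructed stand-ins for the two input files (not the real shipped content).
make_fixtures() {
    cat > "$CNF" <<'EOF'
# constructed stand-in for the distribution openssl.cnf
[ req ]
default_bits = 2048
EOF
    cat > "$SAMPLE" <<'EOF'
# constructed stand-in for openssl.cnf.sample shipped with openssl-ibmca
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmca = ibmca_section

[ibmca_section]
dynamic_path = /usr/lib/libibmca.so
engine_id = ibmca
init = 1
default_algorithms = ALL
EOF
}

# Steps 1-3: back up openssl.cnf, append the sample, and move the
# "openssl_conf = openssl_def" line from the appended part to the top.
enable_ibmca() {
    cp "$CNF" "$CNF.bak" || return 1            # step 1: backup copy
    cat "$SAMPLE" >> "$CNF" || return 1         # step 2: append the sample
    {                                           # step 3: directive goes first
        printf 'openssl_conf = openssl_def\n'
        grep -v '^openssl_conf *= *openssl_def' "$CNF"
    } > "$CNF.tmp" && mv "$CNF.tmp" "$CNF"
}

# Step 4: set dynamic_path to the libibmca.so location for this distribution.
set_dynamic_path() {
    sed "s|^dynamic_path *=.*|dynamic_path = $1|" "$CNF" > "$CNF.tmp" \
        && mv "$CNF.tmp" "$CNF"
}

# Checks a practitioner would run before trusting the result: the directive is
# the first line, and the library the engine will dlopen actually exists.
first_line()         { head -n 1 "$CNF"; }
dynamic_path()       { sed -n 's/^dynamic_path *= *//p' "$CNF"; }
check_dynamic_path() { [ -f "$(dynamic_path)" ]; }

# Stand-alone run: build the fixtures, enable the engine, report the outcome.
if [ "${RUN_EXAMPLE:-1}" = 1 ]; then
    make_fixtures
    enable_ibmca
    set_dynamic_path "$LIBIBMCA"
    echo "first line:   $(first_line)"
    echo "dynamic_path: $(dynamic_path)"
    if check_dynamic_path; then
        echo "libibmca.so found; confirm with: openssl engine -c"
    else
        echo "libibmca.so not found at that path; fix dynamic_path before running openssl engine -c"
    fi
fi
```

Moving the directive to the top matters because OpenSSL reads `openssl_conf` from the default (unnamed) section at the start of the file; left inside the appended block it is never seen. The final existence check is worth keeping: a wrong dynamic_path does not produce an error at configuration time, it simply leaves the engine unloaded, which is exactly what the `openssl engine -c` check in the next paragraph is there to catch.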
To verify whether dynamic engine support for ibmca is enabled, use the “openssl engine -c” command as shown in Figure 5, which displays the ibmca status and a list of the algorithms it supports. To disable dynamic engine loading of ibmca, comment out the “openssl_conf = openssl_def” line at the top of openssl.cnf. Once dynamic engine loading of the ibmca engine is enabled, any OpenSSH activity will automatically use whatever hardware cryptographic support is available.
Verify CPACF Usage

To verify whether CPACF is used for a Linux server on System z, use the icastats tool, which shows the number of executed encryption requests the libica library handled. It distinguishes between requests CPACF executes and those executed by software fallback.

Figure 6 shows an example of icastats output. Here, CPACF executed AES and SHA requests; since no Crypto Express was available, RSA handshakes were executed in software.
Using OpenSSH With Hardware Crypto Support

Transferring large files with SCP shows the effect of OpenSSL's dynamic engine loading on OpenSSH, since SCP runs over OpenSSH under the covers.