Security

Phase IJBCRLIB is responsible for ensuring that the best random number generator available on the given hardware is used. With z/VSE 5.1, you can get random numbers using:

• A crypto coprocessor card (CEX2C, CEX3C or CEX4C), which is the best option because a crypto card returns true random numbers independent of any seed value.
• The CP Assist for Cryptographic Functions (CPACF)-provided Pseudo Random Number Generator (PRNG), which needs a seed value; this seed can be obtained from various sources of randomness in the system. The PRNG function is available on System z10 and later.
• A pure software-based random number generator in case the first two alternatives aren’t available.

Run-Time Variables

Two variables control how OpenSSL behaves on z/VSE. You can turn crypto hardware on and off via parameter SSL$ICA:

// SETPARM SSL$ICA = ['YES' | 'NO']

You can control the debug trace via variable SSL$DBG:

// SETPARM SSL$DBG = ['YES' | 'NO']

Creating Keystores

OpenSSL uses the Privacy-Enhanced Mail (PEM) format to store keys and certificates. PEM files may contain an RSA key pair, an SSL certificate or both, and may or may not be password-protected. While other keystore formats are just binary, the PEM file content is base-64 encoded.

You can create a PEM file containing an RSA key pair with OpenSSL-Light on Windows using the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.pem -out myreq.pem

The -nodes parameter stands for "no DES encryption" and allows you to create the PEM file without a password. While OpenSSL on z/VSE supports password-protected PEM keystores, they aren't currently used by any vendor.
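The points above (PEM is base-64 text, may hold a key, a certificate or both, and a key may or may not be password-protected) can be checked before a keystore is handed to z/VSE. The following inspector is an added example, not code from the article or from IBM; the sample PEM it ships with is constructed, with a tiny DER SEQUENCE standing in for real key and certificate bytes.

```python
import base64
import binascii
import re

# One PEM object: BEGIN/END lines with a matching label, optional RFC 1421 headers
# (Proc-Type/DEK-Info mark a legacy password-protected key) and a base-64 body.
PEM_OBJECT = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem(text):
    """Count keys and certificates, flag password-protected keys, report bad objects."""
    report = {"keys": 0, "certs": 0, "encrypted_key": False, "errors": []}
    for obj in PEM_OBJECT.finditer(text):
        label = obj.group("label")
        lines = obj.group("body").splitlines()
        headers = {}
        while lines and ":" in lines[0]:  # base-64 text never contains ':'
            name, _, value = lines.pop(0).partition(":")
            headers[name.strip()] = value.strip()
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or headers.get("Proc-Type") == "4,ENCRYPTED")
        try:
            der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except (binascii.Error, ValueError):
            report["errors"].append(f"{label}: body is not valid base-64")
            continue
        # An unencrypted key or certificate decodes to a DER SEQUENCE (tag 0x30);
        # a legacy encrypted key decodes to ciphertext, so that check is skipped for it.
        if not encrypted and (not der or der[0] != 0x30):
            report["errors"].append(f"{label}: decoded data is not DER")
            continue
        if label == "CERTIFICATE":
            report["certs"] += 1
        elif label in KEY_LABELS:
            report["keys"] += 1
            report["encrypted_key"] = report["encrypted_key"] or encrypted
        else:
            report["errors"].append(f"{label}: unexpected object type")
    return report


# Constructed sample: the key carries the Proc-Type/DEK-Info headers of a
# password-protected legacy key; the certificate body is an unencrypted DER stand-in.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    f"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n{FAKE_DER}\n"
    "-----END RSA PRIVATE KEY-----\n"
    f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
)
```

A keystore created with -nodes as shown above yields encrypted_key False; a report with a non-empty errors list means the file is not a well-formed PEM keystore.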

The created certificate request must be signed by a Certificate Authority (CA) to obtain an SSL certificate. For testing purposes, this signing can occur with the Keyman/VSE utility you can download free from the z/VSE homepage.

Converting Keystores Between Different Formats

Sometimes, you will need to convert a given keystore into another format. For example:

• When SSL client authentication is used, the SSL client may require a keystore format other than PEM.
• The VSE Connector Client requires a Public-Key Cryptography Standards #12 (PKCS-12) file (PFX) or a Java Key Store (JKS) keystore.
• Web browser clients are usually able to import PFX files into their internal keystores.
