Phase IJBCRLIB is responsible for ensuring the best possible random number generator available on the given hardware is used. With z/VSE 5.1, you can get random numbers using:
• A crypto coprocessor card (CEX2C, CEX3C or CEX4C), which is the best option because a crypto card returns true random numbers independent of any seed value.
• The CP Assist for Cryptographic Functions (CPACF)-provided Pseudo Random Number Generator (PRNG), which needs a seed value; this seed can be obtained from various sources of randomness in the system. The PRNG function is available on System z10 and later.
• A pure software-based random number generator in case the first two alternatives aren’t available.
Two variables control how OpenSSL behaves on z/VSE. You can turn crypto hardware on and off via parameter SSL$ICA:
// SETPARM SSL$ICA = [ 'YES' | 'NO' ]
You can control the debug trace via variable SSL$DBG:
// SETPARM SSL$DBG = [ 'YES' | 'NO' ]
OpenSSL uses the Privacy-Enhanced Mail (PEM) format to store keys and certificates. PEM files may contain an RSA key pair, an SSL certificate or both, and may or may not be password-protected. While other keystore formats are just binary, the PEM file content is base-64 encoded.
You can create a PEM file containing an RSA key pair with OpenSSL-Light on Windows using the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.pem -out myreq.pem
The -nodes parameter stands for "no DES encryption" and allows you to create the PEM file without a password. While OpenSSL on z/VSE supports password-protected PEM keystores, they aren't currently exploited by any vendor.
The created certificate request must be signed by a Certificate Authority (CA) to obtain an SSL certificate. For testing purposes, this signing can occur with the Keyman/VSE utility you can download free from the z/VSE homepage.
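Because a PEM file may hold a key, a certificate or both, and the key may or may not be password-protected, it is worth checking what a given file actually contains before handing it to a server or a client. The following is an added example, not code from the original article or from IBM: a POSIX shell function that walks the `-----BEGIN` / `-----END` blocks of a PEM file, prints each object's label, and for private keys reports whether the block is encrypted (either the PKCS#8 `ENCRYPTED PRIVATE KEY` label or the legacy `Proc-Type: 4,ENCRYPTED` header that OpenSSL writes when `-nodes` is not given). The function names and the sample file are constructed for the demonstration; only `awk` is required.

```shell
#!/bin/sh
# Added example (not from the original article): inspect a PEM keystore and
# report which objects it holds and whether each private key is protected.
# Assumes only POSIX sh and awk; function names are constructed for the demo.

# pem_inspect FILE
# Prints one line per PEM object. Private keys are flagged as
# "password-protected" or "NOT password-protected"; other objects
# (certificates, requests) are printed by label only.
pem_inspect() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        /^-----BEGIN / {
            label = $0
            sub(/^-----BEGIN /, "", label)
            sub(/-----$/, "", label)
            enc = 0          # reset per block: the DEK header belongs to one block
            next
        }
        /^Proc-Type: 4,ENCRYPTED/ { enc = 1; next }   # legacy OpenSSL encrypted key
        /^-----END / {
            if (label ~ /PRIVATE KEY/) {
                if (label == "ENCRYPTED PRIVATE KEY" || enc)
                    print label ": password-protected"
                else
                    print label ": NOT password-protected"
            } else {
                print label
            }
        }
    ' "$1"
}

# pem_count FILE
# Number of PEM objects in the file (a key pair plus certificate gives 2).
pem_count() {
    grep -c '^-----BEGIN ' "$1"
}

# pem_has_plain_key FILE
# Succeeds (exit 0) when the file contains at least one unprotected private
# key, which is exactly what the article's -nodes invocation produces.
pem_has_plain_key() {
    pem_inspect "$1" | grep -q 'NOT password-protected'
}
```

Run `pem_inspect mykey.pem` on the file produced by the `openssl req ... -nodes` command above and the key line reads `NOT password-protected`; the same file without `-nodes` shows the `Proc-Type` header and is reported as protected. The PEM body itself is not decoded here, so the check is a fast inventory, not a validation of the key material.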
Converting Keystores Between Different Formats
Sometimes, you will need to convert a given keystore into another format. For example:
• An SSL client used for SSL client authentication may require a keystore format other than PEM.
• The VSE Connector Client requires a Public-Key Cryptography Standards version 12 (PKCS-12) file (PFX) or Java Key Store (JKS) keystore.
• Web browser clients are usually able to import PFX files into their internal keystores.
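The conversion the list above calls for, as an added example that is not part of the original article or of any IBM tool: a shell script that creates the PEM key and certificate the way the article's `openssl req` command does, packages them into a password-protected PKCS-12 (PFX) file that the VSE Connector Client or a browser can import, verifies that the PFX opens with that password, and optionally turns the PFX into a JKS with the JDK's `keytool`. It requires the `openssl` command line (and `keytool` only for the JKS step); the file names, the subject name and the export password are constructed for the demonstration. Note that `-x509` makes `openssl req` emit a self-signed certificate rather than a request, which is convenient for testing but would be replaced by a CA-signed certificate in production as the article describes.

```shell
#!/bin/sh
# Added example (not from the original article): PEM -> PFX -> JKS conversion.
# Requires the openssl CLI; keytool is only needed for pfx_to_jks.
# File names, subject and password below are constructed for the demo.
set -e

# make_pem
# RSA key pair plus a self-signed certificate, without a password (-nodes),
# mirroring the article's command. Test use only.
make_pem() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout mykey.pem -out mycert.pem -subj "/CN=vse-test" 2>/dev/null
}

# pem_to_pfx PASSWORD
# Bundle key and certificate into client.pfx. Unlike the -nodes PEM file,
# a PFX is always encrypted, so the export password is mandatory.
pem_to_pfx() {
    openssl pkcs12 -export -inkey mykey.pem -in mycert.pem \
        -name vseclient -out client.pfx -passout "pass:$1"
}

# pfx_check PASSWORD
# Succeeds only if the PFX opens with PASSWORD and yields both a certificate
# and a private key; a wrong password makes openssl fail and grep finds nothing.
pfx_check() {
    openssl pkcs12 -in client.pfx -passin "pass:$1" -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 1
    openssl pkcs12 -in client.pfx -passin "pass:$1" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# pfx_to_jks PASSWORD
# Import the PFX into a Java Key Store for clients that want JKS rather than
# PKCS-12. The same password is used for source and destination here.
pfx_to_jks() {
    keytool -importkeystore -srckeystore client.pfx -srcstoretype PKCS12 \
        -srcstorepass "$1" -destkeystore client.jks -deststoretype JKS \
        -deststorepass "$1" -noprompt
}
```

Import `client.pfx` into a browser or point the VSE Connector Client at it (or at `client.jks` after `pfx_to_jks`). Because the PEM input from `-nodes` holds the private key in clear text, delete or protect `mykey.pem` once the PFX exists; the PFX's password is the only thing standing between a copied keystore and the client identity it carries.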