Security

The ability to port OpenSSL to z/VSE is beneficial to IBM customers and vendors. This article reviews those benefits and offers insight on:

• How OpenSSL on z/VSE is both similar to and different from OpenSSL on other platforms
• What’s involved in creating random numbers and keystores
• How the IPv6/VSE product from IBM/Barnard Software, Inc. (BSI) uses OpenSSL to support the Secure Sockets Layer (SSL) for applications.

Why Port OpenSSL to z/VSE?

Written in C and available for many operating systems and hardware platforms, OpenSSL is an open source project providing an SSL implementation and key management utilities. You can learn more at www.openssl.org/. Porting OpenSSL to z/VSE:

• Provides SSL for those IP stacks that currently don’t have an SSL implementation—IPv6/VSE and Linux Fast Path (LFP)
• Gives vendors that already provide SSL for their stack, such as TCP/IP for VSE/ESA, another alternative to offer their customers.

On z/VSE 5.1, OpenSSL is part of a new system component, VSE CryptoServices 5686-CF9-17, CLC=51S. It’s installed in PRD1.BASE and includes:

• IJBSSL phase, which is the OpenSSL implementation
• SPEEDTST phase, which invokes the built-in OpenSSL speed test
• NOTICES.Z, which provides license information
• IJBSLVSE.OBJ, which provides access to the Application Program Interfaces (APIs) and must be linked to your application
• IJBSSL.H, which provides function prototypes.

What’s Unique on z/VSE?

Two unique features are available only on z/VSE:

• A z/OS-compatible SSL API. This is described in z/OS Cryptographic Services, SSL Programming (SC24-5901). All existing SSL applications on z/VSE, such as CICS Web Support, VSE Connector Server and WebSphere MQ for z/VSE, can use this feature. Wrapping the native OpenSSL functions with the z/OS SSL API lets existing z/VSE SSL applications run unchanged with OpenSSL.
• Support for IBM System z cryptographic hardware.

Although OpenSSL can perform all encryption algorithms with all key lengths in software, performance is dramatically improved by using hardware cryptographic support. Moreover, hardware functionality can be used that isn’t available in software, such as hardware-based generation of random numbers.

Creating Random Numbers

Creating random numbers is a sensitive task in every crypto system. OpenSSL contains a set of platform-specific source modules, one per supported operating system, that use that platform's facilities to supply random numbers. A new source module for VSE uses the API phase IJBCRLIB to obtain random bytes. The Encryption Facility for z/VSE also uses this function to create encryption keys.
