Lennie,
I did start the GSKSRVR. Its command (DISPLAY CRYPTO) shows which
algorithms are hardware assisted.
However, it is not proof that the TCPIP family really uses crypto hardware.
I tried to trace it by using AUDIT(ALL) for CSFSERV profiles on some
tech/sandbox LPAR - and the results show some users like me (I ran some
simple programs using ICSF services) or MQ, but no clue about TCPIP.
I also tried to use Omegamon TEP, however the views are obsolete and I
cannot reconfigure it. And still no trace of TCPIP.
Regards
--
Radoslaw Skorupka
Lodz, Poland
On 21.01.2022 at 16:50, Lennie Dymoke-Bradshaw wrote:
Radoslaw,
There are 2 parts to TLS encryption, the handshake and the data encryption.
(Others may argue there are more.) These are the handshake and the data
transfer. The handshake uses asymmetric encryption (RSA key pairs typically,
but also Elliptic Curve key pairs), while the data transfer uses symmetric
encryption.
TLS will use CPACF for the data encryption if it is physically available and
the encryption mechanism is supported by CPACF.
TLS will use Crypto Express 2 device for the handshake if it can. This may
depend again on the encryption mechanism requested in the Cipher suite
specified.
TLS will use software where it cannot use the hardware.
TLS also uses hashing. This too is usually handled using CPACF, if available.
Also I think that the z15 CPACF has some asymmetric support which can also be
invoked.
You have to make sure that the Cipher Suite you choose is supported by the
hardware.
There are RMF reports showing Crypto usage, but I have only seen these in batch
reports. Maybe they are available on panels and others can help you.
You will probably find it useful to run the SSL started task, GSKSRVR. This
will give you information about sessions using TLS and SSL. It is an optional
address space. It is documented in Chapter 11 of
Cryptographic Services System Secure Sockets Layer Programming SC14-7495-50.
Depending on the 3270 client you are using there will usually be a way to see
what is being used. For example on Vista 3270 you can click the little upward
arrow in the bottom left of the screen. This shows you the crypto services
being used.
Regards
Lennie
Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Radoslaw Skorupka
Sent: 21 January 2022 13:11
To: [email protected]
Subject: TCPIP and ICSF. And RMF
How to reconfigure TCPIP family members (TCPIP, TN3270, FTP, etc.) to start
using ICSF services for things requiring cryptography?
And how to check whether they use/don't use ICSF?
Another question: is there any RMF screen showing current utilization of crypto
HW?