>>> On 9/1/2017 at 12:48 PM, Michael MacIsaac <[email protected]> wrote:
> Hi,
>
> If I believe the marketing, I should get crypto magically when switching
> from HTTP to HTTPS using Apache under zLinux, just by buying a z14.
>
> Well we don't have any z14s and I'm not sure I believe the hype. Does
> anyone know of a HOWTO on this?
>
> I did write up a "recipe" (26.4 Hardware cryptographic support for OpenSSH)
> in a Cookbook years ago on using the library openssl/engines/libibmca.so -
> but I am under the impression this process is for OpenSSH, not Apache HTTPS.

We don't have a z14 either, but switching to HTTPS does result in encrypted communications between the two endpoints in the transaction. That's always been true, regardless of machine type or the software being used.

The more important question, and the one I _think_ you're asking, is "will IBM Z crypto hardware be used automagically for this?"

Of course, the two possibilities are the CPACF "stuff" built into the CPUs. I've never really dug into whether or not any of those get used by anything in the Apache "stack". The other possibility is the openssl-ibmca package which acts as the interface to the crypto card. Personally, I would have to believe that until we, or any other Linux distributor, starts shipping Apache and OpenSSL with that already configured, you're not going to be using the crypto card for HTTPS.

Now, the z14 marketing would indicate that the whole time your data and communications are inside a z14 they will be encrypted by the hardware. How all that magic works is something I haven't seen anything on. (I didn't get a chance at SHARE to attend any sessions that got into the actual details.)

Mark Post

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
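
Added example, not part of the original message or of any distribution's tooling: a small shell check for the two hardware paths named in the reply above, CPACF in the CPU and the ibmca engine from openssl-ibmca. It assumes the s390x kernel reports CPACF as the "msa" flag on the "features" line of /proc/cpuinfo and that "openssl engine" lists the engine as "(ibmca)"; the sample inputs and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs so the logic can be exercised on any machine.
SAMPLE_CPUINFO='vendor_id       : IBM/S390
features        : esan3 zarch stfle msa ldisp eimm dfp'
SAMPLE_ENGINES='(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support'

# has_cpacf CPUINFO_TEXT: succeeds if the features line carries the "msa" flag.
has_cpacf() {
    printf '%s\n' "$1" |
        grep -Eq '^features[[:space:]]*:.*[[:space:]]msa([[:space:]]|$)'
}

# has_ibmca ENGINE_LIST_TEXT: succeeds if an engine with id "ibmca" is listed.
has_ibmca() {
    printf '%s\n' "$1" | grep -q '^(ibmca)'
}

# crypto_paths CPUINFO_TEXT ENGINE_LIST_TEXT: prints which paths look available.
crypto_paths() {
    out=""
    if has_cpacf "$1"; then out="cpacf"; fi
    if has_ibmca "$2"; then out="${out:+$out }ibmca-engine"; fi
    printf '%s\n' "${out:-software-only}"
}

# With --live, inspect the running system instead of the samples.
if [ "${1:-}" = "--live" ]; then
    crypto_paths "$(cat /proc/cpuinfo)" "$(openssl engine 2>/dev/null)"
fi
```

A listed engine only shows that OpenSSL can load it; whether Apache actually uses it still depends on how its TLS module is configured.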
