z/tpf OpenSSL Support Dan Yee IBM Software Engineer August 10, 2016

Transcription

1 z/tpf OpenSSL Support Dan Yee IBM Software Engineer August 10,

2 Disclaimer Any reference to future plans are for planning purposes only. IBM reserves the right to change those plans at its discretion. Any reliance on such a disclosure is solely at your own risk. IBM makes no commitment to provide additional information in the future. 2

3 Agenda OpenSSL Introduction OpenSSL Support on z/tpf z/tpf Shared SSL Support z/tpf CPACF and Crypto Express Support Generating public key pairs and certificates on z/tpf z/tpf SSL Demo 3

4 SSL Introduction SSL - Secure Sockets Layer Enables socket applications using TCP protocol to communicate in a secure manner over the TCP/IP network Netscape originally developed SSL protocol versions 2 and 3 in 1995 and Transport Layer Security (TLS) protocol versions TLS 1.0, 1.1, and 1.2 were developed in 1999, 2006, and OpenSSL became a popular implementation of the SSL and TLS protocols after its first release in OpenSSL was ported to TPF 4.1 in 2001, and OpenSSL 0.9.7c was included in z/tpf base in

5 OpenSSL Support on z/tpf OpenSSL 1.0.2e (APARs PJ42982 and PJ43537 on z/tpf PUT 13) supported January 2016 Dropped support of SSL versions 2 and 3 Dropped support of RC2 and RC4 encryption algorithms Supports TLS versions 1.0, 1.1, and 1.2 Supports SHA-256 hashing algorithm SSL performance enhanced (50% to 90% reduction in CPU usage) Vulnerability fixes from 2003 to 2015 improve security of z/tpf s support Fewer modifications to OpenSSL code, facilitating future OpenSSL ports Intention to port latest version of OpenSSL more often 5

6 How does z/tpf port OpenSSL? Download OpenSSL from Configure opensslconf.h with options not supported Support AES, DES, SHA1/SHA256 Error strings disabled Set compiler options in cssl.mak Add z/tpf modifications to OpenSSL Build CSSL and z/tpf SSL segments (if necessary) Load updated code to VM and native test systems Run internal SSL drivers and associated SSL middleware (HTTP server/client, MQ, FTP client) 6

7 z/tpf Shared SSL Support Unique to z/tpf Allows SSL sessions to be shared by multiple ECBs Shared SSL sessions managed by SSL daemon processes SSL daemon process contains multiple threads to process functions Increase number of SSL daemon processes and threads to improve scalability Number of processes and threads configurable 7

8 Configuring Shared SSL Modify SNAKEY macro SSLPROC parameter defines number of SSL daemon processes (0 to 16) SSLTHRD parameter defined number of thread ECBs per daemon process (0 to 32) SSL1052 parameter defined whether SSL daemon processes start in 1052 state (YES or NO) Reassemble and load CTK2 8

9 Managing SSL daemons SSL daemons started automatically If SSL1052-YES, SSL daemons started in 1052 state If SSL1052-NO, SSL daemons started in CRAS state ZSSLD STOP stops SSL daemon processes ZSSLD START starts SSL daemon processes after being stopped ZSSLD RECYCLE stops and starts SSL daemon processes ZSSLD DISPLAY displays statistical information about SSL daemon processes 9

10 ZSSLD DISPLAY example CSMP0097I CPU-B SS-BSS SSU-HPN IS-01 CSMP0099I B ZSSLD DISPLAY+ CSMP0097I CPU-B SS-BSS SSU-HPN IS-01 SSLD0007I CSSLZD - SSL STATISTICAL INFORMATION LAST MINUTE HIGH WATER MARK SESSIONS STARTED 2 5 SSL_WRITES ISSUED _ SSL_READS ISSUED MEGABYTES SENT MEGABYTES RECEIVED SSL ACTIVE MAX ACT CURRENT MAX HEAP AVAIL MAX HEAP DAEMON THREADS THREADS SESS SESS IN USE HEAP IN USE

11 Displaying/changing SSL shared support configuration ZNKEY SSLPROC Display number of SSL daemon processes Change number of SSL daemon processes (1 to 16) Takes effect on ZSSLD RECYCLE or ZSSLD STOP and ZSSLD START ZNKEY SSLTHRD Display number of thread ECBs per daemon process Change number of thread ECBs per daemon process (1 to 32) Takes effect on ZSSLD RECYCLE or ZSSLD STOP and ZSSLD START ZNKEY SSL1052 Display whether SSL daemon processes start in 1052 state Change whether SSL daemon processes start in 1052 state (YES/NO) Takes effect on ZSSLD RECYCLE or ZSSLD STOP and ZSSLD START 11

12 z/tpf unique SSL functions SSL_aor SSL_get_peer_certificate_subject_info SSL_get_peer_certificate_FQDN SSL_CTX_new_shared SSL_CTX_load_and_set_client_CA_file SSL_load_and_set_client_CA_file 12

13 z/tpf SSL_aor Function Enables caller s ECB to exit before data arrives to save on resources (similar to activate_on_receipt) Format SSL_aor(SSL *ssl, unsigned char *parm, unsigned char * pgm, unsigned int istream) When data arrives, program specified is activated. Application interface EBW004-EBW011 8 byte data passed from caller (*parm) EBW016-EBW019 socket descriptor EBW020 time-out flag EBW024-EBW031 - SSL token (SSL *ssl) Activated program issues SSL_read to read in data 13

14 INETD SSL Model Features Builds efficient SSL server for SSL shared applications Creates and manages CTX structure Sets up and completes SSL handshake Provides USSL user exit to perform initialization and cleanup tasks when server is started or stopped User tasks Provide SSL configuration file /etc/inetd/ssl/<servername.conf> Provide SSL application to read/write data, free SSL session, close SSL connection Code USSL user exit Starting/stopping INETD SSL model ZINET ADD S-S7500 PORT-7550 PGM-QSSZ MODEL-SSL STATE-CRAS ACT- AUTO PARM-S7500 ZINET START S-S7500 ZINET STOP S-S

15 INETD SSL Model Interface Application called by INETD during client connection Application interface EBW008-EBW011 - client connection socket. EBW016-EBW023 - parameter string specified with the PARM parameter of the ZINET ADD command. EBW024-EBW031 - SSL token associated with the new SSL session. 15

16 Sample SSL Server Application Program 1 (entered by INETD) setsockopt (set time-out and buffer sizes) SSL_aor exit Program 2 (activated by SSL_aor) SSL_read SSL_write SSL_aor (to program 2) exit 16

17 SAMPLE SSL CONFIGURATION FILE USESSL=YES VERSION=TLSv1_2 CIPHER=DES-CBC3-SHA,DES-CBC-SHA,AES256-SHA256 VERIFYPEER=NO CERTIFICATE=/certs/tpf7550_cert.pem CERTTYPE=PEM KEY=/tpfpubk/tpf7550.pem KEYTYPE=PEM 17

18 SSL Hardware Accelerator - CPACF Performs symmetric key encryption and calculates message digests in hardware faster than software z/tpf automatically detects and uses any available CPACF features Supports following algorithms SHA-1 for message integrity SHA-256 for message integrity DES for data encryption TDES for data encryption AES-128 for data encryption AES-256 for data encryption z/tpf invokes CPACF on I-stream cipher operation was requested. Use ZCPAC DISPLAY to obtain performance information for CPACF cipher algorithms 18

19 SSL Hardware Accelerator Crypto Express Performs Rivest-Shamir-Adelman (RSA) operations in hardware faster than software z/tpf automatically detects and uses any available Crypto Express cards z/tpf load balances RSA operations among defined Crypto Express cards z/tpf supports following Crypto Express cards: Crypto Express2 (z9) Crypto Express3 (z10) Crypto Express4S (EC12) Crypto Express5S (z13) Crypto Express card must be configured in accelerator mode. Crypto Express card is required to generate z/tpf public key pairs with ZPUBK GENERATE command Use ZCRYP DISPLAY command to obtain performance information for each Crypto Express card. 19

20 Generating public key pairs on z/tpf Public key pair and certificate required to start SSL session Enter ZPUBK GENERATE command to generate public key pair on z/tpf ZPUBK GENERATE KEYPAIR-KEYNAME1 CIPHER-RSA2048 (generate key) ZKEYS BACKUP PATH-/keys/backup.fil (back up the keystore) ZPUBK ACTIVATE KEYPAIR-KEYNAME1 (activate the key) Keypair saved in z/tpf keystore and can be reused for multiple SSL sessions Enter ZPUBK DISPLAY command to see keypairs saved in keystore 20

21 Creating self-signed certificates and certificate requests on z/tpf Use ZPUBK REQCERT command to create a create a self-signed certificate SSIGNED parameter creates self-signed certificate suitable for testing. Input key pair name, configuration file, and digest (SHA1/MD5) Output file to put certificate ZPUBK REQCERT PATH-/certs/certreq.fil KEYPAIR-KEYNAME1 CONFIG-/sslcfg/myssl.cfg DIGEST-SHA1 SSIGNED Use ZPUBK REQCERT command to create certificate request Omitting SSIGNED parameter creates a certificate request that can be sent to a certificate authority (CA) for signing ZPUBK REQCERT PATH-/certs/certreq.fil KEYPAIR-KEYNAME1 CONFIG-/sslcfg/myssl.cfg DIGEST-SHA1 21

22 References RFCs 2246 (TLS 1.0), 4346 (TLS 1.1), and 5246 (TLS 1.2) (link to z/tpf documentation in IBM Knowledge Center) z/tpf Security z/tpf C/C++ Language Support z/tpf Operations 22