Securing RXSOCKET applications with TLS

Presenters: Perry Ruiter, Dave Jones
2019 VM Workshop

Abstract

VM 6.4 included support for securing IUCV based sockets with TLS. Sadly, 6.4 did not enhance Rexx Sockets to exploit that support. Now that 7.1 has shipped (still) without TLS support in Rexx Sockets, customers are forced to take matters into their own hands. Attend this session for an overview of z/VM's SSL/TLS support, what was new in 6.4, the changes done to add TLS support to Rexx Sockets and, finally, a review of a popular Rexx Sockets application that has been secured with TLS.

Agenda

- Introduction
- SSL Configuration in z/VM
- Create an Internal z/VM Certificate Database
- Update z/VM TCP/IP Configuration
- RXSOCKET Updates
- Examples

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at IBM copyright and trademark information - United States. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Introduction

This document provides practical information for the configuration of secured (encrypted) communications with a z/VM 7.1 system, based on Secure Socket Layer/Transport Layer Security (SSL/TLS) technology. Once z/VM SSL/TLS application servers are configured and started with TCP/IP, z/VM TCP/IP application servers can participate in SSL/TLS connections. SSL == old protocol; TLS == new protocol.

In addition, z/VM TCP/IP supports Dynamic Secure Socket Layer/Transport Layer Security (Dynamic SSL/TLS) connections. In such connections, the application servers themselves control the level of acceptance of SSL and the digital certificate to be used.

This presentation focuses on the configuration of the z/VM RSCLIENT/RSSERVER and IPGATE application servers for SSL/TLS connections, and provides client secure configuration examples. It is assumed that the reader has a good understanding of z/VM TCP/IP server configuration, SSL/TLS concepts and digital certificates. For complete information on the SSL implementation in z/VM, refer to the z/VM documentation: TCP/IP Planning and Customization, SC xx.

SSL CONFIGURATION IN z/VM

Topics

- z/VM SSL implementation global picture
- SSL connection principles
- SSL session general processing steps
- Static SSL connection
- Dynamic SSL connection
- SSL server environment in z/VM
- Concept of «pool»
- Hardware cryptographic support

SSL CONFIGURATION IN z/VM: z/VM SSL implementation global picture

(Figure: the TCPIP server with its Standard Ports and Secured Ports; the SSL server pool (SSL0001); the IPGATE and FTP Server application servers; the SSLDCSSM DCSS Management agent; the BFS Keys & Certificates file space administered by GSKADMIN (gskkyman); an FTP Client. A static SSL connect path is marked A, B, C; a dynamic SSL connect path is marked 1, 2, 3.)

SSL CONFIGURATION IN z/VM: Secured vs. Standard ports

Example (PORT statement in the TCP/IP server configuration):

PORT
  80 TCP HTTPSD                ; Web server (standard port)
  81 TCP HTTPSD2 SECURE label  ; Secure server (secured port)

SSL CONFIGURATION IN z/VM: SSL connection principles

An SSL session consists of the following steps (phases):

1) CONNECT
2) HANDSHAKE
3) DATA TRANSMISSION
4) CLOSE

These steps are described below.

SSL CONFIGURATION IN z/VM: SSL session general processing steps

CONNECT step: In this initial phase, a remote client requests a connection with an application server (IPGATE, FTP...). An SSL server is designated to handle the secure connection. Two separate connections are established in the SSL session, depending on whether a static or dynamic SSL connection is requested. The differences are explained in the next section.

HANDSHAKE step: The client initiates the handshake protocol to produce the cryptographic parameters for the session. The SSL server (on behalf of the application server) presents the server certificate to the client. If certificate validation is required by the client, the certificate signature is validated using the issuer Certificate Authority (CA) certificate, which must be available to the client. After validation, the server and the client:

- Agree on cryptographic parameters (protocol, algorithms)
- Generate shared secrets
- Generate the symmetric key from the shared secrets, used to encrypt/decrypt the data in the connection

DATA TRANSMISSION step:

- Encrypted data is produced on the client and transmitted to the server over the network
- Inbound encrypted data received from the remote client is first decrypted by the SSL server, then forwarded in clear to the application server (IPGATE, FTP)
- Outbound unencrypted data received from the application server is encrypted by the SSL server, transmitted to the remote client over the network and decrypted locally by the client

CLOSE step: When a close request is received from either the client or the application server, the SSL server sends a close request to the other party and cleans up the connection.

SSL CONFIGURATION IN z/VM: Static SSL connection

- The secure SSL attribute is granted as soon as the session is initially established (connect phase).
- z/VM TCP/IP application servers (IPGATE, FTP...) are SSL unaware, which means that SSL encryption/decryption is completely handled by the TCP/IP and SSL servers.
- The application server configuration remains unchanged, but secure listening ports are defined in the TCP/IP server configuration and specified in the client configuration as well.
- In the figure above, the green solid line marked A, B and C represents a static SSL connect phase for the IPGATE server.

SSL CONFIGURATION IN z/VM: Dynamic SSL connection

- Both the server and the client are able to control the acceptance and the establishment of the secure SSL attribute for the session.
- The z/VM application server is SSL aware and itself handles the communication with the SSL server by means of a set of specialized APIs and an appropriate digital certificate accessible by the SSL server.
- Secure ports are no longer required with dynamic SSL/TLS, as the application servers continue to listen on their standard ports.
- In the figure above, the red dashed line marked 1, 2 and 3 represents a dynamic SSL connect phase for the IPGATE server.

SSL CONFIGURATION IN z/VM: SSL server environment in z/VM

A z/VM SSL/TLS server environment consists of the following components:

- One TCP/IP VM server configured to enable SSL/TLS connections
- One (or more) pools of SSL/TLS servers associated with that TCP/IP server, which implement the actual SSL/TLS encryption/decryption algorithms
- One DCSS Management Agent virtual machine maintaining SSL/TLS server cache information in a z/VM shared segment, for the SSL/TLS server(s) associated with the TCP/IP server

Multiple SSL server environments can be defined in the same z/VM system, running independently from each other.

At z/VM 7.1 installation, a default SSL/TLS server environment is created with the following components:

- TCP/IP server: TCPIP
- SSL servers: SSL0000n (n = 1 to 5)
- DCSS agent: SSLDCSSM

The SSL environments rely on certificates defined in certificate and key databases. The database and certificate management tasks (creation, deletion, certificate export and import) are performed from the GSKADMIN virtual machine, by means of a utility program called gskkyman. A single database can be used by all SSL server environments. A single certificate in a database can be used by all the SSL server environments sharing that database.

SSL CONFIGURATION IN z/VM: Concept of «pool»

z/VM has long had the concept of a pool of virtual machines, all configured to work on the same type of workload, say, performing SSL/TLS encryption. A pool is defined in the USER DIRECT file via either a USER or IDENTITY statement followed by the POOL statement. An example:

IDENTITY SSL LBYONLY 160M 256M G
  POOL LOW 1 HIGH 5 PROFILE TCPSSLU

This creates a set of 5 virtual machines (SSL00001 to SSL00005), all having common characteristics (class G, 160M memory, surrogate logon only, and based on the TCPSSLU profile). The default SSL server pool (the 5 servers shown above) is designed to serve a maximum of 3000 connections, with a maximum of 600 sessions per server.

SSL CONFIGURATION IN z/VM: Hardware cryptographic support

z/VM SSL supports both forms of cryptographic hardware:

- CPACF, the CP-Assisted Cryptographic Facility. This is a no-charge feature built into the IBM Z or LinuxONE cores, designed to accelerate symmetric algorithms (AES, DES) and hash functions (SHA-1, SHA-256). No configuration is required, as the SSL/TLS server makes use of this feature automatically.
- Crypto Express card. Used to accelerate asymmetric algorithms such as clear-key RSA. When available to the z/VM LPAR, a Crypto Express card can be used by the SSL/TLS server, provided that a CRYPTO APVIRTUAL statement is coded in the SSL server z/VM profile (e.g. TCPSSLU).

CREATE INTERNAL z/VM CERTIFICATE DATABASE

Topics

- GSKADMIN and gskkyman
- Create the database
- Grant read access
- Create the self-signed CA certificate
- Create the CA-signed server certificate
- Display certificate information

CREATE INTERNAL z/VM CERTIFICATE DATABASE: GSKADMIN and gskkyman

To create and manage the database, the z/VM user id GSKADMIN is available. The utility program gskkyman is used to perform management tasks against the certificate database. The GSKADMIN user owns both the BFS file space where the key database resides and the BFS file space used as SSL server temporary work space. GSKADMIN also serves as the SSL server administrative user ID.

CREATE INTERNAL z/VM CERTIFICATE DATABASE: Create the database

The following information is required to create the database:

- database name: use Database.kdb
- database password: user defined
- password expiration: 365 days (one year)
- database record length: use the default value, 5000
- comply with the FIPS standard: enter 1

gskkyman session:

Database Menu
  1 - Create new database
  2 - Open database
  3 - Change database password
  4 - Change database record length
  5 - Delete database
  6 - Create key parameter file
  7 - Display certificate file (Binary or Base64 ASN.1 DER)
  0 - Exit program
Enter option number: 1
Enter key database name (press ENTER to return to menu): Database.kdb
Enter database password (press ENTER to return to menu):
Re-enter database password:
Enter password expiration in days (press ENTER for no expiration): 365
Enter database record length (press ENTER to use 5000):
Enter 1 for FIPS mode database or 0 to continue: 1
Key database /etc/gskadm/database.kdb created.

The database has now been created.

Once the database has been created, the database password must be stored (in a stash file) to allow the SSL server to open the database with automatic login. On the main menu, select option 10:

Expiration: 2020/06/18 10:30:29   Type: FIPS
  1 - Manage keys and certificates
  2 - Manage certificates
  3 - Manage certificate requests
  4 - Create new certificate request
  5 - Receive requested certificate or a renewal certificate
  6 - Create a self-signed certificate
  7 - Import a certificate
  8 - Import a certificate and a private key
  9 - Show the default key
 10 - Store database password
 11 - Show database record length
  0 - Exit program
Enter option number (press ENTER to return to previous menu): 10
Database password stored in /etc/gskadm/database.sth.
Press ENTER to continue

Anyone able to read the stash file can open the database, which is why the next step grants read access only to the SSL servers' group.

CREATE INTERNAL z/VM CERTIFICATE DATABASE: Grant read access

First, select option 0 to exit from the gskkyman program. The POSIX statement in the TCPSSLU profile used to generate the default SSL pool sets the SSL server group ownership to security. At this point, only the GSKADMIN user has access to the files, in r/w mode. We want users from the same group (security) to be able to access the files in read mode. The SSL servers are part of the security group. Execute the following openvm commands to grant read authority for the security group to the kdb and sth files:

Ready;
openvm permit /etc/gskadm/database.kdb rw- r
Ready;
openvm permit /etc/gskadm/database.sth rw- r

CREATE INTERNAL z/VM CERTIFICATE DATABASE: Create the self-signed CA certificate

(Note: this is just an example for the sake of showing how it's done. In most cases, you will be using a certificate created by an external CA.)

Logged on as the GSKADMIN user id, start the gskkyman program:

Database Menu
  1 - Create new database
  2 - Open database
  3 - Change database password
  4 - Change database record length
  5 - Delete database
  6 - Create key parameter file
  7 - Display certificate file (Binary or Base64 ASN.1 DER)
  0 - Exit program
Enter option number: 2
Enter key database name (press ENTER to return to menu): Database.kdb
Enter database password (press ENTER to return to menu):

Key Management Menu
  1 - Manage keys and certificates
  2 - Manage certificates
  3 - Manage certificate requests
  4 - Create new certificate request
  5 - Receive requested certificate or a renewal certificate
  6 - Create a self-signed certificate
  7 - Import a certificate
  8 - Import a certificate and a private key
  9 - Show the default key
 10 - Store database password
 11 - Show database record length
  0 - Exit program
Enter option number (press ENTER to return to previous menu): 6

Certificate Usage
  1 - CA certificate
  2 - User or server certificate
Select certificate usage (press ENTER to return to menu):

RSA Key Size
  (list of available key sizes: ... bit key, ... bit key, ... bit key)
Select RSA key size (press ENTER to return to menu): 2

Signature Digest Type
  (list of SHA digests: SHA ..., SHA ..., SHA ..., SHA ..., SHA-512)
Select digest type (press ENTER to return to menu):

Enter label (press ENTER to return to menu): ZVMCA
Enter subject name for certificate
  Common name (required): zvmca
  Organizational unit (optional): ITC
  Organization (required): ITC
  City/Locality (optional):
  State/Province (optional):
  Country/Region (2 characters - required): US
Enter number of days certificate will be valid (default 365): 365
Enter 1 to specify subject alternate names or 0 to continue: 0
Please wait...
Certificate created

CREATE INTERNAL z/VM CERTIFICATE DATABASE: Create the CA-signed server certificate

From the Key Management Menu, select option 1 - Manage keys and certificates:

  1 - Manage keys and certificates
  2 - Manage certificates
  3 - Manage certificate requests
  4 - Create new certificate request
  5 - Receive requested certificate or a renewal certificate
  6 - Create a self-signed certificate
  7 - Import a certificate
  8 - Import a certificate and a private key
  9 - Show the default key
 10 - Store database password
 11 - Show database record length
  0 - Exit program
Enter option number (press ENTER to return to previous menu):

Then select 1 for ZVMCA:

Key and Certificate List
Database: /etc/gskadm/database.kdb
  1 - ZVMCA
  0 - Return to selection menu
Enter label number (ENTER to return to selection menu, p for previous list):

Key and Certificate Menu
Label: ZVMCA
  1 - Show certificate information
  2 - Show key information
  3 - Set key as default
  4 - Set certificate trust status
  5 - Copy certificate and key to another database
  6 - Export certificate to a file
  7 - Export certificate and key to a file
  8 - Delete certificate and key
  9 - Change label
 10 - Create a signed certificate and key
 11 - Create a certificate renewal request
  0 - Exit program
Enter option number (press ENTER to return to previous menu):

Then select option 2 (User or server certificate):

Certificate Usage
  1 - CA certificate
  2 - User or server certificate
Select certificate usage (press ENTER to return to menu): 2

Then, following the same steps used in creating the CA certificate, enter the following data for the server certificate:

- Key algorithm: RSA
- Key size: 2048
- Label: SMBSSI
- Common name: smbssi
- Organizational unit: (leave blank)
- Organization: ITC
- City/Locality: (leave blank)
- State/Province: (leave blank)
- Country: US
- Validity: 720
- Alternate names:

CREATE INTERNAL z/VM CERTIFICATE DATABASE: Display certificate information

Information about certificates stored in the database can be displayed using option 1 from the Key and Certificate Menu:

Key and Certificate Menu
Label: ZVMCA
  1 - Show certificate information
  2 - Show key information
  3 - Set key as default
  4 - Set certificate trust status
  5 - Copy certificate and key to another database
  6 - Export certificate to a file
  7 - Export certificate and key to a file
  8 - Delete certificate and key
  9 - Change label
 10 - Create a signed certificate and key
 11 - Create a certificate renewal request
  0 - Exit program
Enter option number (press ENTER to return to previous menu):

Certificate Information
  Label: ZVMCA
  Record ID: 11
  Issuer Record ID: 11
  Trusted: Yes
  Version: 3
  Serial number: 5d0a8f
  Issuer name: zvmca ITC ITC US
  Subject name: zvmca ITC ITC US
  Effective date: 2019/06/19
  Expiration date: 2020/06/18
  Signature algorithm: sha512withrsaencryption
  Issuer unique ID: None
  Subject unique ID: None
  Public key algorithm: rsaencryption
  Public key size: 2048
  Public key: ... 10 FD 4B 08 DF D5 CF 36 A (hex dump abbreviated)
  Number of extensions: 4
Enter 1 to display extensions, 0 to return to menu: 1

Certificate Extensions List
  1 - subjectkeyidentifier
  2 - authoritykeyidentifier
  3 - keyusage (critical)
  4 - basicconstraints (critical)
Enter extension number (press ENTER to return to previous menu): 1
49 DA C1 22 5E D6 FB 60 E3 74 C4 0D FE F D 9B 47
Press ENTER to continue.

Certificate Extensions List
  1 - subjectkeyidentifier
  2 - authoritykeyidentifier
  3 - keyusage (critical)
  4 - basicconstraints (critical)
Enter extension number (press ENTER to return to previous menu): 2
Key identifier: 49 DA C1 22 5E D6 FB 60 E3 74 C4 0D FE F D 9B 47
Press ENTER to continue

As expected for a self-signed CA certificate, the authority key identifier matches the subject key identifier and the Issuer Record ID equals the Record ID.

UPDATE z/VM TCP/IP CONFIGURATION

Topics

- Update the SYSTEM DTCPARMS file
- Update the PROFILE TCPIP file
- Restart TCPIP
- Check log file
- QUERY NAMES

UPD
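The gskkyman procedure from the certificate database section above (self-signed ZVMCA, then the CA-signed SMBSSI server certificate, then the certificate display) reproduced with openssl, as an added example that is not from the slides or from z/VM. It builds the same two certificates with the extension set the "Display certificate information" slides list, and checks that the server certificate chains to the CA, which is the validation a client performs in the HANDSHAKE step. The work directory and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: the gskkyman steps reproduced with
# openssl. Subject fields, RSA 2048, SHA-512 and the 365/720 day validity
# periods come from the slides; the work directory is an assumption.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA with the extensions gskkyman displays for ZVMCA
# (subjectKeyIdentifier, authorityKeyIdentifier, keyUsage and
# basicConstraints, the last two marked critical).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/zvmca.key" \
    -out "$WORK/zvmca.csr" -subj "/CN=zvmca/OU=ITC/O=ITC/C=US" 2>/dev/null
  printf '%s\n' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'basicConstraints=critical,CA:TRUE' > "$WORK/ca.ext"
  openssl x509 -req -sha512 -days 365 -in "$WORK/zvmca.csr" \
    -signkey "$WORK/zvmca.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/zvmca.crt" 2>/dev/null
}

# Server certificate signed by that CA (the slides' SMBSSI entry).
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/smbssi.key" \
    -out "$WORK/smbssi.csr" -subj "/CN=smbssi/O=ITC/C=US" 2>/dev/null
  printf '%s\n' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'basicConstraints=critical,CA:FALSE' > "$WORK/srv.ext"
  openssl x509 -req -sha512 -days 720 -in "$WORK/smbssi.csr" \
    -CA "$WORK/zvmca.crt" -CAkey "$WORK/zvmca.key" -CAcreateserial \
    -extfile "$WORK/srv.ext" -out "$WORK/smbssi.crt" 2>/dev/null
}

# The chain check a client performs in the HANDSHAKE step: the server
# certificate must validate against the CA certificate. Exit status 0 = OK.
verify_chain() {
  openssl verify -CAfile "$WORK/zvmca.crt" "$WORK/smbssi.crt" >/dev/null 2>&1
}

# Helpers mirroring gskkyman's "Show certificate information" fields.
issuer_dn() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }
rsa_bits()  { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
is_ca()     { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Run as "sh thisfile.sh run" to build both certificates and display them.
if [ "${1:-}" = "run" ]; then
  make_ca; make_server_cert
  verify_chain && echo "smbssi chains to zvmca"
  openssl x509 -in "$WORK/smbssi.crt" -noout -subject -issuer -dates
fi
```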