TCP/IP for VM Secure Socket Layer (SSL) Server
Configuration Information and Requirements
for z/VM 540
SSL Server for z/VM 5.4 - z/VM Requirements
With z/VM Version 5 Release 4.0 (540), the SSL server is implemented as a CMS-based server for which the key database is maintained in the z/VM Byte File System (BFS), and which is managed via a stand-alone utility program, gskkyman. More information about this level of the SSL server is available via the Migration Considerations page and TCP/IP Planning and Customization.
Important Notes:
- PTF Requirements
  The PTF for APAR PK65850 must be installed to enable the SSL server. The PTF for this APAR became available 12 December 2008. Also, check the Service Updates page for detailed information about service updates that are available and necessary for running the z/VM SSL server.
- Compatibility
  Prior-level SSL server implementations cannot be used with z/VM 540, nor can the 540 level of the SSL server be used with prior levels of z/VM. A z/VM level 520 or 530 certificate database cannot be relocated and used as-is by the z/VM 540 SSL server. To migrate certificates (with private keys) from a 520 or 530 level certificate database to the one used by the 540 level SSL server, the PTF for APAR PK75661 must be installed. Note that this PTF is not yet available.
SSL Server Certificate Management Considerations
- z/VM Certificate Label Requirements
  The labels for certificates that are to be used by the SSL server (whether those certificates are server certificates or self-signed certificates) must be no more than eight characters long and must consist only of uppercase alphanumeric characters. Although the gskkyman utility program does not enforce these requirements, they must still be applied during z/VM SSL certificate management activities.
- Initial Setup of the Key Database
  In the SC24-6125-04 level of TCP/IP Planning and Customization, Step 3 of Chapter 20, Configuring the SSL Server, refers the reader to these pages for information on setting up the initial certificate (key) database. The steps for this process are now included in the SC24-6125-05 level of TCP/IP Planning and Customization.
- Certificate Import/Export
  When certificates are exported from the key database to a BFS file using a binary file format, via either of these gskkyman export options:
    1 - Binary PKCS #12 Version 1
    3 - Binary PKCS #12 Version 3
  the resulting file, when propagated to a minidisk, should be processed with the OPENVM GETBFS command with the (BFSLINE NONE option to maintain the binary nature of the file.
  Conversely, when certificates are exported from the key database to a BFS file using a Base64 file format, via either of these gskkyman export options:
    2 - Base64 PKCS #12 Version 1
    4 - Base64 PKCS #12 Version 3
  the resulting file, when propagated to a minidisk, should be processed with the OPENVM GETBFS command with the (BFSLINE NL option to ensure the appropriate record structure is maintained.
  Note that an attempt to import an incorrectly exported certificate into another certificate database will likely fail, and might be reported as one of the following error conditions:
    - The certificate password is not valid
    - The certificate content is not valid
    - The certificate length is not valid
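As an added example (not IBM's code and not part of this page), the following Python script applies the two checks from the preceding items: it validates a certificate label against the label rules stated above, and it inspects the bytes of an exported PKCS #12 file to report which OPENVM GETBFS option applies, flagging a binary export whose DER header length no longer matches the file size. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re
from typing import Optional

LABEL_RE = re.compile(r"^[A-Z0-9]{1,8}$")         # page rule: 1-8 uppercase alphanumerics
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")     # Base64 alphabet, padding, CR/LF

def check_label(label: str) -> bool:
    """True if the label meets the z/VM SSL server rules (not enforced by gskkyman)."""
    return LABEL_RE.fullmatch(label) is not None

def der_total_length(data: bytes) -> Optional[int]:
    """Total size implied by an outer DER SEQUENCE header (tag 0x30), or None
    if the data does not start with a definite-length SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: this byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_export(data: bytes) -> str:
    """'base64', 'binary-ok', 'binary-damaged' (DER header length disagrees
    with the file size, so the file was mangled in transfer) or 'unknown'."""
    if B64_RE.match(data):                # Base64 text is checked first: a DER
        try:                              # file contains bytes outside this set
            base64.b64decode(data)
            return "base64"
        except binascii.Error:
            return "unknown"
    total = der_total_length(data)
    if total is None:
        return "unknown"
    return "binary-ok" if total == len(data) else "binary-damaged"

def getbfs_option(kind: str) -> str:
    """OPENVM GETBFS option this page prescribes for each kind of export."""
    return {"binary-ok": "(BFSLINE NONE", "base64": "(BFSLINE NL"}.get(kind, "inspect manually")

# Constructed sample inputs (not real certificates): a minimal DER SEQUENCE
# and its Base64 rendering, as gskkyman options 1/3 and 2/4 would produce.
DER_SAMPLE = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
B64_SAMPLE = base64.encodebytes(DER_SAMPLE)
```

Run `classify_export` on the bytes of a file copied to a minidisk: a "binary-damaged" result means the export was not preserved byte for byte, which is what the (BFSLINE NONE option is meant to prevent.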
SSL Server Configuration Information and Performance Considerations
The SSL server virtual machine is limited to the use of a single CPU. Given this constraint, be aware of the considerations listed here. Additional considerations are discussed in the CMS-Based SSL Server z/VM Performance Report.
MAXSESSION (MAXUSERS) Settings
When the SSL server MAXSESSIONS value is increased above its default of 100, the following items should be given special consideration:
- To support a large number of concurrent connections, the virtual storage defined for the SSL server likely will need to be increased beyond the IBM-supplied default. Specific guidelines regarding a fixed ratio of virtual storage to number of connections are not available. Thus, appropriate local testing should be performed to confirm that a given virtual machine definition can accommodate the number of concurrent secure connections required for an installation.
- As the MAXSESSIONS value is increased, a corresponding increase in CPU utilization (per connection) by the SSL server can be expected, regardless of whether the additional connections are actually used. This increase is associated with connection management processing and cannot be avoided. It is advised that one take a conservative approach when the MAXSESSIONS value is increased, so that the resulting value is only as large as is absolutely required for a given installation (with any "buffering" considerations kept to a minimum).
Cryptographic Key Sizes
While the use of larger key sizes will increase the security of encryption keys used for protected communications, CPU usage for handling such keys will also increase. For example, the most commonly used key size is 1024 (1K). One can expect that CPU usage will increase by a factor of 4.4 when this key size is doubled to 2048 (2K). The doubling of a 2K key size to 4096 (4K) will cause CPU consumption to increase by a factor of 6.7.
Configuration and Usage Problems
Check the TCP/IP for z/VM Service Hints and Tips page for suggested actions to resolve certain SSL server configuration or usage problems.