Friday, April 27, 2012

SSL Support in IPv6/VSE

Barnard Software, Inc. is pleased to announce that their IPv6/VSE product now provides SSL (Secure Socket Layer) support! Our new SSL support became available with GA Build 252. GA Build 252 is now available on our download page.

The initial release of IPv6/VSE did not contain any cryptographic facilities. During the 2011 GSE conference last October in Berlin, Germany, BSI made a Statement of Direction indicating that the SSL and IPSec features would be added to IPv6/VSE.

IPv6/VSE SSL facilities will be released in two phases. 

Phase One will provide the BSI SSL Proxy Server that runs in a z/VSE partition. The BSTTPRXY server application will provide support for telnets (TN3270E over SSL), SMTPS (SMTP over SSL), HTTPS (HTTP over SSL) and FTPS (Implicit FTP over SSL) and more. IPv6/VSE also provides the SSL GSK API for use by customer and 3rd party vendor software. The GSK API is available using EZASOKET/EZASMI or LE/C interfaces. The only restriction is that this API is currently only available to LE batch applications. 

For IPv6/VSE users running on z/VSE 5.1 (or higher) support is provided for CPACF hardware cryptographic instructions and Crypto-Express adapters to improve performance.

Phase Two will remove the LE requirement, providing support for both batch and CICS applications. We also plan to provide explicit (built-in) SSL support for BSTTVNET (TN3270E server), BSTTMTPC (SMTP Client), BSTTFTPS (FTP server) and BSTTFTPC (batch FTP client).

Phase One of IPv6/VSE's SSL support is now available!

System Requirements

IPv6/VSE's Secure Sockets Layer (SSL) support uses the IBM z/VSE OpenSSL 1.0.0 port. The IBM OpenSSL port was done using the z/VSE C/VSE compiler, permitting support for back level versions of z/VSE and VSE/ESA. The OpenSSL port became available with z/VSE 5.1. BSI IPv6/VSE customers have special options to enable IPv6/VSE's SSL support on back level releases of VSE/ESA and z/VSE.

CPACF

The IBM OpenSSL port will take advantage of the System z's CP Assist for Cryptographic Function (CPACF) when running under z/VSE 5.1 (or higher). These CP Assists dramatically reduce CPU overhead involved when using cryptographic functions. Users of the z890, z990, z9, z10, z114, z196 (and newer processors) should have the no-charge enablement feature installed. This feature must be ordered to enable CPACF. z/VSE systems without CPACF will use system CPU resources to perform cryptographic functions.

Crypto Express Adapters

The IBM OpenSSL port will take advantage of the System z Crypto Express adapters supported by z/VSE 5.1 (or higher). Usage of Crypto Express adapters dramatically reduces the amount of CPU required to establish a secure socket connection. z/VSE 5.1 (or higher) systems without Crypto Express adapters (or back level systems) will use system CPU resources to establish a secure socket connection.

Restrictions

Currently the IPv6/VSE SSL support is in Phase One. Any application can make use of the IPv6/VSE SSL Proxy server. This includes both batch and CICS, LE and non-LE applications. Also, any user or 3rd party LE conforming batch application can use the EZASOKET/EZASMI or LE/C GSK SSL API provided by IPv6/VSE. Non-LE based batch applications, CICS/VSE and CICS TS applications are currently not supported by the Phase I GSK SSL API. This restriction will be removed in a future build.


BSTTPRXY SSL Proxy Server

The BSTTPRXY SSL proxy server allows non-SSL server applications running in z/VSE to accept connections from SSL based client applications. Or, BSTTPRXY will allow non-SSL client applications to connect to SSL based server applications.



Proxy Types

Source                            Destination
Accept clear text connection      Proxy to clear text connection
Accept SSL connection             Proxy to SSL connection
Accept clear text connection      Proxy to SSL connection
Accept SSL connection             Proxy to clear text connection
Accept IPv4 or IPv6 connection    Proxy to IPv4 or IPv6 connection



Proxy Examples

Accept a clear text connection from BSTTMTPC on port 25 and proxy the connection to an SMTP server listening on SSL port 465. This type of connection is commonly called smtps.

Accept an SSL connection on port 443 and proxy the connection to CICS TS Web Services on clear text port 80. This type of connection is commonly called https.

Accept an SSL connection on port 992 and proxy the connection to the BSTTVNET TN3270E server on clear text port 23. This type of connection is commonly called telnets.

Accept a clear text connection from BSTTFTPC on port 21 and proxy the connection to an FTP server listening on SSL port 990. This type of connection is commonly called ftps.

Accept an SSL connection on port 990 and proxy the connection to the BSTTFTPS FTP server on clear text port 21. This type of connection is commonly called ftps.

There you have it. IPv6/VSE SSL support is now available and supports SSL sockets for virtually any z/VSE application.