In Version 1 Release 2 of z/OS®, a new set of functions was added that
superseded some functions from previous System SSL releases. The
superseded functions are referred to collectively as "the deprecated
SSL interface". It is suggested that new application programs do not use
the deprecated SSL interface. For application programs that currently
use the deprecated SSL interface, this topic describes how to migrate
to the most recent interface.
Note: When migrating from the deprecated SSL interface, the entire
System SSL application must be migrated. The application must not
contain a mixture of deprecated and superseding APIs.
- Replace manually initializing the gsk_init_data structure
with gsk_environment_open(), plus a number of gsk_attribute_set_buffer(), gsk_attribute_set_enum() and gsk_attribute_set_numeric_value() functions
(as needed) to set attributes.
- Replace gsk_get_cipher_info() with a call to gsk_attribute_get_buffer() to
get the list of available ciphers. This call must be done after a
successful gsk_environment_open() call. The ciphers returned
always represent the high security ciphers.
- Replace gsk_initialize() with gsk_environment_init().
- Replace manually initializing the gsk_soc_init_data structure
with gsk_secure_socket_open(), plus a number of gsk_attribute_set_buffer(), gsk_attribute_set_enum() and gsk_attribute_set_numeric_value() functions
(as needed) to set attributes.
- Instead of manually initializing the gsk_soc_init_data structure
with the addresses of your I/O callback routines, call gsk_attribute_set_callback().
You specify the address of a gsk_iocallback structure that
contains the addresses of the callback routines. The gsk_iocallback structure
is defined in gskssl.h. Note that an additional parameter
must be added to the function declarator for your existing callback
routines.
- Replace gsk_user_set() with gsk_attribute_set_callback() for
defining the address of your get peer ID callback routine. You specify
the address of a gsk_iocallback structure that contains the
address of the callback routine. The gsk_iocallback structure
is defined in gskssl.h. Note that an additional parameter must
be added to the function declarator for your existing callback routine.
- Replace gsk_user_set() with gsk_attribute_set_callback() for
defining the address of your session ID cache callback routines. You
specify the address of a gsk_sidcache_callback structure that
contains the addresses of the callback routines. The gsk_sidcache_callback structure
is defined in gskssl.h.
- Replace gsk_get_dn_by_label() with gsk_get_cert_by_label().
- Replace gsk_secure_soc_init() with gsk_secure_socket_init().
- Replace gsk_secure_soc_read() with gsk_secure_socket_read().
Note that gsk_secure_socket_read() has an extra parameter to
return the length of the data read.
- Replace gsk_secure_soc_write() with gsk_secure_socket_write().
Note that gsk_secure_socket_write() has an extra parameter
to return the length of the data written.
- To notify your partner application that you are done sending data
on the secure connection, a call to gsk_secure_socket_shutdown() should
be issued before the gsk_secure_socket_close() call.
- Replace gsk_secure_soc_close() with gsk_secure_socket_close().
- Be sure that every gsk_secure_socket_open() is matched
with a gsk_secure_socket_close() even if there is an error
on gsk_secure_socket_init(). The normal sequence is open, init, close.
So, if init returns an error code, you must still do the close.
- Be sure that every gsk_environment_open() is matched with
a gsk_environment_close() even if there is an error on gsk_environment_init().
The normal sequence is open, init, close. So, if init returns
an error code, you must still do the close.
- A method is provided to display certificates after gsk_secure_socket_init() is
issued. You may use gsk_attribute_get_cert_info(), if you prefer.
- Note that all of the error return values are renamed and renumbered.
Program logic must be changed accordingly.
- There is a gsk_strerror() debug routine that returns a
text string (in English only) when an error number is passed to it.
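
The open, init, shutdown, close pairing described in the list above, as an added example that is not part of the original topic or of IBM's sample code. The gsk_* definitions in it are stand-ins (an assumption) modelled on the calls named above so that the control flow can be run off z/OS; the counters, the fault-injection flags and run_session() are hypothetical names.

```c
#include <stdio.h>

/* Stand-ins (assumption) for the gskssl.h calls named above so the flow runs
   off z/OS; on z/OS delete them and #include <gskssl.h> instead. */
typedef void *gsk_handle;
typedef int gsk_status;
#define GSK_OK 0
static int open_envs, open_socs, shutdowns; /* leak and shutdown counters */
static int fail_env_init, fail_soc_init;    /* constructed fault injection */
static int env_slot, soc_slot;

static gsk_status gsk_environment_open(gsk_handle *e) { *e = &env_slot; open_envs++; return GSK_OK; }
static gsk_status gsk_environment_init(gsk_handle e) { (void)e; return fail_env_init ? 1 : GSK_OK; }
static gsk_status gsk_environment_close(gsk_handle *e) { *e = NULL; open_envs--; return GSK_OK; }
static gsk_status gsk_secure_socket_open(gsk_handle e, gsk_handle *s) { (void)e; *s = &soc_slot; open_socs++; return GSK_OK; }
static gsk_status gsk_secure_socket_init(gsk_handle s) { (void)s; return fail_soc_init ? 2 : GSK_OK; }
static gsk_status gsk_secure_socket_shutdown(gsk_handle s) { (void)s; shutdowns++; return GSK_OK; }
static gsk_status gsk_secure_socket_close(gsk_handle *s) { *s = NULL; open_socs--; return GSK_OK; }

/* open, init, use, shutdown, close: every successful open is closed even when
   the matching init fails. Returns the first non-GSK_OK status (1 and 2 are
   constructed values, not real System SSL return codes). */
gsk_status run_session(void) {
    gsk_handle env = NULL, soc = NULL;
    gsk_status rc = gsk_environment_open(&env);
    if (rc != GSK_OK) return rc;
    /* gsk_attribute_set_buffer()/_enum()/_numeric_value() on env go here */
    rc = gsk_environment_init(env);
    if (rc == GSK_OK) rc = gsk_secure_socket_open(env, &soc);
    if (rc == GSK_OK && soc != NULL) {
        /* socket attributes and gsk_attribute_set_callback() go here */
        rc = gsk_secure_socket_init(soc);
        if (rc == GSK_OK) {
            /* gsk_secure_socket_read()/gsk_secure_socket_write() go here */
            gsk_secure_socket_shutdown(soc); /* tell the partner we are done */
        }
    }
    if (soc != NULL) gsk_secure_socket_close(&soc); /* runs on init failure too */
    gsk_environment_close(&env);                    /* runs on init failure too */
    return rc;
}

int main(void) {
    fail_soc_init = 1; /* force the socket init step to fail */
    gsk_status rc = run_session();
    printf("rc=%d open_envs=%d open_socs=%d\n", rc, open_envs, open_socs);
    return 0;
}
```

In a real migration the status from each call would be passed to gsk_strerror() for logging, and the renumbered error values checked in place of the constructed 1 and 2.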