Abstract for Cryptographic Services System Secure Sockets Layer Programming
z/OS Version 2 Release 1 summary of changes
Introduction
Software dependencies
Installation information
System SSL parts shipped in the UNIX System Services file system
System SSL parts shipped in PDS and PDSE
How System SSL works for secure socket communication
Using System SSL on z/OS
System SSL application overview
Using cryptographic features with System SSL
Guidelines for using hardware cryptographic features
Overview of hardware cryptographic features and System SSL
Random byte generation support
Elliptic Curve Cryptography support
Diffie-Hellman key agreement
RACF CSFSERV resource requirements
PKCS #11 and setting the CLEARKEY resource within the CRYPTOZ class
PKCS #11 Cryptographic operations using ICSF handles
System SSL and FIPS 140-2
Algorithms and key sizes
Random byte generation
Diffie-Hellman key agreement
Certificates
SSL/TLS protocol
System SSL module verification setup
Performance guideline
Certificate stores
SAF key rings and PKCS #11 tokens
Key database files
Application changes
SSL started task
Sysplex session ID cache
Writing and building a z/OS System SSL application
Writing a System SSL source program
Create an SSL environment
System SSL server program
System SSL client program
Building a z/OS System SSL application
Running a z/OS System SSL application
System SSL application programming considerations
Non-blocking I/O
Non-blocking socket primer
Affected SSL functions
Enable/disable non-blocking mode
Differences in SSL and unsecured non-blocking mode
Client authentication certificate selection
I/O routine replacement
Callback routine for I/O
Use of user data
Session ID (SID) cache
Session ID (SID)
Session ID cache replacement
Format
Callbacks
Parameters
Session renegotiation notification
TLS extensions
Setting server side extensions
Setting client side extensions
Suite B cryptography support
Migrating from deprecated SSL interfaces
API reference
gsk_attribute_get_buffer()
gsk_attribute_get_cert_info()
gsk_attribute_get_data()
gsk_attribute_get_enum()
gsk_attribute_get_numeric_value()
gsk_attribute_set_buffer()
gsk_attribute_set_callback()
gsk_attribute_set_enum()
gsk_attribute_set_numeric_value()
gsk_attribute_set_tls_extension()
gsk_environment_close()
gsk_environment_init()
gsk_environment_open()
gsk_free_cert_data()
gsk_get_all_cipher_suites()
gsk_get_cert_by_label()
gsk_get_cipher_suites()
gsk_get_ssl_vector()
gsk_get_update()
gsk_list_free()
gsk_secure_socket_close()
gsk_secure_socket_init()
gsk_secure_socket_misc()
gsk_secure_socket_open()
gsk_secure_socket_read()
gsk_secure_socket_shutdown()
gsk_secure_socket_write()
gsk_strerror()
Certificate Management Services (CMS) API reference
gsk_add_record()
gsk_change_database_password()
gsk_change_database_record_length()
gsk_close_database()
gsk_close_directory()
gsk_construct_certificate()
gsk_construct_private_key()
gsk_construct_private_key_rsa()
gsk_construct_public_key()
gsk_construct_public_key_rsa()
gsk_construct_renewal_request()
gsk_construct_self_signed_certificate()
gsk_construct_signed_certificate()
gsk_copy_attributes_signers()
gsk_copy_buffer()
gsk_copy_certificate()
gsk_copy_certificate_extension()
gsk_copy_certification_request()
gsk_copy_content_info()
gsk_copy_crl()
gsk_copy_name()
gsk_copy_private_key_info()
gsk_copy_public_key_info()
gsk_copy_record()
gsk_create_certification_request()
gsk_create_database()
gsk_create_database_renewal_request()
gsk_create_database_signed_certificate()
gsk_create_renewal_request()
gsk_create_self_signed_certificate()
gsk_create_signed_certificate()
gsk_create_signed_certificate_record()
gsk_create_signed_certificate_set()
gsk_create_signed_crl()
gsk_create_signed_crl_record()
gsk_decode_base64()
gsk_decode_certificate()
gsk_decode_certificate_extension()
gsk_decode_certification_request()
gsk_decode_crl()
gsk_decode_import_certificate()
gsk_decode_import_key()
gsk_decode_name()
gsk_decode_private_key()
gsk_decode_public_key()
gsk_delete_record()
gsk_dn_to_name()
gsk_encode_base64()
gsk_encode_certificate_extension()
gsk_encode_ec_parameters()
gsk_encode_export_certificate()
gsk_encode_export_key()
gsk_encode_export_request()
gsk_encode_name()
gsk_encode_private_key()
gsk_encode_public_key()
gsk_encode_signature()
gsk_export_certificate()
gsk_export_certification_request()
gsk_export_key()
gsk_factor_private_key()
gsk_factor_private_key_rsa()
gsk_factor_public_key()
gsk_factor_public_key_rsa()
gsk_fips_state_query()
gsk_fips_state_set()
gsk_free_attributes_signers()
gsk_free_buffer()
gsk_free_certificate()
gsk_free_certificates()
gsk_free_certificate_extension()
gsk_free_certification_request()
gsk_free_content_info()
gsk_free_crl()
gsk_free_crls()
gsk_free_decoded_extension()
gsk_free_name()
gsk_free_private_key()
gsk_free_private_key_info()
gsk_free_public_key()
gsk_free_public_key_info()
gsk_free_record()
gsk_free_records()
gsk_free_string()
gsk_free_strings()
gsk_generate_key_agreement_pair()
gsk_generate_key_pair()
gsk_generate_key_parameters()
gsk_generate_random_bytes()
gsk_generate_secret()
gsk_get_certificate_algorithms()
gsk_get_certificate_info()
gsk_get_cms_vector()
gsk_get_default_key()
gsk_get_default_label()
gsk_get_directory_certificates()
gsk_get_directory_crls()
gsk_get_directory_enum()
gsk_get_ec_parameters_info()
gsk_get_record_by_id()
gsk_get_record_by_index()
gsk_get_record_by_label()
gsk_get_record_by_subject()
gsk_get_record_labels()
gsk_get_update_code()
gsk_import_certificate()
gsk_import_key()
gsk_make_content_msg()
gsk_make_data_content()
gsk_make_data_msg()
gsk_make_encrypted_data_content()
gsk_make_encrypted_data_msg()
gsk_make_enveloped_data_content()
gsk_make_enveloped_data_content_extended()
gsk_make_enveloped_data_msg()
gsk_make_enveloped_data_msg_extended()
gsk_make_enveloped_private_key_msg()
gsk_make_signed_data_content()
gsk_make_signed_data_content_extended()
gsk_make_signed_data_msg()
gsk_make_signed_data_msg_extended()
gsk_make_wrapped_content()
gsk_mktime()
gsk_modify_pkcs11_key_label()
gsk_name_compare()
gsk_name_to_dn()
gsk_open_database()
gsk_open_database_using_stash_file()
gsk_open_directory()
gsk_open_keyring()
gsk_perform_kat()
gsk_query_crypto_level()
gsk_query_database_label()
gsk_query_database_record_length()
gsk_rdtime()
gsk_read_content_msg()
gsk_read_data_content()
gsk_read_data_msg()
gsk_read_encrypted_data_content()
gsk_read_encrypted_data_msg()
gsk_read_enveloped_data_content()
gsk_read_enveloped_data_content_extended()
gsk_read_enveloped_data_msg()
gsk_read_enveloped_data_msg_extended()
gsk_read_signed_data_content()
gsk_read_signed_data_content_extended()
gsk_read_signed_data_msg()
gsk_read_signed_data_msg_extended()
gsk_read_wrapped_content()
gsk_receive_certificate()
gsk_replace_record()
gsk_set_default_key()
gsk_set_directory_enum()
gsk_sign_certificate()
gsk_sign_crl()
gsk_sign_data()
gsk_validate_certificate()
gsk_validate_certificate_mode()
gsk_validate_hostname()
gsk_validate_server()
gsk_verify_certificate_signature()
gsk_verify_crl_signature()
gsk_verify_data_signature()
Deprecated Secure Socket Layer (SSL) APIs
gsk_free_memory()
gsk_get_cipher_info()
gsk_get_dn_by_label()
gsk_initialize()
gsk_secure_soc_close()
gsk_secure_soc_init()
gsk_secure_soc_read()
gsk_secure_soc_reset()
gsk_secure_soc_write()
gsk_srb_initialize()
GSKSRBRD
GSKSRBWT
gsk_uninitialize()
gsk_user_set()
Certificate/Key management
Introduction
gskkyman Overview
Setting up the environment to run gskkyman
Key database files
z/OS PKCS #11 tokens
gskkyman interactive mode descriptions
Database menu
Key/Token management
Key Management menu/Token management menu
Manage Keys and Certificates
Manage certificates
Manage certificate requests
Create new certificate request
Receive requested certificate or a renewal certificate
Create a self-signed certificate
Import a certificate
Import a certificate and a private key
Show the default key
Store database password
Show database record length
gskkyman interactive mode examples
Starting gskkyman
Creating, opening, and deleting a key database file
Changing a key database password
Storing an encrypted key database password
Creating, opening, and deleting a z/OS PKCS #11 token
Creating a self-signed server or client certificate
Creating a certificate request
Sending the certificate request
Receiving the signed certificate or renewal certificate
Managing keys and certificates
Showing certificate/key information
Marking a certificate (and private key) as the default certificate
Copying a certificate (and private key) to a different key database or z/OS PKCS #11 token
Copying a certificate without its private key
Copying a certificate with its private key
Copying a certificate and its private key from a key database on the same system
Copying a certificate and its private key from a z/OS PKCS #11 token on the same system
Removing a certificate (and private key)
Changing a certificate label
Creating a signed certificate and key
Creating a signed ECC certificate and key
Creating a certificate to be used with a fixed Diffie-Hellman key exchange
Creating a certificate renewal request
Importing a certificate from a file as a trusted CA certificate
Importing a certificate from a file with its private key
Using gskkyman to be your own certificate authority (CA)
Migrating from key database files to z/OS PKCS #11 token
Migrating key database files to RACF key rings
gskkyman command line mode syntax
gskkyman
gskkyman command line mode examples
gskkyman command line mode displays
SSL started task
GSKSRVR environment variables
Configuring the SSL started task
Server operator commands
Sysplex session cache support
Component trace support
Hardware cryptography failure notification
Obtaining diagnostic information
Obtaining System SSL trace information
Capturing trace data through environment variables
Component trace support
Capturing component trace data
Displaying the trace data
Event trace records for System SSL
Capturing component trace data without an external writer
Messages and codes
SSL function return codes
1
Deprecated SSL function return codes
1
ASN.1 status codes (014CExxx)
014CE001
CMS status codes (03353xxx)
03353001
SSL started task messages (GSK01nnn)
GSK01001I
Utility messages (GSK00nnn)
GSK00001E
Environment variables
Sample C++ SSL files
Cipher suite definitions
Object identifiers