Checking the cryptographic setup
The next step is to check the cryptographic setup and verify that everything works as expected.
To do this, access an application on the IBM HTTP Server (IHS) and IBM WebSphere Application Server (WAS) combination using SSL.
For example, do a sniff test with a server data transfer tool such as curl. Before testing, restart IHS and the application server so that all previous modifications become active.
The following example uses the IHS default SSL port 443 to access the benchmark application DayTrader, which has already been installed. The TLS handshake process succeeds and the AES-256 cipher is used. The -k option makes curl skip certificate verification, so the test confirms only that the handshake completes and which cipher is negotiated.
Sample command: using curl for accessing DayTrader via internal IHS standard SSL port
# curl -k -v https://wasnode1.net:443/daytrader
* About to connect() to wasnode1.net port 443 (#0)
* Trying 10.x.x.x... connected
* Connected to wasnode1.net (10.x.x.x) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
…
Check the output of the lszcrypt command. The request count for any active Crypto Express3 (CEX3) feature now shows some requests. In this case the active feature is a CEX3 Coprocessor (card00); the other cards are offline.
Sample output: lszcrypt showing processed requests on a CEX3C
# lszcrypt -VV
card00: CEX3C online hwtype=9 depth=8 request_count=100
card01: CEX3A offline hwtype=8 depth=8 request_count=0
card02: CEX3C offline hwtype=9 depth=8 request_count=19
card03: CEX3A offline hwtype=8 depth=8 request_count=0
Check the output of the icastats command. The functions used by the selected WAS cipher suite show request counts in the hardware column.
Sample command: icastats statistics showing requests in the hardware column
# icastats
function | # hardware | # software
----------+------------+------------
SHA-1 | 120 | 0 ← SHA-1 (CPACF)
SHA-224 | 0 | 0
SHA-256 | 0 | 0
SHA-384 | 0 | 0
SHA-512 | 0 | 0
RANDOM | 211 | 0 ← RANDOM functions (CEX3C)
MOD EXPO | 68 | 0
RSA CRT | 10 | 0 ← RSA (CEX3C)
DES ENC | 0 | 0
DES DEC | 0 | 0
3DES ENC | 0 | 0
3DES DEC | 6 | 0
AES ENC | 30 | 0 ← AES-256 encryption (CPACF)
AES DEC | 30 | 0 ← AES-256 decryption (CPACF)
CMAC GEN | 0 | 0
CMAC VER | 0 | 0
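The lszcrypt and icastats checks above can be scripted so that a fallback to software crypto is caught automatically. The following is an added example, not part of the original page or of IBM's tooling; it assumes the output layouts shown on this page, and the function names check_icastats and active_cards are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Parses the icastats and lszcrypt -VV layouts
# shown on this page; other releases may print different columns (assumption).

# check_icastats "F1,F2,..." < icastats output
# Fails if an expected function has no hardware requests or any software ones.
check_icastats() {
    awk -F'|' -v want="$1" '
        NF >= 3 {
            name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
            hw[name] = $2 + 0; sw[name] = $3 + 0   # "+ 0" drops trailing notes
            seen[name] = 1
        }
        END {
            n = split(want, w, ",")
            for (i = 1; i <= n; i++) {
                f = w[i]
                if (!seen[f])        { print "MISSING  " f; bad = 1 }
                else if (hw[f] == 0) { print "NO-HW    " f; bad = 1 }
                else if (sw[f] > 0)  { print "SOFTWARE " f " sw=" sw[f]; bad = 1 }
                else                   print "OK       " f " hw=" hw[f]
            }
            exit bad + 0
        }'
}

# active_cards < lszcrypt -VV output
# Lists online cards whose request_count is above zero; fails if there is none.
active_cards() {
    awk '$3 == "online" {
            for (i = 4; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == "request_count" && kv[2] > 0) {
                    sub(/:$/, "", $1); print $1, $2, kv[2]; found = 1
                }
         }
         END { exit !found }'
}

# Sample input: lines taken from the outputs shown on this page.
sample_icastats() { printf '%s\n' \
    ' function | # hardware | # software' \
    ' SHA-1 | 120 | 0 ← SHA-1 (CPACF)' ' SHA-256 | 0 | 0' \
    ' RSA CRT | 10 | 0 ← RSA (CEX3C)' ' 3DES ENC | 0 | 0' \
    ' AES ENC | 30 | 0 ← AES-256 encryption (CPACF)' ' AES DEC | 30 | 0'; }
sample_lszcrypt() { printf '%s\n' \
    'card00: CEX3C online hwtype=9 depth=8 request_count=100' \
    'card02: CEX3C offline hwtype=9 depth=8 request_count=19'; }

sample_icastats | check_icastats "SHA-1,RSA CRT,AES ENC,AES DEC"
sample_lszcrypt | active_cards
```

On a live system, pipe the real commands in instead of the sample functions, for example icastats | check_icastats "SHA-1,RSA CRT,AES ENC,AES DEC", after running the curl test.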