Checking the cryptographic setup

The next step is to exercise the cryptographic setup and verify that TLS connections really use the hardware: the CPACF instructions for the symmetric cipher and hash, and the Crypto Express3 coprocessor for RSA and random number generation.

To do this, first restart IHS and the application server so that all previous modifications become active, then access an application through the IBM HTTP Server (IHS) and IBM WebSphere Application Server (WAS) combination over SSL.

A command-line HTTP client such as curl in verbose mode is sufficient for this check: it prints the handshake messages and the negotiated cipher suite, which is what the hardware counters below have to be matched against.

The following example uses the IHS default SSL port 443 to access the benchmark application DayTrader, which has already been installed. The handshake completes and the negotiated cipher suite is AES256-SHA, that is RSA key exchange, AES-256 in CBC mode and an HMAC-SHA-1 record MAC, which is exactly the set of primitives that should show up in the hardware counters further down. Two caveats: the -k switch disables server certificate verification and is acceptable only for this plumbing check, so once the hardware path is confirmed, repeat the request with the CA that signed the IHS certificate supplied via --cacert; and older curl builds label every handshake message SSLv3 regardless of the protocol version that was negotiated, so to confirm the version use openssl s_client -connect wasnode1.net:443, whose summary shows separate Protocol and Cipher lines.

Sample command: using curl to access DayTrader via the internal IHS standard SSL port

# curl -k -v https://wasnode1.net:443/daytrader 
* About to connect() to wasnode1.net port 443 (#0) 
*   Trying 10.x.x.x... connected 
* Connected to wasnode1.net (10.x.x.x) port 443 (#0) 
* successfully set certificate verify locations: 
*   CAfile: none 
  CApath: /etc/ssl/certs/ 
* SSLv3, TLS handshake, Client hello (1): 
* SSLv3, TLS handshake, Server hello (2): 
* SSLv3, TLS handshake, CERT (11): 
* SSLv3, TLS handshake, Server finished (14): 
* SSLv3, TLS handshake, Client key exchange (16): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20): 
* SSL connection using AES256-SHA

Check the output of the lszcrypt command. The request count of the active Crypto Express3 (CEX3) feature has increased: here the requests went to the CEX3 coprocessor (CEX3C) card00, the only card online, while the other cards are offline and receive no new requests. The counters are cumulative, so compare a reading taken before the curl request with one taken after it rather than relying on a single snapshot.

Sample output: lszcrypt showing processed requests on a CEX3C

# lszcrypt -VV 
card00: CEX3C       online  hwtype=9  depth=8 request_count=100 
card01: CEX3A       offline hwtype=8  depth=8 request_count=0         
card02: CEX3C       offline hwtype=9  depth=8 request_count=19        
card03: CEX3A       offline hwtype=8  depth=8 request_count=0

Check the output of the icastats command. The primitives that make up the negotiated cipher suite show counts in the hardware column and zero in the software column: RSA CRT for the server's private-key operation in the key exchange (CEX3C), AES ENC and AES DEC for the record layer and SHA-1 for the HMAC (both CPACF), plus RANDOM for the random values used in the handshake (CEX3C). A non-zero software column for one of these functions would mean that libica fell back to its software implementation for it, which is precisely what this check is meant to rule out.

Sample output: icastats statistics showing requests in the hardware column

# icastats 
 function | # hardware | # software 
----------+------------+------------ 
    SHA-1 |        120 |          0 	← SHA-1 (CPACF)
  SHA-224 |          0 |          0 
  SHA-256 |          0 |          0 
  SHA-384 |          0 |          0 
  SHA-512 |          0 |          0 
   RANDOM |        211 |          0 	← RANDOM functions (CEX3C)
 MOD EXPO |         68 |          0 
  RSA CRT |         10 |          0 	← RSA (CEX3C)
  DES ENC |          0 |          0 
  DES DEC |          0 |          0 
 3DES ENC |          0 |          0 
 3DES DEC |          6 |          0 
  AES ENC |         30 |          0 	← AES-256 encryption (CPACF) 	
  AES DEC |         30 |          0 	← AES-256 decryption (CPACF)
 CMAC GEN |          0 |          0 
 CMAC VER |          0 |          0
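The three manual steps above (request, lszcrypt, icastats) can be folded into one before/after comparison so the result is a plain PASS or FAIL instead of two tables to read by eye. The script below is an added example and is not part of the original page or of IBM's tooling. It assumes lszcrypt and icastats are on PATH on the Linux on System z host and that the DayTrader URL from the page is reachable; when the tools are absent it falls back to constructed sample outputs modelled on the figures above so the parsing logic can be exercised off-box.

```shell
#!/bin/sh
# Added example, not from the original page: before/after comparison of the
# hardware crypto counters around one TLS request. Assumes lszcrypt and
# icastats are on PATH; otherwise the constructed sample texts below are used.

# Constructed sample output (modelled on the page's figures, not captured):
LSZ_BEFORE='card00: CEX3C       online  hwtype=9  depth=8 request_count=90
card01: CEX3A       offline hwtype=8  depth=8 request_count=0
card02: CEX3C       offline hwtype=9  depth=8 request_count=19
card03: CEX3A       offline hwtype=8  depth=8 request_count=0'
LSZ_AFTER='card00: CEX3C       online  hwtype=9  depth=8 request_count=100
card01: CEX3A       offline hwtype=8  depth=8 request_count=0
card02: CEX3C       offline hwtype=9  depth=8 request_count=19
card03: CEX3A       offline hwtype=8  depth=8 request_count=0'
ICA_BEFORE=' function | # hardware | # software
----------+------------+------------
    SHA-1 |        110 |          0
   RANDOM |        200 |          0
 MOD EXPO |         66 |          0
  RSA CRT |          9 |          0
 3DES DEC |          6 |          0
  AES ENC |         28 |          0
  AES DEC |         28 |          0'
ICA_AFTER=' function | # hardware | # software
----------+------------+------------
    SHA-1 |        120 |          0
   RANDOM |        211 |          0
 MOD EXPO |         68 |          0
  RSA CRT |         10 |          0
 3DES DEC |          6 |          0
  AES ENC |         30 |          0
  AES DEC |         30 |          0'

# lszcrypt_count TEXT CARD  -> request_count of CARD (e.g. card00)
lszcrypt_count() {
    printf '%s\n' "$1" | awk -v card="$2:" \
        '$1 == card { sub("request_count=", "", $NF); print $NF; exit }'
}

# lszcrypt_state TEXT CARD  -> online | offline
lszcrypt_state() {
    printf '%s\n' "$1" | awk -v card="$2:" '$1 == card { print $3; exit }'
}

# icastats_col TEXT FUNCTION COL  -> counter (COL 2 = hardware, 3 = software)
icastats_col() {
    printf '%s\n' "$1" | awk -F'|' -v fn="$2" -v col="$3" '{
        name = $1; gsub(/^ +| +$/, "", name)
        if (name == fn) { v = $col; gsub(/ /, "", v); print v; exit } }'
}

# card_deltas BEFORE AFTER  -> "cardNN state delta" for each card with new requests
card_deltas() {
    printf '%s\n' "$2" | awk '/^card/ { sub(":", "", $1); print $1 }' |
    while read -r c; do
        b=$(lszcrypt_count "$1" "$c"); a=$(lszcrypt_count "$2" "$c")
        if [ "$((a - b))" -gt 0 ]; then
            echo "$c $(lszcrypt_state "$2" "$c") $((a - b))"
        fi
    done
}

# verify_suite BEFORE AFTER FUNCTION...  -> PASS, or FAIL naming each function
# whose hardware counter did not rise or whose software counter did (a rising
# software counter means libica fell back to its software implementation)
verify_suite() {
    before=$1; after=$2; shift 2
    bad=""
    for fn in "$@"; do
        hb=$(icastats_col "$before" "$fn" 2); ha=$(icastats_col "$after" "$fn" 2)
        sb=$(icastats_col "$before" "$fn" 3); sa=$(icastats_col "$after" "$fn" 3)
        if [ -z "$ha" ] || [ "$ha" -le "${hb:-0}" ] || [ "${sa:-0}" -ne "${sb:-0}" ]; then
            bad="$bad $fn"
        fi
    done
    if [ -z "$bad" ]; then echo PASS; else echo "FAIL:$bad"; fi
}

# run_check URL  -> live check when the tools exist, otherwise the sample texts.
# The functions checked are the primitives behind the AES256-SHA suite: RSA
# private-key operation, AES-256 record encryption/decryption, SHA-1 HMAC.
run_check() {
    if command -v lszcrypt >/dev/null 2>&1 && command -v icastats >/dev/null 2>&1; then
        lb=$(lszcrypt -VV); ib=$(icastats)
        curl -sk -o /dev/null "$1"      # -k: acceptable for this plumbing check only
        la=$(lszcrypt -VV); ia=$(icastats)
    else
        lb=$LSZ_BEFORE; ib=$ICA_BEFORE; la=$LSZ_AFTER; ia=$ICA_AFTER
    fi
    echo "cards that received new requests:"
    card_deltas "$lb" "$la"
    echo "AES256-SHA primitives in hardware: $(verify_suite "$ib" "$ia" \
        'RSA CRT' 'AES ENC' 'AES DEC' 'SHA-1')"
}

run_check "${1:-https://wasnode1.net:443/daytrader}"
```

Run it on the host as ./check_hwcrypto.sh https://wasnode1.net:443/daytrader (the file name is an assumption). Because only the delta between the two readings is evaluated, the residual request_count on an offline card (card02 above) and counters left over from earlier runs do not produce false positives; if a different cipher suite is negotiated, pass the matching icastats function names to verify_suite instead.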