gtpm2m33 | Migration Guide: Program Update Tapes
The following section discusses the migration considerations for SSL support.
See the APEDIT for APAR PJ27863 for information about prerequisite APARs.
The SSL protocol, which was originally developed for Web browsers, is a set of rules governing authenticated and encrypted communication between Transmission Control Protocol/Internet Protocol (TCP/IP) clients and servers. SSL is widely used on the Internet by an increasing number of varied applications, especially for interactions that involve exchanging confidential information such as credit card numbers. SSL evolved into the Transport Layer Security (TLS) version 1 standard.
SSL is positioned as a protocol layer between the TCP layer and the application to form a secure connection between clients and servers so that they can communicate in a secure manner over a Transmission Control Protocol/Internet Protocol (TCP/IP) network by providing:
Figure 11 shows an example of a TCP/IP network using SSL.
Figure 11. TCP/IP Network Using SSL
This type of secure connection ensures that all data exchanged between clients and servers is encrypted, and is therefore not readable by a third party on the Internet. SSL has gained popularity in the Internet industry primarily because of its use of public-key certificates as a means of authenticating principals. The public-key certificates are a type of security exchange to secure the TCP connection between clients and servers. The exchange occurs after the TCP connection is established and an SSL session is started.
To establish the connection, SSL requires a server certificate, at a minimum. As part of the initial SSL handshake process, the server presents its certificate to the client to authenticate the server's identity. The authentication process uses public-key encryption and digital signatures to confirm that the server is, in fact, who the server claims to be (that is, that the server's certificate is valid). Once the server has been authenticated (that is, the client determines that the server's certificate is valid), the client and server use techniques of symmetric-key encryption to encrypt all the information they exchange for the remainder of the SSL session and message digests to detect any tampering that may have occurred. A different key is created for each client and server connection. As a result, even if unauthorized users intercept and decrypt a session key (which is unlikely), they cannot use it to monitor later SSL sessions.
SSL support on the TPF 4.1 system, which is based on the OpenSSL version 0.9.6 open source package, supports the following:
The OpenSSL open source package is available at http://www.openssl.org. This code was modified to work with the TPF 4.1 system. Therefore, it is important that you use the code modified and shipped by IBM.
There are no changes.
There are no changes.
The following section summarizes interface changes.
The following section summarizes C/C++ language changes. This information is presented in alphabetic order by the type of C/C++ language information. See the TPF C/C++ Language Support User's Guide and TPF Application Programming for more information about the C/C++ language.
There are no changes.
There are no changes.
Table 1107 summarizes the general use C/C++ language header file changes. This information is presented in alphabetic order by the name of the general use C/C++ language header file. General use means these header files are available for your use.
Table 1107. Changes to General Use C/C++ Language Header Files for SSL Support
C/C++ Language Header File | New, Changed, or No Longer Supported? | Do You Need to Recompile Segments? | Segments to Recompile |
---|---|---|---|
asn1.h | New | No | Not Applicable |
bio.h | New | No | Not Applicable |
blowfish.h | New | No | Not Applicable |
bn.h | New | No | Not Applicable |
buffer.h | New | No | Not Applicable |
cast.h | New | No | Not Applicable |
comp.h | New | No | Not Applicable |
crypto.h | New | No | Not Applicable |
des.h | New | No | Not Applicable |
dh.h | New | No | Not Applicable |
dsa.h | New | No | Not Applicable |
e_os2.h | New | No | Not Applicable |
evp.h | New | No | Not Applicable |
lhash.h | New | No | Not Applicable |
md2.h | New | No | Not Applicable |
md4.h | New | No | Not Applicable |
md5.h | New | No | Not Applicable |
mdc2.h | New | No | Not Applicable |
obj_mac.h | New | No | Not Applicable |
objects.h | New | No | Not Applicable |
opensslconf.h | New | No | Not Applicable |
opensslv.h | New | No | Not Applicable |
pem.h | New | No | Not Applicable |
pem2.h | New | No | Not Applicable |
pkcs7.h | New | No | Not Applicable |
rc2.h | New | No | Not Applicable |
rc4.h | New | No | Not Applicable |
ripemd.h | New | No | Not Applicable |
rsa.h | New | No | Not Applicable |
safestack.h | New | No | Not Applicable |
sha.h | New | No | Not Applicable |
ssl.h | New | No | Not Applicable |
ssl2.h | New | No | Not Applicable |
ssl23.h | New | No | Not Applicable |
ssl3.h | New | No | Not Applicable |
stack.h | New | No | Not Applicable |
synhacks.h | New | No | Not Applicable |
tls1.h | New | No | Not Applicable |
x509.h | New | No | Not Applicable |
x509_vfy.h | New | No | Not Applicable |
There are no changes.
There are no changes.
Table 1108 summarizes changes to the link-edited modules shipped by IBM, which should go into a data set with attributes DCB=(RECFM=U,LRECL=80,BLKSIZE=1200). This information is presented in alphabetic order by the name of the link-edited module.
Table 1108. Changes to Link-Edited Modules for SSL Support
Link-Edited Module | New, Changed, or No Longer Supported? | Description of Change |
---|---|---|
CRYP | New | Created for SSL support. |
CRY1 | New | Created for SSL support. |
CRY2 | New | Created for SSL support. |
CSSL | New | Created for SSL support. |
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
The following section summarizes the macro changes. This information is presented in alphabetic order by the type of macro.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
Table 1109 summarizes the system initialization program (SIP) skeleton and internal macro changes. This information is presented in alphabetic order by the name of the SIP skeleton and internal macro. If the SIP skeleton and internal macro (inner macro) is changed, you must reassemble the SIP Stage I deck and run the appropriate job control language (JCL) jobs from the SIP Stage II deck.
Table 1109. Changes to SIP Skeleton and Internal Macros for SSL Support
SIP Skeleton and Internal Macro | New, Changed, or No Longer Supported? |
---|---|
SPPGML | Changed |
There are no changes.
Table 1110 summarizes system initialization program (SIP) Stage II macro changes. This information is presented in alphabetic order by the name of the SIP Stage II macro. If IBMPAL is changed, you must run the system allocator (SALO) and load the new program allocation table (PAT) to the TPF 4.1 system.
Table 1110. Changes to SIP Stage II Macros for SSL Support
SIP Stage II Macro | New, Changed, or No Longer Supported? |
---|---|
IBMPAL | Changed |
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
There are no changes.
Table 1111 summarizes changes to the publications in the TPF library. This information is presented in alphabetic order by the publication title. See the TPF Library Guide for more information about the TPF library.
Table 1111. Changes to TPF Publications for SSL Support
Publication Title | Softcopy File Name | Description of Change |
---|---|---|
TPF Migration Guide: Program Update Tapes | GTPMG205 | Updated with migration considerations for SSL support. |
TPF Transmission Control Protocol/Internet Protocol | GTPCLW0B | Added the APIs for SSL support. |
SSL for the TPF 4.1 System: An Online User's Guide | Not Applicable | Created for the delivery of information for SSL support on the TPF 4.1 system. |
There are no changes.
SSL support provides several new APIs. Table 1112 lists these APIs in alphanumeric order. To view information about these APIs, go to SSL for the TPF 4.1 System: An Online User's Guide.
Table 1112. APIs for SSL Support
SSL_accept | SSL_free | SSL_set_verify |
SSL_check_private_key | SSL_get_cipher | SSL_shutdown |
SSL_connect | SSL_get_error | SSL_use_certificate_file |
SSL_CTX_check_private_key | SSL_get_peer_certificate | SSL_use_PrivateKey_file |
SSL_CTX_free | SSL_get_verify_result | SSL_use_RSAPrivateKey_file |
SSL_CTX_load_verify_locations | SSL_get_version | SSL_write |
SSL_CTX_new | SSL_library_init | SSLv2_client_method |
SSL_CTX_set_cipher_list | SSL_load_client_CA_file | SSLv2_server_method |
SSL_CTX_set_client_CA_list | SSL_new | SSLv23_client_method |
SSL_CTX_set_default_passwd_cb_userdata | SSL_pending | SSLv23_server_method |
SSL_CTX_set_verify | SSL_read | SSLv3_client_method |
SSL_CTX_use_certificate_chain_file | SSL_set_cipher_list | SSLv3_server_method |
SSL_CTX_use_certificate_file | SSL_set_client_CA_list | TLSv1_client_method |
SSL_CTX_use_PrivateKey_file | SSL_set_fd | TLSv1_server_method |
SSL_CTX_use_RSAPrivateKey_file |
There are no changes.
There are no changes.
There are no changes.
Use the following procedure to install APAR PJ27863, which contains SSL support, on your TPF 4.1 system.