ICSF will work on the z800 without crypto hardware. From the document mentioned below: "ICSF is a software component of z/OS providing cryptographic support either in its own software routines or through access to the cryptographic hardware available on the platform." We used ICSF's software routines for AES encryption, back when the crypto hardware only supported DES.
See "ICSF Version and FMID Cross Ref_110909.pdf" from this webpage: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/TD103782. On Fri, Dec 16, 2011 at 9:26 AM, Finch, Steve (ES - Mainframe) < steve.fi...@hp.com> wrote: > David Booher wrote: > > >I have a z800 with no cryptographic processor installed. I'm attempting > to > > use the SECURE SSL port on DB2 to establish a connection. I've pretty much > > stepped thru the entire RedPaper on this. It seems the client (running > > IBM's gskit) doesn't want to negotiate a cipher to use with the mainframe. > > I know since I don't have a crypto processor, I'm a very limited in what I > > can support on the mainframe. By doing an SSLSCAN, I do see that the > > mainframe does offer two specific ciphers to be used, however the client > > doesn't want to negotiate those ciphers. > > > > Without a CCF (cryptographic processor) on a z800, you are very limited in > > what ciphers you can use. You can use 'NULL-SHA' and 'NULL-MD5' ciphers. > > That's it. Your client must be configured to accept and use one of these > two > > ciphers to connect with DB2's Secure SSL on your z800. > > > > However a "good" client would not support 'NULL-SHA' and 'NULL-MD5' > ciphers. > > They are not really secure. It's not doing encryption > > > > In short without a CCF (cryptographic processor) on your z800, you cannot > do > > "good" SSL. > > > > > > Steve Finch > > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
