We have it working, only one small problem, we needed to add the VM user profile statement: CRYPTO APVIRTUAL.
We did like this:

Add in z/VM userid directory, for example just before ACCOUNT....line:
NOT NEEDED anymore it's in a INCLUDED profile file used by all Linux users.

    * CRYPTO APVIRTUAL
    ACCOUNT xxxxxxx
    NICDEF ...

Check that following is installed:
- openssh (it is)
- openssl (it is)
- openssl-ibmca (this one you probably need to install)
- libica (added when selecting the prev openssl-ibmca) libica-2.0.2
- z90crypt (exists inside kernel-default as .../kernel/drivers/s390/crypto/z90crypt.ko)

openssl-ibmca 1.0.0-141.6.12 requires:
libc.so.6()(64bit), libc.so.6(GLIBC_2.2)(64bit), libc.so.6(GLIBC_2.4)(64bit), librt.so.1()(64bit), libcrypto.so.0.9.8()(64bit), openssl, libica, libica-2.0.2.so()(64bit), /bin/sh, coreutils, diffutils, grep, fillup, sed, insserv

Add following to /etc/ssl/openssl.cnf:

    ...
    ...
    # here starts the appended info to enable dynamic engine ibmca
    # OpenSSL example configuration file. This file will load the IBMCA engine
    # for all operations that the IBMCA engine implements for all apps that
    # have OpenSSL config support compiled into them.
    #
    # Adding OpenSSL config support is as simple as adding the following line to
    # the app:
    #
    # #define OPENSSL_LOAD_CONF 1
    #
    #
    ##openssl_conf = openssl_def <-- move to top of file and remove comment mark

    [openssl_def]
    engines = engine_section

    [engine_section]
    foo = ibmca_section

    [ibmca_section]
    dynamic_path = /usr/lib64/engines/libibmca.so
    engine_id = ibmca
    default_algorithms = ALL
    #default_algorithms = RAND,RSA
    init = 1

Logoff and logon VM user to get everything activated.
Check with: (as root)

    icainfo
    icastats
    openssl engine -c

BR /Tore
___________________________________________
Tore Agblad
Volvo Information Technology
Infrastructure Mainframe Design & Development, Linux servers
Dept 4352 DA1S
SE-405 08, Gothenburg Sweden
Telephone: +46-31-3233569
E-mail: [email protected]
http://www.volvo.com/volvoit/global/en-gb/

-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Marcy Cortes
Sent: den 4 september 2010 04:00
To: [email protected]
Subject: Crypto on SLES 11 SP1 - ssl engine ibmca

Has anyone tried it? Did I miss a needed package or something?

SLES 11 SP 1
--------------

    zlnx166:~ # openssl
    OpenSSL> speed rsa1024
    Doing 1024 bit private rsa's for 10s: 3886 1024 bit private RSA's in 0.03s
    Doing 1024 bit public rsa's for 10s: 5208 1024 bit public RSA's in 0.04s
    OpenSSL 0.9.8h 28 May 2008
    built on: Wed May 5 15:39:54 UTC 2010
    options:bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) blowfish(ptr)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIO -O3 -Wall -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fomit-frame-pointer -fno-strict-aliasing -DTERMIO -Wall -fstack-protector -fprofile-use -DB_ENDIAN
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
                      sign    verify    sign/s verify/s
    rsa 1024 bits 0.000008s 0.000008s 129533.3 130200.0
    OpenSSL> engine ibmca
    Error configuring OpenSSL
    36842:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116:
    36842:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288:
    36842:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540:
    36842:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1
    error in engine
    OpenSSL>

Doesn't seem to work for me. It's fine on sles 10 sp3.

SLES 10 SP 3
---------------

    ma...@ose-test1:~> openssl
    OpenSSL> engine ibmca
    (ibmca) Ibmca hardware engine support
    OpenSSL> speed rsa1024
    Doing 1024 bit private rsa's for 10s: 3211 1024 bit private RSA's in 9.94s
    Doing 1024 bit public rsa's for 10s: 63560 1024 bit public RSA's in 9.87s
    OpenSSL 0.9.8a 11 Oct 2005
    built on: Fri Mar 26 14:05:27 UTC 2010
    options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) aes(partial) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -DNO_ASM -DMD32_REG_T=int -fmessage-length=0 -D_FORTIFY_SOURCE=2 -O2 -Wall -g -fomit-frame-pointer -fno-strict-aliasing -DTERMIO -Wall -fstack-protector -fbranch-probabilities -DB_ENDIAN -DNO_ASM
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
                      sign    verify    sign/s verify/s
    rsa 1024 bits 0.003096s 0.000155s    323.0   6439.7

On SLES 11 SP 1

    zlnx166:~ # rpm -qa | grep open
    openslp-32bit-1.2.0-172.11.16
    openCryptoki-32bit-2.3.0-0.7.21
    openCryptoki-64bit-2.3.0-0.7.21
    openslp-1.2.0-172.11.16
    openssl-certs-0.9.8h-27.1.30
    openCryptoki-2.3.0-0.7.21
    openssl-ibmca-1.0.0-141.6.12
    libopenssl0_9_8-0.9.8h-30.27.11
    openssl-0.9.8h-30.27.11
    libopenssl0_9_8-32bit-0.9.8h-30.27.11
    openssl-ibmca-32bit-1.0.0-141.6.12
    openldap2-client-2.4.20-0.5.1

On SLES 10 SP 3

    ma...@ose-test1:~> rpm -qa | grep open
    openssl-32bit-0.9.8a-18.42.2
    libopencdk-32bit-0.5.5-15.2
    openssl-0.9.8a-18.42.2
    opensc-0.9.6-17.12
    openssl-ibmca-1.0.0-7.16
    openhpi-2.14.0-0.4.47
    openCryptoki-2.2.4-0.12.10
    openCryptoki-32bit-2.2.4-0.12.10
    nautilus-open-terminal-0.6-16.14.26
    compat-openssl097g-0.9.7g-13.19.1
    openslp-server-1.2.0-22.27.1
    openslp-1.2.0-22.27.1
    openct-32bit-0.6.6-16.4.1
    libopencdk-0.5.5-15.2
    opensc-32bit-0.9.6-17.12
    openmotif-libs-32bit-2.2.4-21.17
    openmotif-libs-2.2.4-21.17
    openssh-askpass-4.2p1-18.40.35
    openhpi-daemon-2.14.0-0.4.47
    compat-openssl097g-32bit-0.9.7g-13.19.1
    openct-0.6.6-16.4.1
    openCryptoki-64bit-2.2.4-0.12.10
    openldap2-client-2.3.32-0.36.91
    openldap2-client-32bit-2.3.32-0.36.91
    openslp-32bit-1.2.0-22.27.1

Marcy Cortes
Operating Systems Engineer, z/VM and Linux on System z
Enterprise Hosting Services, Mainframe/Midrange Services
Wells Fargo Bank | 201 3rd Street | San Francisco, CA 94103
MAC A0187-050
Tel 415-477-6343 | Cell 415-517-0895
[email protected]

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
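Added example, not part of either message in this thread: a Python check for the openssl.cnf edit described in the reply, which verifies that `openssl_conf` sits uncommented at the top of the file (before any `[section]`) and that the section chain reaches an `ibmca` engine section with a `dynamic_path`. The function names and the sample configuration text are constructed for illustration, and the check assumes `engine_id` is set explicitly as in the reply.

```python
import re

def parse_conf(text):
    """Parse openssl.cnf text into {section: {key: value}}; "" is the top of the file."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        header = re.match(r"\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_ibmca(text):
    """Return a list of problems with the ibmca engine setup (empty list = OK)."""
    conf = parse_conf(text)
    top = conf[""].get("openssl_conf")
    if top is None:
        if any("openssl_conf" in body for body in conf.values()):
            return ["openssl_conf is inside a [section]; move it to the top of the file"]
        return ["openssl_conf is missing or still commented out"]
    engines = conf.get(top, {}).get("engines")
    if engines is None:
        return ["[%s] has no 'engines =' line" % top]
    # Follow each entry of the engines section to the section it names.
    ibmca = [conf.get(name, {}) for name in conf.get(engines, {}).values()]
    ibmca = [sec for sec in ibmca if sec.get("engine_id") == "ibmca"]
    if not ibmca:
        return ["[%s] does not lead to a section with engine_id = ibmca" % engines]
    if "dynamic_path" not in ibmca[0]:
        return ["dynamic_path is missing from the ibmca section"]
    return []

# Constructed sample: the snippet appended as-is to the end of an existing file.
APPENDED = """[ca]
default_ca = CA_default
##openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
foo = ibmca_section
[ibmca_section]
dynamic_path = /usr/lib64/engines/libibmca.so
engine_id = ibmca
init = 1
"""
FIXED = "openssl_conf = openssl_def\n" + APPENDED   # line moved to the top, uncommented
```

Calling `check_ibmca(open("/etc/ssl/openssl.cnf").read())` on the system being configured returns an empty list when the file matches the layout described in the reply.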
