48135b8bf2
- Upgrade to version 4.2.2 (jsc#PED-3277, jsc#PED-3276)
- [UPDATE] syslog msgs only in error cases
- [UPDATE] don't count statistics in fips power-on self tests
- [PATCH] various fixes and some new tests
- Removed patches
* libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
* libica-sles15sp5-FIPS-hmac-key.patch
- Remove file /etc/libica/openssl3-fips.cnf - we don't support FIPS yet
- Prefix /etc/libica with %dir to ensure we don't package
unversioned files in libica4, as otherwise we violate SLPP.
- Add /etc/libica directory into %files section.
- Upgrade to version 4.2.1 (jsc#PED-2872)
- [PATCH] fix regression opening shared memory
- Upgrade to version 4.2.0 (jsc#PED-581, bsc#1202365).
- [FEATURE] Display build info via icainfo -v
- [FEATURE] New API function ica_get_build_version()
- [FEATURE] Display fips indication via icainfo -f
- [FEATURE] New API function ica_get_fips_indicator()
- [FEATURE] New API function ica_aes_gcm_initialize_fips()
- [FEATURE] New API function ica_aes_gcm_kma_get_iv()
- [FEATURE] New API function ica_get_msa_level()
- [PATCH] icainfo: check for malloc error when getting functionlist
- Upgrade to version 4.1.1 (jsc#PED-581, bsc#1202365).
v4.1.1
- [PATCH] Fix aes-xts multi-part operations
[PATCH] Fix make dist
v4.1.0
- [FEATURE] FIPS: make libica FIPS 140-3 compliant
[FEATURE] New API function ica_ecdsa_sign_ex()
[FEATURE] New icainfo output option -r
- [PATCH] Various bug fixes
- Removed the following obsolete files:
baselibs.conf
icaioctl.h
- Upgraded to version 4.0.3 (jsc#PED-581, jsc#PED-621, jsc#PED-629)
v4.0.3
- [PATCH] Reduce the number of open file descriptors
- [PATCH] Various bug fixes
v4.0.2
- [PATCH] Various bug fixes
v4.0.1
- [PATCH] Various bug fixes
- [PATCH] Compute HMAC from installed library
v4.0.0
- [UPDATE] NO_SW_FALLBACKS is now the default for libica.so
[UPDATE] Removed deprecated API functions including tests
[UPDATE] Introduced 'const' for some API function parameters
[FEATURE] icastats: new parm -k to display detailed counters
- Replaced libica-sles15sp2-FIPS-hmac-key.patch with an updated
version named libica-sles15sp5-FIPS-hmac-key.patch.
- Updated the libica-rpmlintrc file to suppress warnings about the
libica-cex hmac files being hidden.
- Updated the spec file to properly both obsolete and provide two
older versions of the package.
- Upgrade to version 3.9.0 (jsc#SLE-18454, jsc#SLE-18564)
- [FEATURE] Add support for OpenSSL 3.0
- [FEATURE] icainfo: new parm -c to display available EC curves
- Replaced the obsolete PreReq: %fillup_prereq
with Requires(post): %fillup_prereq
in the spec file.
- Update to version 3.8.0 (jsc#SLE-18334)
- [FEATURE] provide libica-cex module to satisfy special security requirements
- [FEATURE] FIPS: enforce the HMAC check
- Remove upstreamed patches:
- libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
- libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
- libica-sles15sp2-Zeroize-local-variables.patch
- Remove patches obsoleted by upstrea developent:
* FIPS: Find libica from phdrs.
- libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
* FIPS: enforce the hmac check
- libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Fix up tests and hmac generation
+ libica-FIPS-make-it-possible-to-specify-fipshmac-binary.patch
- Remove obsolete attributes from filelists
- Upgraded to version 3.7.0 (jsc#SLE-13708)
* Version 3.7.0
- [FEATURE] FIPS: Add HMAC based library integrity check
- [PATCH] icainfo: bugfix for RSA and EC related info for software column.
- [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests
- [PATCH] FIPS: Fix DES and TDES key length
- [PATCH] icastats: Fix stats counter format
* Version 3.6.1
- [PATCH] Fix x25519 and x448 handling of non-canonical values
- Removed the following obsolete patches
* libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
* libica-sles15sp2-Build-with-pthread-flag.patch
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
* libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
- Fix lack of SHA3 KATs in "make check" processing (bsc#1175277)
* Added libica-sles15sp2-FIPS-add-SHA3-KATs-to-fips_powerup_tests.patch
* Added libica-sles15sp2-FIPS-skip-SHA3-tests-if-running-on-hardware-without-.patch
- Fix FIPS hmac check (bsc#1175356).
* Update FIPS support to upstream
- Refresh libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
from upstream.
- Add libica-sles15sp2-Build-with-pthread-flag.patch
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-addon.patch
- Add libica-sles15sp2-FIPS-HMAC-based-library-integrity-check-rename-variables.patch
- Add libica-sles15sp2-FIPS-use-full-library-version-for-hmac-filename.patch
* FIPS check should fail when hmac is missing
- Add libica-sles15sp2-FIPS-fix-inconsistent-error-handling.patch
- Create an hmac for the selftest
- Check that selftest fails without a hmac
- Hash libica.so.3 rather than libica.so.3.6.0
* Fix hmac key format. It should be hexadecimal, not ASCII
- Refresh libica-sles15sp2-FIPS-hmac-key.patch
- Fix Some internal variables used to store sensitive information
(keys) were not zeroized before returning to the calling application.
(bsc#1175357)
* Added libica-sles15sp2-Zeroize-local-variables.patch
- Updated libica-rpmlintrc to eliminate the warning about the HMAC file
being a hidden file. It is supposed to be hidden.
- Added the following patches for FIPS certification (bsc#1162533)
* libica-sles15sp2-FIPS-introduce-HMAC-based-library-integrity-check.patch
* libica-sles15sp2-FIPS-hmac-key.patch
- Added a BuildRequires for the fipscheck package.
- Made a couple of changes to the spec file based upon recommendations
by spec-cleaner.
- Added the following patches for FIPS certification.
* libica-sles15sp2-Fix-DES-and-TDES-key-length.patch
(bsc#1166071) Although a DES key has only 56 effective bits,
all 64 bits must be considered, because the parity bits are
spread over all 8 bytes of the key.
* libica-sles15sp2-FIPS-provide-output-iv-as-required-by-FIPS-tests.patch
(bsc#1166210) FIPS tests require the output iv to be the iv
resulting from decrypting the last block with a zero iv as input.
* libica-sles15sp2-icainfo-bugfix-for-RSA-and-EC-related-info-for-softw.patch
(bsc#1166224) The output from icainfo never shows 'yes' for
RSA ME, RSA CRT, ECDH, ECDSA sign, ECDSA verify, and ECKGEN,
due to the missing ICA_FLAG_SW flag in the icaList.
- Added libica-sles15sp2-x25519-x448-fix-handling-of-non-canonical-values.patch
(bsc#1156768)
- Upgraded to version 3.6.0 (jsc#SLE-7584)
* [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448
- Upgraded to version 3.5.0 (Fate#327840)
- [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify
- Reworked how libica-tools loads and unloads kernel modules to
avoid spurious error messages (bsc#1134004):
* Converted the boot.z90crypt sysV init script to a systemd unit
file.
* Removed any references to insserv in the spec file.
* Updated the z90crypt script itself to properly load and unload
the kernel modules as they exist today.
* Eliminated the obsolete libica-SuSE.tar.bz2 archive.
- Updated the README.SUSE file to reflect the change from sysV init
style script to systemd.
- Made numerous changes to the spec file, based on the output from
the spec-cleaner command.
- Run testsuite during build
- Upgraded to version 3.4.0 (Fate#325690)
* v3.4.0
[FEATURE] Add SHA-512/224 and SHA-512/256 support
- Dropped obsolete patch Add-non-executable-gnu-stack-markings-in-the-assembl.patch
- Made numerous updates to spec file based on spec-cleanup run.
- Upgraded to version 3.3.3 (Fate#325690)
* v3.3.3
[PATCH] Various bug fixes
* v3.3.2
[PATCH] Skip ECC tests if required HW is not available
[PATCH] Update spec file
* v3.3.1
[PATCH] Fix configure.ac to honour CFLAGS
* v3.3.0
[FEATURE] Add CEX supported elliptic-curve crypto interfaces
[FEATURE] Add SIMD supported multiple-precision arithmetic interfaces
[FEATURE] Add interface to enable/disable SW fallbacks
[FEATURE] Add 'make check' target, test-suite rework
* v3.2.1
[FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG.
[PATCH] Various bug fixes.
- Dropped obsolete patch increment-icastats-counter-for-aes-gcm.patch
- Removed COPYING from %files, since it is no longer in the tarball.
- Added Add-non-executable-gnu-stack-markings-in-the-assembl.patch
(bsc#1103493).
- Made multiple changes to the spec file based on the output of
spec-cleaner
- Added "Obsoletes: libica-2_3_0" to the libica-tools package to
fix a problem with upgrading from SLES12 SP2 to either SLES12
SP3/SP4, or SLES15. (bsc#1112655)
- Added "Obsoletes: libica2" to the libica-tools package to fix
a problem with upgrading from SLES12 SP2 to either SLES12
SP3/SP4, or SLES15. (bsc#1046435, bsc#1104638)
- Added increment-icastats-counter-for-aes-gcm.patch (bsc#1086756)
- Updated boot.z90crypt script to fix a problem with the modprobe
command not being found. (bsc#1040229).
- Added "Recommends: libica-tools" (bsc#1046435).
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- Added "--enable-fips" to the %configure parms (Fate#324115)
- Upgraded to version 3.2 (Fate#321517)
* v3.2.0
[FEATURE] New AES-GCM interface.
[UPDATE] Add symbol versioning.
* v3.1.1
[PATCH] Various bug fixes related to old and new AES-GCM implementations.
[UPDATE] Add SHA3 test cases. Improved and extended test suite.
* v3.1.0
[FEATURE] Add KMA support for AES-GCM.
[FEATURE] Add SHA-3 support.
[PATCH] Reject RSA keys with invalid key-length.
[PATCH] Allow zero output length for ica_random_number_generate.
[PATCH] icastats: Correct owner of shared segment when root creates it.
* Removed the following obsolete patches:
libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
libica-3.0.2-03-fix-aes-ctr.patch
libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
- libica: AES-GCM/CCM sometimes compute wrong tag values (bsc#1058567)
- Added the following patches (bsc#1058567)
- libica-3.0.2-01-fix-old-aes-gcm-decrypt-code-path.patch
- libica-3.0.2-02-fix-aes-ccm-encrypt-code-path.patch
- libica-3.0.2-03-fix-aes-ctr.patch
- libica-3.0.2-04-fix-aes-gcm-to-allow-zero-pt-ct-length.patch
- baselibs.conf doesn't need any additional provides/conflicts for
libica3.
- Update baselibs.conf with proper name for library package name,
stop providing/obsoleting libica-2_1_0/libica-2_3-0.
- Upgraded to version 3.0.2 (Fate#322025).
- v3.0.2
- Fix locking callbacks for openSSL APIs.
- v3.0.1
- Fixed msa level detection on zEC/BC12 GA1 and predecessors.
- v3.0.0
- Added FIPS mode.
- Sanitized exported symbols.
- Removed deprecated APIs. Marked some APIs as deprecated.
- Adapted to OpenSSL v1.1.0.
- RSA key generation is thread-safe now.
- Removed the following obsolete patches:
- fix-initialization-of-s390-hardware-switches-1.patch
- fix-initialization-of-s390-hardware-switches-2.patch
- fix-msa-level-detection.patch
- fix-segfault-during-multithread-keygen.patch
- rng-performance.patch
- Made the following packaging changes:
- Implemented the shared library packaging guidelines.
- Consolidated double invocation of %setup into just one.
- Dropped redundant %ifarch, the package is already ExclusiveArch.
- Updated descriptions.
- Added an libica-rpmlintrc file.
- Added the following two patches:
- fix-segfault-during-multithread-keygen.patch (bsc#991485)
- fix-msa-level-detection.patch (bsc#1010927)
- Added rng-performance.patch (bsc#990850).
- Updated baselibs.conf to obsolete prior versions of the 32bit
package. (bsc#983897):
provides "libica-<targettype> = <version>"
obsoletes "libica-<targettype> < <version>"
provides "libica-2_1_0-<targettype> = <version>"
obsoletes "libica-2_1_0-<targettype> < <version>"
provides "libica-2_3_0-<targettype> = <version>"
obsoletes "libica-2_3_0-<targettype> < <version>"
- Added fix-initialization-of-s390-hardware-switches-1.patch and
fix-initialization-of-s390-hardware-switches-2.patch (bsc#980548)
- Upgraded to version 2.6.2 (FATE#319610).
- Renamed /etc/init.d/z90crypt to boot.z90crypt to conform to
naming standards.
- Found the original location of the icaioctl.h file and downloaded
it to replace what we had previously.
- Removed the unnecessary libica2.la file
- Removed unnecessary Requires for glibc-devel
- Added Requires libica2 to the -devel package
- Converted call to configure to %configure macro
- Removed obsolete and unnecessary INSROOT and bindir parameters
from the make install command
- Add Provides/Obsoletes for libica-2_3_0 so that the package from
SLE12 GA is replaced (bsc#953096).
- move the .so file to the mainpackage, the openssl-ibmca engine
will only load "libica.so" (bsc#952871)
- Update to libica v2.4.2 (FATE#318035)
- Removed outdated libica-aes_ccm-31-bit-compatibility.patch
- Moved init script into libica-SuSE.tar.bz2 archive
- sanitize release line in specfile
- Moved z90crypt out of useless libica-SuSE.tar.bz2 tarball to root
- Removed libica-SuSE.tar.bz2
- z90crypt now starts and stops ap kernel module (bnc#888943)
- libica-aes_ccm-31-bit-compatibility.patch: AES_CCM:
fixed 64/31 bit compatibility
- add obsoletes and provides for older libica versions
- update to 2.3.0 (fate#315342)
- obsolete/upstreamed patches:
libica-2_1_0-fix_temporary_buffer_allocation_in_ica_get_version.patch
libica-2_1_0-msa4-extension.patch
libica-2_1_0-synchronize_shared_memory_ref_counting.patch
- Added COPYING to %files
- Fixed build dependency errors by requiring autoconf, automake
and libtool
- Changed license to CPL-1.0
- Created devel package
- Support for MSA4 extension (bnc#794518, fate#314078)
- synchronize shared memory reference counting for library
statistics (bnc#719659)
- fix temporary buffer allocation in ica_get_version() (bnc#719660)
- update -> 2.1.0 (fate#311914)
- Moved icainfo into /usr/bin (bnc#448643)
- obsolete old -XXbit packages (bnc#437293)
- fix build on all platforms
- Added CPL license to include/z90crypt.h, removed GPL reference
(This patch is upstream)
- Changed package name to libica-1_3_9 to conform to rpmlint
requirements. (bnc#433432)
- Removed soname filter for rpmlint
- Several RPM fixes to help satisfy rpmlint
- Updated to libica 1.3.9
- added baselibs.conf file to build xxbit packages
for multilib support
- remove inclusion of linux/config.h
- z90crypt: handle errors (bug #247799)
- Add gcc-c++ to BuildRequires.
- fix build for the rest of platforms
- Update to libica 1.3.7 (#160036 - LTC22571)
- Increasing # of open handles with symmetric crypto support
(#165323 - LTC23095)
- converted neededforbuild to BuildRequires
- include string.h and unistd.h in icalinux.c
- Port package from SLES9 SP3
- Update to libica 1.3.6-rc3.
- Close all filehandles (#130060 - LTC19221).
- downgrade to libica 1.3.6-rc2 (contains AES software fallback,
bug #117336)
- Update to libica 1.3.6 (#117336)
- fix implicit declaration
- Changing the default value from 0 to -1 in rcz90crypt (#114371)
- Finally fix 'reload' messages (#81824 - LTC15733).
- Fix sigill patch.
- Remove printf output from sigill patch (#81829 - LTC15731).
- Use correct default value for z90crypt (#81825 - LTC15732).
- Fix messages for 'reload' (#81824 - LTC15733).
- Fixed SIGILL on z900 (#46422).
- Fixed range for 'domain' parameter in sysconfig.z90crypt (#42005).
- Fix module loading error (#42006).
- Add sysconfig variable to set the 'domain' parameter (#42005).
- update -> 1.3.5-3 (bug #42122)
- Update README.SuSE and correct name as well
- Use modprobe instead of insmod and fix module load error(#40526)
- Fix error checking for no hardware found case and hw error on load
- Update Readme again for the correct name (SUSE LINUX Server).
- Moved README.SuSE to README.SUSE.
- Update Readme to refer to the correct name (SUSE Linux Server).
- Update to 1.3.5-2 (#38511, #39693).
- Update Readme to refer to SUSE Linux Server instead of
SuSE Linux Enterprise Server.
- Update to 1.3.5
- export CFLAGS & CPPFLAGS for configure
- Exclude S/390-specific files for other archs (#37183)
- add "-I./include" to CFLAGS and use RPM_OPT_FLAGS
- fix build
- build as user
- update to 1.3.4
- update to 1.3.2
- update to 1.3.1:
now supports DES, TDES and SHA, as well as RSA.
- throw libica.patch away, since autoversion and Makefile.am have
similar changes now, and the renaming from _LINUX_S390_ to
__s390__ is not really necessary
- use %defattr
- checked that icaioctl.h is still current
- dump the bin-only z90crypt-2.4.7-s390-2.tar.gz which has gone
open source meanwhile and comes with the kernel sources
- added documentation how to set up crypto hardware support,
esp. S/390 and zSeries. (#16011, #22056)
- upgraded to version 1.2 as requested by IBM to make openCryptoki 1.5
actually work. (#20737)
- Correct PreReq
- fixed src/Makefile.am and ugly ./autoversion to honor %_lib and
to build on non-s390
- updated to current libica
- hacked in icaioctl.h for build, 'til we have the module in the
kernel.
- add %run_ldconfig
- fix for current automake/autoconf
- removed old fillup-template and START_ variable
- modified etc/init.d/z90crypt-script to report result at start.
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/request/show/1088514
OBS-URL: https://build.opensuse.org/package/show/security:tls/libica?expand=0&rev=9
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| libica-4.2.2.tar.gz | ||
| libica-rpmlintrc | ||
| libica.changes | ||
| libica.spec | ||
| README.SUSE | ||
| sysconfig.z90crypt | ||
| z90crypt | ||
| z90crypt.service | ||
The following information was provided to us courtesy of the IBM
testing team, who tested the functionality of apache with mod_ssl
on SUSE LINUX Enterprise Server 9 for S/390 and zSeries.
It thus refers to testing only from a certain point, and the
z90crypt part is of course specific to S/390 and zSeries.
-------------------------------------------------------------------
Installation and Configuration of S/390 HW Crypto
on SUSE Linux Enterprise Server 9 for S/390 and zSeries:
1) Installation of the driver packages openCryptoki and libica
The driver packages are installed during base install in the
default selection. If you installed only minimal system or
deinstalled the packages, install them now. If the installation
source is accessible, you can do it with a single command:
31bit:
yast sw_single openCryptoki openCryptoki-32bit
64bit:
yast sw_single openCryptoki openCryptoki-32bit openCryptoki-64bit
This will automatically install the necessary libica packages as
well if they are not installed yet.
2) Loading the z90crypt driver:
systemctl start z90crypt to load z90crypt
systemctl stop z90crypt to unload z90crypt
this command will be available only after installation of the
crypto driver packages.
To load the driver automatically at every system boot, integrate it
with the other boot scripts issuing
systemctl enable z90crypt
3) Checking if the z90crypt hardware driver can be accessed
Run this command:
openssl speed rsa1024 -engine ibmca -elapsed
If you get 'can't use that engine', as the first line
of output of the command look for the successive line
and check:
- if running "rcz90crypt restart" gives no error message
- the output of command "dmesg" for error messages from the driver
- the hardware is indeed available to this instance
4) Installation and Setup of mod_ssl and apache
a) ensure that mod_ssl and apache are installed during base
install. If the installation source is accessible,
the command
yast sw_single mod_ssl
will install apache and mod_ssl if they are not installed yet.
b) to activate the apache ssl support do the following:
if you did not use yast to install the packages, you have
to run manually: SuSEconfig --module apache
edit /etc/sysconfig/apache:
change HTTPD_START_TIMEOUT=2 to 20
change HTTPD_SEC_MOD_SSL=no to yes
edit httpd.conf in /etc/httpd:
in section 2: check that the ServerName and ServerMail in
the ServerAdmin section is ok.
in section 3: set inside <VirtualHost_default_: 443> the
ServerName to host name
add on section <IfModule mod_ssl.c>: SSLCryptoDevice ibmca
run: SuSEconfig --module apache
5) Crypto configuration of apache/mod_ssl:
a) create a certificate (Snake Oil) for the TEST --- THIS
CERTIFICATE IS NOT SECURE FOR PRODUCTION USE! IT IS FOR
TESTING PURPOSES ONLY! GET A PROPER CERTIFICATE FROM A
CERTIFICATION AUTHORITY FOR PRODUCTION USE.
go to: cd /usr/share/doc/packages/mod_ssl
run: ./certificate.sh
see following questions will come up. Give shown answers
and use the pass phrase:
der3gbe:/usr/share/doc/packages/mod_ssl # ./certificate.sh
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved.
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:R
STEP 1: Generating RSA private key (1024 bit) [server.key]
123006 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..++++++
.................++++++
e is 65537 (0x10001)
STEP 2: Generating X.509 certificate signing request
[server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:DE
2. State or Province Name (full name) [Snake Desert]:
<enter>
3. Locality Name (eg, city) [Snake Town]:
<enter>
4. Organization Name (eg, company) [Snake Oil, Ltd]:
<enter>
5. Organizational Unit Name (eg, section) [Webserver Team]:
<enter>
6. Common Name (eg, FQDN) [www.snakeoil.dom]:
<enter>
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:
<enter>
STEP 3: Generating X.509 certificate signed by Snake Oil CA
[server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=DE/ST=Snake Desert/L=Snake Town/O=Snake Oil,
Ltd/OU=Webserver
Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
/etc/httpd/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake
Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil
CA/Email=ca@snakeoil.dom
error 10 at 1 depth lookup:certificate has expired
OK
STEP 4: Enrypting RSA private key with a pass phrase for
security [server.key]
The contents of the server.key file (the generated private key)
has to be
kept secret. So we strongly recommend you to encrypt the
server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: Y
read RSA key
writing RSA key
Enter PEM pass phrase: <=== crypto
Verifying password - Enter PEM pass phrase: <=== crypto
Fine, you're using an encrypted RSA private key.
RESULT: Server Certification Files
o conf/ssl.key/server.key
The PEM-encoded RSA private key file which you
configure with the 'SSLCertificateKeyFile' directive
(automatically done when you install via APACI). KEEP
THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request file
which you can send to an official Certificate Authority
(CA) in order to request a real server certificate
(signed by this CA instead of our demonstration-only
Snake Oil CA) which later can replace the
conf/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
der3gbe:/usr/share/doc/packages/mod_ssl #
6) Start Apache with SSL
a) start with pass phrase (Changes done to apache modul
described in item c)).
run: rcapache start
dev3fe01:~ # rcapache start
Starting httpd [ PERL PHP4 Python SSL ]Apache/1.3.26
mod_ssl/2.8.10 (Pass Phrase Dialog)
Some of your private key files are encrypted for security
reasons.
In order to read them you have to provide us with the pass
phrases.
Server dev3fe01.boeblingen.de.ibm.com:443 (RSA)
Enter pass phrase: crypto
Ok: Pass Phrase Dialog successful.
done
b) start without pass phrase when using apache without
ssl-support
remark: You need to change the apache modul (see
item c)). Set the HTTPD_SEC_MOD_SSL=no.
run: rcapache start
7) Check that ibmca is used and apache is working with http and https:
a) On a browser enter http://<server-host> or
https://<server-host>
b) with netstat or netstat -a on the apache server machine you
can see if https is used.
c) in the log /var/log/httpd/ssl_engine_log you can see if the
ibmca engine is started or not.
d) during siege test you can see with cat /proc/driver/z90crypt
if and what crypto HW is used
e) you can check a http connection with telnet <server-host>
http. Then enter
get / http/1.0
and you should get back some stuff after pressing enter
twice.
f) You can check if openssl works with the ibmca engine
a) Therefore you must create certificates:
cd /usr/share/ssl/misc
run: ./CA.sh -newcert
dev3fe01:/usr/share/ssl/misc # ./CA.sh -newcert
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......................++++++
.++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: <== geheim
Verifying password - Enter PEM pass phrase: <== geheim
Verify failure
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
<== press enter
State or Province Name (full name) [Some-State]:
<== press enter
Locality Name (eg, city) []:
<== press enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<== press enter
Organizational Unit Name (eg, section) []:
<== press enter
Common Name (eg, YOUR name) []: <== press enter
Email Address []: <== press
enter
Certificate (and private key) is in newreq.pem
run: ./CA.sh -newca
dev3fe02:/usr/share/ssl/misc # ./CA.sh -newca
CA certificate filename (or enter to create)
newreq.pem
dev3fe02:
b) Use openssl as a Web-browser and use https connection:
openssl s_client \
-connect <ip-addr of webserver>:443 -state -debug
The machine were you start the client is working as
your 'browser' connecting to the webserver. You can
start commands from the client like get / http/1.0 .
c) Use openssl as a Web-server and use https connection:
openssl s_server \
-accept 443 -www -engine ibmca -cert newreq.pem
The machine is working like a small webserver with full
openssl functionality. You can start your browser to
this machine and a lot of info will be sent.
dev3fe01:/usr/share/ssl/misc # openssl s_server -accept 443
-www -cert newreq.pem -engine ibmca
engine "ibmca" set.
Using default temp DH parameters
Enter PEM pass phrase: <== geheim
ACCEPT
-------------------------------------------------------------------