How To
Summary
The JVM on z/OS can make use of the following cryptographic providers for encryption, decryption and SSL operations:
IBMJCE (software provider)
IBMJCECCA (hardware provider)
IBMJCEHYBRID (hybrid provider)
The JVM ships with the IBMJCE provider enabled by default.
Objective
and to provide failover from hardware to software providers when running in a Liberty for z/OS server.
When using the IBMJCECCA provider, the certificate's private key can be stored in RACF, ICSF, or the PKDS, and the IBMJCECCA provider can be enabled to use the Crypto Express hardware, through ICSF, to off-load public key operations during the SSL handshake.
If the personal certificate's private key is stored in ICSF or PKDS, the IBMJCECCA provider is needed in order to allow ICSF to access the certificate's private key.
Steps
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.11=sun.security.provider.Sun
The providers above come from the JAVA_HOME/lib/security/java.security file and are listed after the IBMJCECCA and IBMJCE providers.
<feature>ssl-1.0</feature>
location="safkeyring:///LibertyKeyring"
password="password" type="JCERACFKS"/>
location="safkeyring:///LibertyKeyring"
password="password" type="JCERACFKS"/>
location="safkeyringhw:///LibertyKeyring"
password="password" type="JCECCARACFKS"/>
location="safkeyringhw:///LibertyKeyring"
password="password" type="JCECCARACFKS"/>
For example, the certificate might show a private key of type ICSF or a private key with a PKDS label.
PKDS Label: IRR.DIGTCERT.Liberty_ID.xxx.nnnnnnnnnn
The following RACF command can be used to determine if CSFSERV is active under "ACTIVE CLASSES":
The following RACF command can be used to determine which ICSF callable services in the CSFSERV class are defined:
PERMIT CSFDSV CLASS(CSFSERV) ID(Liberty_ID) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH
security.provider.2=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.6=com.ibm.security.jgss.IBMJGSSProvider
security.provider.7=com.ibm.security.cert.IBMCertPath
security.provider.8=com.ibm.security.sasl.IBMSASL
security.provider.9=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.10=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.12=sun.security.provider.Sun
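The two java.security listings above (IBMJCECCA ahead of IBMJCE, and the same pair with IBMJCECCA at index 2) are easy to get subtly wrong by hand: a skipped index or a swapped pair does not produce an error at startup. The following script is an added example, not part of the IBM document, that lints a java.security file for those mistakes before the Liberty JVM is pointed at it. It checks three things: that the security.provider.N indexes are contiguous (the standard JDK provider loader reads security.provider.1, .2, .3 ... and stops at the first index that is missing, so every provider after a gap is silently ignored), that no provider class appears twice, and that IBMJCECCA is listed ahead of IBMJCE. The sample lists embedded in it are constructed; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the IBM document): sanity-check the security.provider.N list in a
# java.security file. Reads the file named in $1, or stdin when no argument is given.
# Prints "OK" and returns 0 when the list is sane; otherwise prints each problem and returns 1.
check_provider_list() {
  awk -F= '
    /^[ \t]*#/ { next }                                   # skip comment lines
    /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
      n = $1; sub(/^[ \t]*security\.provider\./, "", n); sub(/[ \t]*$/, "", n)
      cls = $2; gsub(/[ \t]/, "", cls)
      if (n in prov)   { print "duplicate index security.provider." n; bad = 1 }
      if (cls in seen) { print "provider listed twice: " cls; bad = 1 }
      prov[n] = cls; seen[cls] = n + 0
      if (n + 0 > max) max = n + 0
    }
    END {
      # The JDK loader stops at the first undefined index, so a gap drops everything after it.
      for (i = 1; i <= max; i++)
        if (!(i in prov)) {
          print "gap at security.provider." i ": providers " i + 1 " to " max " would be ignored"
          bad = 1; break
        }
      hw = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"; sw = "com.ibm.crypto.provider.IBMJCE"
      if (!(hw in seen)) { print "IBMJCECCA is not listed"; bad = 1 }
      else if ((sw in seen) && seen[sw] < seen[hw]) {
        print "IBMJCE is ahead of IBMJCECCA; the hardware provider will not be preferred"; bad = 1
      }
      if (!bad) print "OK"
      exit bad ? 1 : 0
    }' "${1:--}"
}

# Convenience wrapper: lint a list held in a shell string instead of a file.
check_string() { printf '%s\n' "$1" | check_provider_list; }

# Constructed samples: a list in the order the document shows (IBMJCECCA first, then IBMJCE),
# and the same list with index 3 removed.
GOOD_LIST='security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider'
GAPPED_LIST='security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider'

# Self-check on the samples; on z/OS run it against the real file instead:
#   check_provider_list /WebSphere/Liberty/servers/defaultServer/java.security
check_string "$GOOD_LIST"
check_string "$GAPPED_LIST"
```

Run it against the java.security file named in IBM_JAVA_OPTIONS before restarting the server; a non-zero exit means the provider chain the JVM will actually build differs from the one written in the file.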
Additional Information
In jvm.options add:
Search for all occurrences of "SEVERE" or "reason code" to identify permission problems.
For example:
Review
This trace requires a restart of the Liberty for z/OS server to enable and disable.
3. In server.xml, add the Liberty SSL traceSpecification to the logging element:
Alternatively, the Liberty trace can be enabled dynamically, which limits the trace output, by issuing the MVS console command:
F JOBNAME,LOGGING='SSL=all'
F JOBNAME,LOGGING='SSLChannel=all'
Where JOBNAME is the Liberty Application Server region jobname.
Recreate the problem
Then reset the trace back to what the server started with (i.e. *=info):
F JOBNAME,LOGGING=RESET
4. For production environments where it is too difficult to obtain traces by restarting the server, or where there are too many SSL requests for a dynamic trace, the following JVM keytool/hwkeytool commands can be used to confirm whether the certificates are accessible to the JVM.
The user must be logged in to the OMVS shell (USS) with the same ID that the Liberty for z/OS server runs under.
If your Liberty user ID does not have a password, the USS commands below can be copied into a shell script and run from JCL with USER=Liberty_ID specified in the JCL.
# Indicate to the JVM where your java.security file with the security providers is located
export IBM_JAVA_OPTIONS=-Djava.security.properties=/WebSphere/Liberty/servers/defaultServer/java.security
# If your certificate keys are in software, use the keytool command to list the certificates on the Liberty keyring
keytool -list -v -storetype JCERACFKS -keystore safkeyring:///LibertyKeyring \
  -J-Djava.protocol.handler.pkgs=com.ibm.crypto.provider
# If your keys are in hardware, use the hwkeytool command to list the certificates on the Liberty keyring
hwkeytool -list -storetype JCECCARACFKS -keystore safkeyring:///LibertyKeyring \
  -J-Djava.protocol.handler.pkgs=com.ibm.crypto.hdwrCCA.provider
The keytool and hwkeytool commands should list the certificates on the keyring for the user logged in to the OMVS shell (i.e. Liberty_ID).
If not, this indicates a problem accessing the certificate from the keyring; add -J-Djava.security.auth.debug=all to the keytool or hwkeytool command (the -J prefix passes the option to the JVM, as for the handler package above) to determine the reason.
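Step 4 above suggests putting the keytool/hwkeytool commands into a shell script run from JCL under the Liberty ID. The script below is an added example, not part of the IBM document, of what that script can look like once it does more than print a listing: it picks keytool or hwkeytool from the keystore type together with the matching protocol handler package, optionally adds the -J-Djava.security.auth.debug=all option from the document, and then parses the listing to confirm that the server certificate alias is present as a private-key entry (a listing that shows only trusted certificates means the keyring is readable but the private key is not). The keyring name LibertyKeyring and the java.security path are the document's; the alias LibertyCert and the embedded sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM document): verify the Liberty keyring under the Liberty ID.
# Placeholders: alias LibertyCert (constructed); keyring and java.security path as in the document.
SECURITY_PROPS=/WebSphere/Liberty/servers/defaultServer/java.security
KEYRING_URL=safkeyring:///LibertyKeyring

# Map a keystore type to the tool and protocol handler package the document pairs it with.
# Prints "tool package"; fails on an unknown type.
tool_for_storetype() {
  case "$1" in
    JCERACFKS)    echo "keytool com.ibm.crypto.provider" ;;
    JCECCARACFKS) echo "hwkeytool com.ibm.crypto.hdwrCCA.provider" ;;
    *) echo "unsupported store type: $1" >&2; return 1 ;;
  esac
}

# List the keyring. $1 = store type; $2 = "debug" adds -Djava.security.auth.debug=all,
# which the document recommends when the listing fails. -J passes each option to the JVM.
list_keyring() {
  pair=$(tool_for_storetype "$1") || return 1
  tool=${pair%% *}
  pkg=${pair##* }
  debug=""
  [ "${2:-}" = "debug" ] && debug="-J-Djava.security.auth.debug=all"
  export IBM_JAVA_OPTIONS="-Djava.security.properties=$SECURITY_PROPS"
  "$tool" -list -v -storetype "$1" -keystore "$KEYRING_URL" \
    -J-Djava.protocol.handler.pkgs="$pkg" $debug
}

# Return 0 when listing $1 shows alias $2 as a private-key entry. Handles the verbose
# "Alias name: ... / Entry type: ..." layout and the compact "alias, date, PrivateKeyEntry,"
# layout; older keytool releases print "keyEntry" instead of "PrivateKeyEntry".
# Aliases are compared case-insensitively because RACF labels are listed in mixed case.
alias_has_private_key() {
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s\n' "$1" | awk -v want="$want" '
    /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); cur = tolower($0); next }
    /^Entry type:/ { if (cur == want && $0 ~ /PrivateKeyEntry|keyEntry/) found = 1; next }
    /,/ { n = split($0, f, ",")
          if (tolower(f[1]) == want)
            for (i = 2; i <= n; i++) if (f[i] ~ /PrivateKeyEntry|keyEntry/) found = 1 }
    END { exit found ? 0 : 1 }'
}

# End-to-end check: $1 = store type, $2 = alias, $3 = "debug" (optional).
# The return code is what the JCL step sees.
verify_keyring() {
  out=$(list_keyring "$1" "${3:-}") || { echo "listing failed; rerun with debug"; return 2; }
  if alias_has_private_key "$out" "$2"; then
    echo "alias $2 is present with a private key"
  else
    echo "alias $2 not found as a private-key entry"; return 1
  fi
}

# Constructed sample of a verbose keytool -list -v listing, for an offline self-check.
SAMPLE_LISTING='Keystore type: JCERACFKS
Keystore provider: IBMJCE

Your keystore contains 2 entries

Alias name: LibertyCert
Creation date: Jan 25, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 2

Alias name: ExampleCA
Creation date: Jan 25, 2023
Entry type: trustedCertEntry'

# Offline self-check of the parser on the constructed sample.
alias_has_private_key "$SAMPLE_LISTING" LibertyCert && echo "parser self-check passed"

# On z/OS, under the Liberty ID, uncomment to run the real check (hardware keys shown):
# verify_keyring JCECCARACFKS LibertyCert || verify_keyring JCECCARACFKS LibertyCert debug
```

When a RACF label contains spaces, quote the alias argument; the comparison is on the whole label, not on its first word.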
Document Location
Worldwide
Document Information
Modified date:
25 January 2023
UID
ibm16209109