Creating Certificates with Hardware Encrypted Private Keys for use with CCISSLGW

Document ID : KB000054704
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction:

You are using CCI TCP/IP Gateway task (CCITCPGW) to connect your mainframe LPARS and you now want to change to using the CCISSLGW task to establish SSL connections.

 

Background:

In September 2007 the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) validated IBM's eServer Cryptographic Coprocessor Security Module as compliant with the Federal Information Processing Standards (FIPS) 140-2. FIPS 140-2 encompasses the federal Security Requirements for Cryptographic Modules. Hardware and software modules that are validated as conforming to this standard are accepted by the Governments of the United States and Canada for the protection of sensitive information.

The IBM FIPS 140-2 validation as of 25 September 2007 can be found at the following link:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2006.htm

Specifically, the validation applies to:
IBM eServer Cryptographic Coprocessor Security Module
(Hardware Version: P/Ns 12R6536, 12R8241, 12R8561, 41U0438, Model 4764-001;
Firmware Versions: 2096a16d and c16f4102)

(When operated in FIPS mode)

The configuration and operation of the hardware security module in FIPS mode is described in the following document:

http://cs-www.ncsl.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp661.pdf

The purpose of the Technical Note to follow is to provide customers guidance in creating
System SSL certificates with private keys encrypted by IBM Cryptographic Coprocessor products. CCISSLGW may then use these certificates for secure session validation over SSL links. The information provided herein should be of interest and assistance to customers with a need to approach the FIPS 140-2 arena. It is the responsibility of customer site security officers to comply with the hardware requirements for FIPS mode enablement as described in documents posted at the above links.

 

The Technical Note:
Creating certificates with hardware encrypted keys for use between CCISSLGW systems involves many steps. There may be other variations of this process, however, this is the sequence of steps we have used to build certificates that incorporate hardware encrypted private keys and can be used to validate SSL links between CCISSLGW systems.

We will first describe the process and then we will provide examples using the CA-Top Secret command interface.

 

Instructions:

Please refer to attached document for details about "The Process".

File Attachments:
TEC468126.zip