On Wed, 1 Jun 2011 13:17:09 -0500, Stew Feuerstein <[email protected]> wrote:

>We are relative novices with crypto/ssl.  In the past we have used
>certificates with RSA and 1024 keys.  We do not have a crypto card in our z9
>box.  Now we are told that we must get keys >= 2048.  Is it possible to use
>RSA keys >1024 without a crypto card?

Yes, it's possible to use RSA keys longer than 1024 bits without having a
crypto card. 

>
>We use the certificate for tn3270.  Using TelnetParms, Secureport 23, and
>Keyring SAF Telnetring.  We use Top Secret for security.  Top Secret
>documentation seems to imply that we'd have to use DSA instead of RSA.  Our
>Certificate group (only knows about Unix) seems to insist that we have to
>get an RSA based key

Now you've changed the question, I think. It seems you're really asking
"will Top Secret let us -create- (not use) a certificate that has an RSA key
longer than 1024 bits and put it into a SAF keyring?"

That's a question for CA to answer about Top Secret and how it creates
certificates. 

SSL won't have any problems -using- the certificate (and you could create it
using gskkyman, for example, and put it into a key database rather than into
a Top Secret SAF keyring).
 
By the way, you may not be aware that the z9 and z10 have built-in crypto
capability via the CPACF feature, as well as crypto capability via optional
crypto co-processor cards. With RACF you would need to have the CPACF
feature of your z9 enabled to create a certificate with a 2048-bit RSA key,
but you would not need a crypto card. Possibly Top Secret works the same
way. Again, that's a question for you to ask of CA. 

It is likely that you do have CPACF enabled, though it's possible you don't,
so you would also need to check on that.

By the way, I'm told that you can't use certificates with DSA keys for SSL
handshaking. You would need to configure the TN3270 server to use ephemeral
Diffie-Hellman key exchange, as DSA certificates have only signing, not
key-exchange, capabilities.

-- 
Walt Farrell
IBM STSM, z/OS Security Design
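As an added illustration of the two points in the reply above (this is not part of the original IBM-MAIN message, and it uses the OpenSSL command line on an ordinary workstation rather than gskkyman or a SAF keyring on z/OS): a 2048-bit RSA key pair is produced entirely in software, with no hardware crypto involved, and a DSA key pair is shown to sign and verify but to refuse an encryption operation, which is why a DSA certificate alone cannot supply the key exchange in an SSL handshake. The only assumption is that the `openssl` binary (1.1.x or 3.x) is on PATH; all file names are temporary files created by the script.

```shell
#!/bin/sh
# Added example, not from the IBM-MAIN thread. Assumes the OpenSSL CLI is on PATH.
# Everything is written to a scratch directory created here.

WORK=$(mktemp -d)

# Generate a 2048-bit RSA key pair in software only (no crypto card or CPACF
# involved) and print the modulus size in bits, as reported by OpenSSL.
rsa_key_bits() {
    [ -f "$WORK/rsa2048.pem" ] ||
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORK/rsa2048.pem" 2>/dev/null
    # `openssl pkey -text` prints a line such as "Private-Key: (2048 bit, 2 primes)"
    openssl pkey -in "$WORK/rsa2048.pem" -text -noout \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Generate DSA domain parameters and a DSA key pair once (parameter generation
# for a 2048-bit p takes a few seconds), plus a constructed message to sign.
make_dsa_key() {
    [ -f "$WORK/dsa.pub" ] && return 0
    openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 \
        -out "$WORK/dsaparam.pem" 2>/dev/null
    openssl genpkey -paramfile "$WORK/dsaparam.pem" -out "$WORK/dsa.pem" 2>/dev/null
    openssl pkey -in "$WORK/dsa.pem" -pubout -out "$WORK/dsa.pub" 2>/dev/null
    printf 'constructed sample message' > "$WORK/msg"
}

# A DSA key has signing capability: sign with the private key, verify with the
# public key. Prints "yes" on a successful round trip, "no" otherwise.
dsa_key_can_sign() {
    make_dsa_key
    openssl dgst -sha256 -sign "$WORK/dsa.pem" -out "$WORK/msg.sig" "$WORK/msg" 2>/dev/null \
        && openssl dgst -sha256 -verify "$WORK/dsa.pub" -signature "$WORK/msg.sig" \
               "$WORK/msg" >/dev/null 2>&1 \
        && echo yes || echo no
}

# A DSA key has no encryption / key-transport capability: OpenSSL rejects the
# operation, so this prints "no". An RSA certificate could carry the key
# exchange itself; a DSA certificate needs ephemeral Diffie-Hellman alongside it.
dsa_key_can_encrypt() {
    make_dsa_key
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/dsa.pub" \
        -in "$WORK/msg" -out "$WORK/msg.enc" 2>/dev/null \
        && echo yes || echo no
}

printf 'RSA modulus bits (software-generated): %s\n' "$(rsa_key_bits)"
printf 'DSA key can sign/verify: %s\n' "$(dsa_key_can_sign)"
printf 'DSA key can encrypt:     %s\n' "$(dsa_key_can_encrypt)"
```

The same check applies to a certificate file: `openssl x509 -in cert.pem -text -noout` shows the key algorithm and size, and a DSA subject key will only ever be usable for signatures, whatever the key usage extension says.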

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html