Radoslaw, It depends who is doing the ICSF calls. If you are running the TN3270 version of encryption then the calls will be from your session I think. If you are running AT-TLS then the calls will be from the TCPIP address space.
I am not familiar with Omegamon, sorry. Lennie -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka Sent: 27 January 2022 19:54 To: [email protected] Subject: Re: TCPIP and ICSF. And RMF Lennie, I did start the GSKSRVR. Its command (DISPLAY CRYPTO) shows which algorithms are hardware assisted. However it is not a proof that TCPIP family really use crypto hardware. I tried to trace is by using AUDIT(ALL) for CSFSERV profiles on some tech/sandbox LPAR - and the results show some users like me (I ran some simple programs using ICSF services) or MQ, but no clue about TCPIP. I also tried to use Omegamon TEP, however the views are obsolete and I cannot reconfigure it. And still no trace of TCPIP. Regards -- Radoslaw Skorupka Lodz, Poland W dniu 21.01.2022 o 16:50, Lennie Dymoke-Bradshaw pisze: > Radolslaw, > > There are 2 parts to TLS encryption, the handshake and the data encryption. > (Others may argue there are more.) These are the handshake and the data > transfer. The handshake uses asymmetric encryption (RSA key pairs typically, > but also Elliptic Curve key pairs), while the data transfer uses symmetric > encryption. > > TLS will use CPACF for the data encryption if it is physically available and > the encryption mechanism is supported by CPACF. > TLS will use Crypto Express 2 device for the handshake if it can. This may > depend again on the encryption mechanism requested in the Cipher suite > specified. > > TLS will use software where it cannot use the hardware. > TLS also uses hashing. This too is usually handled using CPACF, if available. > Also I think that the z15 CPACF has some asymmetric support which can also be > invoked. > > You have to make sure that the Cipher Suite you choose is supported by the > hardware. > > There are RMF reports showing Crypto usage, but I have only seen these in > batch reports. Maybe they are available on panels and others can help you. > > You will probably find it useful to run the SSL started task, GSKSRVR. This > will give you information about sessions using TLS and SSL. It is an optional > address space. It is documented in Chapter 11 of > Cryptographic Services System Secure Sockets Layer Programming SC14-7495-50. > > Depending on the 3270 client you are using there will usually be a way to see > what is being used. For example on Vista 3270 you can click the little upward > arrow in the bottom left of the screen. This shows you the crypto services > being used. > > Regards > Lennie > Lennie Dymoke-Bradshaw > https://rsclweb.com > ‘Dance like no one is watching. Encrypt like everyone is.’ > > > -----Original Message----- > From: IBM Mainframe Discussion List <[email protected]> On Behalf Of > Radoslaw Skorupka > Sent: 21 January 2022 13:11 > To: [email protected] > Subject: TCPIP and ICSF. And RMF > > How to reconfigure TCPIP family members (TCPIP, TN3270, FTP, etc.) to start > using ICSF services for things requiring cryptography? > And how to check whether they use/don't use ICSF? > > Another question: is there any RMF screen showing current utilization of > crypto HW? ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
