For VSE to participate in a secure e-business strategy, the platform must provide for message integrity, authentication, and confidentiality. We use data encryption, digital signatures, PKI certificates, and secure hash functions to prevent messages from being altered or forged, passwords from being captured, and transactions from being repudiated. The services are provided in the Connectivity Systems product line by the Secure Sockets Layer (SSL) feature of TCP/IP for VSE. SSL for VSE is an optional product that is fully integrated into TCP/IP for VSE and provides a complete set of services to secure e-business transactions. SSL for VSE implements both the SSL 3.0 and TLS 1.0 standards for e-business security. Although SSL has been officially renamed to TLS for all future releases, we use SSL as a generic name for both SSL and TLS.
At the core of e-business security are the concepts of public
keys, private keys, and key exchange algorithms. When a
client wants to establish a secure connection with an application
running on VSE, it negotiates various parameters for the connection. The
parameters include the algorithms used for key exchange, data
encryption, and message authentication. A VSE site that
wants to use SSL must first obtain a certificate from a certificate
authority such as VeriSign or Thawte. This certificate
is sent as part of the session negotiation so that the client
knows that the VSE system is who the VSE system claims to be. The
certificate contains the public key of the VSE server. The
client uses the public key to securely encrypt a secret random
value. The secret random value is used to create keys for
encrypting and authenticating data that flows over the connection. No
past or new connections ever use or reuse the same key values. The
keys, randomly generated and unique to the one session, are used
for the life of the connection. SSL for VSE implements
the protocols required for the key exchange, data encryption,
and message authentication. It also provides utilities
to install certificates, a daemon that transparently adds SSL to existing TN3270 applications,
and APIs to natively implement SSL, cryptography, or
both in your own applications.
Protocols
SSL for VSE relies on a number of integrated
components, including PKI (Public Key Infrastructure) for identification,
RSA for key exchange algorithms, DES for data encryption, MD5
and SHA-1 for message hashing, and HMAC for message authentication. SSL
for VSE is the VSE implementation of numerous industry protocols
including RFC2246 (Transport Layer Security), RFC1321 (MD5 message-digest
algorithm), RFC2104 (HMAC), and RFC2459 (X.509v3 PKI certificates). By
using industry standard algorithms, you are assured of compatibility
with a wide variety of SSL-enabled applications.
Applications
SSL for VSE is integrated with TN3270 and the TCP/IP for VSE
web server to provide security for these applications. Customers
can encrypt session traffic for these applications by using SSL-enabled
clients and by defining an SSL daemon on VSE.
Installations that have unique security and encryption applications
can use the SSL for VSE API. This interface is compatible
with the OS/390 SSL API.