VM and SSL
Copyright © 2013 Velocity Software, Inc. All Rights Reserved. Other products and company names mentioned herein may be trademarks of their respective owners.
Velocity Software Inc., 196-D Castro Street, Mountain View CA 94041, 650-964-8867
Velocity Software GmbH, Max-Joseph-Str. 5, D-68167 Mannheim, Germany, +49 (0)621 373844
zVWS and zSSL: Topics in SSL on z/VM
Rick Troth, Velocity Software <[email protected]>, http://www.velocitysoftware.com/
VM and Linux Workshop 2013, IUPUI
Disclaimer
The content of this presentation is informational only and is not intended to be an endorsement by Velocity Software. (i.e., I am speaking only for myself.) The reader or attendee is responsible for his/her own use of the concepts and examples presented herein.
In other words: Your mileage may vary. “It Depends.” Results not typical. Actual mileage will probably be less. Use only as directed. Do not fold, spindle, or mutilate. Not to be taken on an empty stomach. Refrigerate after opening.
In all cases, “If you can't measure it, I'm just not interested.”
Agenda
Crypto Concepts
SSL Basics
PKI Overview
Server Certificates – zSSL and VM SSL
Client Certificates – zSSL
Tools and Services
Related Topics
Symmetric Crypto
Early ciphers: Caesar, Jefferson, Enigma, Lorenz
Passwords: one-time use
Asymmetric Crypto
What if someone got the password?
Rivest, Shamir, Adleman: involves a public key and a private key, hence … asymmetric
http://en.wikipedia.org/wiki/Public-key_cryptography
Encryption plus Authentication
Encrypt with public key (of recipient); decrypt with secret key
Sign with secret key; verify with public key (of sender)
Combo Crypto
Random “session key”: symmetric (single)
Encrypt that with asymmetric (dual)
Encrypt payload with session key
Send asym-encrypted session key and sym-encrypted payload
Transport Layer Security
Handshake authenticates
SSL provides a “channel”
Compare to SSH
Contrast with PGP/GPG (data at rest)
SSL Handshake
Authenticate the server
Establish a secure channel
Uses existing network
Does not protect “data at rest”
Public Key Infrastructure
CA certificate(s) pre-loaded
WS admin requests assertion
CA signs WS request
WS admin loads that …
Browser hits WS, compares signature chain
Browser/WS agree on session keys
Got zVWS? Then install zSSL
The installation process for zSSL automatically generates a key pair and creates a self-signed server certificate.
It also creates a certificate request which you can submit to your CA of choice.
VSIMAINT – install zSSL
VSIMAINT – configure zSSL
VSIMAINT – configure zSSL
VSIMAINT – X.509 data
VSIMAINT – keys, cert, req
Got zVWS? Then install zSSL
It's that easy!
Self-signed certificate is immediately ready.
Certificate request is available too. Submit it to your CA of choice, if needed.
Server with Self-Signed Cert
Certificate Authorities – StartSSL
https://www.startssl.com/
Certificate Authorities – DigiCert
http://www.digicert.com/ssl-certificate.htm
Certificate Authorities – CACert
http://www.cacert.org/
Certificate Authorities – VeriSign
http://www.verisign.com/
VM SSL Key Management
Set up GSKADMIN and wire it into the stack
Sign onto GSKADMIN
Use the 'gskkyman' command
VM SSL Key Management
VM SSL Key Management
Create a key database ... Option 1
Filename “Database.kdb”
3700 days = 10 years, 6 weeks
Default record size
Fix file access ...
openvm permit /etc/gskadm/Database.kdb rw- r-- ---
openvm permit /etc/gskadm/Database.sth rw- r-- ---
VM SSL Key Management
VM SSL Key Management
Create a self-signed certificate ... Option 6
Option 7, server cert with 4096-bit RSA key
Option 3, SHA-256 signature digest
Enter a label, UPPER CASE
Enter X.509 stuff
Apply that label to a “secured” TCP port
VM SSL Key Management
Create new certificate request ... Option 4
Option 3, cert with 4096-bit RSA key
Enter filename
Enter a label, UPPER CASE again
Enter X.509 stuff
File is PEM encoded; send to your CA
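The PKI flow from the "Public Key Infrastructure" slide (CA cert pre-loaded, admin requests an assertion, CA signs it, browser compares the chain) and the two gskkyman paths above (option 6 self-signed certificate, option 4 certificate request) as one added example that is not from the deck and does not use gskkyman: Go's crypto/x509 stands in for the key database. The host name, CA name, serial numbers and 2048-bit keys (the deck uses 4096-bit) are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check aborts on key/cert generation failure: a bug or entropy loss, not a verify result.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template is the X.509 "stuff" gskkyman prompts for: subject, validity (the deck's 3700 days), CA flag.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3700 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}

// sign issues a cert for pub under issuer; issuer == tpl is self-signed (gskkyman option 6).
func sign(tpl, issuer *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, issuer, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// Verify is the browser's step: chain the server cert to a pre-loaded CA and match the host name.
func Verify(server *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool = a browser that knows no CA at all
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: server.Subject.CommonName})
	return err
}

// Scenario: self-signed cert with nothing trusted, the same cert trusted directly, CA-issued from a request.
func Scenario() (selfUntrusted, selfTrusted, caSigned bool) {
	const host = "www.example.test" // constructed
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	caTpl, selfTpl := template("example-ca.test", true, 1), template(host, false, 2)
	caCert := sign(caTpl, caTpl, &caKey.PublicKey, caKey)
	selfCert := sign(selfTpl, selfTpl, &srvKey.PublicKey, srvKey)
	// The request carries subject and public key only; the CA checks its signature, never the private key.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}}, srvKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature())
	leaf := sign(template(csr.Subject.CommonName, false, 3), caCert, csr.PublicKey.(*rsa.PublicKey), caKey)
	return Verify(selfCert) == nil, Verify(selfCert, selfCert) == nil, Verify(leaf, caCert) == nil
}
```

The first result is the browser warning a fresh self-signed zSSL certificate produces; the second is what happens once that certificate is imported as trusted; the third is the CA-signed case.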
Client Certificates
To use client certificates, or devices like common access cards, install a “CA bundle”.
CABUNDLE CRT ← in CONFIG directory
CA Bundle file
A collection of “signing certificates”
Copy ca-bundle.crt (e.g. from Apache)
Create by hand (PEM encoded)
Create from example
Sample CA bundle can be found at: http://curl.haxx.se/ca/cacert.pem
Client Certificates
CGI variables
SSL_CLIENT_S_DN, SSL_CLIENT_I_DN,
SSL_CLIENT_M_VERSION, SSL_CLIENT_M_SERIAL,
SSL_CLIENT_V_START, SSL_CLIENT_V_END,
SSL_CLIENT_A_KEY, and SSL_CLIENT_A_SIG
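An added example (not from the deck or from zVWS) of what a CGI program should do with those variables before trusting the subject DN: a bundle such as curl's cacert.pem makes the handshake accept client certificates from every CA it lists, so the application still has to pin the issuer it expects and check the validity window. The slash-separated DN form and the date layout of SSL_CLIENT_V_START/SSL_CLIENT_V_END are mod_ssl conventions assumed here; the sample environment is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// validityLayout is the mod_ssl form of SSL_CLIENT_V_START / SSL_CLIENT_V_END (assumed here).
const validityLayout = "Jan _2 15:04:05 2006 MST"

// AuthorizeClient takes the CGI environment as a map (so it runs without a web
// server), the issuer DN of the one CA this application accepts, and "now".
// The subject DN is trusted only after the issuer and validity window check out.
func AuthorizeClient(env map[string]string, trustedIssuer string, now time.Time) (cn, serial string, err error) {
	subject, issuer := env["SSL_CLIENT_S_DN"], env["SSL_CLIENT_I_DN"]
	if subject == "" || issuer == "" {
		return "", "", errors.New("no client certificate presented")
	}
	if issuer != trustedIssuer {
		return "", "", fmt.Errorf("certificate issued by %q, not by the expected CA", issuer)
	}
	start, err := time.Parse(validityLayout, env["SSL_CLIENT_V_START"])
	if err != nil {
		return "", "", fmt.Errorf("bad SSL_CLIENT_V_START: %w", err)
	}
	end, err := time.Parse(validityLayout, env["SSL_CLIENT_V_END"])
	if err != nil {
		return "", "", fmt.Errorf("bad SSL_CLIENT_V_END: %w", err)
	}
	if now.Before(start) || now.After(end) {
		return "", "", fmt.Errorf("certificate not valid at %s", now.Format(validityLayout))
	}
	if cn = dnAttribute(subject, "CN"); cn == "" {
		return "", "", errors.New("subject DN carries no CN")
	}
	return cn, env["SSL_CLIENT_M_SERIAL"], nil
}

// dnAttribute pulls one attribute out of a slash-separated DN such as "/C=US/O=Example/CN=alice".
func dnAttribute(dn, attr string) string {
	for _, part := range strings.Split(dn, "/") {
		if kv := strings.SplitN(part, "=", 2); len(kv) == 2 && kv[0] == attr {
			return kv[1]
		}
	}
	return ""
}

// SampleEnv is a constructed CGI environment: a client cert from a constructed CA.
func SampleEnv() map[string]string {
	return map[string]string{
		"SSL_CLIENT_S_DN":     "/C=US/O=Example Corp/CN=alice",
		"SSL_CLIENT_I_DN":     "/C=US/O=Example Corp/CN=Example Corp Client CA",
		"SSL_CLIENT_M_SERIAL": "1F3A",
		"SSL_CLIENT_V_START":  "Jan  1 00:00:00 2013 GMT",
		"SSL_CLIENT_V_END":    "Dec 31 23:59:59 2014 GMT",
	}
}
```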
Crypto Concepts – Trust Models
Peer-to-Peer: PGP style
Third Party / Centralized: PKI style
Manual Assertion: self-signed certificates
Question: which works best for your business?
Crypto Concepts – Proper Tools
SSL and TLS (PKI): originally for HTTPS, now many protocols; third-party trust; X.509 certificates
SSH: variable trust models; keys
PGP/GPG: peer-to-peer trust; keys
SSH
'ssh-keygen' command: generates pub (“.pub”) and sec, two files
Append pub to “authorized_keys” file of target user(s) on target system(s)
PGP/GPG
Generate a key pair: gpg --gen-key
Export your pub key, sign others: gpg --armor --export
gpg --sign-key other-user's-key
Import signed keys and signatures: gpg --import
Validating Stuff
DNSSEC
Domain Name System Security Extensions
Crypto Signing of Internet Domain Data
Key Management – Seahorse
Key Management – Seahorse
Terms and Tools to Learn
Certificates identified by SDN, “subject distinguished name”
X.509 verbiage abounds
Need overview of BFS files (for VM SSL)
x /etc/gskadm/mycert.crq (nam bfs
What is a “subject”?
What is the “subject”? That which is “signed” by an “authority”
What is the “authority”? That which cryptographically signs the “subject”
Entropy
maximum entropy, minimum energy
maximum entropy, minimum “order”
Entropy ==> Randomness
Strong encryption requires reliable randomness
Water Cooler Leaks
Human factors remain the biggest risk:
Easy passwords
Gullible to scams
Easy-click assertion
Profiled for info
Unsecured hardware
Lost hardware
Back Channels?
Security Audit
A security auditor for our servers has demanded the following within two weeks:
A list of current usernames and plain-text passwords for all user accounts on all servers
A list of all password changes for the past six months, again in plain-text
A list of "every file added to the server from remote devices" in the past six months
The public and private keys of any SSH keys
An email sent to him every time a user changes their password, containing the plain text password
We're running Red Hat Linux 5/6 and CentOS 5 boxes with LDAP authentication.
Summary
You need SSL
Apply SSL carefully
Understand the concepts
Be prepared: SSL is a moving target!