Generating DH parameters
The first task for setting up Diffie-Hellman is
to generate a set of DH parameters that consist of two numbers: p (a
large prime number) and g (the generator value; OpenSSL uses 2
by default). Parameter generation is CPU expensive,
and is therefore normally done once in advance and the result reused.
You have two options
for generating the parameters:
- Using OpenSSL on your workstation.
- Using the Keyman/VSE tool.
Note: For security
reasons, OpenSSL on z/VSE requires a minimum DH parameter length of
1024 bits.
Using OpenSSL on your workstation
The following OpenSSL command generates a .pem file that contains the new DH parameters:
openssl dhparam -out dhparam.pem 1024
The last argument is the size of p in bits. 1024 bits is the minimum that OpenSSL on z/VSE accepts, not a recommendation: 1024-bit DH is below current key-length guidance, so use 2048 where the peers you must interoperate with support it.
The
parameters are stored in Base64-encoded text form and look similar
to the following example:
D:\>type dhparam.pem
-----BEGIN DH PARAMETERS-----
MIGHAoGBANclzZUHl2R0NYH5D4cIHcfM8ATuk75NeO2iaV3FhcAAfs9ljlOuJaVn
UDH9qdl9A4YrDi3VPm55r/YHA4v3wx42Xaq4YfbljeGOKfT6HuhIVS9/n3ZjwNFe
2IAJeiV4VCRAmjVrgZcUodpEK+jEH4tULNS3NO3p6BbvU/6gyCQLAgEC
-----END DH PARAMETERS-----
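Before pasting a generated block into the .pem file it is worth confirming what it actually contains. The following is an added example and not part of the z/VSE documentation or of OpenSSL: it decodes the DH PARAMETERS block shown above (copied verbatim), parses the DER structure SEQUENCE { INTEGER p, INTEGER g }, reports the size of p and the generator, runs a Miller-Rabin probable-prime test on p and (p-1)/2 (OpenSSL's dhparam produces safe primes by default), and appends the block to a certificate bundle exactly once. The function names, the 1024-bit threshold used as the z/VSE minimum, and the certificate bundle used in the demonstration are assumptions constructed for this example; it assumes Python 3 and no third-party packages.

```python
"""Inspect an OpenSSL 'DH PARAMETERS' PEM block and append it to a .pem bundle.

Added example; not code from the z/VSE documentation. Function names and the
sample bundle are constructed for illustration.
"""
import base64
import random
import re

# The DH parameters printed in the documentation, copied verbatim.
SAMPLE_DHPARAM_PEM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBANclzZUHl2R0NYH5D4cIHcfM8ATuk75NeO2iaV3FhcAAfs9ljlOuJaVn
UDH9qdl9A4YrDi3VPm55r/YHA4v3wx42Xaq4YfbljeGOKfT6HuhIVS9/n3ZjwNFe
2IAJeiV4VCRAmjVrgZcUodpEK+jEH4tULNS3NO3p6BbvU/6gyCQLAgEC
-----END DH PARAMETERS-----
"""

DH_BLOCK_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----\n?", re.S)


def pem_to_der(pem):
    """Extract the Base64 body of the DH PARAMETERS block and decode it to DER."""
    m = DH_BLOCK_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def _der_length(der, i):
    """Decode a DER length at der[i]; return (length, index of first content byte)."""
    first = der[i]
    if first < 0x80:                      # short form: one byte
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_dhparams(der):
    """Parse PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g [, INTEGER len] }."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_length(der, 1)
    values = []
    while i < len(der) and len(values) < 2:
        if der[i] != 0x02:
            raise ValueError("expected INTEGER")
        length, start = _der_length(der, i + 1)
        values.append(int.from_bytes(der[start:start + length], "big", signed=True))
        i = start + length
    if len(values) != 2:
        raise ValueError("expected p and g")
    return values[0], values[1]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (trial division first for tiny inputs)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:                     # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # a is a witness: n is composite
    return True


def is_safe_prime(p):
    """True if p and (p-1)/2 are both probable primes."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_dhparams(pem, min_bits=1024):
    """Summarise what the block contains; min_bits is the assumed z/VSE minimum."""
    p, g = parse_dhparams(pem_to_der(pem))
    return {"bits": p.bit_length(), "generator": g,
            "long_enough": p.bit_length() >= min_bits, "safe_prime": is_safe_prime(p)}


def append_dhparams(bundle_pem, dhparam_pem):
    """Append the DH PARAMETERS block to the end of a .pem bundle, refusing duplicates."""
    if "-----BEGIN DH PARAMETERS-----" in bundle_pem:
        raise ValueError("bundle already contains DH parameters")
    block = DH_BLOCK_RE.search(dhparam_pem)
    if not block:
        raise ValueError("no DH PARAMETERS block to append")
    if not bundle_pem.endswith("\n"):
        bundle_pem += "\n"
    return bundle_pem + block.group(0)


if __name__ == "__main__":
    print(check_dhparams(SAMPLE_DHPARAM_PEM))
```

On a workstation with OpenSSL installed the equivalent check is `openssl dhparam -in dhparam.pem -check -text -noout`, which prints p and g and reports whether p passes OpenSSL's own parameter checks; the script above is useful where you only have the pasted text and want to confirm size and generator before uploading.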
To enable the DHE-RSA-based
SSL cipher suites on VSE, copy and paste this text form to the
end of your .pem file.
Using the Keyman/VSE tool
The Keyman/VSE tool provides an even more convenient method of creating DH parameters and adding them to your .pem file. Keyman/VSE provides a tool bar button for generating the DH parameters as shown in Figure 1. If you click Generate new DH Params, the dialog box in Figure 2 is displayed.
Java versions before Java 8 limit DH parameter generation to a maximum of 1024 bits. If you need a longer key length, you must either use Java 8 or generate the parameters with OpenSSL directly on your workstation and import them into Keyman/VSE by using the clipboard.
It does not matter whether you create, or import, the DH parameters before or after the RSA key and your SSL certificates. Figure 3 shows a complete set of items: RSA key, CA root certificate, SSL server certificate, and DH parameters.
When you upload the .pem file
to VSE, you can include the DH parameters in your .pem file
as shown in Figure 5-11. This enables the use of the DHE-RSA-based
cipher suites on VSE. Select File ⇒ Save
as PEM file on VSE.
Clicking Upload uploads all items into
a new .pem file on VSE. The .pem file
can either be a VSE/Librarian member or a VSAM file. Make sure that
the VSE Connector Server is started. The DH parameters are added at
the end of the .pem file on VSE as shown in Figure 5.
Note: Include DH parameters in your .pem file only
if VSE is the server. If VSE is the client (for example, as LDAP or
FTP client), the remote server is responsible for providing the DH
parameters during the session setup, and OpenSSL on VSE uses DHE-RSA
transparently if the server requires it.