Generating DH parameters

The first task for setting up Diffie-Hellman is to generate a set of DH parameters that consist of two numbers: p (a large prime number) and g (the generator value, which is 2 by default for OpenSSL). Parameter generation is CPU expensive, and is therefore normally done once in advance.
You have two options for generating the parameters:
  • Using OpenSSL on your workstation.
  • Using the Keyman/VSE tool.
Based on these parameters, different temporary session keys are created for your SSL connections.
Note: For security reasons, OpenSSL on z/VSE requires a minimum DH parameter length of 1024 bits. This is a lower bound, not a recommendation: 1024-bit DH groups are considered weak by current standards, so generate 2048-bit parameters where the peers support them.

Using OpenSSL on your workstation

The following OpenSSL command generates a .pem file that contains new 1024-bit DH parameters (replace 1024 with 2048 for a stronger group; generation then takes noticeably longer):
openssl dhparam -out dhparam.pem 1024
The parameters are stored in Base64-encoded text form and look similar to the following example:
D:\>type dhparam.pem
-----BEGIN DH PARAMETERS-----
MIGHAoGBANclzZUHl2R0NYH5D4cIHcfM8ATuk75NeO2iaV3FhcAAfs9ljlOuJaVn
UDH9qdl9A4YrDi3VPm55r/YHA4v3wx42Xaq4YfbljeGOKfT6HuhIVS9/n3ZjwNFe
2IAJeiV4VCRAmjVrgZcUodpEK+jEH4tULNS3NO3p6BbvU/6gyCQLAgEC
-----END DH PARAMETERS-----
To enable the DHE-RSA-based SSL cipher suites on VSE, copy and paste this text block, including the BEGIN and END lines, to the end of your .pem file.
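Before pasting generated parameters into a keyring, it is worth checking that the block really is what openssl dhparam produces: a DER SEQUENCE of two INTEGERs, p of the expected size and g equal to 2 (the trailing AgEC in the Base64 above is that INTEGER 2), with p a safe prime. The following script is an added example, not part of the original page or of the z/VSE tooling; it uses only the Python standard library, decodes the DH PARAMETERS block printed above, and shows a guarded append that refuses duplicate or weak parameters. The names check_dh_params and append_dh_params are this example's own.

```python
"""Validate an OpenSSL 'DH PARAMETERS' PEM block before appending it to a keyring
.pem file.  Added example, not from the original page: it checks the structure
(SEQUENCE { INTEGER p, INTEGER g }), the size of p, that g is the generator
OpenSSL writes by default (2) and that p is a safe prime, which is what
openssl dhparam generates.  Standard library only."""
import base64
import random
import re

# DH parameters exactly as printed on the page (output of openssl dhparam 1024).
PAGE_DH_PEM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBANclzZUHl2R0NYH5D4cIHcfM8ATuk75NeO2iaV3FhcAAfs9ljlOuJaVn
UDH9qdl9A4YrDi3VPm55r/YHA4v3wx42Xaq4YfbljeGOKfT6HuhIVS9/n3ZjwNFe
2IAJeiV4VCRAmjVrgZcUodpEK+jEH4tULNS3NO3p6BbvU/6gyCQLAgEC
-----END DH PARAMETERS-----
"""

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(der, pos, expected_tag):
    """Minimal DER TLV reader; returns (value_bytes, position_after_value)."""
    if der[pos] != expected_tag:
        raise ValueError("unexpected DER tag 0x%02x at offset %d" % (der[pos], pos))
    pos += 1
    length = der[pos]
    pos += 1
    if length & 0x80:            # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return der[pos:pos + length], pos + length


def parse_dh_params(pem_text):
    """Decode a PKCS#3 DHParameter block and return (p, g) as Python ints."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    body, end = _read_tlv(der, 0, 0x30)          # SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after DHParameter SEQUENCE")
    p_bytes, pos = _read_tlv(body, 0, 0x02)      # INTEGER p
    g_bytes, pos = _read_tlv(body, pos, 0x02)    # INTEGER g
    # An optional third INTEGER (privateValueLength) may follow; it is ignored here.
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0xD1FF1E)                # fixed seed keeps the check reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # a is a witness: n is composite
    return True


def is_safe_prime(p):
    """p is a safe prime when both p and (p-1)/2 are prime."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_dh_params(pem_text, min_bits=1024):
    """Return the properties a server-side keyring's DH block should satisfy."""
    p, g = parse_dh_params(pem_text)
    return {
        "bits": p.bit_length(),
        "generator": g,
        "long_enough": p.bit_length() >= min_bits,   # z/VSE OpenSSL minimum is 1024
        "safe_prime": is_safe_prime(p),
    }


def append_dh_params(keyring_pem, dh_pem, min_bits=1024):
    """Append a validated DH block to the end of a keyring .pem, as the page describes."""
    if PEM_RE.search(keyring_pem):
        raise ValueError("keyring already contains DH PARAMETERS; replace it, do not add a second block")
    result = check_dh_params(dh_pem, min_bits)
    if not (result["long_enough"] and result["safe_prime"]):
        raise ValueError("refusing to append weak or malformed DH parameters: %r" % result)
    block = PEM_RE.search(dh_pem).group(0)
    return keyring_pem.rstrip("\n") + "\n" + block + "\n"


if __name__ == "__main__":
    print(check_dh_params(PAGE_DH_PEM))
```

The safe-prime test is the useful part: a merely prime p with g = 2 still yields valid-looking parameters, but only a safe prime guarantees that 2 generates a large subgroup and that small-subgroup confinement of the shared secret is not possible. The Miller-Rabin rounds are seeded so that repeated runs on the same keyring give the same answer.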

Using the Keyman/VSE tool

The Keyman/VSE tool provides an even more convenient method of creating DH parameters and adding them to your .pem file. Keyman/VSE provides a tool bar button for generating the DH parameters as shown in Figure 1.
Figure 1. Generate DH Parameters in Keyman/VSE
The screen shot is explained in the surrounding text.
If you click Generate new DH Params, the dialog box shown in Figure 2 is displayed.
Figure 2. Generate Diffie-Hellman Parameters dialog box in Keyman/VSE
The screen shot is explained in the surrounding text.

Java versions before Java 8 restrict DH parameter generation to a maximum length of 1024 bits. If you need a longer length, either run Keyman/VSE under Java 8 or later, or generate the parameters with OpenSSL on your workstation and import them into Keyman/VSE by using the clipboard.

It does not matter whether you create, or import, the DH parameters before or after the RSA key and your SSL certificates. Figure 3 shows a complete set of items: RSA key, CA root certificate, SSL server certificate, and DH parameters.

Figure 3. Complete set of items in Keyman/VSE
The screen shot is explained in the surrounding text.
When you upload the .pem file to VSE, you can include the DH parameters in your .pem file as shown in Figure 4. This enables the use of the DHE-RSA-based cipher suites on VSE. Select File > Save as PEM file on VSE.
Figure 4. Upload PEM file to VSE
The screen shot is described in the surrounding text.
Clicking Upload uploads all items into a new .pem file on VSE. The .pem file can either be a VSE/Librarian member or a VSAM file. Make sure that the VSE Connector Server is started. The DH parameters are added at the end of the .pem file on VSE as shown in Figure 5.
Figure 5. PEM file with DH parameters on VSE
DITTO/ESA for VSE LE - Library Member Edit

Member DHPARMS.PEM    Library CRYPTO.KEYRING    Col 1    Format CHAR
                                                         SYSIPT data NO
1...5...10....5...20....5...30....5...40....5...50....5...60....5...70..
00066 9w0BAQUFAAOCAQEAlWLl5WIoiWGfS90yJaSJmcMKsUNujXSMnH2cSm8jnIuCwCKb
00067 vKBaYOeiX3QAJdW9z0NO68E7nDgEQ8IPrWz4bOj2EhffFPLZfNTwgX0iUj/AImhd
00068 cqoRVaQgmWAjj6qMY9FZWNK6RNb310umEexZVPas35wIUIOZtjrXAhpo0c9nMWrd
00069 4QVnc7Nx4JYK1Z1h8mKDc5UeSCpdIfa/+OnMXw9SbjoYTt9Hm2LpbqaQr0D3Z6Ur
00070 9FUaUSUcnBOOYLeUiO5iWofy4p2A3EOj4nuEIch+wwrf4E7GwoeniE/wCAAGiwxg
00071 dJa0lPAL2QLudmDs94L2RvgOpV36cBLEl0XmJw==
00072 -----END CERTIFICATE-----
00073 -----BEGIN DH PARAMETERS-----
00074 MIGHAoGBANclzZUHl2R0NYH5D4cIHcfM8ATuk75NeO2iaV3FhcAAfs9ljlOuJaVn
00075 UDH9qdl9A4YrDi3VPm55r/YHA4v3wx42Xaq4YfbljeGOKfT6HuhIVS9/n3ZjwNFe
00076 2IAJeiV4VCRAmjVrgZcUodpEK+jEH4tULNS3NO3p6BbvU/6gyCQLAgEC
00077 -----END DH PARAMETERS-----
00078 **** End of data ****
Note: You need to include DH parameters in your .pem file only if VSE is the server. If VSE is the client (for example, as an LDAP or FTP client), the remote server is responsible for providing the DH parameters during the session setup, and OpenSSL on VSE uses DHE-RSA transparently if the server requires it.