Downloading Crypto Express Network API for Secure Execution Enclaves Fix Pack

You can download the Fix Pack of Crypto Express Network API for Secure Execution Enclaves from IBM Fix Central.

To download the image from IBM Fix Central, complete the following steps:

  1. Go to the IBM Fix Central website.

  2. Locate the IBM Confidential Computing Container Runtime Fix Pack either by entering IBM Confidential Computing Container Runtime on the Find product panel, or by selecting IBM Confidential Computing Container Runtime under the Other Software product group on the Select product panel.

  3. Select the version and platform, and then click Continue.

    Note: For Crypto-Express-API-for-SE-1.1.3.x, complete the following steps:

    • Specify IBM Confidential Computing Container Runtime as the value for the Product field.
    • Select 2.2.3.2 as the value for the Installed Version field.
    • Select Linux390 64-bit, or Linux zSeries as the value for the Platform field.

  4. Select the fix pack from the list on the Select fixes page, and then click Continue.

  5. On the Identify fixes page, click Browse for fixes and then click Continue.

  6. Select the fix pack you require and then click Continue.

  7. Log in to the IBM Fix Central site with your IBM ID and password as prompted, and then download the selected Fix Pack installation image.

  8. Create a directory to store the image, change to the directory, and extract the compressed file by using the following commands:

    mkdir /opt/<installation_directory>
    cd /opt/<installation_directory>
    gunzip Crypto-Express-API-for-SE-1.1.3.x.tar.gz
    tar -xvf Crypto-Express-API-for-SE-1.1.3.x.tar
     

    You get the following files in the current directory:

    • Crypto-Express-API-for-SE-1.1.3.x.tar.gz, the image tar file, which contains the following files:
      • README-Crypto-Express-API-for-SE_1.1.3.x.txt, the readme file for your guidance.
      • Crypto-Express-API-for-SE_1.1.3.x.img.gz, the Crypto Express Network API for Secure Execution Enclaves image file.
      • grep11server-s390x_1.1.3.x.tar, the grep11server image file.
    • Cryp-Exp-API-for-SE-1.1.3.x.tar.gz.sig, the signature for build completeness verification.
    • Cryp-Exp-API-for-SE-1.1.3.x-public.pem.cer, the code signing certificate.
    • Cryp-Exp-API-for-SE-1.1.3.x-public.pem.chain, the code signing certificate chain.

  9. Verify the integrity of the downloaded image file by running the following commands:

    #!/bin/bash -e

    # File names of the release package and its verification material
    release_version="1.1.3.x"
    release_package="Crypto-Express-API-for-SE-${release_version}.tar.gz"
    release_package_signature="Cryp-Exp-API-for-SE-${release_version}.tar.gz.sig"
    ibm_certificate="Cryp-Exp-API-for-SE-${release_version}-public.pem.cer"
    ibm_certificate_chain="Cryp-Exp-API-for-SE-${release_version}-public.pem.chain"
    public_key="Cryp-Exp-API-for-SE-${release_version}-public.pem"

  10. Verify that the certificate is trustworthy. On success, openssl prints the certificate file name followed by OK.

    openssl verify -x509_strict -untrusted "${ibm_certificate_chain}" "${ibm_certificate}"

  11. Export the public key from the certificate.

    openssl x509 -in "${ibm_certificate}" -pubkey -noout > "${public_key}"

  12. Verify the signature with the exported public key. On success, openssl prints Verified OK.

    openssl dgst -sha256 -verify "${public_key}" -signature "${release_package_signature}" "${release_package}"