Checking the cryptographic setup

The next step is to check the cryptographic setup and verify that everything works as expected.

To do this, access an application on the IBM WebSphere Application Server (WAS) using SSL.

For example, perform a quick connection test with a data transfer tool such as curl. First restart the application server so that all previous modifications take effect.

The following example uses the default WAS SSL port 9443 of the internal HTTP transport to access the DayTrader benchmark application, which has already been installed. The TLS handshake succeeds and the AES-256 cipher is negotiated.

Sample command: using curl to access DayTrader via internal WAS HTTP port

# curl -k -v https://wasnode1.net:9443/daytrader 
* About to connect() to wasnode1.net port 9443 (#0) 
*   Trying 10.x.x.x... connected 
* Connected to wasnode1.net (10.x.x.x) port 9443 (#0) 
* successfully set certificate verify locations: 
*   CAfile: none 
  CApath: /etc/ssl/certs/ 
* SSLv3, TLS handshake, Client hello (1): 
* SSLv3, TLS handshake, Server hello (2): 
* SSLv3, TLS handshake, CERT (11): 
* SSLv3, TLS handshake, Server finished (14): 
* SSLv3, TLS handshake, Client key exchange (16): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA 

Check the output of the lszcrypt command. The request count of every active CEX3 feature should show that requests were processed. In this case the CEX3 accelerator (card01, CEX3A) was used, whereas the other cards are offline.

Sample command: lszcrypt showing processed requests on a CEX3A

# lszcrypt -VV 
card00: CEX3C       offline hwtype=9  depth=8 request_count=3         
card01: CEX3A       online  hwtype=8  depth=8 request_count=69        
card02: CEX3C       offline hwtype=9  depth=8 request_count=0         
card03: CEX3A       offline hwtype=8  depth=8 request_count=0

Next, check the output of the icastats command. The ciphers of the selected WAS cipher suite should show counts in the hardware column.

Sample command: icastats statistics listing requests in the hardware column

# icastats 
 function | # hardware | # software 
----------+------------+------------ 
    SHA-1 |         12 |          0 	← SHA-1 (CPACF)
  SHA-224 |          0 |          0 
  SHA-256 |          0 |          0 
  SHA-384 |          0 |          0 
  SHA-512 |          0 |          0 
   RANDOM |          1 |         35 	← not supported with CEX3A
 MOD EXPO |          7 |          0 
  RSA CRT |         62 |          0 	← RSA cipher (CEX3A) 
  DES ENC |          0 |          0 
  DES DEC |          0 |          0 
 3DES ENC |          0 |          0 
 3DES DEC |          0 |          0 
  AES ENC |         94 |          0 	← AES-256 encryption (CPACF)
  AES DEC |         93 |          0 	← AES-256 decryption (CPACF)
 CMAC GEN |          0 |          0 
 CMAC VER |          0 |          0
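To automate the check described above, the following script (an added example, not part of the original document) compares two icastats snapshots taken before and after the curl request and confirms that the functions behind the negotiated AES256-SHA suite (RSA key exchange, AES, SHA-1) advanced in the hardware column. The icastats output embedded here is constructed to mirror the table above; on a real system capture it with `icastats` before and after the curl call.

```shell
#!/bin/sh
# Added example: confirm that the TLS test traffic was offloaded to hardware
# (CEX3A / CPACF) by diffing the "# hardware" column of two icastats snapshots.
# Real use:  BEFORE=$(icastats); curl -k https://host:9443/daytrader; AFTER=$(icastats)

# Print the "# hardware" value for one icastats function name, or "missing".
# $1 = icastats output, $2 = function name as printed by icastats (e.g. "AES ENC")
hw_count() {
    printf '%s\n' "$1" | awk -F'|' -v fn="$2" '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == fn { gsub(/[ \t]/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Print how many additional hardware requests a function processed between
# the two snapshots ($1 = before, $2 = after, $3 = function name).
hw_delta() {
    b=$(hw_count "$1" "$3"); a=$(hw_count "$2" "$3")
    case "$b$a" in *missing*) echo "missing"; return 1;; esac
    echo $((a - b))
}

# Print OK when every listed function advanced in the hardware column,
# otherwise FAIL with the first function that did not.
check_offload() {
    before=$1; after=$2; shift 2
    status=OK
    for fn in "$@"; do
        d=$(hw_delta "$before" "$after" "$fn")
        [ "$d" != "missing" ] && [ "$d" -gt 0 ] || { status="FAIL: $fn"; break; }
    done
    echo "$status"
}

# Constructed snapshots (same layout as real icastats output).
BEFORE=$(cat <<'EOF'
 function | # hardware | # software
----------+------------+------------
    SHA-1 |          2 |          0
   RANDOM |          1 |         35
  RSA CRT |          0 |          0
  AES ENC |          0 |          0
  AES DEC |          0 |          0
EOF
)
AFTER=$(printf '%s\n' "$BEFORE" | sed -e 's/SHA-1 |          2/SHA-1 |         12/' \
    -e 's/RSA CRT |          0/RSA CRT |         62/' -e 's/AES ENC |          0/AES ENC |         94/' \
    -e 's/AES DEC |          0/AES DEC |         93/')

check_offload "$BEFORE" "$AFTER" "SHA-1" "RSA CRT" "AES ENC" "AES DEC"   # OK
check_offload "$BEFORE" "$AFTER" RANDOM   # FAIL: RANDOM (not supported with CEX3A)
```

The RANDOM case deliberately fails: as the table annotation notes, random number generation is not offloaded on a CEX3A, so its hardware counter does not move even when the TLS handshake succeeds.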