API reference
This topic describes the set of application programming interfaces (APIs) that z/OS System SSL supports for performing secure sockets layer (SSL/TLS) communication.
These APIs were introduced in z/OS Version 1 Release 2 and beyond and supersede the APIs from prior releases. Only the APIs in this topic should be used for writing new application programs. Existing application programs should be recoded if possible to use the new APIs. See Migrating from deprecated SSL interfaces for more information about updating your application programs.
The deprecated APIs included in Deprecated Secure Socket Layer (SSL) APIs are for reference only. When creating new application programs, you must not include any of the deprecated APIs; you should use only the APIs in this topic.
These provide more information about X.509 certificates and the Secure Sockets Layer protocol.
System SSL only supports the PKCS versions that are indicated in the following list. Make sure that
you select the appropriate version of the document on the website.
Note: Copies of ANSI standards can
be purchased from the American National Standards Institute (ANSI).
- ANSI X9.31 - 1998 Digital Certificates Using Reversible Public Key Cryptography for the Financial Services Industry
- ANSI X9.62 - Elliptic Curve Digital Signature Algorithm
- FIPS 186-2: Digital Signature Standard (DSS) - 1024-bit and less
- FIPS 186-3: Digital Signature Standard (DSS) - 1024-bit and greater
- PKCS #1, Version 2.1: RSA Encryption Standard
- PKCS #3, Version 1.4: Diffie-Hellman Key Agreement Standard
- PKCS #5, Version 2.0: Password-based Encryption
- PKCS #7, Version 1.5 and 1.6: Cryptographic Message Syntax
- PKCS #8, Version 1.2: Private Key Information Syntax
- PKCS #10, Version 1.7: Certification Request
- PKCS #12, Version 1.0: Personal Information Exchange
- RFC 2246: The TLS Protocol Version 1.0 (RFC 2246)
- RFC 2253: UTF-8 String Representation of Distinguished Names (RFC 2253)
- RFC 2279: UTF-8, a transformation format of ISO 10646 (RFC 2279)
- RFC 2459: Internet x.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459)
- RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP (RFC 2560)
- RFC 2587: PKIX LDAP Version 2 Schema (RFC 2587)
- RFC 2631: Diffie-Hellman Key Agreement Method (RFC 2631)
- RFC 3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS) (RFC 3268)
- RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 3280)
- RFC 3852: Cryptographic Message Syntax (CMS) (RFC 3852) - Key transport only
- RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1 (RFC 4346)
- RFC 4366: Transport Layer Security (TLS) Extensions (Server Name Indication, Maximum Fragment Length and Truncated HMAC) (RFC 4366)
- RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) (RFC 4492)
- RFC 5116: An Interface and Algorithms for Authenticated Encryption (RFC 5116)
- RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 (RFC 5246)
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280)
- RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS (RFC 5288)
- RFC 5289: TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)) (RFC 5289)
- RFC 5430: Suite B Profile for Transport Layer Security (TLS) (RFC 5430)
- RFC 5480: Elliptic Curve Cryptography Subject Public Key Information (RFC 5480)
- RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension (RFC 5746)
- RFC 5759: Suite B Certificate and Certificate Revocation List (CRL) Profile (RFC 5759)
- RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions (RFC 6066)
- RFC 6460: Suite B Profile for Transport Layer Security (TLS) (RFC 6460)
- RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP (RFC 6960)
- RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks (RFC 7507)
This is a list of APIs. Use these APIs when creating new application programs. If possible, recode your existing application programs to use these APIs as well:
- gsk_attribute_get_buffer() (see gsk_attribute_get_buffer())
- gsk_attribute_get_cert_info() (see gsk_attribute_get_cert_info())
- gsk_attribute_get_data() (see gsk_attribute_get_data())
- gsk_attribute_get_enum() (see gsk_attribute_get_enum())
- gsk_attribute_get_numeric_value() (see gsk_attribute_get_numeric_value())
- gsk_attribute_set_buffer() (see gsk_attribute_set_buffer())
- gsk_attribute_set_callback() (see gsk_attribute_set_callback())
- gsk_attribute_set_enum() (see gsk_attribute_set_enum())
- gsk_attribute_set_numeric_value() (see gsk_attribute_set_numeric_value())
- gsk_attribute_set_tls_extensions() (see gsk_attribute_set_tls_extension())
- gsk_environment_close() (see gsk_environment_close())
- gsk_environment_init() (see gsk_environment_init())
- gsk_environment_open() (see gsk_environment_open())
- gsk_free_cert_data() (see gsk_free_cert_data())
- gsk_get_all_cipher_suites() (see gsk_get_all_cipher_suites())
- gsk_get_cert_by_label() (see gsk_get_cert_by_label())
- gsk_get_cipher_suites() (see gsk_get_cipher_suites())
- gsk_get_ssl_vector() (see gsk_get_ssl_vector())
- gsk_get_update() (see gsk_get_update())
- gsk_list_free() (see gsk_list_free())
- gsk_secure_socket_close() (see gsk_secure_socket_close())
- gsk_secure_socket_init() (see gsk_secure_socket_init())
- gsk_secure_socket_misc() (see gsk_secure_socket_misc())
- gsk_secure_socket_open() (see gsk_secure_socket_open())
- gsk_secure_socket_read() (see gsk_secure_socket_read())
- gsk_secure_socket_shutdown() (see gsk_secure_socket_shutdown())
- gsk_secure_socket_write() (see gsk_secure_socket_write())
- gsk_strerror() (see gsk_strerror())