Configuring OpenSSL to use the IBMCA engine

最新推荐文章于 2024-08-23 08:57:21 发布
最新推荐文章于 2024-08-23 08:57:21 发布
阅读量33 收藏
点赞数
文章标签: linux 运维 服务器
原文链接:https://www.ibm.com/docs/en/linux-on-z?topic=engine-ibmca-configuring
版权

IBM Documentation

The OpenSSL configuration file can have an IBMCA section which only includes configuration options for the IBMCA engine.

The build process of the IBMCA engine produces a script called ibmca-engine-opensslconfig which can be used to update an existing OpenSSL configuration to enable the IBMCA engine. By default, this script is not automatically included with the package, but it is in the responsibility of the distributions whether to include it and if so, where to install it.

Configuration options for the IBMCA engine

You can specify the following options in the IBMCA section in file openssl.cnf. Also, refer to the OpenSSL configuration file man page.

dynamic_path = <path_to_ibmca.so>

Set the path to the IBMCA shared object file allowing OpenSSL to find the file.

Engines are usually loaded from the OpenSSL ENGINESDIR which was configured during OpenSSL build. You can use the command openssl version -e to display the OpenSSL ENGINESDIR setting. Alternatively, set environment variable OPENSSL_ENGINES to point to the directory where the engine is located. However, the setting of this environment variable is ignored, if a program trying to access the IBMCA engine is marked with access right flag setuid.

This option must appear before the init option described later in this list.

engine_id = <name>

Set the name of the engine. The default name is ibmca.

This option must appear before the init option described later in this list.

libica = libica-cex.so.4

If both variants of the libica library module (libica-cex.so or libica.so) are installed on a system, OpenSSL can be configured to use either of these two. For example, to use libica-cex.so.4 for the IBMCA engine, add the line libica = libica-cex.so.4.

If used, this option must be specified at the beginning.

init = 0 | 1

OpenSSL tries to initialize the engine if this option is set to 1. If set to 0, OpenSSL will not try to initialize the engine.

default_algorithms = ALL | algorithms

Redirect all cryptographic operations through the engine or redirect only certain types of operations that the engine supports. If this option is not specified, ALL is the default. However, do not use ALL with IBMCA, because for example, depending on the hardware level (IBM z15™), ECC is already accelerated implicitly by OpenSSL for certain curves (see Figure 1). Instead, use a comma-separated list for the required algorithms, for example, algorithms = RSA,DH,DSA.

  • CIPHERS
  • DH
  • DIGESTS
  • DSA
  • EC
  • PKEY
  • PKEY_ASN1
  • PKEY_CRYPTO
  • RAND
  • RSA

If you specify a list of algorithms to be enabled for the engine, all algorithms not specified in this list are performed by OpenSSL.

PKEY_ASN1 means ASN.1 conversion, printing, and information methods for a specific public key algorithm.

PKEY_CRYPTO means methods for a specific public key cryptographic algorithm. Those methods are usually used to perform different jobs, such as generating a key, signing or verifying, encrypting or decrypting.

Specifying PKEY achieves the same results as PKEY_ASN1 and PKEY_CRYPTO together. Therefore, with specifying PKEY, you achieve support for Edwards and Montgomery Curves (Ed25519 and Ed448 or X25519 and X448).

Only all CIPHERS or DIGESTS, or both can be deactivated or activated. Algorithms like AES can not be deactivated or activated independently.

For example:

default_algorithms = RSA,DH,DSA

Note: Algorithms denoted by CIPHERSDIGESTSEC, and PKEY are already accelerated by OpenSSL itself using CPACF. Therefore, do not accelerate them using the IBMCA engine. This will actually make them slower.

Refer to Table 1. Dependent on your hardware level, certain algorithms may or may not yet been accelerated by OpenSSL. Therefore, you may need to adjust the default_algorithms specification accordingly, for example, including or excluding ECC operations.

The following example demonstrates the setup of the IBMCA engine using OpenSSL version 1.1 and the IBMCA package version 2.2.1. In older or newer versions the setup is different and can be performed by using helper scripts delivered with the package ( newer releases) or refer to the README and sample files in the package (older releases).


/usr/share/doc/openssl-ibmca/openssl.cnf.sample.s390x
#
# OpenSSL example configuration file. This file will load the IBMCA engine
# for all operations that the IBMCA engine implements for all apps that
# have OpenSSL config support compiled into them.
#
# Adding OpenSSL config support is as simple as adding the following line to
# the app:
#
# #define OPENSSL_LOAD_CONF     1
#
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmca = ibmca_section

[ibmca_section]
# The openssl engine path for ibmca.so.
# Set the dynamic_path to where the ibmca.so engine
# resides on the system.
engine_id = ibmca
dynamic_path = /usr/lib64/engines-1.1/ibmca.so
init = 1

...

default_algorithms = RSA,DH,DSA
maimang09
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
【libcurl 】win32 构建 Release版本 修改cmakelist 链接openssl1.1.*
突围
05-22 922
libcurl
Configuring an ADAM6017 to use current input AdvantechEN_360p.mp4
07-02
Configuring an ADAM6017 to use current input AdvantechEN_360p.mp4
OpenSSL 1.1.1: Hardware acceleration for OpenSSH via IBMCA engine
maimang1001的专栏
01-03 46
【代码】OpenSSL 1.1.1: Hardware acceleration for OpenSSH via IBMCA engine
海思 himix200交叉编译openssl
10km的专栏
12-28 1132
使用海思himix200平台的编译工具链交叉编译openssl的过程
openssl android编译,MAC下OpenSSL Android库编译配置
weixin_39686192的博客
05-27 277
1.准备OpenSSL 源码可以直接去官网下载make2.参照文章3.直接运行chmod a+x build-openssl-android.sh./build-openssl-android.sh在openssl-1.0.2g目录下找到libcrypto.a libssl.a或者/usr/local/ssl/android-21 去找build-openssl-android.sh#!/bin/...
Ubuntu 20.04上编译OpenSSL的编译选项设置
qysh123的专栏
06-07 2236
由于实验需要,我想简单看看怎么在编译OpenSSL的时候设置编译选项,之前都是用的默认选项,例如这里:怎样在BinaryNinja中查看Vulnerable的function(以HeartBleed CVE-2014-0160为例)_蛐蛐蛐的博客-CSDN博客首先下载一个对应版本,例如我在这里:/source/old/3.0/index.html下载了openssl-3.0.0.tar.gz。解压之后进入文件夹。搜了一圈发现,虽然介绍的博客很多,但是基本上大家都没有详细介绍编译选项,例如这里的介绍:linu
Linux Ubuntu openssl离线源码安装、升级版本
kjcxmx的博客
06-17 1982
Linux Ubuntu openssl安装、升级版本 文章目录Linux Ubuntu openssl安装、升级版本一、设备环境1.操作系统2.现在的openssl版本二、openssl官网下载源码三、安装openssl1.解压源码包2.查看README3.编译源码四、报错异常五、openssl命令六、openssl-3.0.0-alpha17预发布版本安装Building OpenSSLUnix / Linux / macOS 一、设备环境 1.操作系统 Ubuntu 16.04.1 root@Lemo
SSL/TLS Configuration How-To
BLOG域名:programb.blog.csdn.net
04-24 1250
Tomcat Home The Apache Software Foundation Apache Tomcat 9 Version 9.0.34, Apr 3 2020 Links Docs Home FAQ User Comments User Guide 1) Introduction 2) Setup 3) First webapp 4) Deployer 5) Manager 6) H...
【GmSSL】GmSSL 与 OpenSSL 共存的安装方法
好习惯成就伟大
02-02 3370
安装openssl 使用yum或者apt命令都可以安装,现在最新的系统自带的就是openssl1.1.1g 安装 GmSSL 关键点就是no-shared:只编译静态库 下载解压 # 下载 gmssl wget https://github.com/guanzhi/GmSSL/archive/master.zip # 解压 unzip master.zip 编译 cd GmSSL-master # --prefix 指定 gmssl 的安装路径 # --openssldir 表
openSSL1.1.1的编译
热门推荐
谢绝留言与私信
04-07 1万+
前言准备编译一个开源工程, git下来看说明, 说要openSSL. 那就先编译openSSL. 开源工程说的挺NB的, 要用户git最新版的openSSL:) 一般开源软件只敢说, 本软件要某个第三方库的某个特定范围的版本:P记录openSSL1.1.1的编译过程activeperlopenSSL的编译要用activeperl 下载activeperl http://www.
The Definitive Guide to NetBeans Platform
03-09
■CHAPTER 16 From Eclipse RCP to the NetBeans Platform . . . . . . . . . . . . . . . . . . 279 ■CHAPTER 17 Tips and Tricks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Configuring-the-Network-File-System-_NFS_-service_The Network
09-24
Configuring NFS on linux
Configuring the SELinux Policy
12-05
介绍SELinux的文档。This technical report describes how to configure the SELinux security policy for the example security server.
多进程和多线程基础概念LINUX
2301_79109608的博客
08-22 924
直接访问物理地址,会导致地址空间没有隔离,很容易导致数据被修改通过虚拟地址空间可以实现每个进程空间都是独立的,操作系统会映射到不用的物理地址区间,在访问时互不干扰.进程状态分为三个基本状态,即运行态,就绪态,阻塞态。在五态模型中,进程分为新建态、终止态,运行态,就绪态,阻塞态。并发:有限的 cpu 核芯的情况下 ,利用快速交替(时间片轮转)执行来达到宏观上的同时执行。虚拟地址 : 虚拟地址并不代表真实的内存空间,而是一个用于寻址的编号。并行:在 cpu 多核的支持下,实现物理上的同时执行。
Linux 线程的控制 互斥与同步
最新发布
qq_63145217的博客
08-23 811
include //头文件sem_t sem;信号量的类型 信号量的变量。
Linux上构建Windows应用程序:深入探索跨平台开发的实践与挑战
w651428055的博客
08-21 1071
Linux上构建Windows应用程序,不仅拓宽了开发者的技能范围,也为软件产品的多平台部署提供了灵活性和成本效益。虽然这一过程面临挑战,但通过合理选择工具、框架和策略,可以有效地克服这些障碍。随着技术的不断进步,跨平台开发将变得更加成熟和便捷,为软件开发带来更多的可能性和机遇。未来,随着更多高效工具和框架的出现,跨平台开发的效率和质量有望进一步提升,为软件工程领域注入新的活力。
windows上传的文本在linux执行不了,格式转换
mengbing1990的博客
08-19 319
在windows编辑的文件脚本上传到linux里面执行不了,进行格式转换
i want to know how to get the methods to use chatgpt
04-04
2. Choose a platform or framework to use to implement the chatGPT model. Popular platforms/frameworks for implementing machine learning models include TensorFlow, PyTorch, and Keras. 3. Obtain the ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值