OpenSSL on HP Integrity NonStop Server

OpenSSL security overview for IBM MQ client for HP Integrity NonStop Server.

The OpenSSL toolkit is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for secure communications over a network.

The toolkit is developed by the OpenSSL Project. For more information about the OpenSSL Project, see https://www.openssl.org. IBM MQ client for HP Integrity NonStop Server contains modified versions of the OpenSSL libraries and the openssl command. The libraries and openssl command are ported from the OpenSSL toolkit 1.0.1c, and are supplied as object code only. No source code is provided.

The OpenSSL libraries are loaded by IBM MQ client application programs dynamically as required. Only the OpenSSL libraries that are provided by IBM MQ are supported for use with IBM MQ client applications.

The openssl command, which can be used for certificate management purposes, is installed in the OSS directory opt_installation_path/opt/mqm/bin.

Using the openssl command, you can create and manage keys and digital certificates with various common data formats, and carry out simple certificate authority (CA) tasks.

The default format for key and certificate data that is processed by OpenSSL is the Privacy Enhanced Mail (PEM) format. Data in PEM format is base64 encoded ASCII data. The data can therefore be transferred by using text-based systems such as email, and can be cut and pasted by using text editors and web browsers. PEM is an Internet standard for text-based cryptographic exchanges and is specified in Internet RFCs 1421, 1422, 1423, and 1424. IBM MQ assumes that a file with extension .pem contains data in PEM format. A file in PEM format can contain multiple certificates and other encoded objects, and can include comments.

The IBM MQ SSL support on other operating systems might require key and certificate data in files to be encoded by using Distinguished Encoding Rules (DER). DER is a set of encoding rules for using the ASN.1 notation in secure communications. Data that is encoded by using DER is binary data, and the format of key and certificate data that is encoded by using DER is also known as PKCS#12 or PFX. A file that contains this data commonly has an extension of .p12 or .pfx. The openssl command can convert between PEM and PKCS#12 format.
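Because a .pem file is only assumed to hold PEM data and can bundle several objects with comments, it helps to inventory a file before deploying it. The following is an added example, not part of the IBM documentation or the product: it lists each PEM object, flags private keys stored without passphrase encryption, and recognises binary DER content by its leading tag. The function names and the sample data are constructed for illustration, and the script is assumed to run on a workstation with Python 3.

```python
import base64
import re

# Encapsulation boundaries; anything outside a BEGIN/END pair is comment text.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inventory(data: bytes):
    """Classify file content and list each PEM object as (label, der_len, encrypted)."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        label, body = m.group(1).decode(), m.group(2)
        # Legacy encrypted keys carry RFC 1421 header lines before the base64 body.
        encrypted = (b"Proc-Type: 4,ENCRYPTED" in body
                     or label == "ENCRYPTED PRIVATE KEY")
        b64 = b"".join(ln.strip() for ln in body.splitlines() if b":" not in ln)
        der = base64.b64decode(b64, validate=True)  # raises on corrupt base64
        blocks.append((label, len(der), encrypted))
    if blocks:
        return "PEM", blocks
    # Binary DER objects such as certificates and PKCS#12 start with a SEQUENCE tag.
    return ("DER" if data[:1] == b"\x30" else "UNKNOWN"), []

def unprotected_keys(blocks):
    """Labels of private keys stored without passphrase encryption."""
    return [lbl for lbl, _, enc in blocks if lbl.endswith("PRIVATE KEY") and not enc]

def _pem(label: bytes, der: bytes, headers: bytes = b"") -> bytes:
    """Build a PEM block for the constructed sample below."""
    return (b"-----BEGIN " + label + b"-----\n" + headers
            + base64.encodebytes(der) + b"-----END " + label + b"-----\n")

# Constructed sample: placeholder DER bytes, not real certificates or keys.
FAKE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE = (b"Client chain, exported for testing\n"
          + _pem(b"CERTIFICATE", FAKE_DER)
          + b"issuing CA follows\n"
          + _pem(b"CERTIFICATE", FAKE_DER)
          + _pem(b"RSA PRIVATE KEY", FAKE_DER)
          + _pem(b"RSA PRIVATE KEY", FAKE_DER,
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"))

if __name__ == "__main__":
    kind, blocks = inventory(SAMPLE)
    print(kind, blocks, unprotected_keys(blocks))
```

A non-empty result from `unprotected_keys` means the file carries a private key in clear text, so it needs restrictive file permissions or passphrase protection before it is copied between systems.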
