Secure sockets APIs

Secure sockets consists of the following APIs:

• i5/OS Global Secure Toolkit (GSKit) APIs
  
  
• i5/OS SSL_ APIs
  
  
• Open SSL APIs

The i5/OS^(R) Global Secure Toolkit (GSKit) and i5/OS SSL_ application programming interfaces (APIs) are a set of functions that, when used with the i5/OS sockets APIs, are designed to enable and facilitate secure communications between processes on a network. The GSK Secure Toolkit (GSKit) APIs are the preferred set of APIs to be used to securely enable an application using Secure Sockets Layer/Transport Layer Security (SSL/TLS). The SSL_ APIs also can be used to enable an application to use the SSL/TLS Protocol.

SSL provides communications privacy over an open communications network (that is, the Internet). The protocol allows client/server applications to communicate to prevent eavesdropping, tampering, and message forgery. The SSL protocol connection security has three basic properties:

• The connection is private. Encryption using secret keys is used to encrypt and decrypt the data. The secret keys are generated on a per SSL session basis using an SSL handshake protocol. An SSL handshake is a series of protocol packets sent in a particular sequence, which use asymmetric cryptography to establish an SSL session. Symmetric cryptography is used for application data encryption and decryption.
  
  
• The peer's identity can be authenticated using asymmetric, or public key cryptography.
  
  
• The connection is reliable. Message transport includes a message integrity check using a keyed Message Authentication Code (MAC). Secure hash functions are used for MAC computations.

When creating ILE programs or service programs that use the i5/OS GSKit or SSL_ APIs, you do not need to explicitly bind to the secure sockets service program QSYS/QSOSSLSR because it is part of the system binding directory.

The GSKit and SSL_ API documentation describes the GSKit and SSL_ APIs only. This documentation does not include any information about how to configure or obtain any of the cryptographic objects, such as a key ring file or certificate, that are required to fully enable an application for SSL. Some cryptographic objects, such as certificate store files, are required parameters for GSKit and SSL_ APIs. Information on how to configure the cryptographic objects required for the i5/OS secure socket APIs, or how to configure a secure web server, which also uses the secure socket APIs, can be found using the following references:

• HTTP Server: Documentation
  
  
• Secure Sockets Layer (SSL) under the Security topic. Plan for enabling SSL discusses what you must install and configure before using secure sockets.
  
  
• Cryptographic Hardware topic.

For background information on GSKit and SSL_ APIs, see:

• Secure Sockets in the Sockets programming topic.