ICSF and COZSFTP

Discussion of the Co:Z Co-Processing Toolkit for z/OS
njd
Posts: 21
Joined: Fri Apr 24, 2015 5:57 am

ICSF and COZSFTP

Postby njd » Wed Sep 16, 2015 5:48 am

We want to enable the option of using ICSF with COZSFTP. From the manual I can see that we have to add the following lines
to /etc/ssh/zos_ssh_config and /etc/ssh/zos_sshd_config:

CiphersSource any
MACsSource any

and we should also define the following RACF resources/access (assuming these aren't already in place)

RDEFINE CSFIQA CLASS(CSFSERV) UACC(NONE)
RDEFINE CSF1TRC CLASS(CSFSERV) UACC(NONE)
RDEFINE CSF1TRD CLASS(CSFSERV) UACC(NONE)
RDEFINE CSF1SKE CLASS(CSFSERV) UACC(NONE)
RDEFINE CSF1SKD CLASS(CSFSERV) UACC(NONE)
RDEFINE CSFOWH CLASS(CSFSERV) UACC(NONE)
PERMIT CSFIQA CLASS(CSFSERV) ID(*) ACCESS(READ)
PERMIT CSF1TRC CLASS(CSFSERV) ID(*) ACCESS(READ)
PERMIT CSF1TRD CLASS(CSFSERV) ID(*) ACCESS(READ)
PERMIT CSF1SKE CLASS(CSFSERV) ID(*) ACCESS(READ)
PERMIT CSF1SKD CLASS(CSFSERV) ID(*) ACCESS(READ)
PERMIT CSFOWH CLASS(CSFSERV) ID(*) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH

Is that all that is required? Could someone also clarify what ICSF would be used for? Is it the encryption of the file being transferred?
I assume without ICSF fully configured the encryption would take place in the SSHD software?

dovetail
Site Admin
Posts: 1756
Joined: Thu Jul 29, 2004 12:12 pm

Re: ICSF and COZSFTP

Postby dovetail » Wed Sep 16, 2015 1:52 pm

There are setup guides for Ported Tools OpenSSH that cover everything here:

http://dovetail.com/docs/pt-quick-inst-12/index.html (P.T. 1.2)
http://dovetail.com/docs/pt-quick-inst/index.html (P.T. 1.3)

njd

Re: ICSF and COZSFTP

Postby njd » Thu Sep 17, 2015 4:16 am

I assume you are referring to sections 1.6 and 2.1 - 2.3?

We have been running some tests using "export COZ_LOG=D" to compare the cpu and initially this was showing double the cpu usage under ICSF as it was without ICSF.

After adding the following to /etc/ssh/sshd_config

# Only support ICSF/CPACF SHA-1 MACs:
MACs hmac-sha1,hmac-sha1-96

and the following to /etc/ssh/ssh_config

# 2) Prefer AES ICSF/CPACF Ciphers, but fallback to others
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,rijndael-cbc@lysator.liu.se

we see the CPU come down to just below what was used when not using ICSF. Should we not see this being 50% less CPU than when we run without ICSF? Also, by limiting the MACs to only hmac-sha1 and hmac-sha1-96 and the Ciphers as above are we likely to break anything?

dovetail
Site Admin

Re: ICSF and COZSFTP

Postby dovetail » Thu Sep 17, 2015 8:42 am

Most customers do see around a 50% reduction in CPU when switching to ICSF ciphers and macs.
I can't really tell from your post what you are comparing (which Ciphers and Macs you are actually using in the ICSF vs. non-ICSF CPU comparison).

You may want to consult IBM if you are having CPU utilization issues with ICSF use with IBM Ported Tools OpenSSH.
We have heard of overhead problems having to do with ICSF calls to RACF (or other security product) that I believe were found to be a RACF problem.

One thing to try (if you are at the A1 version of ICSF) is to disable individual RACF checks for MACs. This is covered in our Quick Start guides.

RDEFINE CSF.CSFSERV.AUTH.CSFOWH.DISABLE CLASS(XFACILIT) UACC(READ)
RDEFINE CSF.CSFSERV.AUTH.CSFRNG.DISABLE CLASS(XFACILIT) UACC(READ)
SETROPTS CLASSACT(XFACILIT)
SETROPTS RACLIST(XFACILIT) REFRESH

I can't say whether you will break anything by only using SHA-1 MACs. I would think that it is extremely unlikely, since SHA-1 is the most common and required in a SSH implementation. Nevertheless, it is theoretically possible that one of your connection partners doesn't support SHA-1.

dovetail
Site Admin

Re: ICSF and COZSFTP

Postby dovetail » Thu Sep 17, 2015 1:53 pm

I forgot to point something out when looking at Co:Z SFTP CPU costs.

When running Co:Z SFTP, there is a separate OMVS address space that runs either ssh or sshd for the connection. This address space is where all of the encryption occurs and if ICSF is not used it will generally account for over 90% of the overall CPU costs. You would need to look at the SMF30 records to see the account for this, since it will not show up in the batch job account for running the Co:Z SFTP client.

njd

Re: ICSF and COZSFTP

Postby njd » Fri Sep 18, 2015 8:32 am

Can I ask what I would have to define in the Ciphers and Macs parameters to run in the most CPU efficient way and not disable anything?
I assume there is a complete list of Ciphers and Macs that COZSFTP supports and a preferred order. I assume by just coding "MACs hmac-sha1,hmac-sha1-96" as recommended in the manual certain MACs would not be available for use.

dovetail
Site Admin

Re: ICSF and COZSFTP

Postby dovetail » Fri Sep 18, 2015 3:49 pm

In our quickstart guide, I refer you to this:

http://dovetail.com/docs/pt-quick-inst- ... -icsf.html
Cipher and MAC negotiation rule
The first algorithm in the client list that appears anywhere in the server list will be selected.


Therefore, in the ssh client's Ciphers and Macs list, you can simply move the ICSF enabled ciphers (SHA-1) to the front of the list. These (the ICSF enabled Ciphers and Macs) will then be selected as long as the server supports them.

There is no perfect solution for configuring the SSHD server. Here are your options from the QuickStart guide:

Configuring SSHD server Ciphers and MACs

The negotiation rule implies that you have fewer choices for selecting Ciphers and MACs in your SSHD server configuration. Generally, there are three strategies:

1. Only allow ICSF/CPACF supported Ciphers and fail otherwise
2. Allow any Cipher; try to ask your clients to prefer ICSF/CPACF supported Ciphers
3. Allow a subset of the supported Ciphers as required by your clients


For complete reference information, see the IBM z/OS OpenSSH User's Guide.
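The negotiation rule quoted above is easy to get wrong in practice because it is the client's order, not the server's, that decides. The following Python script is an added example (not part of this thread and not code from Co:Z or Dovetail) that applies the rule to ssh_config-style Ciphers/MACs lines and reports whether the negotiated algorithm is ICSF/CPACF-accelerated. The ICSF_CIPHERS/ICSF_MACS sets are an assumption taken from the comments in the config fragments posted earlier in the thread (AES ciphers, SHA-1 MACs); every config text in the script is constructed for the demo and describes no real host.

```python
"""Apply the SSH Cipher/MAC negotiation rule from the thread and flag
whether the negotiated algorithm is ICSF/CPACF-accelerated.
Added example; not code from the thread or from Co:Z."""

# Assumption: the ICSF/CPACF-accelerated set, inferred from the comments in the
# posted config fragments ("AES ICSF/CPACF Ciphers", "ICSF/CPACF SHA-1 MACs").
ICSF_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                "aes128-ctr", "aes192-ctr", "aes256-ctr"}
ICSF_MACS = {"hmac-sha1", "hmac-sha1-96"}


def parse_list(config_text, keyword):
    """Return the comma-separated list for an ssh_config keyword such as 'Ciphers'.
    Comments and blank lines are skipped; the first match wins, as in OpenSSH."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return []


def negotiate(client_list, server_list):
    """The first algorithm in the client list that appears anywhere in the
    server list is selected; None means no common algorithm (connection fails)."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


def prefer_icsf(alg_list, icsf_set):
    """Reorder a list so ICSF-enabled algorithms come first, keeping relative order.
    This is the 'move them to the front of the client list' advice from the thread."""
    return ([a for a in alg_list if a in icsf_set]
            + [a for a in alg_list if a not in icsf_set])


def check(client_cfg, server_cfg):
    """Negotiate both Ciphers and MACs and report whether ICSF would be used."""
    cipher = negotiate(parse_list(client_cfg, "Ciphers"), parse_list(server_cfg, "Ciphers"))
    mac = negotiate(parse_list(client_cfg, "MACs"), parse_list(server_cfg, "MACs"))
    return {"cipher": cipher, "cipher_icsf": cipher in ICSF_CIPHERS,
            "mac": mac, "mac_icsf": mac in ICSF_MACS}


# Constructed sample configs (not from any real host).
# Client list as in the ssh_config fragment posted earlier in the thread.
ZOS_CLIENT_CFG = """
# Prefer AES ICSF/CPACF Ciphers, but fall back to others
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,rijndael-cbc@lysator.liu.se
MACs hmac-sha1,hmac-sha1-96,hmac-md5
"""
# Strategy 2 from the guide: a permissive sshd that lists RC4/MD5 first but
# also accepts AES-CTR and SHA-1.
PERMISSIVE_SSHD_CFG = """
Ciphers arcfour256,aes128-ctr
MACs hmac-md5,hmac-sha1
"""
# A non-z/OS client that happens to list RC4 and MD5 first.
RC4_CLIENT_CFG = """
Ciphers arcfour256,aes128-ctr
MACs hmac-md5,hmac-sha1
"""
# Strategy 1 from the guide: a z/OS sshd that only allows ICSF/CPACF algorithms.
STRICT_SSHD_CFG = """
Ciphers aes128-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha1-96
"""

if __name__ == "__main__":
    # The z/OS client's order wins: aes128-ctr/hmac-sha1 despite the server preferring RC4/MD5.
    print("z/OS client -> permissive sshd:", check(ZOS_CLIENT_CFG, PERMISSIVE_SSHD_CFG))
    # An RC4-first client against the permissive sshd gets no ICSF at all.
    print("RC4 client  -> permissive sshd:", check(RC4_CLIENT_CFG, PERMISSIVE_SSHD_CFG))
    # The same client against the strict sshd is forced onto ICSF algorithms.
    print("RC4 client  -> strict sshd:    ", check(RC4_CLIENT_CFG, STRICT_SSHD_CFG))
    # Reordering the client list is the fix that needs no server change.
    print("reordered client Ciphers:", prefer_icsf(parse_list(RC4_CLIENT_CFG, "Ciphers"), ICSF_CIPHERS))
```

The three runs in the main block correspond to the three server strategies listed in the quoted guide: with a permissive sshd the outcome depends entirely on what each remote client lists first, while a strict sshd guarantees ICSF algorithms at the price of rejecting clients that support none of them (negotiate returns None in that case).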

Rock73
Posts: 1
Joined: Wed Jun 14, 2017 1:46 am

Re: ICSF and COZSFTP

Postby Rock73 » Wed Jun 14, 2017 1:52 am

we see the CPU come down to just below what was used when not using ICSF. Should we not see this being 50% less CPU than when we run without ICSF? Also, by limiting the MACs to only hmac-sha1 and hmac-sha1-96 and the Ciphers as above are we likely to break anything?

dovetail
Site Admin

Re: ICSF and COZSFTP

Postby dovetail » Wed Jun 14, 2017 8:31 am

Take a look at "Verifying ICSF Usage" here: https://dovetail.com/docs/pt-quick-inst ... erify-icsf

1) check that you are using an ICSF enabled Cipher and Mac (which ones?)

2) You can compare quickly by using these options on your cozsftp command line:

-oCiphersSource=OpenSSL -oMacsSource=OpenSSL

-oCiphersSource=ICSF -oMacsSource=ICSF

3) add this to your script before running the cozsftp command line:

export COZ_LOG=D

this will enable Debug level messages, and most importantly you should see a message like this:

... SSH process times: elapsed=... secs, user cpu=... secs, sys cpu=... secs
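To turn the COZ_LOG=D message into the ICSF-vs-OpenSSL comparison suggested above, here is an added Python helper (not part of this thread and not code from Co:Z or Dovetail) that extracts the SSH process times values from a log and computes the CPU reduction between two runs. The log lines are constructed for the demo and their figures are illustrative, not measurements; the text before "SSH process times" on each line is an assumed prefix, since the post shows only the tail of the message.

```python
"""Parse 'SSH process times' lines from COZ_LOG=D output and compare two runs.
Added example; not code from the thread or from Co:Z."""
import re

# Matches the tail of the message quoted in the thread; whatever precedes
# "SSH process times" on the line (timestamp, component) is assumed and ignored.
TIMES_RE = re.compile(
    r"SSH process times:\s*elapsed=([\d.]+) secs,\s*"
    r"user cpu=([\d.]+) secs,\s*sys cpu=([\d.]+) secs"
)


def parse_ssh_times(log_text):
    """Return one dict per matching line: elapsed, user, sys and total cpu (secs).
    Non-matching lines are ignored, so a whole job log can be fed in."""
    results = []
    for line in log_text.splitlines():
        m = TIMES_RE.search(line)
        if m:
            elapsed, user, sys_ = (float(x) for x in m.groups())
            results.append({"elapsed": elapsed, "user": user, "sys": sys_,
                            "cpu": user + sys_})
    return results


def total_cpu(log_text):
    """Sum user+sys CPU over every transfer in a log. This is the ssh/sshd side,
    which the thread notes does not appear in the batch job's own accounting."""
    return sum(r["cpu"] for r in parse_ssh_times(log_text))


def cpu_reduction(baseline_log, candidate_log):
    """Fraction of CPU saved by the candidate run (e.g. ICSF) relative to the
    baseline (e.g. OpenSSL): 0.5 means half the CPU. Raises if either log has no
    timing line, which usually means COZ_LOG=D was not in effect for that run."""
    if not parse_ssh_times(baseline_log) or not parse_ssh_times(candidate_log):
        raise ValueError("no 'SSH process times' message found; check COZ_LOG=D")
    base = total_cpu(baseline_log)
    if base == 0.0:
        raise ValueError("baseline CPU is zero; nothing to compare against")
    return 1.0 - total_cpu(candidate_log) / base


# Constructed sample logs; the prefix is assumed and the figures are illustrative.
OPENSSL_LOG = """\
[D] cozsftp: -oCiphersSource=OpenSSL -oMacsSource=OpenSSL
[D] cozsftp: put /tmp/sample.dat
[D] cozsftp: SSH process times: elapsed=31.2 secs, user cpu=4.0 secs, sys cpu=0.8 secs
"""
ICSF_LOG = """\
[D] cozsftp: -oCiphersSource=ICSF -oMacsSource=ICSF
[D] cozsftp: put /tmp/sample.dat
[D] cozsftp: SSH process times: elapsed=29.8 secs, user cpu=1.9 secs, sys cpu=0.5 secs
"""

if __name__ == "__main__":
    print("OpenSSL cpu: {:.2f} secs".format(total_cpu(OPENSSL_LOG)))
    print("ICSF cpu:    {:.2f} secs".format(total_cpu(ICSF_LOG)))
    print("reduction:   {:.0%}".format(cpu_reduction(OPENSSL_LOG, ICSF_LOG)))
```

Run each cozsftp job twice with the -oCiphersSource/-oMacsSource overrides from the post, capture stderr from both, and feed the two captures to cpu_reduction; if it raises, the debug message was never emitted and the environment variable did not reach the cozsftp process.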

