Cipher suites with Diffie-Hellman key negotiation require DH parameter sets when used on the TLS server side.
The BS2000 FTP server is supplied with a 2048 bit fixed DH parameter set. The 2048 bit length currently appears to be a sensible compromise between security and CPU resource requirements.
The GEN.DHPARAM procedure enables the FTP server operator to deviate up or down from the 2048 bit length or to generate a separate DH parameter set. For security reasons, you should not use parameter sets with less than 1024 bits. Conversely, it is important to be aware that a 4096 bit DH parameter set, for example, can slow down the TLS handshake and hence the login time significantly and increase CPU resource consumption dramatically.
Parameters
SIZE
This parameter is a measure of the size of a DH parameter set. The greater the size, the greater the security, but also the higher the CPU resource consumption for generating and in particular for using the parameter set. The parameter is set to 2048 by default.
G
This is referred to as the generator value. Without sufficient knowledge or good reason to change the value, you should leave it set to the default value 2.
PARAMFILE
This parameter specifies the file in which the DH parameter set is to be stored. The parameter defaults to SYSDAT.TCP-IP-AP.nnn.DHPARAM.
Procedure run
Once you start the procedure, it runs without further user interaction until it finishes. The runtime can be anything from minutes to hours depending on the selected SIZE parameter, the available system performance, and the random numbers received from the PRNGD subsystem. The activity of the generation program is displayed by the continuous output of the '.', '+' and '*' characters.
Example
/CALL-PROCEDURE $.SYSSPR.TCP-IP-AP.nnn(GEN.DHPARAM),(SIZE=1024)
DH Parameter Set Generation Utility.
Copyright (c) [...] Fujitsu Technology Solutions, All Rights Reserved
Generate DH parameter set.
--------------------------------------------------------------------
% BLS0523 ELEMENT 'OPENSSL' [...]
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time..............+...............................
.................................................................+.............
............................................................+..................
........................................................................+......
...+.....+.....................................................................
...............+.......................+........................+..............
......................+..........................................+............+
............+................+.......................+.........................
................................................+..............................
...................................................................+...........
...................................................................+...........
...................+..................+.....................................+..
..................................................+............................
...................+....................+......................................
.............+...................+.............................................
.+.............................................................................
.................................+.......+.....+........+......................
...................................................+...........................
..+..+.........................................................................
........+..........................+............................+..............
............................+....................+.............................
....................................................................+..........
.+...+.........................................+.......................+......+
..++*++*++*
In the option file of the FTP server, this DH parameter file can then be specified with the -tlsDHparamFile option:
-tlsDHparamFile $.SYSDAT.TCP-IP-AP.nnn.DHPARAM
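Before a generated or externally supplied parameter set is referenced with -tlsDHparamFile, it is worth confirming that it really is a safe prime of the intended size with a valid generator. The following check is an added example, not part of the BS2000 software or of this documentation: it works on the integer values p and g (the on-disk layout of the BS2000 DHPARAM file is not described here), and the embedded RFC 2409 prime is a constructed sample input.

```python
# Added example, not part of the BS2000 FTP server documentation: sanity-check a
# DH parameter set (p, g) before it is referenced with -tlsDHparamFile.  It
# works on the integer values, e.g. as shown by an OpenSSL "-text" dump; the
# on-disk layout of the BS2000 DHPARAM file is not described on this page.
import secrets

# Constructed sample input: the 1024-bit MODP group from RFC 2409 (a published
# safe prime with generator 2), used here only to exercise the check.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; rounds=32 bounds the error per call by 4**-32."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2**s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is composite
    return True

def check_dh_params(p, g, min_bits=1024):
    """Return the list of problems found; an empty list means the set is usable.
    min_bits defaults to the 1024-bit floor the GEN.DHPARAM text recommends."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p has only {p.bit_length()} bits (< {min_bits})")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        problems.append("generator g must satisfy 1 < g < p-1")
    return problems
```

A set that passes with an empty problem list still has the CPU cost described above; the check only confirms the mathematical properties, not that the chosen SIZE suits the server's login load.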