Admin Alert: A Primer For Setting Up PC5250 SSL Connectivity, Part 1
October 9, 2013 Joe Hertvik
To better secure your IBM i Access for Windows connections (Access for Windows), you may be required to encrypt your PC5250 Telnet sessions using Secure Sockets Layer (SSL) encryption. If you need SSL encryption for your PC5250 setups, here's a primer for setting up your IBM i and PC clients to communicate via SSL certificates.

The Overview

Setting up Telnet SSL connectivity between your PCs and your IBM i partition requires you to perform the following configuration steps in your IBM i Digital Certificate Manager (DCM), on your network, and on your PCs running IBM i Access for Windows.

On your IBM i server, using the Digital Certificate Manager (DCM):

1. Set up or identify the local Certificate Authority (CA) certificate that will be downloaded to your Access for Windows PCs.
2. Configure your IBM i Telnet server and associated host servers to present a server certificate issued by the local CA from step 1, so that PC clients can authenticate the server.

On your network:

3. Allow network traffic over port 992, the Telnet SSL port.

On your PCs running IBM i Access for Windows:

4. Install the SSL component of IBM i Access for Windows, if it isn't already present on the PC.
5. Use System i Navigator to download the IBM i local Certificate Authority certificate to your Access for Windows setup.
6. Configure your PC5250 Telnet sessions to connect over SSL.

This issue and next, I'll cover how to execute each step to enable Telnet SSL processing between IBM i Access for Windows PCs and your IBM i partitions. I'll cover items 1 and 2 this week; the network and PC configuration items 3 through 6 will be covered in my next column, to be published on October 23, 2013.

Note: This setup was configured and tested using the Digital Certificate Manager included with the IBM i 6.1 operating system and the PC5250 software included with IBM i Access for Windows 7.1. There may be some differences in the configuration instructions if you are using other versions of these products.
Step 1: Set up or identify the local Certificate Authority (CA) certificate that can be downloaded to your Access for Windows PC

The key to making SSL encryption work is to have a local CA certificate, a server certificate issued by that CA, and that server certificate assigned to the IBM i applications that PC5250 and the other Access for Windows functions connect to. The PCs then download and trust the CA certificate, which lets them verify the server certificate the Telnet server presents. Use the IBM i Digital Certificate Manager (DCM) to perform these tasks. DCM is a browser-based utility that creates digital certificates and assigns them to the IBM i applications that use those certificates for authentication.

DCM is served by the IBM i HTTP administration server instance (*ADMIN). To start the *ADMIN HTTP server, run this Start TCP/IP Server (STRTCPSVR) command from a 5250 green screen:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Once the *ADMIN server instance is started, you can go directly to your partition's DCM Web page by typing this URL into a Web browser:

http://system:2001/QIBM/ICSS/Cert/admin/qycucm1.ndm/main0

where "system" is a DNS host name or IP address for your IBM i partition. This URL takes you directly to the Digital Certificate Manager, where you can sign in and start your configuration. Note that this URL is plain HTTP, so your IBM i sign-on and the certificate store passwords you enter cross the network unencrypted; use DCM only from a trusted administrative network, or configure the *ADMIN instance for SSL as well.

For an existing system, you may already have a local Certificate Authority (CA) certificate configured. Check what the name of your local CA is, and whether that CA is still valid on your system. To find and check your local CA, do the following:

1. Inside DCM, click on the Select a Certificate Store button to access the certificate store where your local CA is stored. Your certificate will reside in the Local Certificate Authority (CA) certificate store. Click on the Local Certificate Authority (CA) radio button on the Select a Certificate Store screen, and then click the Continue button.

2. The DCM will ask you for the password of the Local Certificate Authority store you're trying to open. Enter the password to open the store.
If you've forgotten or don't know the password, there is an option on the sign-in screen to change the certificate store password.

To work with your local CA certificate, click on the Manage Local CA→View option in the left-hand pane of the DCM. At the top of the screen, you'll see the certificate label for your local CA. Write down this name for later use. Under the Additional information area, you'll see the validity period that tells you the dates the certificate is valid for. Check that the certificate hasn't expired. If it hasn't expired, this is the certificate you want to use for your encrypted Telnet SSL sessions. Keep in mind that the CA certificate is what your PCs will trust, so the server certificate you assign in step 2 must have been issued by this CA; if the CA certificate expires, or if you later replace it, every PC that downloaded it will need the new CA certificate before its PC5250 sessions will connect.

If your local CA has expired or you have no local CA on your system, you can retrieve IBM's instructions for creating a local CA by going to the IBM Configuring the SSL Telnet and Access for Windows Host Servers for Server Authentication for the First Time website.

Once your local CA is set up and identified, it's time to configure the IBM i applications that provide Telnet services to your IBM i Access for Windows PCs to use a server certificate issued by that CA.

Step 2: Configure your IBM i Telnet server and associated host servers to use a server certificate issued by the local CA from step 1

After you've identified your local CA certificate, once again click on the Select a Certificate Store button in the DCM. This time, however, turn on the *SYSTEM radio button and click on the Continue button to open the system certificate store on your partition.

Once you've signed into the *SYSTEM certificate store, click on the Fast Path→Work with server and client certificates option. The window that appears shows all the server and client certificates that are available in the *SYSTEM store on your partition. Click on the radio button in front of the certificate name that is designated as the Default Certificate Label at the top of the screen ("new default store–2008", in this case). Before you continue, confirm that this certificate's issuer is the local CA you identified in step 1 and that its own validity period hasn't expired; a server certificate issued by some other CA, or an expired one, will be rejected by PCs that trust only your local CA.
Then click on the "Assign To Applications" button. On the screen that appears, you assign your *SYSTEM server certificate to the applications that will use it to enable SSL for your IBM i Access for Windows functions. This server certificate was issued by your local CA, so any PC that has downloaded and trusts the local CA certificate will accept it. To enable SSL access for all IBM i Access for Windows functions (including PC5250), place a check mark next to the servers in the following servers list and click the Continue button when you're finished.
This configuration tells your IBM i partition to present this server certificate (issued by your local CA) whenever a PC opens an SSL connection to any one of these servers, which is how the PC authenticates the server before the session is encrypted.

The last step in your DCM setup is to enable your i5/OS TCP/IP Telnet Server for SSL PC5250 connectivity. To do that, make sure your *SYSTEM certificate store is open and click on the Fast Path→Work with server applications item in the left-hand menu. On the screen that appears, click on the radio button for the "i5/OS TCP/IP Telnet Server" and then click on the "Work with Application" button. This will show the Work with Server Application screen for the i5/OS TCP/IP Telnet server. Click on the following radio buttons and then click on the Apply button. These selections perform the following functions.
Once these settings are applied, scroll down further on this Work with Server Application screen and you'll see an area marked Certificate Authority (CA) certificates in the application trust list. Click on the "Define CA Trust List" button to get to the screen where you identify the CA certificates the Telnet server will trust when it validates certificates presented to it. Click on the name of the local CA certificate you identified above and then click on the "OK" button at the bottom of the screen to add that certificate to your CA trust list. Add only that CA: when client certificate authentication is enabled, any CA in this list can vouch for a connecting client, so keep the list to the CA you actually control.

Telnet Server Configured for SSL Access

At this point, your IBM i Telnet server is configured to provide authenticated SSL access to PC5250 clients that have your local CA certificate downloaded to their PC. In Part 2 of this article (to be published on October 23, 2013), I'll review the configuration needed on the PC client side to allow PC5250 Telnet sessions to attach to your IBM i partition using SSL.

Follow Joe Hertvik on His Blog, on Twitter, and on LinkedIn

Check out Joe's blog at joehertvik.com, where he focuses on computer administration and news (especially IBM i); vendor, marketing, and tech writing news and materials; and whatever else he comes across. You can also follow Joe on Twitter @JoeHertvik and on LinkedIn.

Joe Hertvik is the owner of Hertvik Business Services, a service company that provides written marketing content and presentation services for the computer industry, including white papers, case studies, and other marketing material. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago. Joe is a contributing editor for IT Jungle and has written the Admin Alert column since 2002.
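As a client-side check of the Telnet server configuration completed in steps 1 and 2 above, here is an added example (not code from the column, and not an IBM tool) that opens a connection to the Telnet SSL port, verifies the server certificate against the local CA certificate exported from DCM, checks the host name, and reports the issuer and remaining validity. It is the same verification PC5250 performs once the CA certificate has been downloaded, so it tells you whether the server side is ready before you touch the PCs. It assumes that the host name you connect with matches the common name in the server certificate, that the local CA certificate has been saved as a PEM file, and that you know the CA's common name as shown on the DCM View screen (the column records the certificate label, which need not equal the common name). The sample certificate dictionary and its values are constructed for illustration and stand in for what a live connection returns.

```python
"""Check the IBM i Telnet SSL listener (port 992) from a client.

Added example; not part of the original column and not an IBM tool.
It does the verification PC5250 performs after the local CA certificate
has been downloaded: the server certificate must chain to the local CA,
must match the host name, and must be within its validity period.
"""
import socket
import ssl
import time

TELNET_SSL_PORT = 992  # IBM i Telnet SSL port (step 3 of the overview)


def rdn_dict(name):
    """Flatten the nested RDN tuples getpeercert() uses into a plain dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def summarize_peer_cert(cert, expected_issuer_cn, now=None):
    """Return (issuer_cn, days_left, issued_by_expected_ca) for a peer cert.

    'cert' is the dict returned by SSLSocket.getpeercert(); it is only
    populated after a successful verification, so reaching here means the
    chain to the CA file already validated.
    """
    now = time.time() if now is None else now
    issuer_cn = rdn_dict(cert["issuer"]).get("commonName", "")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC seconds
    days_left = int((not_after - now) // 86400)
    return issuer_cn, days_left, issuer_cn == expected_issuer_cn


def build_context(ca_file):
    """SSL context that trusts only the local CA exported from DCM."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True            # host name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable server -> handshake fails
    return ctx


def check_telnet_ssl(host, ca_file, expected_issuer_cn,
                     port=TELNET_SSL_PORT, timeout=10):
    """Connect to host:992, verify the chain against ca_file, and summarize.

    Failure modes surface as ssl.SSLCertVerificationError: the server
    certificate was not assigned to the Telnet application, was issued by a
    CA other than the one in ca_file, has expired, or does not carry the
    name you connected with (connect by the name in the certificate, not
    by IP address).
    """
    ctx = build_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer_cn, days_left, ok = summarize_peer_cert(cert, expected_issuer_cn)
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": rdn_dict(cert["subject"]).get("commonName", ""),
                "issuer_cn": issuer_cn,
                "days_left": days_left,
                "issued_by_local_ca": ok,
            }


# Constructed sample in the shape getpeercert() returns; every value is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "ibmi.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Local CA"),)),
    "notBefore": "Jan  5 09:34:43 2018 GMT",
    "notAfter": "Jan  5 09:34:43 2033 GMT",
    "serialNumber": "01",
    "version": 3,
}
SAMPLE_NOW = 1515144883  # Jan  5 09:34:43 2018 GMT, the sample's notBefore

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # Usage: python check_telnet_ssl.py <ibmi-host> <local-ca.pem> "<CA common name>"
        print(check_telnet_ssl(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        # Offline run against the constructed sample
        print(summarize_peer_cert(SAMPLE_CERT, "Example Local CA", now=SAMPLE_NOW))
```

Because the context is built from the exported CA file alone, a server certificate from any other CA, including a public one, fails the handshake; that is the behaviour you want, since it is exactly what the PCs will enforce after Part 2. If the check fails with a hostname mismatch, connect using the name DCM placed in the server certificate rather than an address or alias.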