ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaiw_5.4.0.1/rzaiwscenariossldetails.htm

264 lines
17 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Configuration details" />
<meta name="abstract" content="This topic describes the task steps for securing Telnet with SSL." />
<meta name="description" content="This topic describes the task steps for securing Telnet with SSL." />
<meta name="DC.Relation" scheme="URI" content="rzaiwscenariossl.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu66adcmstart.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiwconfiguresslcert.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiwscenariossldetails" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configuration details</title>
</head>
<body id="rzaiwscenariossldetails"><a name="rzaiwscenariossldetails"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configuration details</h1>
<div><p>This topic describes the task steps for securing Telnet with SSL.</p>
<div class="section" id="rzaiwscenariossldetails__removeport"><a name="rzaiwscenariossldetails__removeport"><!-- --></a><h4 class="sectionscenariobar">Step 1: Remove
port restrictions</h4><p>In releases before V5R1, port restrictions were
used because Secure Sockets Layer (SSL) support was not available for Telnet.
Now you can specify whether SSL, non-SSL, or both are to start. Therefore,
there is no longer a need for port restrictions. If you has defined port restrictions
in previous releases, you need to remove the port restrictions in order to
use the SSL parameter.</p>
<p>To determine whether you have Telnet port restrictions
and remove them so that you can configure the Telnet server to use SSL, follow
these steps:</p>
<ol><li>To view any current port restrictions, start iSeries™ Navigator and expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Network</span></span>.</li>
<li>Right-click <span class="uicontrol">TCP/IP Configuration</span> and select <span class="uicontrol">Properties</span>.</li>
<li>Click the <span class="uicontrol">Port Restrictions</span> tab to see a list of
port restriction settings.</li>
<li>Select the port restriction that you want to remove.</li>
<li>Click <span class="uicontrol">Remove</span>.</li>
<li>Click <span class="uicontrol">OK</span>.</li>
</ol>
<p>By default, the setting is to start SSL sessions on port 992 and non-SSL
sessions on port 23. The Telnet server uses the service table entry for Telnet
to get the non-SSL port and Telnet-SSL to get the SSL port.</p>
</div>
<div class="section" id="rzaiwscenariossldetails__createlca"><a name="rzaiwscenariossldetails__createlca"><!-- --></a><h4 class="sectionscenariobar">Step 2: Create
and operate Local Certificate Authority</h4><p>To use Digital Certificate
Manager (DCM) to create and operate a Local Certificate Authority (CA) on
the iSeries server,
follow these steps:</p>
<ol><li>Start DCM.</li>
<li>In the navigation frame of DCM, select <span class="uicontrol">Create a Certificate
Authority (CA)</span> to display a series of forms. These forms guide
you through the process of creating a Local CA and completing other tasks
needed to begin using digital certificates for SSL, object signing, and signature
verification.</li>
<li>Complete all the forms that display. There is a form for each of the tasks
that you need to perform in order to create and operate a Local CA on the iSeries server.
Completing these forms allows you to: <ol type="a"><li>Choose how to store the private key for the Local CA certificate. This
step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor
installed on your iSeries. If your system does not have a cryptographic
coprocessor, DCM automatically stores the certificate and its private key
in the Local CA certificate store.</li>
<li>Provide identifying information for the Local CA.</li>
<li>Install the Local CA certificate on your PC or in your browser. This enables
software to recognize the Local CA and validate certificates that the CA issues.</li>
<li>Choose the policy data for your Local CA.</li>
<li>Use the new Local CA to issue a server or client certificate that applications
can use for SSL connections. If you have an IBM<sup>®</sup> 4758-023 PCI Cryptographic Coprocessor
installed in the iSeries server,
this step allows you to select how to store the private key for the server
or client certificate. If your system does not have a coprocessor, DCM automatically
places the certificate and its private key in the *SYSTEM certificate store.
DCM creates the *SYSTEM certificate store as part of this task.</li>
<li>Select the applications that can use the server or client
certificate for SSL connections. <div class="note"><span class="notetitle">Note:</span> Be sure to select the application ID
for the i5/OS<sup>®</sup> Telnet
server (QIBM_QTV_TELNET_SERVER).</div>
</li>
<li>Use the new local CA to issue an object signing certificate that applications
can use to digitally sign objects. This creates the *OBJECTSIGNING certificate
store, which you use to manage object signing certificates. <div class="note"><span class="notetitle">Note:</span> Although
this scenario does not use object signing certificates, be sure to complete
this step. If you cancel at this point in the task, the task ends and you
need to perform separate tasks to complete your SSL certificate configuration.</div>
</li>
<li>Select the applications that you want to trust the local
CA. <div class="note"><span class="notetitle">Note:</span> Be sure to select the application ID for the i5/OS Telnet server</div>
(QIBM_QTV_TELNET_SERVER).</li>
</ol>
</li>
</ol>
<p>After you have completed the forms for this guided task, you can configure
the Telnet Server to require client authentication.</p>
</div>
<div class="section" id="rzaiwscenariossldetails__configtelnet"><a name="rzaiwscenariossldetails__configtelnet"><!-- --></a><h4 class="sectionscenariobar">Step 3:
Configure Telnet server to require certificates for client authentication</h4><p>In
order to activate this support, the System Administrator will indicate how
SSL support will be handled. Use the Telnet Properties General panel in iSeries Navigator
to indicate whether SSL, non-SSL, or support for both will start when the
Telnet server starts. By default, the SSL and non-SSL support always starts.</p>
<p>The
System Administrator has the ability to indicate whether the system requires
SSL client authentication for all Telnet sessions. When SSL is active and
the system requires client authentication, the presence of a valid client
certificate means that the client is trusted.</p>
<p>To configure the Telnet
server to require certificates for client authentication, follow these steps:</p>
<ol><li>Start DCM.</li>
<li>Click <span class="uicontrol">Select a Certificate Store</span>.</li>
<li>Select <span class="uicontrol">*SYSTEM</span> as the certificate store to open
and click <span class="uicontrol">Continue</span>.</li>
<li>Enter the appropriate password for *SYSTEM certificate store and click <span class="uicontrol">Continue</span>.</li>
<li>When the left navigational menu refreshes, select <span class="uicontrol">Manage Applications</span> to
display a list of tasks.</li>
<li>Select the <span class="uicontrol">Update application definition</span> task to
display a series of forms.</li>
<li>Select <span class="uicontrol">Server</span> application and click <span class="uicontrol">Continue</span> to
display a list of server applications.</li>
<li>From the list of applications, select <span class="uicontrol">i5/OS
TCP/IP Telnet Server</span>.</li>
<li>Click <span class="uicontrol">Update Application Definition</span>.</li>
<li>In the table that displays, select <span class="uicontrol">Yes</span> to require
client authentication.</li>
<li>Click <span class="uicontrol">Apply</span>. The <span class="uicontrol">Update Application
Definition</span> page displays with a message to confirm your changes.</li>
<li>Click <span class="uicontrol">Done</span>.</li>
</ol>
<p>Now that you have configured the Telnet server to require certificates
for client authentication, you can enable and start SSL for the Telnet server.</p>
</div>
<div class="section" id="rzaiwscenariossldetails__enablessl"><a name="rzaiwscenariossldetails__enablessl"><!-- --></a><h4 class="sectionscenariobar">Step 4: Enable
and start SSL on Telnet server</h4><p>To enable SSL on the Telnet server,
follow these steps:</p>
<ol><li>Open iSeries Navigator.</li>
<li>Expand <span class="menucascade"><span class="uicontrol">My iSeries server</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span> &gt; <span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">Telnet</span>.</li>
<li>Select <span class="uicontrol">Properties</span>.</li>
<li>Select the <span class="uicontrol">General</span> tab.</li>
<li>Choose one of these options for SSL support: <ul><li><span class="uicontrol">Secure only</span> Select this to allow only SSL sessions
with the Telnet server.</li>
<li><span class="uicontrol">Non-secure only</span> Select this to prohibit secure
sessions with the Telnet server. Attempts to connect to an SSL port will not
connect.</li>
<li><span class="uicontrol">Both secure and non-secure</span> Allows both secure and
non-secure sessions with the Telnet server.</li>
</ul>
</li>
</ol>
<p>To start the Telnet server using iSeries Navigator, follow these steps:</p>
<ol><li>Expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span> &gt; <span class="uicontrol">TCP/IP</span></span>.</li>
<li>In the right pane, locate <span class="uicontrol">Telnet</span> in the Server
Name column.</li>
<li>Confirm that <span class="uicontrol">Started</span> appears in the Status column.</li>
<li>If the server is not running, right-click <span class="uicontrol">Telnet</span> and
select <span class="uicontrol">Start</span>.</li>
</ol>
</div>
<div class="section" id="rzaiwscenariossldetails__enablesslclient"><a name="rzaiwscenariossldetails__enablesslclient"><!-- --></a><h4 class="sectionscenariobar">Step
5: Enable SSL on the Telnet client</h4><p>To participate in an SSL session,
the Telnet client must be able to recognize and accept the certificate that
the Telnet server presents to establish the SSL session. To authenticate the
server's certificate, the Telnet client must have a copy of the CA certificate
in iSeries key
database. When the Telnet server uses a certificate from a Local CA, the Telnet
client must obtain a copy of the Local CA certificate and install it in the iSeries key
database.</p>
<p>To add a Local CA certificate from an iSeries so that the Telnet client can
participate in SSL sessions with Telnet servers that use a certificate from
the Local CA, follow these steps:</p>
<ol><li>Open iSeries Navigator.</li>
<li>Right-click the name of your system.</li>
<li>Select <span class="uicontrol">Properties</span>.</li>
<li>Select the <span class="uicontrol">Secure Sockets</span> tab. <div class="note"><span class="notetitle">Note:</span> This tab will
not appear unless you have completed a selective install of iSeries Client
Encryption (128-bit), 5722-CE3.</div>
</li>
<li>Click <span class="uicontrol">Download</span>. This will download the iSeries Certificate
Authority certificate automatically into the certificate key database.</li>
<li>You will be prompted for your key database password. Unless you have previously
changed the password from the default, enter <samp class="codeph">ca400</samp>. A confirmation
message displays. Click <span class="uicontrol">OK</span>.</li>
</ol>
<p>The download button automatically updates the IBM Toolbox for Java™ PC key database.</p>
</div>
<div class="section" id="rzaiwscenariossldetails__telnetclient"><a name="rzaiwscenariossldetails__telnetclient"><!-- --></a><h4 class="sectionscenariobar">Step 6:
Enable Telnet client to present certificate for authentication</h4><p>You
have configured SSL for the Telnet server, specified that the server should
trust certificates that the Local CA issues, and specified that it require
certificates for client authentication. Now, users must present a valid and
trusted client certificate to the Telnet server for each connection attempt.</p>
<p>Clients
need to use the Local CA to obtain a certificate for authentication to the
Telnet server and import that certificate to IBM Key Management database before client
authentication will work.</p>
<p>First, clients must use DCM to obtain a user
certificate by following these steps:</p>
<ol><li>Start DCM.</li>
<li>In the left navigation frame, select <span class="uicontrol">Create Certificate</span> to
display a list of tasks.</li>
<li>From the task list, select <span class="uicontrol">User Certificate</span> and
click <span class="uicontrol">Continue</span>.</li>
<li>Complete the <span class="uicontrol">User Certificate</span> form. Only those
fields marked "Required" need to be completed. Click <span class="uicontrol">Continue</span>.</li>
<li>Depending on the browser you use, you will be asked to generate a certificate
that will be loaded into your browser. Follow the directions provided by the
browser.</li>
<li>When the <span class="uicontrol">Create User Certificate</span> page reloads,
click <span class="uicontrol">Install Certificate</span>. This will install the certificate
in the browser.</li>
<li>Export the certificate to your PC. You must store the certificate in a
password-protected file. <div class="note"><span class="notetitle">Note:</span> Microsoft<sup>®</sup> Internet Explorer 5 or Netscape
4.5 are required to use the export and import functions.</div>
</li>
</ol>
<p>Next, you must import the certificate to the IBM Key Management database so that the
Telnet client can use it for authentication by following these steps:</p>
<p>You
must add the Certificate Authority that created the client certificate to
the PC key database, otherwise the import of the client certificate will not
work.</p>
<ol><li>Click <span class="menucascade"><span class="uicontrol">Start</span> &gt; <span class="uicontrol">Programs</span> &gt; <span class="uicontrol">IBM iSeries Access for Windows</span> &gt; <span class="uicontrol">iSeries Access
for Windows Properties</span></span>.</li>
<li>Select the <span class="uicontrol">Secure Sockets</span> tab.</li>
<li>Click <span class="uicontrol">IBM Key Management</span>.</li>
<li>You will be prompted for your key database password. Unless you have previously
changed the password from the default, enter <samp class="codeph">ca400</samp>. A confirmation
message displays. Click <span class="uicontrol">OK</span>.</li>
<li>From the pull-down menu, select <span class="uicontrol">Personal certificates</span>.</li>
<li>Click <span class="uicontrol">Import</span>.</li>
<li>In the <span class="uicontrol">Import key</span> display, enter the file name
and path for the certificate. Click <span class="uicontrol">OK</span>.</li>
<li>Enter the password for the protected file. This is the same password that
you specified when you create a user certificate in DCM. Click <span class="uicontrol">OK</span>.
When the certificate has been successfully added to your personal certificates
in IBM Key
Management, you can use PC5250 emulator or any other Telnet application.</li>
</ol>
<p>With these steps complete, the Telnet server can establish an SSL
session with the Telnet client and the server can authenticate the user to
resources based on the certificate that the client presents.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiwscenariossl.htm" title="You can use Secure Sockets Layer (SSL) to secure Telnet on iSeries. This scenario provides a step-by-step configuration example.">Telnet scenario: Secure Telnet with SSL</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzahu/rzahurzahu66adcmstart.htm">Start DCM</a></div>
<div><a href="rzaiwconfiguresslcert.htm" title="When you enable the Telnet server on your system to use SSL, you can establish secure Telnet connections to your system from iSeries Access for Windows or from any other SSL-enabled Telnet client, such as a Personal Communications emulator.">Assign a certificate to the Telnet server</a></div>
</div>
</div>
</body>
</html>