ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzain_5.4.0.1/rzainmc.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Secure all connections to your Management Central server with SSL" />
<meta name="abstract" content="Read this scenario to use SSL to secure all connections with an iSeries server." />
<meta name="description" content="Read this scenario to use SSL to secure all connections with an iSeries server." />
<meta name="DC.Relation" scheme="URI" content="rzainscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="secclientmc.htm" />
<meta name="DC.Relation" scheme="URI" content="mcconfigsteps.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainsecapps.htm" />
<meta name="DC.Relation" scheme="URI" content="scenariodetails.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainplanssl.htm#rzainrequiredprogs" />
<meta name="DC.Relation" scheme="URI" content="http://publib.boulder.ibm.com/html/as400/v5r1/ic2924/info/rzain/rzainmc.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu401usingdcm.htm" />
<meta name="DC.Relation" scheme="URI" content="mcconfigsteps.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainplanssl.htm#rzainrequiredprogs" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahudcmfirsttime.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="mc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Secure all connections to your Management Central server
with SSL</title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="mc"><a name="mc"><!-- --></a><h1 class="topictitle1">Scenario: Secure all connections to your Management Central server
with SSL</h1>
<div><p>Read this scenario to use SSL to secure all connections with an iSeries™ server.</p>
<p>This scenario explains how to use SSL to secure all connections with an iSeries server
that is acting as a central system by using the iSeries Navigator Management Central
server.</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="mcconfigsteps.htm">Configuration details: Secure all connections to your Management Central server with SSL</a></strong><br />
This topic shows the details for using SSL to secure all connections to your Management Central server.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzainscenarios.htm" title="The SSL scenarios are designed to help you maximize the benefits of enabling SSL on your iSeries server:">Scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="secclientmc.htm" title="Use the information in this scenario to use SSL to secure a connection between a remote client and your server.">Scenario: Secure a client connection to your Management Central server with SSL</a></div>
<div><a href="rzainsecapps.htm" title="See a list of applications that you can use to secure with SSL on the iSeries server.">Application security with SSL</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="situation2"><a name="situation2"><!-- --></a><h1 class="sectionscenariobar">Situation:</h1>
<div><p>A company has just set up a wide area network (WAN) that includes several iSeries servers
in remote locations (endpoints). The endpoints are centrally managed by one iSeries server
(the central system), located at the main office. Tom is the company's security
specialist. Tom wants to use Secure Sockets Layer (SSL) to secure all of the
connections between the Management Central server on the company's central
system and all iSeries Access
servers and clients.</p>
</div>
</div>
<div class="nested0" xml:lang="en-us" id="details2"><a name="details2"><!-- --></a><h1 class="sectionscenariobar">Details:</h1>
<div><p>Tom can manage all connections to the Management Central server <strong>securely</strong>,
with SSL. To use SSL with the Management Central server, Tom needs to secure iSeries Navigator
on the PC that he uses to access the central system.</p>
<p>Tom chooses from two authentication levels for the Management Central server:</p>
<dl><dt class="dlterm">Server authentication</dt>
<dd>Provides authentication of the server certificate. The client must validate
the server, whether the client is iSeries Navigator on a PC, or the Management
Central server on the central system. When iSeries Navigator connects to the central
system, the PC is the SSL Client and the Management Central server running
on the central system is the SSL Server. The central system acts as an SSL
client when connecting to an endpoint system. The endpoint system acts as
an SSL server. The server must prove its identity to the client by providing
a certificate that was issued by a Certificate Authority that the client trusts.
There must be a valid certificate issued by a trusted CA for every SSL server.</dd>
<dt class="dlterm">Client and server authentication</dt>
<dd>Provides authentication of both the central system and the endpoint system
certificates. This is a stronger security level than the server authentication
level. In other applications, this is known as client authentication, where
the client must supply a valid trusted certificate. When the central system
(SSL client) attempts to establish a connection with an endpoint system (SSL
server), the central system and the endpoint system each verify that the other's
certificate was issued by a trusted Certificate Authority. <div class="note"><span class="notetitle">Note:</span> Client and server
authentication only happens between two iSeries systems. Client authentication
is not performed by the server when the client is a PC.</div>
<p>Unlike other
applications, Management Central also provides authentication through a validation
list, called the Trusted Group validation list. Generally, the validation list
stores information that identifies the user, such as a user identification,
and authentication information, such as password, personal identification
number, or digital certificate. This authentication information is encrypted.</p>
</dd>
</dl>
<div class="p">Most applications typically do not specify that you enable both server
and client authentication, because server authentication almost always occurs
during SSL session enablement. Many applications have client authentication
configuration options. Management Central uses the term "server and client
authentication" instead of client authentication because of the dual role
that the central system plays in the network. When PC users connect to the
central system, the central system acts as a server. However, when the central
system is connecting to an endpoint system, it acts as a client. The following
illustration shows how the central system operates as both a server and client
in a network. <div class="note"><span class="notetitle">Note:</span> In this illustration, the certificate associated with
the Certificate Authority must be stored in the key database on the central
system and on all of the endpoint systems. The Certificate Authority certificate must be
present on the central system, on all of the endpoints, and on the PC.</div>
<br /><a name="details2__image"><!-- --></a><img id="details2__image" src="rzain501.gif" alt="SSL-secured Management Central Wide Area Network (WAN)" /><br /></div>
</div>
</div>
<div class="nested0" xml:lang="en-us" id="before"><a name="before"><!-- --></a><h1 class="sectionscenariobar">Prerequisites and assumptions:</h1>
<div><div class="section"><p>Tom must perform the following administration and configuration
tasks in order to secure all of the connections to the Management Central
server:</p>
</div>
<ol><li class="stepexpand"><span>System A meets the prerequisites for SSL.</span></li>
<li class="stepexpand"><span>The central system and all endpoint iSeries servers run V5R2 or later versions
of OS/400<sup>®</sup> or i5/OS™.
V5R4 i5/OS connections
to V5R1 OS/400 systems
are not allowed.</span> </li>
<li class="stepexpand"><span>The iSeries Navigator
PC client runs V5R2 or later of iSeries Access for Windows<sup>®</sup>.</span></li>
<li class="stepexpand"><span>Get a Certificate Authority (CA) for iSeries servers.</span></li>
<li class="stepexpand"><span>Create a certificate that is signed by the CA, for System A.</span></li>
<li class="stepexpand"><span>Send the CA and a certificate to System A, and import them into
the key database.</span></li>
<li class="stepexpand"><span>Assign the certificates to the Management Central application
identification, and the application identifications for all of the iSeries Access
servers. The TCP central server, database server, data queue server, file
server, network print server, remote command server and signon server are
all iSeries Access
servers.</span><ol type="a"><li class="substepexpand"><span>Start IBM<sup>®</sup> Digital Certificate Manager on the Management Central
server. </span> If Tom needs to obtain or create certificates, or otherwise
set up or change his certificate system, he does so now.</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Select a Certificate Store</span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">*SYSTEM</span> and click <span class="uicontrol">Continue</span>.</span></li>
<li class="substepexpand"><span>Enter the *SYSTEM <kbd class="userinput">Certificate Store password</kbd>,
and click <span class="uicontrol">Continue</span>. When the menu reloads, expand <span class="uicontrol">Manage
Applications</span>.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Update certificate assignment</span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Server</span> and click <span class="uicontrol">Continue</span>.</span></li>
<li class="substepexpand"><span>Select the <kbd class="userinput">Management Central server</kbd>,
and click <span class="uicontrol">Update certificate assignment</span>. This assigns
a certificate to the Management Central server to use.</span></li>
<li class="substepexpand"><span>Choose the certificate you want to assign to the application,
and click <span class="uicontrol">Assign New Certificate</span>. DCM reloads to the <span class="uicontrol">Update
certificate assignment </span> page with a confirmation message.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Cancel</span> to return to the list of
applications.</span></li>
<li class="substepexpand"><span>Repeat this procedure for all iSeries Access servers.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Download the CA to the iSeries Navigator PC client.</span></li>
</ol>
</div>
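<p>The dual role described under Details (the central system validates endpoint certificates as an SSL client and is itself validated by endpoints as an SSL server), together with the requirement in the steps above that the CA certificate and a CA-issued certificate be present in every system's key database, can be modelled with the openssl command line. This is an added example, not part of the IBM scenario or of Digital Certificate Manager: one constructed CA issues certificates to a constructed "central" and "endpoint" system, a second CA stands for one that no system trusts, and <code>openssl verify -CAfile</code> stands in for the validation an SSL peer performs against the CA certificate held in its own key database.</p>

```shell
#!/bin/sh
# Added example (not IBM's code): model the scenario's trust relationships with
# the openssl CLI. One CA issues certificates to the central system and to an
# endpoint; "openssl verify -CAfile" stands in for the check an SSL peer makes
# against the CA certificate in its own key database. All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config; marks the self-signed CA as a CA, which verify requires.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

issue_ca() {    # $1 = CA name; writes $1.key and $1.pem
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

issue_cert() {  # $1 = issuing CA, $2 = system name; writes $2.key and $2.pem
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

# Exit 0 only if the presented certificate ($2) chains to the CA certificate
# ($1) held in the verifying system's key database.
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issue_ca company-ca             # the CA Tom distributes to every system
issue_ca other-ca               # a CA that no system in the scenario trusts
issue_cert company-ca central   # certificate assigned to the Management Central server
issue_cert company-ca endpoint  # certificate assigned on an endpoint system

# Server authentication: the central system (SSL client) validates the endpoint.
trusts company-ca.pem endpoint.pem && echo "server auth: endpoint accepted by central"
# Client authentication: the endpoint (SSL server) validates the central system.
trusts company-ca.pem central.pem && echo "client auth: central accepted by endpoint"
# Per the Note above: a key database without the company CA rejects the peer.
trusts other-ca.pem endpoint.pem || echo "endpoint rejected: CA not in key database"
```

The PC running iSeries Navigator corresponds to the first check only: it validates the central system's certificate but, as the Note under Details states, presents no certificate of its own.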
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzainplanssl.htm#rzainrequiredprogs">SSL prerequisites</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="scenariodetails.htm" title="This topic shows the expanded configurations steps for using SSL to secure a client connection to your Management Central server.">Configuration details: Secure a client connection to your Management Central server with SSL</a></div>
<div><a href="mcconfigsteps.htm" title="This topic shows the details for using SSL to secure all connections to your Management Central server.">Configuration details: Secure all connections to your Management Central server with SSL</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://publib.boulder.ibm.com/html/as400/v5r1/ic2924/info/rzain/rzainmc.htm">V5R1 Information Center, "Securing Management Central"</a></div>
<div><a href="../rzahu/rzahurzahu401usingdcm.htm">Using Digital Certificate Manager</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="configurationsteps2"><a name="configurationsteps2"><!-- --></a><h1 class="sectionscenariobar">Configuration steps:</h1>
<div><div class="section">Before Tom can enable SSL on the Management Central server, he must
install the prerequisite programs and set up digital certificates on the central
system. See the <a href="#before">Prerequisites and assumptions:</a> for this scenario before continuing.
Once he has met the prerequisites, he can complete the following procedures
to secure all connections to the Management Central server: <div class="note"><span class="notetitle">Note:</span> If SSL has
been enabled for iSeries Navigator,
Tom must disable it before he can enable SSL on the Management Central server.
If SSL has been enabled for iSeries Navigator and not the Management Central
server, attempts by iSeries Navigator to connect with the central system
will fail.</div>
</div>
<ol><li><span><a href="mcconfigsteps.htm#rzainmancentpi">Step 1: Configure the central system for server authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#endpointserver">Step 2: Configure endpoint systems for server authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartcentral1">Step 3: Restart the Management Central server on the central system</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartendpoint1">Step 4: Restart the Management Central server on all endpoint systems</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcactivatessl">Step 5: Activate SSL for the iSeries Navigator client</a></span></li>
<li><span><a href="mcconfigsteps.htm#clientmc">Step 6: Configure the central system for client authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#endpointmc">Step 7: Configure endpoint systems for client authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#mccopyval">Step 8: Copy the validation list to the endpoint systems</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartcentral2">Step 9: Restart the Management Central server on the central system</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartendpoint2">Step 10: Restart the Management Central server on all endpoint systems</a></span></li>
</ol>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzainplanssl.htm#rzainrequiredprogs">SSL prerequisites</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahudcmfirsttime.htm">Set up certificates for the first time</a></div>
</div>
</div></div>
</body>
</html>