<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="concept" /> <meta name="DC.Title" content="Telnet scenario: Secure Telnet with SSL" /> <meta name="abstract" content="You can use Secure Sockets Layer (SSL) to secure Telnet on iSeries. This scenario provides a step-by-step configuration example." /> <meta name="description" content="You can use Secure Sockets Layer (SSL) to secure Telnet on iSeries. This scenario provides a step-by-step configuration example." /> <meta name="DC.Relation" scheme="URI" content="rzaiwscenario.htm" /> <meta name="DC.Relation" scheme="URI" content="rzaiwscenariossldetails.htm" /> <meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzaiwscenariossl" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. 
--> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Telnet scenario: Secure Telnet with SSL</title> </head> <body id="rzaiwscenariossl"><a name="rzaiwscenariossl"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <h1 class="topictitle1">Telnet scenario: Secure Telnet with SSL</h1> <div><p>You can use Secure Sockets Layer (SSL) to secure Telnet on iSeries™. This scenario provides a step-by-step configuration example.</p> <div class="section" id="rzaiwscenariossl__situation"><a name="rzaiwscenariossl__situation"><!-- --></a><h4 class="sectionscenariobar">Situation</h4><p>Bob is in the process of creating a home-based brokerage business. He has retired from his position as a stock broker at a major trading firm, and wants to continue to offer brokerage services to a small number of clients from his home. He runs his business on a small iSeries server, which he would like to use to provide account access to his clients, through 5250 Telnet sessions. Bob is currently working on a way to allow his clients continuous access to their accounts, so that they can manage their shareholdings. Bob wants his clients to use 5250 Telnet sessions to access their accounts, but he is concerned about the security of his server, as well as the security of his clients' sessions. After researching the iSeries server Telnet security options, Bob decides to use Secure Sockets Layer (SSL) to ensure the privacy of data over 5250 Telnet sessions between his iSeries server and clients.</p> </div> <div class="section" id="rzaiwscenariossl__objective"><a name="rzaiwscenariossl__objective"><!-- --></a><h4 class="sectionscenariobar">Objectives</h4><p>In this scenario, Bob wants to secure his brokerage clients' 5250 Telnet sessions to their shareholder accounts on his iSeries server. 
Bob wants to enable SSL to protect the privacy of client data as it passes through the Internet. He also wants to enable certificates for client authentication, so that his server verifies that only his clients are accessing their accounts. After Bob has configured the Telnet server for SSL, enabled client and server authentication, and met the following objectives, he can roll out this new account accessibility option to his clients, assuring them that their 5250 Telnet sessions will be secure:</p> <ul><li>Secure the Telnet server with SSL</li> <li>Enable the Telnet server for client authentication</li> <li>Obtain a private certificate from a local certificate authority (CA) and assign it to the Telnet server</li> </ul> </div> <div class="section" id="rzaiwscenariossl__details"><a name="rzaiwscenariossl__details"><!-- --></a><h4 class="sectionscenariobar">Details</h4><p>In this scenario, the setup for the brokerage business is as follows:</p> <ul><li>An iSeries server runs i5/OS Version 5 Release 4 (V5R4) and provides shareholder account access over 5250 Telnet sessions.</li> <li>The i5/OS Telnet server application is started on the iSeries server.</li> <li>The Telnet server initializes SSL, and checks the certificate information in the <samp class="codeph">QIBM_QTV_TELNET_SERVER</samp> application ID.</li> <li>If the Telnet certificate configuration is correct, the Telnet server begins listening on the SSL port for client connections.</li> <li>A client initiates a request for access to the Telnet server.</li> <li>The Telnet server responds by providing its certificate to the client.</li> <li>The client software validates the certificate as an acceptable, trusted source communicating with the server.</li> <li>The Telnet server requests a certificate from the client software.</li> <li>The client software presents 
a certificate to the Telnet server.</li> <li>The Telnet server validates the certificate, and recognizes the client's right to establish a 5250 session with the server.</li> <li>The Telnet server establishes a 5250 session with the client.</li> </ul> </div> <div class="section" id="rzaiwscenariossl__prereq"><a name="rzaiwscenariossl__prereq"><!-- --></a><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><p>This scenario makes the following assumptions:</p> <ul><li>iSeries server running i5/OS<sup>®</sup> Version 5 Release 2 (V5R2) or later.</li> <li>TCP/IP is configured.</li> <li>Bob has IOSYSCFG authority.</li> <li><a href="rzaiwconfigtelsrvr.htm">Telnet server is configured</a>.</li> <li>Bob has addressed the issues in <a href="../rzain/rzainplanssl.htm">Plan for SSL enablement</a>.</li> <li>Bob has created a local certificate authority on his iSeries server.</li> </ul> </div> <div class="section" id="rzaiwscenariossl__steps"><a name="rzaiwscenariossl__steps"><!-- --></a><h4 class="sectionscenariobar">Task steps</h4><p>There are two sets of tasks that Bob must complete to implement this scenario: One set of tasks allows him to set up his iSeries server to use SSL and require certificates for user authentication. 
The other set of tasks allows users on Telnet clients to participate in SSL sessions with Bob's Telnet server and obtain certificates for user authentication.</p> <p>Bob performs the following task steps to complete this scenario:</p> <p><strong>Telnet server task steps</strong></p> <p>To implement this scenario, Bob must perform these tasks on his iSeries server:</p> <ol><li><a href="rzaiwscenariossldetails.htm#rzaiwscenariossldetails__removeport">Remove port restrictions</a></li> <li><a href="rzaiwscenariossldetails.htm#rzaiwscenariossldetails__createlca">Create and operate Local Certificate Authority</a></li> <li><a href="rzaiwscenariossldetails.htm#rzaiwscenariossldetails__configtelnet">Configure Telnet server to require certificates for client authentication</a></li> <li><a href="rzaiwscenariossldetails.htm#rzaiwscenariossldetails__enablessl">Enable and start SSL on Telnet server</a> </li> </ol> <p><strong>Client configuration task steps</strong></p> <p>To implement this scenario, each user who will access the Telnet server on Bob's iSeries server must perform these tasks:</p> <ol start="5"><li><a href="rzaiwscenariossldetails.htm#rzaiwscenariossldetails__enablesslclient">Enable SSL on the Telnet client</a></li> <li><a href="rzaiwscenariossldetails.htm#rzaiwscenariossldetails__telnetclient">Enable Telnet client to present certificate for authentication</a></li> </ol>
<p>These tasks accomplish both SSL and client authentication by certificates, resulting in SSL-secured access to account information for Bob's clients using 5250 Telnet sessions.</p> </div> </div> <div> <ul class="ullinks"> <li class="ulchildlink"><strong><a href="rzaiwscenariossldetails.htm">Configuration details</a></strong><br /> This topic describes the task steps for securing Telnet with SSL.</li> </ul> <div class="familylinks"> <div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiwscenario.htm" title="This topic provides examples of using Telnet to introduce basic concepts and configuration tasks.">Telnet scenarios</a></div> </div> </div> </body> </html>