Configuration details: Secure all connections to your Management Central server with SSL

This topic shows the details for using SSL to secure all connections to your Management Central server.

This topic assumes that you have read Scenario: Secure all connections to your Management Central server with SSL.

You now want to understand how to perform the steps required to secure all connections to the Management Central server. Follow along as Tom completes the scenario.

Before Tom can enable SSL on the Management Central server, he must install the prerequisite programs and set up digital certificates on the iSeries™ server. Once he has met the prerequisites, he can complete the following procedures to secure all connections to the Management Central server.
Note: If SSL has been enabled for iSeries Navigator, Tom must disable it before he can enable SSL on the Management Central server. If SSL has been enabled for iSeries Navigator, and not the Management Central server, attempts by iSeries Navigator to connect with the central system will fail.

SSL allows Tom to secure transmissions between a central system and an endpoint system, as well as between the iSeries Navigator client and the central system. SSL provides transport and authentication of certificates and encryption of data. An SSL connection can only occur between an SSL-enabled central system and an SSL-enabled endpoint system. Tom needs to configure server authentication before he can configure client authentication.


Step 1: Configure the central system for server authentication

  1. In iSeries Navigator, right-click Management Central and select Properties.
  2. Click the Security tab and select Use Secure Sockets Layer (SSL)
  3. Select Server as the authentication level.
  4. Click OK to set this value on the central system.
    Note: Do NOT restart the Management Central server until you are told to do so in a later step. If you restart the server now, you will not be able to contact your endpoint servers. You must complete more configuration tasks before the server can be restarted with SSL active: the SSL configuration must first be propagated to the endpoint systems with the Compare and Update task.

Step 2: Configure endpoint systems for server authentication

After Tom configures the central system for server authentication, he needs to configure the endpoint systems for server authentication. He completes the following tasks:
  1. Expand Management Central.
  2. Compare and update system values for the endpoint systems:
    1. Under Endpoint Systems, right-click the central system and select Inventory > Collect.
    2. Check the System Values option on the collect dialog box, in order to collect the system values inventory for the central system. Deselect any other options. Click OK and wait for the inventory task to complete.
    3. Right-click System Groups > New System Group.
    4. Define a new system group that includes all the endpoint systems that will connect using SSL. Name this new system group 'Trusted Group.'
    5. To display the new group, 'Trusted Group,' expand the list of system groups.
    6. After the collection is complete, right-click the new system group and select System Values > Compare and Update.
    7. Verify that the central system displays in the Model System field.
    8. In the Category field, select Management Central.
    9. Verify that Use Secure Sockets Layer is set to Yes and select Update to propagate this value to the 'Trusted Group'.
    10. Verify that SSL Authentication Level is set to Server and select Update to propagate this value to the 'Trusted Group'.
      Note: If these values are not set, complete Step 1: Configure the central system for server authentication.
    11. Click OK. Wait until the Compare and Update completes processing before continuing to the next step.

Step 3: Restart the Management Central server on the central system

  1. In iSeries Navigator, expand My Connections.
  2. Expand the central system.
  3. Expand Network > Servers and select TCP/IP.
  4. Right-click Management Central and select Stop. The central system view collapses, and a message displays, explaining that you are not connected to the server.
  5. Once the Management Central server has stopped, click Start to restart it.

Step 4: Restart the Management Central server on all endpoint systems

  1. In iSeries Navigator, expand My Connections.
  2. Expand the endpoint system that you are restarting.
  3. Expand Network > Servers and select TCP/IP.
  4. Right-click Management Central and select Stop.
  5. Once the Management Central server has stopped, click Start to restart it.
  6. Repeat this procedure for each endpoint system.

Step 5: Activate SSL for the iSeries Navigator client

  1. In iSeries Navigator, expand My Connections.
  2. Right-click the central system, and select Properties.
  3. Click the Secure Sockets tab and select Use Secure Sockets Layer (SSL) for connection.
  4. Exit iSeries Navigator and restart it.
Note: After you have completed these steps, server authentication is configured for your central and endpoint systems. You can optionally configure your central and endpoint systems for client authentication as well. Steps 6 through 10 should be completed if you want to enable client authentication on your central and endpoint systems.

Step 6: Configure the central system for client authentication

Now that Tom has completed the configuration for server authentication, he can opt to perform the following optional client authentication procedures. Client authentication provides validation of Certificate Authority and trusted group for both the endpoint systems and the central system. When the central system (SSL client) tries to use SSL to connect to an endpoint system (SSL server), the central system and the endpoint system authenticate each other's certificates through both server authentication and client authentication. This is also referred to as Certificate Authority and Trusted Group authentication.
Note: You cannot complete client authentication configuration until you have configured server authentication. If you have not configured server authentication, go back and do so, now.
  1. In iSeries Navigator, right-click Management Central and select Properties.
  2. Click the Security tab and select Use Secure Sockets Layer (SSL).
  3. Select Client and server for the authentication level.
  4. Click OK to set this value on the central system.
    Note: Do NOT restart the Management Central server until you are told to do so in a later step. If you restart the server now, you will not be able to contact your endpoint servers. You must complete more configuration tasks before the server can be restarted with SSL active: the SSL configuration must first be propagated to the endpoint systems with the Compare and Update task.

Step 7: Configure endpoint systems for client authentication

Compare and update system values for the endpoint systems:
  1. Expand Management Central.
  2. Compare and update system values for the endpoint systems:
    1. Under Endpoint Systems, right-click the central system and select Inventory > Collect.
    2. Check the System Values option on the collect dialog box, in order to collect the system values inventory for the central system. Deselect any other options. Click OK and wait for the inventory task to complete.
    3. After the collection is complete, right-click the 'Trusted Group' and select System Values > Compare and Update.
    4. Verify that the central system displays in the Model System field.
    5. In the Category field, select Management Central.
    6. Verify that Use Secure Sockets Layer is set to Yes and select Update to propagate this value to the 'Trusted Group'.
    7. Verify that SSL Authentication Level is set to Client and Server and select Update to propagate this value to the 'Trusted Group'.
      Note: If these values are not set, complete Step 6: Configure the central system for client authentication.
    8. Click OK. Wait until the Compare and Update completes processing before continuing to the next step.

Step 8: Copy the validation list to the endpoint systems

This task assumes that your central system is V5R3 or greater. On pre-V5R3 systems, QYPSVLDL.VLDL was located in QUSRSYS.LIB, not QMGTC2.LIB. Therefore, if you have pre-V5R3 systems, you will need to send the validation list to these systems and place it in QUSRSYS.LIB, instead of QMGTC2.LIB. For V5R3 and greater systems, continue with the following steps:
  1. In iSeries Navigator, expand Management Central > Definitions.
  2. Right-click Package, and select New Definition.
  3. In the New Definition window, work with the following:
    1. Name: Type the name of the definition.
    2. Source system: Select the name of the central system.
    3. Selected files and folders: Click in the field, and type /QSYS.LIB/QMGTC2.LIB/QYPSVLDL.VLDL.
  4. Click the Options tab, and select Replace existing file with the file being sent.
  5. Click Advanced.
  6. In the Advanced Options window, specify Yes to allow object differences on restore, and change the Target release to be the earliest release of your endpoints.
  7. Click OK to refresh the list of definitions and display the new package.
  8. Right-click the new package, and select Send.
  9. In the Send dialog box, expand System Groups > Trusted Group, located in the Available Systems and Groups list. This group is the one you defined in Step 2: Configure endpoint systems for server authentication.
    Note: The Send task will always fail on the central system, because it is always the source system. The Send task should complete successfully on all endpoint systems.
  10. If you have any pre-V5R3 systems in Trusted Group, you must manually go to those systems and move the QYPSVLDL.VLDL object from QMGTC2.LIB to QUSRSYS.LIB. If there is already a version of QYPSVLDL.VLDL in QUSRSYS.LIB, delete it and replace it with the newer one from QMGTC2.LIB.
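The following script is an added example, not IBM code or part of this topic. It models the Compare and Update check from Steps 2 and 7 (every endpoint in 'Trusted Group' must carry the model system's Use Secure Sockets Layer and SSL Authentication Level values before the server is restarted) and the release-dependent placement of QYPSVLDL.VLDL and the package Target release from Step 8, on a constructed inventory; the dict layout and the system names are assumptions for illustration only.

```python
"""Pre-restart consistency check for the Management Central SSL rollout.
Added example; the inventory below is constructed, not collected from a system."""
import re

# Constructed inventory: the central (model) system and the 'Trusted Group'.
# Values mirror the Management Central category of the system values inventory.
MODEL_SYSTEM = {"name": "CENTRAL01", "release": "V5R4",
                "use_ssl": "Yes", "ssl_auth_level": "Server"}
TRUSTED_GROUP = [
    {"name": "END01", "release": "V5R3", "use_ssl": "Yes", "ssl_auth_level": "Server"},
    {"name": "END02", "release": "V5R2", "use_ssl": "No", "ssl_auth_level": "Server"},
    {"name": "END03", "release": "V5R4", "use_ssl": "Yes", "ssl_auth_level": "Client and Server"},
]

def parse_release(release):
    """Turn 'V5R3' into (5, 3) so releases compare numerically."""
    m = re.fullmatch(r"V(\d+)R(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))

def compare_and_update(model, group, keys=("use_ssl", "ssl_auth_level")):
    """Return {system: {key: (model value, endpoint value)}} for each mismatch.
    An empty result means the group matches the model system and the
    Management Central server can safely be restarted (Steps 3/4 or 9/10)."""
    mismatches = {}
    for system in group:
        diff = {k: (model[k], system[k]) for k in keys if system[k] != model[k]}
        if diff:
            mismatches[system["name"]] = diff
    return mismatches

def validation_list_path(release):
    """Where QYPSVLDL.VLDL must live on a system of the given release (Step 8)."""
    lib = "QMGTC2.LIB" if parse_release(release) >= (5, 3) else "QUSRSYS.LIB"
    return f"/QSYS.LIB/{lib}/QYPSVLDL.VLDL"

def package_target_release(group):
    """Earliest release in the group: the value for the package's Target release."""
    return min((s["release"] for s in group), key=parse_release)

if __name__ == "__main__":
    for name, diff in compare_and_update(MODEL_SYSTEM, TRUSTED_GROUP).items():
        print(f"{name}: still needs update {diff}")
    print("Package target release:", package_target_release(TRUSTED_GROUP))
    for s in TRUSTED_GROUP:
        print(s["name"], "->", validation_list_path(s["release"]))
```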

Step 9: Restart the Management Central server on the central system

  1. In iSeries Navigator, expand My Connections.
  2. Expand the central system.
  3. Expand Network > Servers and select TCP/IP.
  4. Right-click Management Central and select Stop. The central system view collapses, and a message displays, explaining that you are not connected to the server.
  5. Once the Management Central server has stopped, click Start to restart it.

Step 10: Restart the Management Central server on all endpoint systems

Note: Repeat this procedure for each endpoint system.
  1. In iSeries Navigator, expand My Connections.
  2. Expand the endpoint system that you are restarting.
  3. Expand Network > Servers and select TCP/IP.
  4. Right-click Management Central and select Stop.
  5. Once the Management Central server has stopped, click Start to restart it.