Scenario: Secure a client connection to your Management Central server with SSL

Use the information in this scenario to use SSL to secure a connection between a remote client and your server.

This scenario explains how to use SSL to secure the connection between a remote client and an iSeries™ server that is acting as a central system by using the iSeries Navigator Management Central server.

Situation

A company has a local area network (LAN) that includes several iSeries servers in their office. This company's system administrator, Bob, has specified one of the iSeries servers as the central system (hereafter referred to as System A) for the LAN. Bob uses the Management Central server on System A to manage all of the other endpoints on his LAN.

Bob is concerned about connecting to the Management Central server on System A from a network connection that is external to his company's LAN. Bob travels for work a lot, and requires a secure connection to the Management Central server while he is away. He wants to ensure the connection between his PC and the Management Central server is secure when he is not in the company office. Bob decides to enable SSL on his PC and on System A's Management Central server. With SSL enabled in this way, Bob can be certain that his connection to the Management Central server is secure when he is traveling.

Objectives:

Bob wants to secure the connection between his PC and the Management Central server. Bob does not require additional security for the connection between the Management Central server on System A and the endpoints that are on the LAN. Other employees that work from the company office do not need additional security for their connections to the Management Central server, either. Bob's plan is to configure his PC and the Management Central server on System A, so that his connection uses server authentication. Connections to the Management Central server from other PCs or iSeries servers on the LAN are not secured with SSL.

Details:

The following table illustrates the types of authentication used, based on the enabling or disabling of SSL on a PC client:

Table 1. Required elements for an SSL-secured connection between a client and the Management Central server
SSL status on Bob's PC | Specified authentication level for the Management Central server on System A | SSL connection enabled?
SSL off | Any | No
SSL on | Any | Yes (server authentication)

Server authentication means that Bob's PC authenticates the Management Central server's certificate. Bob's PC acts as an SSL client when connecting to the Management Central server. The Management Central server acts as an SSL server and must prove its identity. The Management Central server does this by providing a certificate issued by a Certificate Authority (CA) that Bob's PC trusts.

Prerequisites and assumptions

Bob must perform these administration and configuration tasks in order to secure the connection between his PC and the Management Central server on System A:

  1. System A meets the prerequisites for SSL.
  2. OS/400 V5R3 or a later version of i5/OS™ is installed on System A.
  3. The iSeries Navigator PC client runs V5R3 or later of iSeries Access for Windows®.
  4. Get a Certificate Authority (CA) for iSeries servers.
  5. Create a certificate that is signed by the CA, for System A.
  6. Send the CA and a certificate to System A, and import them into the key database.
  7. Assign the certificate to the Management Central server application identification and to the application identifications for all of the iSeries Access servers. The TCP central server, database server, data queue server, file server, network print server, remote command server and signon server are all iSeries Access servers.
    1. On System A, start IBM® Digital Certificate Manager. Bob obtains or creates certificates, or otherwise sets up or changes his certificate system, now.
    2. Click Select a Certificate Store.
    3. Select *SYSTEM and click Continue.
    4. Enter the *SYSTEM Certificate Store password, and click Continue. When the menu reloads, expand Manage Applications.
    5. Click Update certificate assignment.
    6. Select Server and click Continue.
    7. Select the Management Central Server, and click Update certificate assignment. This assigns a certificate to the Management Central server to use.
    8. Click Assign New Certificate. DCM reloads to the Update certificate assignment page with a confirmation message.
    9. Click Done.
    10. Assign the certificate to all of the client access servers.
  8. Download the CA to the PC client.
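
The trust relationship that prerequisites 4 through 8 set up, and that the server authentication described under Details relies on, can be reproduced offline. This added example is not part of the original scenario and uses OpenSSL in place of Digital Certificate Manager; the CA names company-ca and other-ca and the host name systema.example.com are constructed.

```shell
#!/bin/sh
# Added illustration: OpenSSL stands in for DCM; every name here is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA certificate (NAME.pem) and key (NAME.key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA HOST: create a key and signing request for HOST,
# then sign the request with CA (prerequisite 5).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 1 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# client_trusts CA HOST: the check the SSL client makes during server
# authentication. HOST's certificate is accepted only if it chains to the
# CA certificate installed on the client (prerequisite 8).
client_trusts() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo accepted
  else echo rejected
  fi
}

make_ca company-ca                          # the CA from prerequisite 4
make_ca other-ca                            # a CA that did not sign the server certificate
issue_cert company-ca systema.example.com   # certificate for System A

echo "PC holds company-ca: $(client_trusts company-ca systema.example.com)"
echo "PC holds other-ca:   $(client_trusts other-ca systema.example.com)"
```

The second result shows what happens when the PC does not hold the issuing CA: the server's certificate is rejected even though it is well formed.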

Before Bob can enable SSL on the Management Central server, he must install the SSL Prerequisites and set up digital certificates on the iSeries server. Once he has met the prerequisites, he can complete the following procedures to enable SSL for the Management Central server.

Related concepts
SSL prerequisites

Configuration steps

Bob needs to complete the following steps in order to secure his PC client connection to the Management Central server on System A, with SSL:

  1. Step 1: Deactivate SSL for the iSeries Navigator client
  2. Step 2: Set the authentication level for the Management Central server
  3. Step 3: Restart the Management Central server on the central system
  4. Step 4: Activate SSL for the iSeries Navigator client
  5. Optional step: Deactivate SSL for the iSeries Navigator client