Telnet scenario: Secure Telnet with SSL

Situation

Bob is in the process of creating a home-based brokerage business. He has retired from his position as a stock broker at a major trading firm, and wants to continue to offer brokerage services to a small number of clients from his home. He runs his business on a small iSeries server, which he would like to use to provide account access to his clients, through 5250 Telnet sessions. Bob is currently working on a way to allow his clients continuous access to their accounts, so that they can manage their shareholdings. Bob wants his clients to use 5250 Telnet sessions to access their accounts, but he is concerned about the security of his server, as well as the security of his clients' sessions. After researching the iSeries server Telnet security options, Bob decides to use Secure Sockets Layer (SSL) to ensure the privacy of data over 5250 Telnet sessions between his iSeries server and clients.

Objectives

In this scenario, Bob wants to secure his brokerage clients' 5250 Telnet sessions to their shareholder accounts on his iSeries server. Bob wants to enable SSL to protect the privacy of client data as it passes through the Internet. He also wants to enable certificates for client authentication to ensure that his server verifies that only his clients are accessing their accounts. After Bob has configured the Telnet server for SSL and enabled client and server authentication, he can roll out this new account accessibility option to his clients, assuring them that their account access sessions will be secure. After Bob has met the following objectives, he can roll out this new account accessibility option to his clients, assuring them that their 5250 Telnet sessions will be secure:

• Secure the Telnet server with SSL
• Enable the Telnet server for client authentication
• Obtain a private certificate from a local certificate authority (CA) and assign it to the Telnet server.

Details

In this scenario, the setup for the brokerage business is as follows:

• An iSeries server runs i5/OS Version 5 Release 4 (V5R4) and provides shareholder account access over 5250 Telnet sessions.
• The i5/OS Telnet server application is started on the iSeries server.
• The Telnet server initializes SSL, and checks the certificate information in the QIBM_QTV_TELNET_SERVER application ID.
• If the Telnet certificate configuration is correct, the Telnet server begins listening on the SSL port for client connections.
• A client initiates a request for access to the Telnet server.
• The Telnet server responds by providing its certificate to the client.
• The client software validates the certificate as an acceptable, trusted source communicating with the server.
• The Telnet server requests a certificate from the client software.
• The client software presents a certificate to the Telnet server.
• The Telnet server validates the certificate, and recognizes the client's right to establish a 5250 session with the server.
• The Telnet server establishes a 5250 session with the client.

Prerequisites and assumptions

This scenario makes the following assumptions:

• iSeries server running i5/OS^® Version 5 Release 2 (V5R2) or later.
• TCP/IP is configured.
• Bob has IOSYSCFG authority.
• Telnet server is configured.
• Bob has addressed the issues in Plan for SSL enablement.
• Bob has created a local certificate authority on his iSeries server.

Task steps

There are two sets of tasks that Bob must complete to implement this scenario: One set of tasks allows him to set up his iSeries server to use SSL and require certificates for user authentication. The other set of tasks allows users on Telnet clients to participate in SSL sessions with Bob's Telnet server and obtain certificates for user authentication.

Bob performs the following task steps to complete this scenario:

Telnet server task steps

To implement this scenario, Bob must perform these tasks on his iSeries server:

1. Remove port restrictions
2. Create and operate Local Certificate Authority
3. Configure Telnet server to require certificates for client authentication
4. Enable and start SSL on Telnet server

Client configuration task steps

To implement this scenario, each user who will access the Telnet server on Bob's iSeries server must perform these tasks:

5. Enable SSL on the Telnet client

6. Enable Telnet client to present certificate for authentication

These tasks accomplish both SSL and client authentication by certificates, resulting in SSL-secured access to account information for Bob's clients using 5250 Telnet sessions.