Configuration details

This topic describes the task steps for securing Telnet with SSL.

Step 1: Remove port restrictions

In releases before V5R1, port restrictions were used because Secure Sockets Layer (SSL) support was not available for Telnet. Now you can specify whether SSL, non-SSL, or both are to start, so there is no longer a need for port restrictions. If you defined port restrictions in a previous release, you must remove them before you can use the SSL parameter.

To determine whether you have Telnet port restrictions and remove them so that you can configure the Telnet server to use SSL, follow these steps:

  1. To view any current port restrictions, start iSeries™ Navigator and expand your iSeries server > Network.
  2. Right-click TCP/IP Configuration and select Properties.
  3. Click the Port Restrictions tab to see a list of port restriction settings.
  4. Select the port restriction that you want to remove.
  5. Click Remove.
  6. Click OK.

By default, SSL sessions start on port 992 and non-SSL sessions on port 23. The Telnet server reads the non-SSL port from the service table entry for Telnet and the SSL port from the service table entry for Telnet-SSL.

Step 2: Create and operate Local Certificate Authority

To use Digital Certificate Manager (DCM) to create and operate a Local Certificate Authority (CA) on the iSeries server, follow these steps:

  1. Start DCM.
  2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms. These forms guide you through the process of creating a Local CA and completing other tasks needed to begin using digital certificates for SSL, object signing, and signature verification.
  3. Complete all the forms that display. There is a form for each of the tasks that you need to perform in order to create and operate a Local CA on the iSeries server. Completing these forms allows you to:
    1. Choose how to store the private key for the Local CA certificate. This step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor installed on your iSeries. If your system does not have a cryptographic coprocessor, DCM automatically stores the certificate and its private key in the Local CA certificate store.
    2. Provide identifying information for the Local CA.
    3. Install the Local CA certificate on your PC or in your browser. This enables software to recognize the Local CA and validate certificates that the CA issues.
    4. Choose the policy data for your Local CA.
    5. Use the new Local CA to issue a server or client certificate that applications can use for SSL connections. If you have an IBM® 4758-023 PCI Cryptographic Coprocessor installed in the iSeries server, this step allows you to select how to store the private key for the server or client certificate. If your system does not have a coprocessor, DCM automatically places the certificate and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM certificate store as part of this task.
    6. Select the applications that can use the server or client certificate for SSL connections.
      Note: Be sure to select the application ID for the i5/OS® Telnet server (QIBM_QTV_TELNET_SERVER).
    7. Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects. This creates the *OBJECTSIGNING certificate store, which you use to manage object signing certificates.
      Note: Although this scenario does not use object signing certificates, be sure to complete this step. If you cancel at this point in the task, the task ends and you need to perform separate tasks to complete your SSL certificate configuration.
    8. Select the applications that you want to trust the local CA.
      Note: Be sure to select the application ID for the i5/OS Telnet server (QIBM_QTV_TELNET_SERVER).

After you have completed the forms for this guided task, you can configure the Telnet Server to require client authentication.

Step 3: Configure Telnet server to require certificates for client authentication

To activate this support, the system administrator specifies how SSL is handled. Use the General panel of the Telnet Properties in iSeries Navigator to indicate whether SSL, non-SSL, or both start when the Telnet server starts. By default, both SSL and non-SSL support start.

The system administrator can also require SSL client authentication for all Telnet sessions. When SSL is active and client authentication is required, the server trusts a client only if it presents a valid certificate issued by a CA that the server trusts; a client that cannot present such a certificate cannot connect.

To configure the Telnet server to require certificates for client authentication, follow these steps:

  1. Start DCM.
  2. Click Select a Certificate Store.
  3. Select *SYSTEM as the certificate store to open and click Continue.
  4. Enter the appropriate password for *SYSTEM certificate store and click Continue.
  5. When the left navigational menu refreshes, select Manage Applications to display a list of tasks.
  6. Select the Update application definition task to display a series of forms.
  7. Select Server application and click Continue to display a list of server applications.
  8. From the list of applications, select i5/OS TCP/IP Telnet Server.
  9. Click Update Application Definition.
  10. In the table that displays, select Yes to require client authentication.
  11. Click Apply. The Update Application Definition page displays with a message to confirm your changes.
  12. Click Done.

Now that you have configured the Telnet server to require certificates for client authentication, you can enable and start SSL for the Telnet server.

Step 4: Enable and start SSL on Telnet server

To enable SSL on the Telnet server, follow these steps:

  1. Open iSeries Navigator.
  2. Expand My iSeries server > Network > Servers > TCP/IP.
  3. Right-click Telnet.
  4. Select Properties.
  5. Select the General tab.
  6. Choose one of these options for SSL support:
    • Secure only Select this to allow only SSL sessions with the Telnet server.
    • Non-secure only Select this to prohibit secure sessions with the Telnet server. Connection attempts on the SSL port are refused.
    • Both secure and non-secure Allows both secure and non-secure sessions with the Telnet server.

To start the Telnet server using iSeries Navigator, follow these steps:

  1. Expand your iSeries server > Network > Servers > TCP/IP.
  2. In the right pane, locate Telnet in the Server Name column.
  3. Confirm that Started appears in the Status column.
  4. If the server is not running, right-click Telnet and select Start.

Step 5: Enable SSL on the Telnet client

To participate in an SSL session, the Telnet client must be able to recognize and accept the certificate that the Telnet server presents when the SSL session is established. To authenticate the server's certificate, the Telnet client must have a copy of the issuing CA certificate in its key database on the PC. When the Telnet server uses a certificate from a Local CA, the Telnet client must obtain a copy of the Local CA certificate and install it in that key database.

To add a Local CA certificate from an iSeries so that the Telnet client can participate in SSL sessions with Telnet servers that use a certificate from the Local CA, follow these steps:

  1. Open iSeries Navigator.
  2. Right-click the name of your system.
  3. Select Properties.
  4. Select the Secure Sockets tab.
    Note: This tab will not appear unless you have completed a selective install of iSeries Client Encryption (128-bit), 5722-CE3.
  5. Click Download. This will download the iSeries Certificate Authority certificate automatically into the certificate key database.
  6. You will be prompted for your key database password. Unless you have previously changed the password from the default, enter ca400. Because this default is published, change it once the setup is complete. A confirmation message displays. Click OK.

The download button automatically updates the IBM Toolbox for Java™ PC key database.

Step 6: Enable Telnet client to present certificate for authentication

You have configured SSL for the Telnet server, specified that the server should trust certificates that the Local CA issues, and specified that it require certificates for client authentication. Now, users must present a valid and trusted client certificate to the Telnet server for each connection attempt.

Before client authentication will work, each client must obtain a certificate from the Local CA for authentication to the Telnet server and import that certificate into the IBM Key Management database.

First, clients must use DCM to obtain a user certificate by following these steps:

  1. Start DCM.
  2. In the left navigation frame, select Create Certificate to display a list of tasks.
  3. From the task list, select User Certificate and click Continue.
  4. Complete the User Certificate form. Only those fields marked "Required" need to be completed. Click Continue.
  5. Depending on the browser you use, you will be asked to generate a certificate that will be loaded into your browser. Follow the directions provided by the browser.
  6. When the Create User Certificate page reloads, click Install Certificate. This will install the certificate in the browser.
  7. Export the certificate to your PC. You must store the certificate in a password-protected file.
    Note: Microsoft® Internet Explorer 5 or Netscape 4.5 is required to use the export and import functions.

Next, import the certificate into the IBM Key Management database so that the Telnet client can use it for authentication. The Certificate Authority that issued the client certificate must already be in the PC key database (see Step 5); otherwise the import of the client certificate fails. Follow these steps:

  1. Click Start > Programs > IBM iSeries Access for Windows > iSeries Access for Windows Properties.
  2. Select the Secure Sockets tab.
  3. Click IBM Key Management.
  4. You will be prompted for your key database password. Unless you have previously changed the password from the default, enter ca400. A confirmation message displays. Click OK.
  5. From the pull-down menu, select Personal certificates.
  6. Click Import.
  7. In the Import key display, enter the file name and path for the certificate. Click OK.
  8. Enter the password for the protected file. This is the password that you set when you exported the certificate to the password-protected file (step 7 above). Click OK. When the certificate has been successfully added to your personal certificates in IBM Key Management, you can use the PC5250 emulator or any other Telnet application.

With these steps complete, the Telnet server can establish an SSL session with the Telnet client and the server can authenticate the user to resources based on the certificate that the client presents.
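To check the result of Steps 3 through 6 from the client side without a PC5250 session, the following added shell example (not part of the IBM documentation, iSeries Access or DCM) probes the Telnet-SSL port with openssl and classifies the outcome. The names TELNET_HOST, ca.pem (the Local CA certificate exported from DCM) and user.p12/user.pem (the exported user certificate) are assumptions, and the three embedded s_client transcripts are constructed, abridged samples so that the classifier runs offline.

```shell
#!/bin/sh
# Added example, not from the IBM documentation.  Assumed names (not on the
# original page): TELNET_HOST, ca.pem (Local CA certificate exported from
# DCM), user.p12/user.pem (the user certificate exported from the browser).

# Run one TLS probe against the Telnet-SSL port (992 by default).  Without
# -cert/-key, a server configured as in Step 3 sends a CertificateRequest and
# then rejects the handshake; with them supplied, the session should complete.
probe_telnet_ssl() {
  host=$1; port=${2:-992}; cafile=$3; cert=$4; key=$5
  if [ -n "$cert" ]; then
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
      -cert "$cert" -key "$key" </dev/null 2>&1
  else
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1
  fi
}

# Reduce s_client output to three fields:
#   verify=ok      server chain validated against the CA file (Step 5)
#   clientcert=yes server asked for a client certificate (Step 3 in effect)
#   handshake=ok   a cipher was negotiated, i.e. the session is usable
summarize_probe() {
  out=$1
  v=FAIL; c=no; h=FAIL
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' && v=ok
  printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names' && c=yes
  if printf '%s\n' "$out" | grep -q 'Cipher is' &&
     ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    h=ok
  fi
  printf 'verify=%s clientcert=%s handshake=%s\n' "$v" "$c" "$h"
}

# Map a summary line to the configuration step that still needs attention.
explain_summary() {
  case $1 in
    'verify=ok clientcert=yes handshake=ok')   echo 'client authenticated: Steps 3-6 complete' ;;
    'verify=ok clientcert=yes handshake=FAIL') echo 'server requires a client certificate: supply -cert/-key (Step 6)' ;;
    'verify=FAIL'*)                            echo 'server certificate not trusted: install the Local CA certificate (Step 5)' ;;
    *'clientcert=no'*)                         echo 'client authentication not required: check Step 3' ;;
    *)                                         echo 'unexpected result' ;;
  esac
}

# Constructed, abridged s_client transcripts (not real captures).
SAMPLE_NO_CLIENT_CERT='CONNECTED(00000003)
depth=1 CN = MYLOCALCA, O = Example Corp
verify return:1
---
Acceptable client certificate CA names
CN = MYLOCALCA, O = Example Corp
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---
140735254:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure'

SAMPLE_WITH_CLIENT_CERT='CONNECTED(00000003)
---
Acceptable client certificate CA names
CN = MYLOCALCA, O = Example Corp
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Verify return code: 0 (ok)
---'

SAMPLE_UNTRUSTED_CA='CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Verify return code: 19 (self signed certificate in certificate chain)
---'

if [ -n "$TELNET_HOST" ]; then
  # Live probes.  The browser export is usually PKCS#12; convert it with:
  #   openssl pkcs12 -in user.p12 -out user.pem -nodes
  s=$(summarize_probe "$(probe_telnet_ssl "$TELNET_HOST" 992 ca.pem)")
  echo "$s"; explain_summary "$s"
  s=$(summarize_probe "$(probe_telnet_ssl "$TELNET_HOST" 992 ca.pem user.pem user.pem)")
  echo "$s"; explain_summary "$s"
else
  for sample in "$SAMPLE_NO_CLIENT_CERT" "$SAMPLE_WITH_CLIENT_CERT" "$SAMPLE_UNTRUSTED_CA"; do
    s=$(summarize_probe "$sample"); echo "$s"; explain_summary "$s"
  done
fi
```

Run it with TELNET_HOST set to the iSeries host name and ca.pem and user.pem in the current directory; without TELNET_HOST it only classifies the constructed samples. A "clientcert=yes handshake=FAIL" result for the probe without a certificate is the expected sign that Step 3 is in effect, and "verify=FAIL" means the Local CA certificate has not been installed on the client (Step 5), which is the same condition that blocks the import in Step 6.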

Related tasks
Start DCM
Assign a certificate to the Telnet server