<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configuration details: Secure all connections to your Management Central server with SSL" />
<meta name="abstract" content="This topic shows the details for using SSL to secure all connections to your Management Central server." />
<meta name="description" content="This topic shows the details for using SSL to secure all connections to your Management Central server." />
<meta name="DC.Relation" scheme="URI" content="rzainmc.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainplanssl.htm#rzainrequiredprogs" />
<meta name="DC.Relation" scheme="URI" content="rzainmc.htm#before" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahudcmfirsttime.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="mcconfigsteps" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configuration details: Secure all connections to your Management Central
server with SSL</title>
</head>
<body id="mcconfigsteps"><a name="mcconfigsteps"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configuration details: Secure all connections to your Management Central
server with SSL</h1>
<div><p>This topic shows the details for using SSL to secure all connections
to your Management Central server.</p>
<div class="p">The following information assumes that you have read <a href="rzainmc.htm#mc">Scenario: Secure all connections
to your Management Central server with SSL</a>.</div>
<div class="section"> <p>You now want to understand how to perform the steps required
to secure all connections to the Management Central server. Follow along as
Tom completes the scenario.</p>
<div class="p">Before Tom can enable SSL on the Management
Central server, he must install the prerequisite programs and set up digital
certificates on the iSeries™ server. Once he has met the prerequisites,
he can complete the following procedures to secure all connections to the
Management Central server. <div class="note"><span class="notetitle">Note:</span> If SSL has been enabled for iSeries Navigator,
Tom must disable it before he can enable SSL on the Management Central server.
If SSL is enabled for iSeries Navigator but not for the Management Central
server, attempts by iSeries Navigator to connect to the central system
will fail.</div>
</div>
<p>SSL allows Tom to secure transmissions between a central
system and an endpoint system, as well as between the iSeries Navigator client and the central
system. SSL provides transport and authentication of certificates, and encryption
of data. An SSL connection can only occur between an SSL-enabled central system
and an SSL-enabled endpoint system. Tom must configure server authentication
before he can configure client authentication. The steps follow.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzainmc.htm" title="Read this scenario to use SSL to secure all connections with an iSeries server.">Scenario: Secure all connections to your Management Central server with SSL</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzainplanssl.htm#rzainrequiredprogs">SSL prerequisites</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzainmc.htm#before">Prerequisites and assumptions:</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahudcmfirsttime.htm">Set up certificates for the first time</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="rzainmancentpi"><a name="rzainmancentpi"><!-- --></a><h2 class="sectionscenariobar">Step 1: Configure the central system
for server authentication</h2>
<div><ol><li class="stepexpand"><span>In iSeries Navigator,
right-click <span class="uicontrol">Management Central</span> and select <span class="uicontrol">Properties</span>.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">Security</span> tab and select <span class="uicontrol">Use
Secure Sockets Layer (SSL)</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Server</span> as the authentication level. </span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to set this value on the central
system.</span> <div class="note"><span class="notetitle">Note:</span> Do <strong>NOT</strong> restart the Management Central server
until a later step tells you to. If you restart the server now, you will not be
able to contact your endpoint systems, because restarting activates SSL on the
central system before the endpoints are configured for it. You must first propagate
the SSL configuration to the endpoint systems with the Compare and Update task;
only then can the server be restarted.</div>
</li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="endpointserver"><a name="endpointserver"><!-- --></a><h2 class="sectionscenariobar">Step 2: Configure endpoint systems
for server authentication</h2>
<div><div class="section">After Tom configures the central system for server authentication,
he needs to configure the endpoint systems for server authentication. He completes
the following tasks:</div>
<ol><li><span>Expand <span class="uicontrol">Management Central</span>.</span></li>
<li><span>Compare and update system values for the endpoint systems: </span><ol type="a"><li class="substepexpand"><span>Under <span class="uicontrol">Endpoint Systems</span>, right-click
the central system and select <span class="menucascade"><span class="uicontrol">Inventory</span> &gt; <span class="uicontrol">Collect</span></span>.</span></li>
<li class="substepexpand"><span>Check the <span class="uicontrol">System Values</span> option on the
collect dialog box, in order to collect the system values inventory for the central
system. Deselect any other options. Click <span class="uicontrol">OK</span> and wait for the inventory task
to complete.</span></li>
<li class="substepexpand"><span>Right-click <span class="menucascade"><span class="uicontrol">System Groups</span> &gt; <span class="uicontrol">New System Group</span></span>.</span></li>
<li class="substepexpand"><span>Define a new system group that includes all the endpoint systems
that will be connected to using SSL. Name this new system group 'Trusted Group'.</span></li>
<li class="substepexpand"><span>To display the new group, 'Trusted Group,' expand the list of
system groups.</span></li>
<li class="substepexpand"><span>After the collection is complete, right-click the new system
group and select <span class="menucascade"><span class="uicontrol">System Values</span> &gt; <span class="uicontrol">Compare
and Update</span></span>.</span></li>
<li class="substepexpand"><span>Verify that the central system displays in the <span class="uicontrol">Model
System</span> field.</span></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>In the <span class="uicontrol">Category</span> field, select <span class="uicontrol">Management
Central</span>. </span><img src="./deltaend.gif" alt="End of change" /></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>Verify that <span class="uicontrol">Use Secure Sockets Layer</span> is
set to <span class="uicontrol">Yes</span> and select <span class="uicontrol">Update</span> to
propagate this value to the 'Trusted Group'. </span><img src="./deltaend.gif" alt="End of change" /></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>Verify that <span class="uicontrol">SSL Authentication Level</span> is
set to <span class="uicontrol">Server</span> and select <span class="uicontrol">Update</span> to
propagate this value to the 'Trusted Group'. </span> <div class="note"><span class="notetitle">Note:</span> If these values
are not set, complete <a href="#rzainmancentpi">Step 1: Configure the central
system for server authentication</a>.</div>
<img src="./deltaend.gif" alt="End of change" /></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>Click <span class="uicontrol">OK</span>. Wait until the <span class="uicontrol">Compare
and Update</span> completes processing before continuing to the next
step.</span><img src="./deltaend.gif" alt="End of change" /></li>
</ol>
</li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="mcrestartcentral1"><a name="mcrestartcentral1"><!-- --></a><h2 class="sectionscenariobar">Step 3: Restart the Management Central
server on the central system</h2>
<div><ol><li><span>In iSeries Navigator,
expand <span class="uicontrol">My Connections</span>.</span></li>
<li><span>Expand the central system.</span></li>
<li><span>Expand <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span></span> and select <span class="uicontrol">TCP/IP</span>.</span></li>
<li><span>Right-click <span class="uicontrol">Management Central</span> and select <span class="uicontrol">Stop</span>.
The central system view collapses, and a message displays, explaining that
you are not connected to the server.</span></li>
<li><span>Once the Management Central server has stopped, click <span class="uicontrol">Start</span> to
restart it. </span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="mcrestartendpoint1"><a name="mcrestartendpoint1"><!-- --></a><h2 class="sectionscenariobar">Step 4: Restart the Management Central
server on all endpoint systems</h2>
<div><ol><li><span>In iSeries Navigator,
expand <span class="uicontrol">My Connections</span>.</span></li>
<li><span>Expand the endpoint system that you are restarting.</span></li>
<li><span>Expand <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span></span> and select <span class="uicontrol">TCP/IP</span>.</span></li>
<li><span>Right-click <span class="uicontrol">Management Central</span> and select <span class="uicontrol">Stop</span>. </span></li>
<li><span>Once the Management Central server has stopped, click <span class="uicontrol">Start</span> to
restart it.</span></li>
<li><span>Repeat this procedure for each endpoint system.</span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="mcactivatessl"><a name="mcactivatessl"><!-- --></a><h2 class="sectionscenariobar">Step 5: Activate SSL for the iSeries Navigator
client</h2>
<div><ol><li><span>In iSeries Navigator,
expand <span class="uicontrol">My Connections</span>.</span></li>
<li><span>Right-click the central system, and select <span class="uicontrol">Properties</span>.</span></li>
<li><span>Click the <span class="uicontrol">Secure Sockets</span> tab and select <span class="uicontrol">Use
Secure Sockets Layer (SSL) for connection</span>.</span></li>
<li><span>Exit iSeries Navigator
and restart it.</span></li>
</ol>
<div class="section"><img src="./delta.gif" alt="Start of change" /><div class="note"><span class="notetitle">Note:</span> After you have completed these steps, server authentication
is configured for your central and endpoint systems. You can optionally configure
your central and endpoint systems for client authentication as well. Steps
6 through 10 should be completed if you want to enable client authentication
on your central and endpoint systems.</div>
<img src="./deltaend.gif" alt="End of change" /></div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="clientmc"><a name="clientmc"><!-- --></a><h2 class="sectionscenariobar">Step 6: Configure the central system
for client authentication</h2>
<div><div class="section">Now that Tom has completed the configuration for server authentication,
he can choose to perform the following optional client authentication procedures.
Client authentication validates the Certificate Authority and the trusted group
membership of both the endpoint systems and the central system. When the central
system (SSL client) uses SSL to connect to an endpoint system (SSL
server), the central system and the endpoint system authenticate each other's
certificates through both server authentication and client authentication.
This is also referred to as Certificate Authority and Trusted Group authentication.
<div class="note"><span class="notetitle">Note:</span> You cannot complete the client authentication configuration until you have
configured server authentication. If you have not configured server authentication,
go back and do so now.</div>
</div>
<ol><li class="stepexpand"><span>In iSeries Navigator,
right-click <span class="uicontrol">Management Central</span> and select <span class="uicontrol">Properties</span>.</span></li>
<li class="stepexpand"><span>Click the <span class="uicontrol">Security</span> tab and select <span class="uicontrol">Use
Secure Sockets Layer (SSL)</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Client and server</span> for the authentication
level.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to set this value on the central
system. </span> <div class="note"><span class="notetitle">Note:</span> Do <strong>NOT</strong> restart the Management Central server
until a later step tells you to. If you restart the server now, you will not be
able to contact your endpoint systems, because restarting activates SSL on the
central system before the endpoints are configured for it. You must first propagate
the SSL configuration to the endpoint systems with the Compare and Update task;
only then can the server be restarted.</div>
</li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="endpointmc"><a name="endpointmc"><!-- --></a><h2 class="sectionscenariobar">Step 7: Configure endpoint systems
for client authentication</h2>
<div><div class="section">Tom now propagates the client authentication setting to the endpoint systems by comparing and updating their system values: </div>
<ol><li><span>Expand <span class="uicontrol">Management Central</span>.</span></li>
<li><span>Compare and update system values for the endpoint systems: </span><ol type="a"><li class="substepexpand"><span>Under <span class="uicontrol">Endpoint Systems</span>, right-click the central system and select <span class="menucascade"><span class="uicontrol">Inventory</span> &gt; <span class="uicontrol">Collect</span></span>.</span></li>
<li class="substepexpand"><span>Check the <span class="uicontrol">System Values</span> option on the
collect dialog box, in order to collect the system values inventory for the central
system. Deselect any other options. Click <span class="uicontrol">OK</span> and wait for the inventory task
to complete.</span></li>
<li class="substepexpand"><span>After the collection is complete, right-click the 'Trusted Group'
and select <span class="menucascade"><span class="uicontrol">System Values</span> &gt; <span class="uicontrol">Compare
and Update</span></span>.</span></li>
<li class="substepexpand"><span>Verify that the central system displays in the <span class="uicontrol">Model
System</span> field.</span></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>In the <span class="uicontrol">Category</span> field, select <span class="uicontrol">Management
Central</span>. </span><img src="./deltaend.gif" alt="End of change" /></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>Verify that <span class="uicontrol">Use Secure Sockets Layer</span> is
set to <span class="uicontrol">Yes</span> and select <span class="uicontrol">Update</span> to
propagate this value to the 'Trusted Group'. </span><img src="./deltaend.gif" alt="End of change" /></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>Verify that <span class="uicontrol">SSL Authentication Level</span> is
set to <span class="uicontrol">Client and Server</span> and select <span class="uicontrol">Update</span> to
propagate this value to the 'Trusted Group'. </span> <div class="note"><span class="notetitle">Note:</span> If these values
are not set, complete <a href="#clientmc">Step 6: Configure the central
system for client authentication</a>.</div>
<img src="./deltaend.gif" alt="End of change" /></li>
<li class="substepexpand"><img src="./delta.gif" alt="Start of change" /><span>Click <span class="uicontrol">OK</span>. Wait until the <span class="uicontrol">Compare
and Update</span> completes processing before continuing to the next
step.</span><img src="./deltaend.gif" alt="End of change" /></li>
</ol>
</li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="mccopyval"><a name="mccopyval"><!-- --></a><h2 class="sectionscenariobar">Step 8: Copy the validation list to
the endpoint systems</h2>
<div><div class="p">This task assumes that your central system is V5R3 or greater. On
pre-V5R3 systems, QYPSVLDL.VLDL was located in QUSRSYS.LIB, not QMGTC2.LIB.
Therefore, if you have pre-V5R3 systems, you will need to send the validation
list to these systems and place it in QUSRSYS.LIB, instead of QMGTC2.LIB.
For V5R3 and greater systems, continue with the following steps:</div>
<ol><li class="stepexpand"><span>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">Management Central</span> &gt; <span class="uicontrol">Definitions</span></span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Package</span>, and select <span class="uicontrol">New
Definition</span>.</span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">New Definition</span> window, work with
the following: </span><ol type="a"><li><span><span class="uicontrol">Name:</span> Type the name of the definition.</span></li>
<li><span><span class="uicontrol">Source system:</span> Select the name of the
central system.</span></li>
<li><span><span class="uicontrol">Selected files and folders:</span> Click in
the field, and type <kbd class="userinput">/QSYS.LIB/QMGTC2.LIB/QYPSVLDL.VLDL</kbd>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Click the <span class="uicontrol">Options</span> tab, and select <span class="uicontrol">Replace
existing file with the file being sent</span>.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">Advanced</span>.</span></li>
<li class="stepexpand"><span> In the <span class="uicontrol">Advanced Options</span> window, specify <span class="uicontrol">Yes</span> to
allow object differences on restore, and change the <span class="uicontrol">Target release</span> to
be the earliest release of your endpoints.</span></li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to refresh the list of definitions
and display the new package.</span></li>
<li class="stepexpand"><span>Right-click the new package, and select <span class="uicontrol">Send</span>.</span></li>
<li class="stepexpand"><span>In the <span class="uicontrol">Send</span> dialog box, expand <span class="menucascade"><span class="uicontrol">System
Groups</span> &gt; <span class="uicontrol">Trusted Group</span></span>, located in the <span class="uicontrol">Available Systems
and Groups</span> list. This group is the one you defined in <a href="#endpointserver">Step 2: Configure endpoint systems for server authentication</a>.</span> <div class="note"><span class="notetitle">Note:</span> The <span class="uicontrol">Send</span> task will always fail on the central
system, because it is always the source system. The <span class="uicontrol">Send</span> task
should complete successfully on all endpoint systems.</div>
</li>
<li class="stepexpand"><span>If you have any pre-V5R3 systems in <span class="uicontrol">Trusted Group</span>,
you must manually go to those systems and move the <samp class="codeph">QYPSVLDL.VLDL</samp> object
from <samp class="codeph">QMGTC2.LIB</samp> to <samp class="codeph">QUSRSYS.LIB</samp>. If there
is already a version of <samp class="codeph">QYPSVLDL.VLDL</samp> in <samp class="codeph">QUSRSYS.LIB</samp>,
delete it and replace it with the newer one from <samp class="codeph">QMGTC2.LIB</samp>.</span></li>
</ol>
</div>
</div>
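<div class="section"><p>The following added example (not IBM's code and not an iSeries Navigator API) models the check behind the Compare and Update steps in Step 2 and Step 7 and the validation list placement rule from Step 8: before the central server is restarted, every endpoint in the 'Trusted Group' must already carry the model system's Management Central SSL values, otherwise that endpoint becomes unreachable. The <samp class="codeph">McSystemValues</samp> record, <samp class="codeph">preflight</samp> and <samp class="codeph">validation_list_path</samp> are hypothetical helpers, and the system names, releases and inventory records are constructed sample data.</p></div>

```python
"""Pre-restart check for a Management Central SSL rollout (added example, not IBM's code)."""
import re
from dataclasses import dataclass

# Where QYPSVLDL.VLDL lives depends on the release (Step 8):
# QMGTC2.LIB on V5R3 and later, QUSRSYS.LIB on earlier releases.
VLDL_OBJECT = "QYPSVLDL.VLDL"
RELEASE_RE = re.compile(r"^V(\d+)R(\d+)M(\d+)$")


def parse_release(release: str) -> tuple:
    """Turn an i5/OS release string such as 'V5R3M0' into a comparable (v, r, m) tuple."""
    m = RELEASE_RE.match(release.strip().upper())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(g) for g in m.groups())


def validation_list_path(release: str) -> str:
    """IFS path where the validation list must be placed on a system at this release."""
    lib = "QMGTC2.LIB" if parse_release(release) >= (5, 3, 0) else "QUSRSYS.LIB"
    return f"/QSYS.LIB/{lib}/{VLDL_OBJECT}"


@dataclass(frozen=True)
class McSystemValues:
    """Hypothetical record of one system's Management Central inventory values."""
    name: str
    release: str
    use_ssl: bool      # 'Use Secure Sockets Layer'
    auth_level: str    # 'Server' or 'Client and Server'


def preflight(model: McSystemValues, group: list) -> dict:
    """Compare each endpoint in the group against the model (central) system.

    Endpoints whose SSL values differ from the model would be unreachable once the
    central server restarts with SSL active, so restarting is only safe when that
    list is empty. Also returns the earliest release in the group (the value for
    the package's 'Target release') and the validation list path per endpoint.
    """
    if not group:
        raise ValueError("the Trusted Group contains no endpoint systems")
    mismatched = [
        s.name for s in group
        if (s.use_ssl, s.auth_level.lower()) != (model.use_ssl, model.auth_level.lower())
    ]
    earliest = min(group, key=lambda s: parse_release(s.release)).release
    return {
        "safe_to_restart": not mismatched,
        "mismatched": mismatched,
        "target_release": earliest,
        "vldl_paths": {s.name: validation_list_path(s.release) for s in group},
    }

# Constructed inventory: the central system after Step 6 and three endpoints,
# one of which has not yet received the Step 7 Compare and Update.
CENTRAL = McSystemValues("CENTRAL01", "V5R4M0", True, "Client and Server")
TRUSTED_GROUP = [
    McSystemValues("ENDPT01", "V5R4M0", True, "Client and Server"),
    McSystemValues("ENDPT02", "V5R2M0", True, "Client and Server"),
    McSystemValues("ENDPT03", "V5R3M0", True, "Server"),  # still at Step 2 values
]

if __name__ == "__main__":
    report = preflight(CENTRAL, TRUSTED_GROUP)
    print("Safe to restart the central server:", report["safe_to_restart"])
    print("Endpoints still needing Compare and Update:", report["mismatched"])
    print("Package 'Target release':", report["target_release"])
    for name, path in report["vldl_paths"].items():
        print(f"  {name}: {path}")
```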
<div class="nested1" xml:lang="en-us" id="mcrestartcentral2"><a name="mcrestartcentral2"><!-- --></a><h2 class="sectionscenariobar">Step 9: Restart the Management Central
server on the central system</h2>
<div><ol><li><span>In iSeries Navigator,
expand <span class="uicontrol">My Connections</span>.</span></li>
<li><span>Expand the central system.</span></li>
<li><span>Expand <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span></span> and select <span class="uicontrol">TCP/IP</span>.</span></li>
<li><span>Right-click <span class="uicontrol">Management Central</span> and select <span class="uicontrol">Stop</span>.
The central system view collapses, and a message displays, explaining that
you are not connected to the server.</span></li>
<li><span>Once the Management Central server has stopped, click <span class="uicontrol">Start</span> to
restart it.</span></li>
</ol>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="mcrestartendpoint2"><a name="mcrestartendpoint2"><!-- --></a><h2 class="sectionscenariobar">Step 10: Restart the Management Central
server on all endpoint systems</h2>
<div><div class="section"><div class="note"><span class="notetitle">Note:</span> Repeat this procedure for each endpoint system.</div>
</div>
<ol><li><span>In iSeries Navigator,
expand <span class="uicontrol">My Connections</span>.</span></li>
<li><span>Expand the endpoint system that you are restarting.</span></li>
<li><span>Expand <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span></span> and select <span class="uicontrol">TCP/IP</span>.</span></li>
<li><span>Right-click <span class="uicontrol">Management Central</span> and select <span class="uicontrol">Stop</span>. </span></li>
<li><span>Once the Management Central server has stopped, click <span class="uicontrol">Start</span> to
restart it.</span></li>
</ol>
</div>
</div>
</body>
</html>