<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Secure all connections to your Management Central server with SSL" />
<meta name="abstract" content="Read this scenario to use SSL to secure all connections with an iSeries server." />
<meta name="description" content="Read this scenario to use SSL to secure all connections with an iSeries server." />
<meta name="DC.Relation" scheme="URI" content="rzainscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="secclientmc.htm" />
<meta name="DC.Relation" scheme="URI" content="mcconfigsteps.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainsecapps.htm" />
<meta name="DC.Relation" scheme="URI" content="scenariodetails.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainplanssl.htm#rzainrequiredprogs" />
<meta name="DC.Relation" scheme="URI" content="http://publib.boulder.ibm.com/html/as400/v5r1/ic2924/info/rzain/rzainmc.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu401usingdcm.htm" />
<meta name="DC.Relation" scheme="URI" content="mcconfigsteps.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainplanssl.htm#rzainrequiredprogs" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahudcmfirsttime.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="mc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Secure all connections to your Management Central server with SSL</title>
</head>
|
|
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="mc"><a name="mc"><!-- --></a><h1 class="topictitle1">Scenario: Secure all connections to your Management Central server with SSL</h1>
<div><p>Read this scenario to use SSL to secure all connections with an iSeries™ server.</p>
<p>This scenario explains how to use SSL to secure all connections with an iSeries server that is acting as a central system by using the iSeries Navigator Management Central server.</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="mcconfigsteps.htm">Configuration details: Secure all connections to your Management Central server with SSL</a></strong><br />
This topic shows the details for using SSL to secure all connections to your Management Central server.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzainscenarios.htm" title="The SSL scenarios are designed to help you maximize the benefits of enabling SSL on your iSeries server:">Scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="secclientmc.htm" title="Use the information in this scenario to use SSL to secure a connection between a remote client and your server.">Scenario: Secure a client connection to your Management Central server with SSL</a></div>
<div><a href="rzainsecapps.htm" title="See a list of applications that you can use to secure with SSL on the iSeries server.">Application security with SSL</a></div>
</div>
</div></div>
|
|
<div class="nested0" xml:lang="en-us" id="situation2"><a name="situation2"><!-- --></a><h1 class="sectionscenariobar">Situation:</h1>
<div><p>A company has just set up a wide area network (WAN) that includes several iSeries servers in remote locations (endpoints). The endpoints are centrally managed by one iSeries server (the central system), located at the main office. Tom is the company's security specialist. Tom wants to use Secure Sockets Layer (SSL) to secure all of the connections between the Management Central server on the company's central system and all iSeries Access servers and clients.</p>
</div>
</div>
|
|
<div class="nested0" xml:lang="en-us" id="details2"><a name="details2"><!-- --></a><h1 class="sectionscenariobar">Details:</h1>
<div><p>Tom can manage all connections to the Management Central server <strong>securely</strong>, with SSL. To use SSL with the Management Central server, Tom also needs to secure iSeries Navigator on the PC that he uses to access the central system.</p>
<p>Tom chooses from two authentication levels for the Management Central server:</p>
<dl><dt class="dlterm">Server authentication</dt>
<dd>Provides authentication of the server certificate. The client must validate the server, whether the client is iSeries Navigator on a PC or the Management Central server on the central system. When iSeries Navigator connects to the central system, the PC is the SSL client and the Management Central server running on the central system is the SSL server. The central system acts as an SSL client when connecting to an endpoint system, and the endpoint system acts as the SSL server. In either case the server must prove its identity to the client by presenting a certificate that was issued by a Certificate Authority (CA) that the client trusts, so every SSL server needs a valid certificate issued by a trusted CA.</dd>
<dt class="dlterm">Client and server authentication</dt>
<dd>Provides authentication of both the central system and the endpoint system certificates. This is a stronger security level than server authentication. In other applications this is known as client authentication, where the client must also supply a valid certificate from a trusted CA. When the central system (SSL client) attempts to establish a connection with an endpoint system (SSL server), each side verifies that the other's certificate was issued by a trusted Certificate Authority. <div class="note"><span class="notetitle">Note:</span> Client and server authentication only happens between two iSeries systems. Client authentication is not performed by the server when the client is a PC.</div>
<p>Unlike other applications, Management Central also provides authentication through a validation list, called the Trusted Group validation list. Generally, a validation list stores information that identifies the user, such as a user identification, and authentication information, such as a password, personal identification number, or digital certificate. This authentication information is encrypted.</p>
</dd>
</dl>
<div class="p">Most applications do not ask you to enable both server and client authentication, because server authentication almost always occurs as part of SSL session establishment; many applications simply offer a client authentication configuration option. Management Central uses the term "server and client authentication" instead of client authentication because of the dual role that the central system plays in the network. When PC users connect to the central system, the central system acts as a server. However, when the central system connects to an endpoint system, it acts as a client. The following illustration shows how the central system operates as both a server and a client in a network. <div class="note"><span class="notetitle">Note:</span> In this illustration, the certificate associated with the Certificate Authority must be stored in the key database on the central system and on all of the endpoint systems. The Certificate Authority must be trusted on the central system, on all of the endpoints, and on the PC.</div>
<br /><a name="details2__image"><!-- --></a><img id="details2__image" src="rzain501.gif" alt="SSL-secured Management Central Wide Area Network (WAN)" /><br /></div>
</div>
</div>
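<p>The two authentication levels above correspond directly to how a TLS stack is configured on each side of a connection. The following added example (not from the IBM page, and not IBM code) shows that mapping with Python's standard <code>ssl</code> module: the client side always requires and checks the server's certificate (server authentication), while the server side only demands a certificate from its peer at the "client and server authentication" level, and, following the note above, never when the peer is a PC. The function names, the <code>peer_is_pc</code> flag and the certificate file paths are assumptions made for the example; no network connection is made.</p>

```python
# Added example (not from the IBM page): how Management Central's two
# authentication levels map onto TLS settings, using Python's standard ssl
# module. File-name parameters are placeholders; no network connection is made.
import ssl


def client_context(ca_file=None):
    """Context for the SSL client side: iSeries Navigator on the PC, or the
    central system when it connects to an endpoint. "Server authentication"
    means the client requires the server's certificate, checks that it was
    issued by a CA in its trust store, and checks the server name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if ca_file is not None:
        # The CA certificate that was downloaded to the client (placeholder path).
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def server_context(level, peer_is_pc=False, ca_file=None, cert_file=None, key_file=None):
    """Context for the SSL server side: the Management Central server on the
    central system, or an endpoint system.

    level "server":            only the server presents a certificate.
    level "client-and-server": the server additionally demands a certificate
                               from the peer that chains to a trusted CA
                               (mutual TLS). Per the page's note this only
                               happens between two iSeries systems, so a PC
                               client is never asked for a certificate."""
    if level not in ("server", "client-and-server"):
        raise ValueError("unknown authentication level: %r" % level)
    # CLIENT_AUTH defaults: the server does not verify its peer (CERT_NONE),
    # which is the "most applications" default the page describes.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if cert_file is not None:
        # The server's own CA-signed certificate and private key (placeholders).
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    if level == "client-and-server" and not peer_is_pc:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file is not None:
            ctx.load_verify_locations(cafile=ca_file)
    return ctx


def auth_summary(ctx):
    """Describe what a context demands of its peer, in plain terms."""
    return {
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    print("PC or central system as client   :", auth_summary(client_context()))
    print("server auth only                 :", auth_summary(server_context("server")))
    print("client+server auth, iSeries peer :", auth_summary(server_context("client-and-server")))
    print("client+server auth, PC peer      :",
          auth_summary(server_context("client-and-server", peer_is_pc=True)))
```

<p>Running the block prints one summary per situation: the client side always requires a CA-signed peer certificate and a matching host name, a server at the "server authentication" level requires nothing from its peer, and a server at the "client and server authentication" level requires a CA-signed peer certificate only when the peer is another system rather than a PC. In a real deployment the placeholder paths would point at the CA certificate and the server's own certificate and key exported from the key database described in the prerequisites.</p>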
|
|
<div class="nested0" xml:lang="en-us" id="before"><a name="before"><!-- --></a><h1 class="sectionscenariobar">Prerequisites and assumptions:</h1>
<div><div class="section"><p>Tom must perform the following administration and configuration tasks in order to secure all of the connections to the Management Central server:</p>
</div>
<ol><li class="stepexpand"><span>System A meets the prerequisites for SSL.</span></li>
<li class="stepexpand"><span>The central system and all endpoint iSeries servers run V5R2 or later versions of OS/400<sup>®</sup> or i5/OS™. V5R4 i5/OS connections to V5R1 OS/400 systems are not allowed.</span></li>
<li class="stepexpand"><span>The iSeries Navigator PC client runs V5R2 or later of iSeries Access for Windows<sup>®</sup>.</span></li>
<li class="stepexpand"><span>Get a Certificate Authority (CA) for iSeries servers.</span></li>
<li class="stepexpand"><span>Create a certificate that is signed by the CA, for System A.</span></li>
<li class="stepexpand"><span>Send the CA and a certificate to System A, and import them into the key database.</span></li>
<li class="stepexpand"><span>Assign the certificates to the Management Central application identification, and to the application identifications for all of the iSeries Access servers. The TCP central server, database server, data queue server, file server, network print server, remote command server and signon server are all iSeries Access servers.</span><ol type="a"><li class="substepexpand"><span>Start IBM<sup>®</sup> Digital Certificate Manager on the Management Central server. </span> If Tom needs to obtain or create certificates, or otherwise set up or change his certificate system, he does so now.</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Select a Certificate Store</span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">*SYSTEM</span> and click <span class="uicontrol">Continue</span>.</span></li>
<li class="substepexpand"><span>Enter the *SYSTEM <kbd class="userinput">Certificate Store password</kbd>, and click <span class="uicontrol">Continue</span>. When the menu reloads, expand <span class="uicontrol">Manage Applications</span>.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Update certificate assignment</span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Server</span> and click <span class="uicontrol">Continue</span>.</span></li>
<li class="substepexpand"><span>Select the <kbd class="userinput">Management Central server</kbd>, and click <span class="uicontrol">Update certificate assignment</span>. This assigns a certificate for the Management Central server to use.</span></li>
<li class="substepexpand"><span>Choose the certificate you want to assign to the application, and click <span class="uicontrol">Assign New Certificate</span>. DCM reloads to the <span class="uicontrol">Update certificate assignment</span> page with a confirmation message.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Cancel</span> to return to the list of applications.</span></li>
<li class="substepexpand"><span>Repeat this procedure for all iSeries Access servers.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Download the CA to the iSeries Navigator PC client.</span></li>
</ol>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzainplanssl.htm#rzainrequiredprogs">SSL prerequisites</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="scenariodetails.htm" title="This topic shows the expanded configurations steps for using SSL to secure a client connection to your Management Central server.">Configuration details: Secure a client connection to your Management Central server with SSL</a></div>
<div><a href="mcconfigsteps.htm" title="This topic shows the details for using SSL to secure all connections to your Management Central server.">Configuration details: Secure all connections to your Management Central server with SSL</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://publib.boulder.ibm.com/html/as400/v5r1/ic2924/info/rzain/rzainmc.htm">V5R1 Information Center, "Securing Management Central"</a></div>
<div><a href="../rzahu/rzahurzahu401usingdcm.htm">Using Digital Certificate Manager</a></div>
</div>
</div></div>
|
|
<div class="nested0" xml:lang="en-us" id="configurationsteps2"><a name="configurationsteps2"><!-- --></a><h1 class="sectionscenariobar">Configuration steps:</h1>
<div><div class="section">Before Tom can enable SSL on the Management Central server, he must install the prerequisite programs and set up digital certificates on the central system. See <a href="#before">Prerequisites and assumptions</a> for this scenario before continuing. Once he has met the prerequisites, he can complete the following procedures to secure all connections to the Management Central server: <div class="note"><span class="notetitle">Note:</span> If SSL has already been enabled for iSeries Navigator, Tom must disable it before he can enable SSL on the Management Central server. If SSL is enabled for iSeries Navigator but not for the Management Central server, attempts by iSeries Navigator to connect to the central system will fail.</div>
</div>
<ol><li><span><a href="mcconfigsteps.htm#rzainmancentpi">Step 1: Configure the central system for server authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#endpointserver">Step 2: Configure endpoint systems for server authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartcentral1">Step 3: Restart the Management Central server on the central system</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartendpoint1">Step 4: Restart the Management Central server on all endpoint systems</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcactivatessl">Step 5: Activate SSL for the iSeries Navigator client</a></span></li>
<li><span><a href="mcconfigsteps.htm#clientmc">Step 6: Configure the central system for client authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#endpointmc">Step 7: Configure endpoint systems for client authentication</a></span></li>
<li><span><a href="mcconfigsteps.htm#mccopyval">Step 8: Copy the validation list to the endpoint systems</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartcentral2">Step 9: Restart the Management Central server on the central system</a></span></li>
<li><span><a href="mcconfigsteps.htm#mcrestartendpoint2">Step 10: Restart the Management Central server on all endpoint systems</a></span></li>
</ol>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzainplanssl.htm#rzainrequiredprogs">SSL prerequisites</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahudcmfirsttime.htm">Set up certificates for the first time</a></div>
</div>
</div></div>
</body>
</html>