<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="SSL initialization and handshake" />
<meta name="abstract" content="You can read in this topic for details about the interactions between Telnet servers, clients, and SSL." />
<meta name="description" content="You can read in this topic for details about the interactions between Telnet servers, clients, and SSL." />
<meta name="DC.Relation" scheme="URI" content="rzaiwconfiguresslparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiwssltel.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiwchkjoblog.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiwrzaiwsslinit" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>SSL initialization and handshake</title>
</head>
<body id="rzaiwrzaiwsslinit"><a name="rzaiwrzaiwsslinit"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">SSL initialization and handshake</h1>
<div><p><span>This topic describes the interactions between Telnet servers, clients, and SSL.</span></p>
<p>Understanding what happens during SSL processing can help you determine where a problem occurred.</p>
<div class="section"><h4 class="sectiontitle">What happens during SSL initialization?</h4><p>The Telnet server attempts to initialize SSL every time the server is started. During initialization, the Telnet server checks the certificate information in the QIBM_QTV_TELNET_SERVER application. You can tell that SSL initialization was successful when more than one active QTVTELNET job appears in the QSYSWRK subsystem. If the <strong>Number of server jobs to start</strong> field on the General page of the Telnet properties is set to 1, you see only one active QTVTELNET job.</p>
<p>The Telnet server does not initialize SSL when the telnet-ssl port is restricted. In that case the Telnet server sends the TCP2550 message <samp class="codeph">Access to port 992 is restricted</samp> to the QTVTELNET job log and to the QSYSOPR message queue.</p>
<p>When a certificate is incorrect or expired, initialization fails and the Telnet server sends message CPDBC <samp class="codeph">nn</samp> to the QTVTELNET job log.</p>
<p>Even if there is no certificate, or an expired certificate, in the QIBM_QTV_TELNET_SERVER application, the Telnet server successfully initializes SSL. However, the SSL handshake fails when a client tries to connect to the Telnet server, and the Telnet server sends message CPDBC <samp class="codeph">nn</samp> to the QTVTELNET job log.</p>
</div>
<div class="section"><h4 class="sectiontitle">What happens during SSL reinitialization?</h4><p>When the certificate in the QIBM_QTV_TELNET_SERVER application changes, the Telnet server reinitializes SSL if a DCM change occurs. This means that you can restore an expired certificate, or add or remove user certificates, and the Telnet server picks up the changes automatically. The process is the same as SSL initialization. New Telnet SSL client sessions use the new certificate; Telnet SSL client sessions that are already established continue to use the original certificate. After the Telnet server is ended and started again, all Telnet SSL client sessions use the new certificate.</p>
<p>If SSL reinitialization fails, established SSL sessions continue to use the original certificate that was initialized when the server started, and new sessions are blocked from connecting. The next time you start the Telnet server, SSL initialization fails, although there is still an active SSL listener. No new SSL connections succeed until a change in DCM forces the Telnet server to reinitialize successfully.</p>
</div>
<div class="section"><h4 class="sectiontitle">What happens during SSL handshake?</h4><p>An SSL handshake occurs when the Telnet SSL client connects to TCP port 992 and attempts an SSL negotiation with the server. While the client is connecting to the server, it displays status numbers or messages on the status bar of the open window.</p>
<p>If the SSL handshake fails, the Telnet session is not established; for example, a sign-on screen does not appear in the Telnet SSL client window. Consult the user guide or online help for your Telnet SSL client for information about specific status numbers or messages. The Telnet server sends message CPDBC <samp class="codeph">nn</samp> to the QTVTELNET job log.</p>
</div>
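<div class="section"><h4 class="sectiontitle">Probing the handshake from a client</h4><p>The following Python script is an added example; it is not part of the IBM documentation or of the Telnet server. It performs the same TLS handshake to port 992 that a Telnet SSL client attempts and maps the outcome onto the cases described in the initialization and handshake sections above (no listener because the port is restricted or the server is down, handshake rejected because the certificate is expired, missing or not trusted, or success with the days remaining before the server certificate expires). The host name is a placeholder, and the CPDBC <samp class="codeph">nn</samp> and TCP2550 references are hints about what to look for in the QTVTELNET job log, which the script cannot read.</p>

```python
"""Probe a Telnet SSL listener the way a Telnet SSL client does (added example)."""
import socket
import ssl
from datetime import datetime, timezone

TELNET_SSL_PORT = 992  # port the Telnet SSL client connects to


def classify_failure(exc: Exception) -> str:
    """Map a connect/handshake exception to the failure cases the topic describes."""
    # SSLCertVerificationError is a subclass of SSLError, so test it first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "handshake-failed: certificate rejected (expired, missing, or not trusted)"
    if isinstance(exc, ssl.SSLError):
        return "handshake-failed: SSL negotiation error; check QTVTELNET job log for CPDBC nn"
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused: no SSL listener; server not started or port 992 restricted (TCP2550)"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "tcp-timeout: host unreachable or port filtered"
    return f"unknown: {exc!r}"


def cert_days_remaining(cert: dict, now: datetime = None) -> int:
    """Days until notAfter, using the dict format ssl.SSLSocket.getpeercert() returns."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return (not_after.replace(tzinfo=timezone.utc) - now).days


def probe(host: str, port: int = TELNET_SSL_PORT, timeout: float = 5.0) -> str:
    """Attempt the TLS handshake and return a one-line verdict."""
    ctx = ssl.create_default_context()  # verifies the server certificate as a client would
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                days = cert_days_remaining(tls.getpeercert())
                return f"handshake-ok: {tls.version()}, certificate expires in {days} days"
    except OSError as exc:  # ssl.SSLError and socket errors are all OSError subclasses
        return classify_failure(exc)


if __name__ == "__main__":
    import sys
    # "telnet-host.example" is a placeholder; pass your iSeries host name as the argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "telnet-host.example"))
```

A certificate issued by a local DCM certificate authority that is not in the client's trust store is reported as "not trusted" by the default context, which is the same verdict a Telnet SSL client without that CA would reach.
</div>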
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiwconfiguresslparent.htm" title="With the Secure Sockets Layer (SSL) protocol, you can establish secure connections between the Telnet server application and Telnet clients that provide authentication of one or both endpoints of the communication session. SSL also provides privacy and integrity of the data that client and server applications exchange.">Secure Telnet with SSL</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzaiwssltel.htm" title="Use this topic to set up SSL on your iSeries server.">Configure SSL on the Telnet server</a></div>
<div><a href="rzaiwchkjoblog.htm" title="When SSL initialization and handshake fails, the Telnet server sends CPDBC nn diagnostic messages to the QTVTELNET job.">Check the Telnet job log</a></div>
</div>
</div>
</body>
</html>