<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Secure a client connection to your Management Central server with SSL" />
<meta name="abstract" content="Use the information in this scenario to use SSL to secure a connection between a remote client and your server." />
<meta name="description" content="Use the information in this scenario to use SSL to secure a connection between a remote client and your server." />
<meta name="DC.Relation" scheme="URI" content="rzainscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainmc.htm" />
<meta name="DC.Relation" scheme="URI" content="scenariodetails.htm" />
<meta name="DC.Relation" scheme="URI" content="rzainplanssl.htm#rzainrequiredprogs" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahudcmfirsttime.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu66adcmstart.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="secclientmc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Secure a client connection to your Management Central server
with SSL</title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="secclientmc"><a name="secclientmc"><!-- --></a><h1 class="topictitle1">Scenario: Secure a client connection to your Management Central server
with SSL</h1>
<div><p>This scenario shows how to use SSL to secure a connection
between a remote client and your server.</p>
<p>This scenario explains how to use SSL to secure the connection between
a remote client and an iSeries™ server that is acting as a central system
by using the iSeries Navigator Management Central server. </p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="scenariodetails.htm">Configuration details: Secure a client connection to your Management Central server with SSL</a></strong><br />
This topic shows the expanded configuration steps for using SSL to secure a client connection to your Management Central server.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzainscenarios.htm" title="The SSL scenarios are designed to help you maximize the benefits of enabling SSL on your iSeries server:">Scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzainmc.htm" title="Read this scenario to use SSL to secure all connections with an iSeries server.">Scenario: Secure all connections to your Management Central server with SSL</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="situation"><a name="situation"><!-- --></a><h1 class="sectionscenariobar">Situation</h1>
<div><p>A company has a local area network (LAN) that includes several iSeries
servers in their office. This company's system administrator, Bob, has specified
one of the iSeries servers as the central system (hereafter referred to as
System A) for the LAN. Bob uses the Management Central server on System A
to manage all of the other endpoints on his LAN.</p>
<p>Bob is concerned about connecting to the Management Central server on System
A from a network connection that is external to his company's LAN. Bob travels
for work a lot, and requires a secure connection to the Management Central
server while he is away. He wants to ensure the connection between his PC
and the Management Central server is secure when he is not in the company
office. Bob decides to enable SSL on his PC and on System A's Management
Central server. With SSL enabled in this way, Bob can be certain that his
connection to the Management Central server is secure when he is traveling.</p>
</div>
</div>
<div class="nested0" xml:lang="en-us" id="objectives"><a name="objectives"><!-- --></a><h1 class="sectionscenariobar">Objectives:</h1>
<div><p>Bob wants to secure the connection between his PC and the Management Central
server. Bob does not require additional security for the connection between
the Management Central server on System A and the endpoints that are on the
LAN. Other employees that work from the company office do not need additional
security for their connections to the Management Central server, either. Bob's
plan is to configure his PC and the Management Central server on System A,
so that his connection uses server authentication. Connections to the Management
Central server from other PCs or iSeries servers on the LAN are not secured
with SSL.</p>
</div>
</div>
<div class="nested0" xml:lang="en-us" id="details"><a name="details"><!-- --></a><h1 class="sectionscenariobar">Details:</h1>
<div><p>The following table illustrates the types of authentication used, based
on the enabling or disabling of SSL on a PC client:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Required elements for an SSL-secured connection between a client
and the Management Central server</caption><thead align="left"><tr><th align="center" valign="top" width="25.64102564102564%" id="d0e74">SSL status on Bob's PC</th>
<th align="center" valign="top" width="43.956043956043956%" id="d0e76">Specified authentication
level for the Management Central server on System A</th>
<th align="center" valign="top" width="30.4029304029304%" id="d0e78">SSL connection enabled?</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="25.64102564102564%" headers="d0e74 ">SSL off</td>
<td valign="top" width="43.956043956043956%" headers="d0e76 ">Any </td>
<td valign="top" width="30.4029304029304%" headers="d0e78 ">No</td>
</tr>
<tr><td valign="top" width="25.64102564102564%" headers="d0e74 ">SSL on</td>
<td valign="top" width="43.956043956043956%" headers="d0e76 ">Any</td>
<td valign="top" width="30.4029304029304%" headers="d0e78 ">Yes (server authentication)</td>
</tr>
</tbody>
</table>
</div>
<p><strong>Server authentication</strong> means that Bob's PC authenticates the Management
Central server's certificate. Bob's PC acts as an SSL client when connecting
to the Management Central server. The Management Central server acts as an
SSL server and must prove its identity. The Management Central server does
this by providing a certificate issued by a Certificate Authority (CA) that
Bob's PC trusts.</p>
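<p>Added example, not part of the original IBM topic: the shell sketch below uses OpenSSL on a workstation
as a stand-in for DCM and for the PC's trust store, to show the server authentication decision described above.
The CA names, the host name systema.example.com and all file names are constructed for illustration.</p>
<pre>
```shell
#!/bin/sh
# Constructed lab: OpenSSL stands in for DCM (server side) and the PC trust store.
set -u

new_ca() {            # $1 = directory, $2 = CA name; writes ca.key and ca.pem
    mkdir -p "$1"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_server_cert() { # $1 = CA directory, $2 = server name, $3 = output certificate
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$3" 2>/dev/null
}

# The client-side decision in server authentication: does the presented
# certificate chain to the CA that was downloaded to this PC?
server_is_trusted() { # $1 = CA file held by the PC, $2 = presented certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>/dev/null
}

demo() {
    lab=$(mktemp -d) || return 1
    new_ca "$lab/company" "Example Company CA"     # the CA Bob obtains
    new_ca "$lab/other" "Unrelated CA"             # a CA the PC was never given
    issue_server_cert "$lab/company" "systema.example.com" "$lab/systema.pem"
    issue_server_cert "$lab/other" "systema.example.com" "$lab/untrusted.pem"
    cp "$lab/company/ca.pem" "$lab/pc-trusted-ca.pem"   # "Download the CA to the PC client"
    for cert in systema untrusted; do
        if server_is_trusted "$lab/pc-trusted-ca.pem" "$lab/$cert.pem"; then
            echo "$cert: accepted"
        else
            echo "$cert: rejected"
        fi
    done
    rm -rf "$lab"
}

demo
```
</pre>
<p>Both certificates carry the same server name; only the one signed by the CA present on the PC passes,
which is why the CA must be downloaded to the client before SSL is activated there.</p>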
</div>
</div>
<div class="nested0" xml:lang="en-us" id="before2"><a name="before2"><!-- --></a><h1 class="sectionscenariobar">Prerequisites and assumptions</h1>
<div><div class="section"><p>Bob must perform these administration and configuration tasks
in order to secure the connection between his PC and the Management Central
server on System A:</p>
</div>
<ol><li><span>System A meets the prerequisites for SSL.</span></li>
<li><span>OS/400 V5R3 or a later version of i5/OS™ is installed on System A.</span></li>
<li><span>The iSeries Navigator PC client runs V5R3 or later of iSeries Access
for Windows<sup>®</sup>.</span></li>
<li><span>Get a Certificate Authority (CA) for iSeries servers.</span></li>
<li><span>Create a certificate that is signed by the CA, for System A.</span></li>
<li><span>Send the CA and a certificate to System A, and import them into
the key database.</span></li>
<li><span>Assign the certificate with the Management Central server identification,
and the application identifications for all of the iSeries Access servers.
The TCP central server, database server, data queue server, file server, network
print server, remote command server and signon server are all iSeries Access
servers. </span><ol type="a"><li><span>On System A, start IBM<sup>®</sup> Digital Certificate Manager. Bob obtains
or creates certificates, or otherwise sets up or changes his certificate system
now.</span></li>
<li><span>Click <span class="uicontrol">Select a Certificate Store</span>.</span></li>
<li><span>Select <span class="uicontrol">*SYSTEM</span> and click <span class="uicontrol">Continue</span>.</span></li>
<li><span>Enter the *SYSTEM <var class="varname">Certificate Store password</var>,
and click <span class="uicontrol">Continue</span>. When the menu reloads, expand <span class="uicontrol">Manage
Applications</span>.</span></li>
<li><span>Click <span class="uicontrol">Update certificate assignment</span>.</span></li>
<li><span>Select <span class="uicontrol">Server</span> and click <span class="uicontrol">Continue</span>.</span></li>
<li><span>Select the <span class="uicontrol">Management Central Server</span>,
and click <span class="uicontrol">Update certificate assignment</span>. This assigns
a certificate to the Management Central server to use.</span></li>
<li><span>Click <span class="uicontrol">Assign New Certificate</span>. DCM reloads
to the <span class="wintitle">Update certificate assignment</span> page with a confirmation
message.</span></li>
<li><span>Click <span class="uicontrol">Done</span>.</span></li>
<li><span>Assign the certificate to all of the client access servers.</span></li>
</ol>
</li>
<li><span>Download the CA to the PC client.</span></li>
</ol>
<div class="section"><p>Before Bob can enable SSL on the Management Central server, he
must install the SSL Prerequisites and set up digital certificates on the
iSeries server. Once he has met the prerequisites, he can complete the following
procedures to enable SSL for the Management Central server.</p>
</div>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzainplanssl.htm#rzainrequiredprogs">SSL prerequisites</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahudcmfirsttime.htm">Configure DCM</a></div>
<div><a href="../rzahu/rzahurzahu66adcmstart.htm">Start Digital Certificate Manager</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="configurationsteps"><a name="configurationsteps"><!-- --></a><h1 class="sectionscenariobar">Configuration steps</h1>
<div><div class="section"><p>Bob needs to complete the following steps in order to secure his
PC client connection to the Management Central server on System A, with SSL:</p>
</div>
<ol><li><span><a href="scenariodetails.htm#step1">Step 1: Deactivate SSL for the iSeries Navigator client</a></span></li>
<li><span><a href="scenariodetails.htm#step2">Step 2: Set the authentication level for the Management Central server</a></span></li>
<li><span><a href="scenariodetails.htm#step3">Step 3: Restart the Management Central server on the central system</a></span></li>
<li><span><a href="scenariodetails.htm#step4">Step 4: Activate SSL for the iSeries Navigator client</a></span></li>
<li><strong>Optional: </strong><span><a href="scenariodetails.htm#optional1">Optional step: Deactivate SSL for the iSeries Navigator client</a></span></li>
</ol>
</div>
</div>
</body>
</html>