182 lines
12 KiB
HTML
182 lines
12 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Scenario: Secure a client connection to your Management Central server with SSL" />
|
|
<meta name="abstract" content="Use the information in this scenario to use SSL to secure a connection between a remote client and your server." />
|
|
<meta name="description" content="Use the information in this scenario to use SSL to secure a connection between a remote client and your server." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzainscenarios.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzainmc.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="scenariodetails.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzainplanssl.htm#rzainrequiredprogs" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahudcmfirsttime.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu66adcmstart.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="secclientmc" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Scenario: Secure a client connection to your Management Central server
|
|
with SSL</title>
|
|
</head>
|
|
<body>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<div class="nested0" id="secclientmc"><a name="secclientmc"><!-- --></a><h1 class="topictitle1">Scenario: Secure a client connection to your Management Central server
|
|
with SSL</h1>
|
|
<div><p>Use the information in this scenario to use SSL to secure a connection
|
|
between a remote client and your server.</p>
|
|
<p>This scenario explains how to use SSL to secure the connection between
|
|
a remote client and an iSeries™ server that is acting as a central system
|
|
by using the iSeries Navigator Management Central server. </p>
|
|
</div>
|
|
<div>
|
|
<ul class="ullinks">
|
|
<li class="ulchildlink"><strong><a href="scenariodetails.htm">Configuration details: Secure a client connection to your Management Central server with SSL</a></strong><br />
|
|
This topic shows the expanded configurations steps for using SSL to secure a client connection to your Management Central server.</li>
|
|
</ul>
|
|
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzainscenarios.htm" title="The SSL scenarios are designed to help you maximize the benefits of enabling SSL on your iSeries server:">Scenarios</a></div>
|
|
</div>
|
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
|
<div><a href="rzainmc.htm" title="Read this scenario to use SSL to secure all connections with an iSeries server.">Scenario: Secure all connections to your Management Central server with SSL</a></div>
|
|
</div>
|
|
</div></div>
|
|
<div class="nested0" xml:lang="en-us" id="situation"><a name="situation"><!-- --></a><h1 class="sectionscenariobar">Situation</h1>
|
|
<div><p>A company has a local area network (LAN) that includes several iSeries
|
|
servers in their office. This company's system administrator, Bob, has specified
|
|
one of the iSeries servers as the central system (hereafter referred to as
|
|
System A) for the LAN. Bob uses the Management Central server on System A
|
|
to manage all of the other endpoints on his LAN.</p>
|
|
<p>Bob is concerned about connecting to the Management Central server on System
|
|
A from a network connection that is external to his company's LAN. Bob travels
|
|
for work a lot, and requires a secure connection to the Management Central
|
|
server while he is away. He wants to ensure the connection between his PC
|
|
and the Management Central server is secure when he is not in the company
|
|
office. Bob decides to enable SSL on his PC and on the System A's Management
|
|
Central server. With SSL enabled in this way, Bob can be certain that his
|
|
connection to the Management Central server is secure when he is traveling.</p>
|
|
</div>
|
|
</div>
|
|
<div class="nested0" xml:lang="en-us" id="objectives"><a name="objectives"><!-- --></a><h1 class="sectionscenariobar">Objectives:</h1>
|
|
<div><p>Bob wants to secure the connection between his PC and the Management Central
|
|
server. Bob does not require additional security for the connection between
|
|
the Management Central server on System A and the endpoints that are on the
|
|
LAN. Other employees that work from the company office do not need additional
|
|
security for their connections to the Management Central server, either. Bob's
|
|
plan is to configure his PC and the Management Central server on System A,
|
|
so that his connection uses server authentication. Connections to the Management
|
|
Central server from other PCs or iSeries servers on the LAN are not secured
|
|
with SSL.</p>
|
|
</div>
|
|
</div>
|
|
<div class="nested0" xml:lang="en-us" id="details"><a name="details"><!-- --></a><h1 class="sectionscenariobar">Details:</h1>
|
|
<div><p>The following table illustrates the types of authentication used, based
|
|
on the enabling or disabling of SSL on a PC client:</p>
|
|
|
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Required elements for an SSL-secured connection between a client
|
|
and the Management Central server</caption><thead align="left"><tr><th align="center" valign="top" width="25.64102564102564%" id="d0e74">SSL status on Bob's PC</th>
|
|
<th align="center" valign="top" width="43.956043956043956%" id="d0e76">Specified authentication
|
|
level for the Management Central server on System A</th>
|
|
<th align="center" valign="top" width="30.4029304029304%" id="d0e78">SSL connection enabled?</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr><td valign="top" width="25.64102564102564%" headers="d0e74 ">SSL off</td>
|
|
<td valign="top" width="43.956043956043956%" headers="d0e76 ">Any </td>
|
|
<td valign="top" width="30.4029304029304%" headers="d0e78 ">No</td>
|
|
</tr>
|
|
<tr><td valign="top" width="25.64102564102564%" headers="d0e74 ">SSL on</td>
|
|
<td valign="top" width="43.956043956043956%" headers="d0e76 ">Any</td>
|
|
<td valign="top" width="30.4029304029304%" headers="d0e78 ">Yes (server authentication)</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
<p><strong>Server authentication</strong> means that Bob's PC authenticates the Management
|
|
Central server's certificate. Bob's PC acts as an SSL client when connecting
|
|
to the Management Central server. The Management Central server acts as an
|
|
SSL server and must prove its identity. The Management Central server does
|
|
this by providing a certificate issued by a Certificate Authority (CA) that
|
|
Bob's PC trusts.</p>
|
|
</div>
|
|
</div>
|
|
<div class="nested0" xml:lang="en-us" id="before2"><a name="before2"><!-- --></a><h1 class="sectionscenariobar">Prerequisites and assumptions</h1>
|
|
<div><div class="section"><p>Bob must perform these administration and configuration tasks
|
|
in order to secure the connection between his PC and the Management Central
|
|
server on System A:</p>
|
|
</div>
|
|
<ol><li><span>System A meets the prerequisites for SSL.</span></li>
|
|
<li><span>OS/400 V5R3 or a later version of i5/OS™ is installed on System A.</span></li>
|
|
<li><span>The iSeries Navigator PC client runs V5R3 or later of iSeries Access
|
|
for Windows<sup>®</sup>.</span></li>
|
|
<li><span>Get a Certificate Authority (CA) for iSeries servers.</span></li>
|
|
<li><span>Create a certificate that is signed by the CA, for System A.</span></li>
|
|
<li><span>Send the CA and a certificate to System A, and import them into
|
|
the key database.</span></li>
|
|
<li><span>Assign the certificate with the Management Central server identification,
|
|
and the application identifications for all of the iSeries Access servers.
|
|
The TCP central server, database server, data queue server, file server, network
|
|
print server, remote command server and signon server are all iSeries Access
|
|
servers. </span><ol type="a"><li><span>On System A, Start IBM<sup>®</sup> Digital Certificate Manager. Bob obtains
|
|
or create certificates, or otherwise sets up or changes his certificate system
|
|
now.</span></li>
|
|
<li><span>Click <span class="uicontrol">Select a Certificate Store</span>.</span></li>
|
|
<li><span>Select <span class="uicontrol">*SYSTEM</span> and click <span class="uicontrol">Continue</span>.</span></li>
|
|
<li><span>Enter the *SYSTEM <var class="varname">Certificate Store password</var>,
|
|
and click <span class="uicontrol">Continue</span>. When the menu reloads, expand <span class="uicontrol">Manage
|
|
Applications</span>.</span></li>
|
|
<li><span>Click <span class="uicontrol">Update certificate assignment</span>.</span></li>
|
|
<li><span>Select <span class="uicontrol">Server</span> and click <span class="uicontrol">Continue</span>.</span></li>
|
|
<li><span>Select the <span class="uicontrol">Management Central Server</span>,
|
|
and click <span class="uicontrol">Update certificate assignment</span>. This assigns
|
|
a certificate to the Management Central server to use.</span></li>
|
|
<li><span>Click <span class="uicontrol">Assign New Certificate</span>. DCM reloads
|
|
to the <span class="wintitle">Update certificate assignment</span> page with a confirmation
|
|
message.</span></li>
|
|
<li><span>Click <span class="uicontrol">Done</span>.</span></li>
|
|
<li><span>Assign the certificate to all of the client access servers.</span></li>
|
|
</ol>
|
|
</li>
|
|
<li><span>Download the CA to the PC client.</span></li>
|
|
</ol>
|
|
<div class="section"><p>Before Bob can enable SSL on the Management Central server, he
|
|
must install the SSL Prerequisites and set up digital certificates on the
|
|
iSeries server. Once he has met the prerequisites, he can complete the following
|
|
procedures to enable SSL for the Management Central server.</p>
|
|
</div>
|
|
</div>
|
|
<div><div class="relconcepts"><strong>Related concepts</strong><br />
|
|
<div><a href="rzainplanssl.htm#rzainrequiredprogs">SSL prerequisites</a></div>
|
|
</div>
|
|
<div class="relinfo"><strong>Related information</strong><br />
|
|
<div><a href="../rzahu/rzahudcmfirsttime.htm">Configure DCM</a></div>
|
|
<div><a href="../rzahu/rzahurzahu66adcmstart.htm">Start Digital Certificate Manager</a></div>
|
|
</div>
|
|
</div></div>
|
|
<div class="nested0" xml:lang="en-us" id="configurationsteps"><a name="configurationsteps"><!-- --></a><h1 class="sectionscenariobar">Configuration steps</h1>
|
|
<div><div class="section"><p>Bob needs to complete the following steps in order to secure his
|
|
PC client connection to the Management Central server on System A, with SSL:</p>
|
|
</div>
|
|
<ol><li><span><a href="scenariodetails.htm#step1">Step 1: Deactivate SSL for the iSeries Navigator client</a></span></li>
|
|
<li><span><a href="scenariodetails.htm#step2">Step 2: Set the authentication level for the Management Central server</a></span></li>
|
|
<li><span><a href="scenariodetails.htm#step3">Step 3: Restart the Management Central server on the central system</a></span></li>
|
|
<li><span><a href="scenariodetails.htm#step4">Step 4: Activate SSL for the iSeries Navigator client</a></span></li>
|
|
<li><strong>Optional: </strong><span><a href="scenariodetails.htm#optional1">Optional step: Deactivate SSL for the iSeries Navigator client</a></span></li>
|
|
</ol>
|
|
</div>
|
|
</div>
|
|
|
|
</body>
|
|
</html> |