<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="SSL initialization and handshake" />
<meta name="abstract" content="This topic describes the interactions between Telnet servers, clients, and SSL." />
<meta name="description" content="This topic describes the interactions between Telnet servers, clients, and SSL." />
<meta name="DC.Relation" scheme="URI" content="rzaiwconfiguresslparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiwssltel.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiwchkjoblog.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiwrzaiwsslinit" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>SSL initialization and handshake</title>
</head>
<body id="rzaiwrzaiwsslinit"><a name="rzaiwrzaiwsslinit"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">SSL initialization and handshake</h1>
<div><p><span>This topic describes
the interactions between Telnet servers, clients, and SSL.</span></p>
<p>Sometimes understanding what goes on during SSL processing can help you
determine where a problem might have occurred.</p>
<div class="section"><h4 class="sectiontitle">What happens during SSL initialization?</h4><p>The Telnet
server attempts to initialize SSL every time the server is started. During
initialization, the Telnet server checks the certificate information in the
QIBM_QTV_TELNET_SERVER application. You can tell that the SSL initialization
is successful when more than one active QTVTELNET job appears in the QSYSWRK
subsystem. Of course, if the number of server jobs to start field in the Telnet
properties General page is set to 1, you see only one active QTVTELNET job.</p>
<p>The
Telnet server does not initialize SSL when you have a restricted telnet-ssl
port. The Telnet server sends the TCP2550 message <samp class="codeph">Access to port 992
is restricted</samp> to the QTVTELNET job log and to the QSYSOPR message
queue.</p>
<p>When a certificate is incorrect or expired, initialization fails
and the Telnet server sends message CPDBC <samp class="codeph">nn</samp> to the QTVTELNET
job log.</p>
<p>Even if no certificate or an expired certificate is in the
QIBM_QTV_TELNET_SERVER application, the Telnet server successfully initializes
SSL. However, the SSL handshake fails when the client tries to connect to
the Telnet server. The Telnet server sends message CPDBC <samp class="codeph">nn</samp> to
the QTVTELNET job log.</p>
</div>
<div class="section"><h4 class="sectiontitle">What happens during SSL reinitialization?</h4><p>When the
certificate in the QIBM_QTV_TELNET_SERVER application changes, the Telnet
server reinitializes SSL if a Digital Certificate Manager (DCM) change occurs. This means that you can restore
an expired certificate or add or remove user certificates, and Telnet
picks up the changes automatically. The process is the same as SSL initialization.
New Telnet SSL client sessions use the new certificate. Telnet SSL client
sessions that are already established use the original certificate. After
the Telnet server is ended and started again, all Telnet SSL client sessions
use the new certificate.</p>
<p>If the SSL reinitialization fails, established
SSL sessions use the original certificate that was initialized when the server
started, and new sessions are blocked from connecting. The next time you start
the Telnet server, SSL initialization fails, although there is still
an active SSL listener. However, no new SSL connections are successful
until a change in the DCM forces the Telnet server to reinitialize successfully.</p>
</div>
<div class="section"><h4 class="sectiontitle">What happens during SSL handshake?</h4><p>An SSL handshake
occurs when the Telnet SSL client connects to TCP port 992 and attempts an
SSL negotiation with the server. While the client is connecting to the server,
it displays status numbers or messages on the status bar of the open window.</p>
<p>If
the SSL handshake fails, the Telnet session is not established. For example,
a sign-on screen does not appear in the Telnet SSL client window. Consult
the user guide or online help for your Telnet SSL client for information about
specific status numbers or messages. The Telnet server sends message CPDBC <samp class="codeph">nn</samp> to
the QTVTELNET job log.</p>
</div>
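<p>Because the listener on port 992 can stay active while every new handshake fails, a monitoring check has to complete the SSL negotiation rather than only test that the port is open. The following client-side probe is an added example, not IBM code; the function name and state labels are hypothetical, and it assumes the server offers a protocol version that the local Python TLS library accepts and a certificate that chains to a locally trusted CA.</p>

```python
import socket
import ssl
import sys
import time


def probe_telnet_ssl(host, port=992, timeout=5.0):
    """Classify a Telnet SSL endpoint as seen from a client.

    Returns (state, detail) where state is one of (labels are hypothetical):
      no_listener          - TCP connect failed; nothing accepts on the port
      handshake_failed     - listener accepted TCP but SSL negotiation failed
      certificate_rejected - server certificate failed local verification
      ok                   - handshake completed; detail is whole days to expiry
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("no_listener", str(exc))

    # Default context verifies the chain, the host name and the validity dates.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # For example an expired or untrusted server certificate.
        return ("certificate_rejected", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # Open port but no usable SSL service: the case a plain
        # TCP port check would wrongly report as healthy.
        return ("handshake_failed", str(exc))

    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - time.time()) // 86400)
    return ("ok", days_left)


if __name__ == "__main__" and len(sys.argv) > 1:
    # The host name is supplied by the operator; none is hard-coded here.
    print(probe_telnet_ssl(sys.argv[1]))
```

<p>A <samp class="codeph">handshake_failed</samp> or <samp class="codeph">certificate_rejected</samp> result is the cue to look for the CPDBC <samp class="codeph">nn</samp> message in the QTVTELNET job log.</p>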
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiwconfiguresslparent.htm" title="With the Secure Sockets Layer (SSL) protocol, you can establish secure connections between the Telnet server application and Telnet clients that provide authentication of one or both endpoints of the communication session. SSL also provides privacy and integrity of the data that client and server applications exchange.">Secure Telnet with SSL</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzaiwssltel.htm" title="Use this topic to set up SSL on your iSeries server.">Configure SSL on the Telnet server</a></div>
<div><a href="rzaiwchkjoblog.htm" title="When SSL initialization and handshake fails, the Telnet server sends CPDBC nn diagnostic messages to the QTVTELNET job.">Check the Telnet job log</a></div>
</div>
</div>
</body>
</html>