264 lines
17 KiB
HTML
264 lines
17 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Configuration details" />
|
|
<meta name="abstract" content="This topic describes the task steps for securing Telnet with SSL." />
|
|
<meta name="description" content="This topic describes the task steps for securing Telnet with SSL." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzaiwscenariossl.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu66adcmstart.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzaiwconfiguresslcert.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzaiwscenariossldetails" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Configuration details</title>
|
|
</head>
|
|
<body id="rzaiwscenariossldetails"><a name="rzaiwscenariossldetails"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Configuration details</h1>
|
|
<div><p>This topic describes the task steps for securing Telnet with SSL.</p>
|
|
<div class="section" id="rzaiwscenariossldetails__removeport"><a name="rzaiwscenariossldetails__removeport"><!-- --></a><h4 class="sectionscenariobar">Step 1: Remove
|
|
port restrictions</h4><p>In releases before V5R1, port restrictions were
|
|
used because Secure Sockets Layer (SSL) support was not available for Telnet.
|
|
Now you can specify whether SSL, non-SSL, or both are to start. Therefore,
|
|
there is no longer a need for port restrictions. If you has defined port restrictions
|
|
in previous releases, you need to remove the port restrictions in order to
|
|
use the SSL parameter.</p>
|
|
<p>To determine whether you have Telnet port restrictions
|
|
and remove them so that you can configure the Telnet server to use SSL, follow
|
|
these steps:</p>
|
|
<ol><li>To view any current port restrictions, start iSeries™ Navigator and expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Network</span></span>.</li>
|
|
<li>Right-click <span class="uicontrol">TCP/IP Configuration</span> and select <span class="uicontrol">Properties</span>.</li>
|
|
<li>Click the <span class="uicontrol">Port Restrictions</span> tab to see a list of
|
|
port restriction settings.</li>
|
|
<li>Select the port restriction that you want to remove.</li>
|
|
<li>Click <span class="uicontrol">Remove</span>.</li>
|
|
<li>Click <span class="uicontrol">OK</span>.</li>
|
|
</ol>
|
|
<p>By default, the setting is to start SSL sessions on port 992 and non-SSL
|
|
sessions on port 23. The Telnet server uses the service table entry for Telnet
|
|
to get the non-SSL port and Telnet-SSL to get the SSL port.</p>
|
|
</div>
|
|
<div class="section" id="rzaiwscenariossldetails__createlca"><a name="rzaiwscenariossldetails__createlca"><!-- --></a><h4 class="sectionscenariobar">Step 2: Create
|
|
and operate Local Certificate Authority</h4><p>To use Digital Certificate
|
|
Manager (DCM) to create and operate a Local Certificate Authority (CA) on
|
|
the iSeries server,
|
|
follow these steps:</p>
|
|
<ol><li>Start DCM.</li>
|
|
<li>In the navigation frame of DCM, select <span class="uicontrol">Create a Certificate
|
|
Authority (CA)</span> to display a series of forms. These forms guide
|
|
you through the process of creating a Local CA and completing other tasks
|
|
needed to begin using digital certificates for SSL, object signing, and signature
|
|
verification.</li>
|
|
<li>Complete all the forms that display. There is a form for each of the tasks
|
|
that you need to perform in order to create and operate a Local CA on the iSeries server.
|
|
Completing these forms allows you to: <ol type="a"><li>Choose how to store the private key for the Local CA certificate. This
|
|
step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor
|
|
installed on your iSeries. If your system does not have a cryptographic
|
|
coprocessor, DCM automatically stores the certificate and its private key
|
|
in the Local CA certificate store.</li>
|
|
<li>Provide identifying information for the Local CA.</li>
|
|
<li>Install the Local CA certificate on your PC or in your browser. This enables
|
|
software to recognize the Local CA and validate certificates that the CA issues.</li>
|
|
<li>Choose the policy data for your Local CA.</li>
|
|
<li>Use the new Local CA to issue a server or client certificate that applications
|
|
can use for SSL connections. If you have an IBM<sup>®</sup> 4758-023 PCI Cryptographic Coprocessor
|
|
installed in the iSeries server,
|
|
this step allows you to select how to store the private key for the server
|
|
or client certificate. If your system does not have a coprocessor, DCM automatically
|
|
places the certificate and its private key in the *SYSTEM certificate store.
|
|
DCM creates the *SYSTEM certificate store as part of this task.</li>
|
|
<li>Select the applications that can use the server or client
|
|
certificate for SSL connections. <div class="note"><span class="notetitle">Note:</span> Be sure to select the application ID
|
|
for the i5/OS<sup>®</sup> Telnet
|
|
server (QIBM_QTV_TELNET_SERVER).</div>
|
|
</li>
|
|
<li>Use the new local CA to issue an object signing certificate that applications
|
|
can use to digitally sign objects. This creates the *OBJECTSIGNING certificate
|
|
store, which you use to manage object signing certificates. <div class="note"><span class="notetitle">Note:</span> Although
|
|
this scenario does not use object signing certificates, be sure to complete
|
|
this step. If you cancel at this point in the task, the task ends and you
|
|
need to perform separate tasks to complete your SSL certificate configuration.</div>
|
|
</li>
|
|
<li>Select the applications that you want to trust the local
|
|
CA. <div class="note"><span class="notetitle">Note:</span> Be sure to select the application ID for the i5/OS Telnet server</div>
|
|
(QIBM_QTV_TELNET_SERVER).</li>
|
|
</ol>
|
|
</li>
|
|
</ol>
|
|
<p>After you have completed the forms for this guided task, you can configure
|
|
the Telnet Server to require client authentication.</p>
|
|
</div>
|
|
<div class="section" id="rzaiwscenariossldetails__configtelnet"><a name="rzaiwscenariossldetails__configtelnet"><!-- --></a><h4 class="sectionscenariobar">Step 3:
|
|
Configure Telnet server to require certificates for client authentication</h4><p>In
|
|
order to activate this support, the System Administrator will indicate how
|
|
SSL support will be handled. Use the Telnet Properties General panel in iSeries Navigator
|
|
to indicate whether SSL, non-SSL, or support for both will start when the
|
|
Telnet server starts. By default, the SSL and non-SSL support always starts.</p>
|
|
<p>The
|
|
System Administrator has the ability to indicate whether the system requires
|
|
SSL client authentication for all Telnet sessions. When SSL is active and
|
|
the system requires client authentication, the presence of a valid client
|
|
certificate means that the client is trusted.</p>
|
|
<p>To configure the Telnet
|
|
server to require certificates for client authentication, follow these steps:</p>
|
|
<ol><li>Start DCM.</li>
|
|
<li>Click <span class="uicontrol">Select a Certificate Store</span>.</li>
|
|
<li>Select <span class="uicontrol">*SYSTEM</span> as the certificate store to open
|
|
and click <span class="uicontrol">Continue</span>.</li>
|
|
<li>Enter the appropriate password for *SYSTEM certificate store and click <span class="uicontrol">Continue</span>.</li>
|
|
<li>When the left navigational menu refreshes, select <span class="uicontrol">Manage Applications</span> to
|
|
display a list of tasks.</li>
|
|
<li>Select the <span class="uicontrol">Update application definition</span> task to
|
|
display a series of forms.</li>
|
|
<li>Select <span class="uicontrol">Server</span> application and click <span class="uicontrol">Continue</span> to
|
|
display a list of server applications.</li>
|
|
<li>From the list of applications, select <span class="uicontrol">i5/OS
|
|
TCP/IP Telnet Server</span>.</li>
|
|
<li>Click <span class="uicontrol">Update Application Definition</span>.</li>
|
|
<li>In the table that displays, select <span class="uicontrol">Yes</span> to require
|
|
client authentication.</li>
|
|
<li>Click <span class="uicontrol">Apply</span>. The <span class="uicontrol">Update Application
|
|
Definition</span> page displays with a message to confirm your changes.</li>
|
|
<li>Click <span class="uicontrol">Done</span>.</li>
|
|
</ol>
|
|
<p>Now that you have configured the Telnet server to require certificates
|
|
for client authentication, you can enable and start SSL for the Telnet server.</p>
|
|
</div>
|
|
<div class="section" id="rzaiwscenariossldetails__enablessl"><a name="rzaiwscenariossldetails__enablessl"><!-- --></a><h4 class="sectionscenariobar">Step 4: Enable
|
|
and start SSL on Telnet server</h4><p>To enable SSL on the Telnet server,
|
|
follow these steps:</p>
|
|
<ol><li>Open iSeries Navigator.</li>
|
|
<li>Expand <span class="menucascade"><span class="uicontrol">My iSeries server</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Servers</span> > <span class="uicontrol">TCP/IP</span></span>.</li>
|
|
<li>Right-click <span class="uicontrol">Telnet</span>.</li>
|
|
<li>Select <span class="uicontrol">Properties</span>.</li>
|
|
<li>Select the <span class="uicontrol">General</span> tab.</li>
|
|
<li>Choose one of these options for SSL support: <ul><li><span class="uicontrol">Secure only</span> Select this to allow only SSL sessions
|
|
with the Telnet server.</li>
|
|
<li><span class="uicontrol">Non-secure only</span> Select this to prohibit secure
|
|
sessions with the Telnet server. Attempts to connect to an SSL port will not
|
|
connect.</li>
|
|
<li><span class="uicontrol">Both secure and non-secure</span> Allows both secure and
|
|
non-secure sessions with the Telnet server.</li>
|
|
</ul>
|
|
</li>
|
|
</ol>
|
|
<p>To start the Telnet server using iSeries Navigator, follow these steps:</p>
|
|
<ol><li>Expand <span class="menucascade"><span class="uicontrol">your iSeries server</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Servers</span> > <span class="uicontrol">TCP/IP</span></span>.</li>
|
|
<li>In the right pane, locate <span class="uicontrol">Telnet</span> in the Server
|
|
Name column.</li>
|
|
<li>Confirm that <span class="uicontrol">Started</span> appears in the Status column.</li>
|
|
<li>If the server is not running, right-click <span class="uicontrol">Telnet</span> and
|
|
select <span class="uicontrol">Start</span>.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section" id="rzaiwscenariossldetails__enablesslclient"><a name="rzaiwscenariossldetails__enablesslclient"><!-- --></a><h4 class="sectionscenariobar">Step
|
|
5: Enable SSL on the Telnet client</h4><p>To participate in an SSL session,
|
|
the Telnet client must be able to recognize and accept the certificate that
|
|
the Telnet server presents to establish the SSL session. To authenticate the
|
|
server's certificate, the Telnet client must have a copy of the CA certificate
|
|
in iSeries key
|
|
database. When the Telnet server uses a certificate from a Local CA, the Telnet
|
|
client must obtain a copy of the Local CA certificate and install it in the iSeries key
|
|
database.</p>
|
|
<p>To add a Local CA certificate from an iSeries so that the Telnet client can
|
|
participate in SSL sessions with Telnet servers that use a certificate from
|
|
the Local CA, follow these steps:</p>
|
|
<ol><li>Open iSeries Navigator.</li>
|
|
<li>Right-click the name of your system.</li>
|
|
<li>Select <span class="uicontrol">Properties</span>.</li>
|
|
<li>Select the <span class="uicontrol">Secure Sockets</span> tab. <div class="note"><span class="notetitle">Note:</span> This tab will
|
|
not appear unless you have completed a selective install of iSeries Client
|
|
Encryption (128-bit), 5722-CE3.</div>
|
|
</li>
|
|
<li>Click <span class="uicontrol">Download</span>. This will download the iSeries Certificate
|
|
Authority certificate automatically into the certificate key database.</li>
|
|
<li>You will be prompted for your key database password. Unless you have previously
|
|
changed the password from the default, enter <samp class="codeph">ca400</samp>. A confirmation
|
|
message displays. Click <span class="uicontrol">OK</span>.</li>
|
|
</ol>
|
|
<p>The download button automatically updates the IBM Toolbox for Java™ PC key database.</p>
|
|
</div>
|
|
<div class="section" id="rzaiwscenariossldetails__telnetclient"><a name="rzaiwscenariossldetails__telnetclient"><!-- --></a><h4 class="sectionscenariobar">Step 6:
|
|
Enable Telnet client to present certificate for authentication</h4><p>You
|
|
have configured SSL for the Telnet server, specified that the server should
|
|
trust certificates that the Local CA issues, and specified that it require
|
|
certificates for client authentication. Now, users must present a valid and
|
|
trusted client certificate to the Telnet server for each connection attempt.</p>
|
|
<p>Clients
|
|
need to use the Local CA to obtain a certificate for authentication to the
|
|
Telnet server and import that certificate to IBM Key Management database before client
|
|
authentication will work.</p>
|
|
<p>First, clients must use DCM to obtain a user
|
|
certificate by following these steps:</p>
|
|
<ol><li>Start DCM.</li>
|
|
<li>In the left navigation frame, select <span class="uicontrol">Create Certificate</span> to
|
|
display a list of tasks.</li>
|
|
<li>From the task list, select <span class="uicontrol">User Certificate</span> and
|
|
click <span class="uicontrol">Continue</span>.</li>
|
|
<li>Complete the <span class="uicontrol">User Certificate</span> form. Only those
|
|
fields marked "Required" need to be completed. Click <span class="uicontrol">Continue</span>.</li>
|
|
<li>Depending on the browser you use, you will be asked to generate a certificate
|
|
that will be loaded into your browser. Follow the directions provided by the
|
|
browser.</li>
|
|
<li>When the <span class="uicontrol">Create User Certificate</span> page reloads,
|
|
click <span class="uicontrol">Install Certificate</span>. This will install the certificate
|
|
in the browser.</li>
|
|
<li>Export the certificate to your PC. You must store the certificate in a
|
|
password-protected file. <div class="note"><span class="notetitle">Note:</span> Microsoft<sup>®</sup> Internet Explorer 5 or Netscape
|
|
4.5 are required to use the export and import functions.</div>
|
|
</li>
|
|
</ol>
|
|
<p>Next, you must import the certificate to the IBM Key Management database so that the
|
|
Telnet client can use it for authentication by following these steps:</p>
|
|
<p>You
|
|
must add the Certificate Authority that created the client certificate to
|
|
the PC key database, otherwise the import of the client certificate will not
|
|
work.</p>
|
|
<ol><li>Click <span class="menucascade"><span class="uicontrol">Start</span> > <span class="uicontrol">Programs</span> > <span class="uicontrol">IBM iSeries Access for Windows</span> > <span class="uicontrol">iSeries Access
|
|
for Windows Properties</span></span>.</li>
|
|
<li>Select the <span class="uicontrol">Secure Sockets</span> tab.</li>
|
|
<li>Click <span class="uicontrol">IBM Key Management</span>.</li>
|
|
<li>You will be prompted for your key database password. Unless you have previously
|
|
changed the password from the default, enter <samp class="codeph">ca400</samp>. A confirmation
|
|
message displays. Click <span class="uicontrol">OK</span>.</li>
|
|
<li>From the pull-down menu, select <span class="uicontrol">Personal certificates</span>.</li>
|
|
<li>Click <span class="uicontrol">Import</span>.</li>
|
|
<li>In the <span class="uicontrol">Import key</span> display, enter the file name
|
|
and path for the certificate. Click <span class="uicontrol">OK</span>.</li>
|
|
<li>Enter the password for the protected file. This is the same password that
|
|
you specified when you create a user certificate in DCM. Click <span class="uicontrol">OK</span>.
|
|
When the certificate has been successfully added to your personal certificates
|
|
in IBM Key
|
|
Management, you can use PC5250 emulator or any other Telnet application.</li>
|
|
</ol>
|
|
<p>With these steps complete, the Telnet server can establish an SSL
|
|
session with the Telnet client and the server can authenticate the user to
|
|
resources based on the certificate that the client presents.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiwscenariossl.htm" title="You can use Secure Sockets Layer (SSL) to secure Telnet on iSeries. This scenario provides a step-by-step configuration example.">Telnet scenario: Secure Telnet with SSL</a></div>
|
|
</div>
|
|
<div class="reltasks"><strong>Related tasks</strong><br />
|
|
<div><a href="../rzahu/rzahurzahu66adcmstart.htm">Start DCM</a></div>
|
|
<div><a href="rzaiwconfiguresslcert.htm" title="When you enable the Telnet server on your system to use SSL, you can establish secure Telnet connections to your system from iSeries Access for Windows or from any other SSL-enabled Telnet client, such as a Personal Communications emulator.">Assign a certificate to the Telnet server</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |