IBM Support

Configuring the SSL Telnet and Host Servers for Server Authentication for the First Time

Technote (troubleshooting)


Problem(Abstract)

This document explains how to configure the SSL Telnet and IBM i Access Host Servers for Server Authentication for the first time.

Resolving the problem

Note: This document was created for configuring a new system. For systems that already have the stores for DCM, you should ensure that the existing CA and server certificates are valid. If they are not valid, you must renew them first and then proceed to Step 12 to assign them to the servers.

To establish a secure 5250 session over SSL using the IBM i Access Family of clients, the Telnet server and the IBM i Access Host Servers must be configured to use Secure Sockets. For further information on configuring Secure Sockets and on which licensed program products (LPPs) must be installed, refer to the IBM i Knowledge Center at the following Web site:

http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzain/rzainplanssl.htm

This document covers creating a System Certificate and assigning the System Certificate to the Telnet and Access for Windows Host Server applications.

Creating the System Certificate

Step 1: To create the system certificate, open a Web browser and connect to: <your system name or ip address>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

where <your system name or ip address> in this URL address is replaced with the IP address or host name of your IBM i system.

The following screen is displayed:

[Screenshot: Sign on to HTTP Admin]

Step 2: Type a valid user profile and password that exist on the IBM i OS, and click OK:

[Screenshot: DCM main window]

Step 3: Click on Create a Certificate Authority (CA):

Note: If a Certificate Authority is already created, you will not see the Create a Certificate Authority link.

[Screenshot: Form for CA certificate]

Step 4: Fill out the required fields, and click Continue. The default validity period is 1095 days. The maximum value of 7300 days is recommended, or whatever maximum your security administrator allows.

[Screenshot: Install CA to browser]

Step 5: Click Continue:

[Screenshot: Policy data]

Step 6: Select Yes or No depending on whether or not you want to create user certificates. Then set the validity period, and click Continue. The default validity period is 365 days. It is recommended that you set it to 2000 days, or whatever maximum your security administrator allows:

[Screenshot: Policy data accepted]

Step 7: Click Continue:

Note: Not all information is displayed on the next screen.

[Screenshot: Server certificate creation]

Step 8: Fill out the required fields, and click Continue:

Note: Not all information is displayed on the next screen. You will see the following message at the top:

Message: Your certificate was created and placed in the *SYSTEM certificate store.

[Screenshot: Assign server applications]

Step 9: Select the applications that you want to assign the certificate to. Which applications you assign depends on which Access for Windows functions you use. When using Access for Windows and PC5250, the Telnet Server, Central Server, Signon Server, and Remote Command Server must be assigned. For all Access for Windows functions to be secured, also assign the Database Server, Data Queue Server, File Server, Network Print Server, Host Server and DDM/DRDA. When done selecting the applications, click Continue:

[Screenshot: Applications accepted]

Step 10: Click Continue:

[Screenshot: Object signing (Cancel)]

Step 11: Click Cancel. You do not want object signing. At this point, the Stores are created and you can move to assigning certificates:

[Screenshot: Select a Certificate Store]

Step 12: To ensure everything is configured properly, click Select a Certificate Store:

[Screenshot: Select *SYSTEM and continue]

Step 13: Select *SYSTEM, and click Continue:

[Screenshot: Password for store]

Step 14: Type the password, and click Continue:

Note: Do not press the Enter key after typing the password. Rather, click Continue.

[Screenshot: Fast Path]

Step 15: Click Fast Path:

[Screenshot: Select Work with server applications]

Step 16: Click Work with server applications:

Note: Not all information is displayed.

[Screenshot: Verify applications]

Step 17: If everything is configured properly, the assigned applications should show the certificate in the Certificate assigned field. Select Telnet Server, and click Work with application:

Note: Not all information is displayed.

[Screenshot: Verify Client authentication required is No]

Step 18: Ensure Client Authentication required is No and Define the CA trust list is Yes. Page Down to Define CA Trust List:

Note: Not all information is displayed.

[Screenshot: Define CA trust list]

Step 19: Click Define the CA Trust list:

Note: Not all information is displayed.

[Screenshot: Select Local CA]

Step 20: Ensure the Local_Certificate_Authority box is selected. If not, select it, and click OK. Click Cancel, click Cancel again, and click Done.

You have now finished configuring the Telnet and IBM i Access Host servers to use SSL. For the Telnet and IBM i Access Host Servers to listen on the secure ports, recycle the Telnet server and restart the IBM i Access Host Servers. Verify that they are listening on the secure ports by typing NETSTAT *CNN and pressing PF14 to display the ports. You will see port 992 for Telnet and ports 9470 - 9476 (depending upon which IBM i Access Host Server applications you assigned to use secure sockets).
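Checking the result from a client PC, as an added example that is not part of this technote: the script below connects to each secure port with a TLS context that trusts only the Local CA certificate (assumed to have been exported from DCM to the file local_ca.pem) and reports whether the port is listening, whether the handshake completes, and whether the certificate presented was issued by that CA and how many days it has left. The expected issuer CN is whatever name you gave the Certificate Authority in Step 4; the host must be the name the server certificate was issued for, because hostname checking is left on.

```python
import socket
import ssl
import time

# Secure ports named in the technote: 992 for Telnet and 9470-9476 for the
# IBM i Access Host Servers; which of the 947x ports answer depends on which
# Host Server applications were assigned the certificate.
SECURE_PORTS = [992] + list(range(9470, 9477))

# Assumed: the Local CA certificate was exported from DCM into this PEM file.
# Only that CA is trusted, so a server presenting any other chain fails.
LOCAL_CA_PEM = "local_ca.pem"


def name_to_dict(rdn_seq):
    """Flatten ssl.getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    return {k: v for rdn in rdn_seq for k, v in rdn}


def evaluate_cert(cert, expected_issuer_cn, now, warn_days=30):
    """Judge a getpeercert() dict: issued by our Local CA, and not (nearly) expired."""
    issuer_cn = name_to_dict(cert.get("issuer", ())).get("commonName")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "subject_cn": name_to_dict(cert.get("subject", ())).get("commonName"),
        "issuer_cn": issuer_cn,
        "issuer_ok": issuer_cn == expected_issuer_cn,
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left < warn_days,
    }


def check_port(host, port, expected_issuer_cn, cafile=LOCAL_CA_PEM, timeout=5.0):
    """TLS-connect to one secure port and report what the server presented."""
    ctx = ssl.create_default_context(cafile=cafile)  # trusts only the Local CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report = evaluate_cert(tls.getpeercert(), expected_issuer_cn, time.time())
                report.update(port=port, listening=True, handshake_ok=True)
                return report
    except ConnectionRefusedError:
        # Server not recycled yet, or this Host Server was not assigned the certificate.
        return {"port": port, "listening": False, "handshake_ok": False}
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        # Chain does not end in the trusted Local CA, or the server demanded a client cert.
        return {"port": port, "listening": True, "handshake_ok": False, "error": str(exc)}
```

Run check_port(host, p, "<your CA name>") for each p in SECURE_PORTS; a 6.1 or 7.1 system that only offers older TLS versions may need ctx.minimum_version lowered in a current Python before the handshake succeeds.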


To configure the PC5250 session to use SSL, refer to the IBM Rochester Support Center Knowledgebase document Configuring Client Access 6.1 and 7.1 to Use Secure Sockets.


Cross reference information

Segment           Product  Component  Platform  Version  Edition
Operating System  IBM i                                  7.2
Operating System  IBM i                                  7.1
Operating System  IBM i                                  6.1
Operating System  IBM i                                  7.3

Historical Number

665196666

Document information

More support for: IBM i
Access for Windows

Software version: 5.4.0, 6.1, 6.1.0, 7.1, 7.1.0, 7.2, 7.2.0, 7.3, Version Independent

Operating system(s): IBM i

Reference #: N1010449

Modified date: 17 April 2013

