IBM Support

Configuring IBM i Access for Windows for a Secure Remote HMC 5250 Console Connection

Troubleshooting


Problem

This document describes how to configure IBM iSeries Access for Windows for use with a secure HMC remote 5250 console using the Version 7 and Version 8 "classic" GUI.

Resolving The Problem

Note: The preferred method for secure HMC console is to use IBM i Access Client Solutions. For more information see Configuring ACS for HMC Remote Console at http://www.ibm.com/support/docview.wss?uid=nas8N1020001

To configure IBM iSeries Access for Windows for use with HMC remote 5250 console over an SSL connection, do the following:

Step 1: Verify HMC time.

Click HMC Management > Change Date and Time.

Hardware Management Console screen with Change Date and Time highlighted.

Change Date and Time screen.

If the HMC time is ahead of the PC time, the certificate import fails because the certificate appears invalid (its validity period has not yet started from the PC's point of view). After correcting the time on the HMC, reboot the HMC.

Step 2: Verify Console Name and Domain Name.

1. Click HMC Management > Change Network Settings.

Browser Based Menu at the HMC Management selection.

2. On the Change Network Settings screen, click on the Identification tab.


Change Network settings dialog box with the Identification tab selected.


Step 3: Stop and restart the HMC, if required.

HMC Version 7 and later configures the 5250 console proxy for SSL connections automatically at boot time. The HMC creates a self-signed certificate on the initial installation. The 5250 proxy uses the private keyring file associated with this certificate on the first stop and restart of the HMC.

If the HMC Management Manage Certificates task is later used to create a new self-signed certificate or used to import a certificate signed by a Certificate Authority (CA), the HMC must be stopped and restarted to apply the new private key to the 5250 console proxy.

Browser Based Menu at the HMC Management selection.



Step 4: Ensure the HMC firewall is enabled for remote console. Do the following:

1. Click HMC Management > Change Network Settings.

Browser based HMC menu showing Change Network Settings option selected.

2. On the Change Network Settings screen, click the LAN Adapters tab, click the interface on the open network (normally eth1), and then click the Details button.

Change Network settings dialog box with the LAN Adapters tab selected.

3. Click the Firewall Settings tab.
4. In the Available Applications table, click 5250 2300:tcp 2301:tcp, and then click Allow Incoming.
5. Click OK three times to save and exit. Do not stop and restart.

LAN Adapters Details dialog box with the Firewall Settings tab selected.


Step 4: Verify the iSeries Access for Windows Code Level.
The minimum level required is IBM iSeries Access for Windows emulator Version 5 Release 3, Service level SI13587 or later.
HMCs that require TLS 1.1 or higher (for example, HMC fix levels that have SSLv3 and TLS 1.0 disabled, or that have the HMC security mode set to security=nist_sp800_131a) require a minimum of IBM i Access for Windows 7.1 SI53584 or later.

To verify the version and service pack level, select Start > Programs > IBM iSeries Access for Windows > iSeries Access for Windows Properties. The General tab shows the version and service pack level.
IBM i Access properties

To verify the client encryption version in use, click the Secure Sockets tab. Verify that the version is version 8 or higher (gsk8). This panel also displays the active key database file in use.
Secure Socket tab

Note: The V7R1 "EnableTelnetKeepalive=Y" setting is not supported.

Step 5: Import the Certificate, if required.

If the HMC is using a self-signed certificate (the default), continue with Step 5a to import the public key ring file.
If the HMC is using an imported certificate signed by a CA, continue with Step 5b.

Step 5a: Import the HMC public keyring file.

1. Export the public keyring file from the HMC. Copy the /opt/ccfw/data/SM.pubkr file to the PC. This can be done using removable media (CD-ROM, USB stick, or diskette) or over the network.

o Copying the file using secure copy:

A popular implementation of secure copy for Microsoft Windows is PuTTY pscp. PuTTY can be downloaded from the following Web site:

www.chiark.greenend.org.uk/~sgtatham/putty/

Example: Using PuTTY pscp:

Type the following:

"C:\program files\putty\pscp" -scp hscroot@myhmc:/opt/ccfw/data/SM.pubkr c:\temp\SM.pubkr

where myhmc is the HMC host name or TCP/IP address. For further information on copying files using PuTTY pscp, refer to the following Web site:

the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter5.html#pscp

o Copying the file using removable media:

a. Open a restricted shell window. Log on the local HMC, click HMC Management in the left frame, and click Open Restricted Shell Terminal.

b. Insert the removable media. This can be a diskette, DVD-RAM, or USB stick. The USB stick must be formatted FAT or FAT32. Format the DVD-RAM as CUSTDATA using the procedure in the Rochester Support Center knowledgebase document N1014178, Copying Data to DVD-RAM with Version 7.X. Format the diskette as FAT. If required, the HMC Management Format Media function can be used to format the media.

c. List the available removable media devices. In the restricted shell window, run the command lsmediadev to list available media. Note the mount point for the target media, for example:

lsmediadev
device=/dev/cdrom,mount_point=/media/cdrom,type=1,description=CD/DVD
device=/dev/fd0,mount_point=/media/floppy,type=2,description=internal diskette drive
device=/dev/sda1,mount_point=/media/sda1,type=3,description=USB flash memory device

d. Mount the media. Type the following:

mount mountpoint

where mountpoint is the value displayed by the previous command for the target media. Using the example above, the command to mount the USB stick would be mount /media/sda1.

e. Copy the file. Type the following:

cp /opt/ccfw/data/SM.pubkr mountpoint/SM.pubkr

where mountpoint is the value displayed by the lsmediadev command for the target media.

f. Unmount the media. Type the following:

umount mountpoint

where mountpoint is the value displayed by the lsmediadev command for the target media.
2. Open the IBM Key Management utility. Select Start > Programs > IBM iSeries Access for Windows > IBM Key Management.
3. In the IBM Key Management dialog, select the menu option Key Database File > Open. The Open dialog settings should contain the following values for the iSeries Access key database. If they do not, type them as shown in the following figure and, if necessary, adjust the location to the Windows All Users path. Click OK.

IBM Key Management Open dialog box showing file name and location (path).

4. Type the keyring file password. The default password is ca400.

IBM Key Management dialog open password prompt.

5. The iSeries Access for Windows key database file is displayed.

Under Key database content, expand the drop-down list box and select Personal Certificates, then click the Import button. On the Import Key dialog, select a Key file type of PKCS12. Adjust the location and file name to the location of the SM.pubkr file exported from the HMC in step 1 of Step 5a. Click OK.

Note: Verify that a copy of the SM.pubkr file is used. The IBM Key Management import function converts the file into a format that cannot be used by WebSM.

IBM Key Management dialog box showing the Import Key options.

6. When prompted, type the password for the HMC public keyring file. The password is defp.

Password prompt dialog box shown when importing.

7. Click OK to accept the new certificate.

IBM Key Management dialog advising that new certificates have been added.

8. The HMC certificate now appears in the list of Signer Certificates. Close and exit the IBM Key Management utility.

IBM Key Management main dialog box with a list of signer certificates.
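The removable-media copy in step 1 of Step 5a (list the media with lsmediadev, mount it, copy SM.pubkr, unmount) can be wrapped in a small script; this is an added example, not from the page or from IBM. It assumes a POSIX shell with awk, the lsmediadev output format shown above (a constructed sample is embedded), and that the file handed to IBM Key Management is the copy on the media, so the HMC's original is never converted by the import (the note in step 5).

```shell
# Added example (not from the page or from IBM). Constructed sample of the
# lsmediadev output shown in step c; not captured from a real HMC.
SAMPLE_LSMEDIADEV='device=/dev/cdrom,mount_point=/media/cdrom,type=1,description=CD/DVD
device=/dev/fd0,mount_point=/media/floppy,type=2,description=internal diskette drive
device=/dev/sda1,mount_point=/media/sda1,type=3,description=USB flash memory device'

# Read lsmediadev output on stdin and print the mount point of the first
# device whose type field equals $1 (3 = USB flash in the sample). Exit
# status 1 if no such device is listed, so the caller never mounts "".
mount_point_for_type() {
  awk -F, -v want="$1" '
    {
      mp = ""; t = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "mount_point") mp = kv[2]
        if (kv[1] == "type")        t  = kv[2]
      }
      if (t == want && mp != "") { print mp; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# Copy the HMC public keyring onto the mounted media as SM.pubkr and verify
# the copy byte for byte. The original under /opt/ccfw/data is never handed
# to IBM Key Management, whose import rewrites the file it is given.
# Arguments: source keyring path, media mount point.
stage_pubkr_copy() {
  src="$1"; mp="$2"
  [ -f "$src" ] || { echo "keyring $src not found" >&2; return 1; }
  [ -d "$mp" ]  || { echo "mount point $mp is not a directory" >&2; return 1; }
  cp "$src" "$mp/SM.pubkr" && cmp -s "$src" "$mp/SM.pubkr"
}

# On the HMC, steps c through f of the page would chain as (not run here):
#   mp=$(lsmediadev | mount_point_for_type 3) &&
#   mount "$mp" && stage_pubkr_copy /opt/ccfw/data/SM.pubkr "$mp"; umount "$mp"
```

Whether the HMC restricted shell permits running such a script is not stated on the page; the functions can equally be typed one at a time.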

Step 5b: Verify the CA is in the key manager.

If the HMC is using an imported certificate signed by a CA that is already in the list of trusted Certificate Authorities for iSeries Access for Windows, then no further configuration is needed. If needed, add the CA signer certificate to the iSeries Access for Windows key manager. It should not be necessary to add the server public keyring file.

Step 6: Configure the PC5250 Remote Console session.

1. Select Start > Programs > IBM iSeries Access for Windows > Emulator > Start or Configure Session.
2. From the IBM Personal Communications - Session Manager dialog that appears, press the New Session button.
3. In the Configure PC5250 dialog:

a. Update the System Name to the HMC host name or TCP/IP address.
b. Set the port number to 2301.
c. Then press the Properties button.

PC5250 Communications configuration dialog box.

4. The Properties button launches the Connection dialog shown below.

a. Set the User ID sign on information to Use default User ID, prompt as needed.
b. Set the User ID to Q#HMC.
c. Set the Security to Use Secured Sockets Layer (SSL).
d. Set the Client certificate to use to Select certificate when connecting.
e. Click OK two times.

PC5250 advanced connection configuration dialog box.

5. Save the profile.

To save the workstation profile configuration for future use, click File > Save. Type a profile name, and click OK. The workstation save creates two files. Both file names are the same as the profile name, with extensions of .ws and .cae.

Note: Do not move or copy only the workstation profile file (extension .ws). Moving only this file results in the loss of the connection information, which causes a cwbco1048 connection error. When possible, create a shortcut to the profile rather than a copy. If the profile must be moved or copied, copy both files to the new location.

After connecting, the SSL connection is indicated in the status messages in the lower left corner of the emulator.

PC5250 emulation screen connected to the HMC at the language selection screen.


Historical Number

450925391

Document Information

Modified date:
22 September 2021

UID

nas8N1018887