Troubleshooting
Problem
This document lists the host servers that need a Digital Certificate assigned in order to use Secure Socket Layer (SSL) with the iSeries Access ODBC driver.
Resolving The Problem
For information on creating a System Certificate and assigning the System Certificate to the Client Access Host Servers applications, refer to Rochester Support Center Technote document N1010449, "Configuring the SSL Telnet and Access for Windows Host Servers for Server Authentication for the First Time". That Technote also contains information on the licensed products that are required in order to use Secure Socket Layer (SSL).
In order to use SSL with ODBC, the following applications should have the certificate listed in the Certificate Assigned field:
Central Server | License Management | Non-SSL uses port 8470 | SSL uses port 9470 |
Remote Command Server | RPC/DPC (Remote Command) | Non-SSL uses port 8475 | SSL uses port 9475 |
Signon Server | Sign-On Verification | Non-SSL uses port 8476 | SSL uses port 9476 |
Database Server | Database Access | Non-SSL uses port 8471 | SSL uses port 9471 |
Once configuration is complete, you should restart the Client Access Host Servers (ENDHOSTSVR *ALL, then STRHOSTSVR *ALL). Verify they are listening on the secure ports by typing NETSTAT *CNN and pressing PF14 to display the ports. You should see ports 9470 - 9471 and 9475 - 9476 (possibly others, depending upon which Client Access applications are assigned to use secure sockets) in a Listen state. If these ports are not in a Listen state after restarting the Host Servers, you will need to review the configuration Technote referenced above.
Once the applications are set up in Digital Certificate Manager, clients can be configured to use either an SSL or a non-SSL connection.
The option to use SSL for ODBC can be set in a Data Source by going into ODBC Administration, taking the option to 'configure' an existing Data Source or to 'create' a new one, and clicking on the [connection options] button on the General Tab. The choices are in the 'Security' section: 'Do not use Secured Sockets Layer (SSL)', 'Use Secured Sockets Layer (SSL)', or 'Use same security as iSeries Navigator connection'.
The option to use SSL can also be set using a Connection String Keyword. Keyword SSL defaults to 0 - 'Encrypt only the password'. Alternatively, it can be set to 1 - 'Encrypt all client/server communication'.
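A client-side counterpart to the NETSTAT check above, as an added example that is not part of the original Technote: it attempts a verified TLS handshake on each of the four SSL host server ports and builds a connection string with SSL=1. The host name, the CA file path, and the DRIVER and SYSTEM connection string values are assumptions for illustration; only the ports and the SSL keyword come from this document.

```python
import socket
import ssl

# SSL ports of the four host servers listed in the table above.
SSL_PORTS = {
    "Central Server": 9470,
    "Database Server": 9471,
    "Remote Command Server": 9475,
    "Signon Server": 9476,
}


def probe(host, port, cafile=None, timeout=3.0):
    """Return 'unreachable', 'tls-failed: <error>' or 'tls-ok: <protocol>'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # not listening, filtered, or host down
    # Verify the server certificate; pass cafile when the issuing CA is a
    # local one that is not in the client's default trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls-ok: " + tls.version()
    except (ssl.SSLError, OSError) as exc:
        return "tls-failed: " + exc.__class__.__name__


def check_host(host, cafile=None, ports=SSL_PORTS):
    """Probe every SSL host server port and map server name -> status."""
    return {name: probe(host, port, cafile) for name, port in ports.items()}


def odbc_connection_string(system, ssl_all=True):
    # SSL=1 encrypts all traffic; SSL=0 (the default) encrypts only the password.
    # DRIVER and SYSTEM values are assumed here, not taken from this document.
    return "DRIVER={iSeries Access ODBC Driver};SYSTEM=%s;SSL=%d;" % (
        system, 1 if ssl_all else 0)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "system.example.com"  # placeholder
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for name, status in check_host(host, cafile).items():
        print("%-22s %d  %s" % (name, SSL_PORTS[name], status))
    print(odbc_connection_string(host))
```

A port that reports tls-failed is listening but the handshake or certificate verification did not succeed from this client, which points at the certificate assignment or the client's trust store rather than at the host server not being started.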
Historical Number
512258648
Document Information
Modified date:
18 December 2019
UID
nas8N1018654