IBM Support

Host Servers Requiring a Digital Certificate Assigned to use Secure Socket Layer (SSL) with the iSeries Access ODBC Driver

Troubleshooting


Problem

This document lists the host servers that need a Digital Certificate assigned in order to use Secure Socket Layer (SSL) with the iSeries Access ODBC driver.

Resolving The Problem

For information on creating a System Certificate and assigning the System Certificate to the Client Access Host Servers applications, refer to Rochester Support Center Technote document N1010449 Configuring the SSL Telnet and Access for Windows Host Servers for Server Authentication for the First Time. This technote document also contains information on the licensed products that are required in order to use Secure Socket Layer (SSL).

In order to use SSL with ODBC, the following applications should have the certificate listed on the certificate assigned field:

Central ServerLicense Management Non-SSL uses port 8470SSL uses port 9470
Remote Command ServerRPC/DPC (Remote Command)Non-SSL uses port 8475SSL uses port 9475
Signon ServerSign-On VerificationNon-SSL uses port 8476SSL uses port 9476
Database ServerDatabase AccessNon-SSL uses port 8471SSL uses port 9471


Once configuration is complete, you should restart the Client Access Host Servers (ENDHOSTSVR *ALL, then STRHOSTSVR *ALL ). Verify they are listening on the secure ports by typing NETSTAT *CNN, and pressing PF14 to display the ports. You should see ports 9470 - 9471 and 9475 - 9476 (possibly others, depending upon which Client Access applications are assigned to use secure sockets) in a Listen state. If these ports are not in a Listen state after restarting the Host Servers, you will need to review the configuration Technote referenced above.

Once the applications are set up in Digital Certificate Manager, clients can be configured to use either an SSL or a non-SSL connection.

The option to use SSL for ODBC can be set in a Data Source by going into ODBC Administration, taking the option to 'configure' an existing Data Source or to 'create' a new one, and clicking on the [connection options] button on the General Tab. Choices are in the 'Security' section. You should choose 'Do not use Secured Sockets Layer (SSL)', 'Use Secured Sockets Layer (SSL)', and 'Use same security as iSeries Navigator connection'.

The option to use SSL can also be set using a Connection String Keyword. Keyword SSL defaults to 0 - 'Encrypt only the password'. Alternatively, it can be set to 1 - 'Encrypt all clients/server communication'.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Historical Number

512258648

Document Information

Modified date:
18 December 2019

UID

nas8N1018654