Download presentation
Presentation is loading. Please wait.
1
Configuring the iSeries Access Servers to Use SSL
Patrick Botz IBM STG Lab Services, Security Architecture and Implementation Consulting (c) Copyright IBM Corporation, All Rights Reserved This publication may refer to products that are not currently available in your country. IBM makes no commitment to make available any products referred to herein. (c) Copyright IBM Corporation, All Rights Reserved This publication may refer to products that are not currently available in your country. IBM makes no commitment to make available any products referred to herein.
2
Objectives Using a local Certificate Authority (CA)
Create a local CA on your iSeries Create a system certificate Install server certificates Assign certificates to applications (iSeries Access Servers) Install the Local CA certificates On your PC In iSeries Access Setting up PC5250 Client Authentication Create a client certificate on your iSeries Export client certificate to client Enable telnet server for client authentication Configure prompting modes in iSeries Access
3
Objectives (continued)
Using a well-known Certificate Authority (CA) Obtain digital certificate Assign certificate to applications (iSeries Access Servers) Configure the iSeries Access functions to use SSL
4
Server Authentication Secure Sockets Layer (SSL) Flow
The server is authenticated when iSeries Access Client sends a secure connection request to iSeries Access Server Server sends Client its digital certificate Client verifies the server's certificate and determines if it trusts the issuer of the certificate After server authentication is complete Session keys are negotiated and the rest of the flows are encrypted. iSeries Access Servers Browser determines if it trusts the issuer of the server certificate by looking in the list of signers of certificates. If the server certificate's signer is not in this list, the certificate is not automatically trusted. This is the step that throws most users when using a self-signed server certificate. (That is, the server is using a certificate signed by an AS/400.) To have this work, you've got to get the AS/400 CA certificate into the browser's list of trusted signers. Also need to get the concept across that the server is always authenticated - it is optional whether you authenticate the client iSeries Access for Windows Clients List of trusted signers this day of , , by DIGITAL CERTIFICATE OWNER CA Express Server IBM Corp
5
Client Authentication Secure Sockets Layer (SSL) Flow
The client is authenticated when iSeries Access Client sends a secure connection request to Server. Server sends its certificate, and requests a client certificate. Client validates the server certificate, and sends its certificate to the Server. Server validates the client certificate. After client authentication is complete Session keys are negotiated and the rest of the flows are encrypted. Browser determines if it trusts the issuer of the server certificate by looking in the list of signers of certificates. If the server certificate's signer is not in this list, the certificate is not automatically trusted. This is the step that throws most users when using a self-signed server certificate. (That is, the server is using a certificate signed by an AS/400.) To have this work, you've got to get the AS/400 CA certificate into the browser's list of trusted signers. Also need to get the concept across that the server is always authenticated - it is optional whether you authenticate the client iSeries Access Servers iSeries Access for Windows Clients this day of , , by DIGITAL CERTIFICATE OWNER CA Express Server IBM Corp List of trusted signers
6
Creating a Local CA on your iSeries and creating a system (server) certificate...
7
Obtaining a server certificate from a local CA (the iSeries)
(2) Create Local CA Create Server Cert Digital Certificate Manager (DCM) (3) (1) Certificate stores iSeries Server Web Browser
8
Step 1: Obtaining a server certificate from a well-known CA - Details
Logon to the iSeries Tasks page. Enter the URL Signon with your OS/400 or i5/OS userid and password (you must have *ALLOBJ and *SECADM) On the tasks page, click Digital Certificate Manager
9
Click on "Create a Certificate Authority" on the left
Then, select "Local Certificate Authority" on the right
10
Complete the form page and click OK.
Note: Each store has its own password Hint: Don't forget this password. You'll need it to work with this certificate store in the future.
11
The Install Certificate link allows you to install the CA certificate on your browser. If you want your browser to recognize certificates issued by this intranet CA, you can download the intranet CA certificate now (or do it later.) You can go ahead and do this, especially if you are going to have web applications that use https. However, putting the CA certificate in your browser won't help you with SSL and the Client Access Express servers. You need to get this certificate in your Client Access Express key database, which defaults to cwbssldf.kdb To verify that it was installed on your browser, click on the Security icon, then click on Signers. Note: Installing certificate with IE will start an IE wizard for importing a certificate.
12
Select Yes if you want to allow the creation of user certificates from this CA. This is needed for Client Authentication Click OK You have now created a local CA on your iSeries!!!
13
Policy data for CA was changed message will be shown along with a list of registered applications.
Click on Continue button
14
You may not want to specify a zip code because it's not a required field and is not supported by all browsers. In particular, Netscape 4.5, 4.51 and 4.6 will fail on the certificate validation step if a zip code is specified. Netscape says it will be fixed in 4.7 Fill out the Create a System Certificate form. Note: This password is different than the CA Store. Info on bottom cut off about IPV6 is for VPN. Read help on VPN for info. Ignore for now. Click OK
15
Configuring an Application to Use a Server Certificate ...
16
System Certificate created message will be shown along with a list of registered applications.
Choose the application that will use the certificate you just created. This associates the digital certificate the server is going to use on the server authentication portion of the SSL-handshake. Click OK If they use exit points, these names will look familiar because it's the same name used in the registration facility to identify the server exit points. Ugly, I know - fixed in a future release :-)
17
Object Signing Click on Continue enable your system to sign objects
Note: This is not needed for iSeries Access, so could be done later.
18
* Fill in form * Click on OK
19
You have now: enabled the iSeries to be a CA created your first server (or system) certificate signed by your CA assigned that certificate to the iSeries Access servers After you have created your first certificate, the system creates a "*SYSTEM certificate store." As you create more certificates or import them from well-known CAs, you will probably want to store them in the *SYSTEM certificate store.
20
Servers to enable for iSeries Access Functions
5250 Display & Print Sign-on, Central, Telnet Data Transfer Sign-on, Central, Database Base Ops Nav Sign-on, Remote Command All Ops Nav Function Signon, Remote Command, File,Print, Database, Web Admin,Mgmt Central, Directory, Data Queue ODBC Sign-on, Database OLE DB Sign-on, Database, DDM, Remote Command, Data Queue AFP Viewer Sign-on, Print If Application Administration is being used, then always enable Remote Command. Also, Central may be required if translation tables need to be downloaded for other languages. There is no harm in using the same certificate for all applications There is no harm in assigning a certificate to applications even if you do not intend to enable them to use SSL.
21
Getting a CA certificate into the iSeries Access for Windows Client's list of trusted signers ...
22
Installing SSL on your Client
Click on Selective Setup in the IBM iSeries Access for Windows folder. Follow the wizard - specify where you are going to install from Look for, then expand the SSL choices. Choose the encryption strength to install. Hints: if SSL does not show up in the list of choices, you are either not authorized to the directory \QIBM\ProdData\CA400\Express\SSL or you need to install one of the encryption products (CE2 or CE3) The encryption products must be installed from an AS/400 directory - they are not on the iSeries Access install CD in V5R2 and earlier. For V5R3, the SSL component is shipped on that CD. Verify that Secure Sockets Layer (SSL) is under the "Added components" heading In the iSeries Access for Windows folder you will see a new IBM Key Management icon as well as a new tab Secure Sockets in the iSeries Access for Windows Properties dialog.
23
Installing CA onto client PC
A download button is available in iSeries Navigator to easily move the CA into the 2 key databases used by iSeries Access: iSeries Access key database Java key database (used by Java components of iSeries Navigator) Right-click on system name in iSeries Navigator, and choose "Properties". From "Secure Sockets" tab, check box to enable SSL. Click on "Download" button. Restart iSeries Navigator for SSL to take effect for iSeries Navigator Note: The "Secure Sockets" page in System Properties is new for V5R1. In V4R4 and V4R5, the checkbox for enabling SSL was on the "Connection" tab. In V4R4 and V4R5, the ability to download the CA with a single button was done via a separate tool downloadable from the web. In V5R1, it was integrated into V5R1. An enhanced version of the tool is available on the web for download also.
24
Enabling iSeries Navigator for SSL...
Note: Trying to access a pre-V4R4 system via Op Nav using SSL will fail !! SSL is not supported before V4R4. After restarting iSeries, notice the padlock on the iSeries you just configured to use SSL Also, once SSL is turned on in iSeries, all other iSeries Access applications that are started from that point on will also get SSL as the default (including 3rd-party apps that use iSeries Access APIs.)
25
Enabling SSL on iSeries Access functions
26
Enabling PC5250 Sessions for SSL...
Open your 5250 session. From the menu bar, click Communication, then select Configure Select Properties Click on Secured with SSL Click on Apply or OK.
27
Enabling Data Transfer for SSL
Open the Data Transfer you want to configure to use SSL. From the menu bar, click File->Properties From Properties, click the Connection tab. From Connection, choose which option you want. Click OK You can save this data transfer by using File->Save
28
Enabling ODBC for SSL Launch ODBC Administration
Click on the User DSN tab Double-click on the user Data Source you want to configure to use SSL. Click on Connection Options in the General tab. Select Use Secured Sockets Layer (SSL) under the Security heading Click OK Close the ODBC Setup. Current connections must be closed and re-opened to take effect
29
Creating Client Certificate for Client Authentication
30
Enabling Client Authentication in DCM
Client Authentication of the telnet server is available on V5R1 and later Start with the main DCM screen below, and click on "Create Certificate" in the left navigation pane.
31
Creating User Certificate
Select "User Certificate" as the type of certificate. Click on the Continue button.
32
Certificate Information
Fill out the Certificate Information. The address is not used by iSeries Access for Windows. Bottom section will only be displayed to Netscape users Click on Continue
33
Private Key Generation
If using Netscape, this screen is shown Click on OK With Internet Explorer, this screen will not appear
34
Click on the Install Certificate link
35
If using Netscape, then... With Netscape, click on Communicator->Tools-> Security Info. Netscape will prompt for key database password too. Click on the certificate, then on the Export button When prompted, save the certificate as a PKCS12 file. Password protect the file.
36
If using Internet Explorer, then...
From the toolbar, select Tools->Internet Options From the Content page, click on Certificates Highlight the certificate and select Export
37
Exporting a certificate with IE continued...
The certificate export wizard starts. Select Next Then select Yes, export the private key and then Next Then select the Personal Information Exchange button and then Next
38
Exporting a certificate with IE continued...
Next you will be prompted for a password to protect the file. Enter a password and confirmation. Select a location to save the file, and select Next Select Finish to complete the export
39
Enabling Telnet Server for Client Authentication
Click on "Select a Certificate Store" Select *System Click on Continue
40
Under "Manage Applications", select "Update Application Definition"
Select "Server" in the right pane.
41
Select the TCP/IP Server
Click on "Update Application Definition" (bottom of dialog)
42
Select "Yes" for Client Authentication Required.
43
Note that this will take effect immediately
Note that this will take effect immediately. Telnet does not have to be restarted. Click the Apply button
44
Configuring Client Authentication on the PC
45
Once the client certificate is stored in a PKCS12 file, it must be imported into the iSeries Access key database. The preferred way to start the IBM Key Database Management program is through Control Panel Start->Settings->Control Panel, then double-click on "Client Access". Select the "Secure Sockets" tab, and then click on the IBM Key Management button If you start this program an alternate way, the key database name won't be filled in by default, and you will have to browse for it.
46
Importing Personal Certificate
From the pull-down, choose "Personal Certificates" Then click on the "Import" button on the right
47
Importing Personal Certificate (continued)
Specify the PKCS file you saved earlier Enter the password you saved for it.
48
Setting Prompting for Key Database Password
Set the prompting mode for the key database password (optional) Specify how often you want to be prompted.
49
Enabling Client Authentication on PC
From PC5250 Config: Click on Properties Select "Use Default" This is optional Selecting "Select Certificate.." causes extra prompt.
50
Connecting with Client Authentication
When attempting a PC5250 connection, the above dialog appears. Enter your key database password (default password is "ca400").
51
Obtaining a certificate from a well-known CA ...
52
Obtaining a server certificate from a well-known CA
Authority Digital Certificate Manager (4) Certificate store (3) (2) Equifax ... (1) Internet Web Browser iSeries Server
53
Click on "Select a Certificate Store"
Select "*System" Select "Create Certificate" on left Select "Server or client certificate" Click Continue
54
Select "Verisign or other Internet Certificate Authority"
Click on Continue
55
Server name is the TCP/IP host_name.domain_name of your iSeries.
You may not want to specify a zip code because it's not a required field and is not supported by all browsers. In particular, Netscape 4.5, 4.51 and 4.6 will fail on the certificate validation step if a zip code is specified. Netscape says it will be fixed in 4.7 get the server name from the system TCP/IP configuration The longer the key size, the more time the encryption will take - if performance is really an issue (then you won't use SSL - editorial comment) you may want to use the shortest key - if not, use the longest. Fill out form. Hints: Server name is the TCP/IP host_name.domain_name of your iSeries. Spell out your state Don't specify the zip code Click OK
56
Copy the certificate request to the clipboard.
MAKE SURE you select the area that includes "BEGIN NEW CERTIFICATE REQUEST" through the area that ends with "END NEW CERTIFICATE REQUEST -----" Some Internet CAs refer to this certificate request as Certificate Signing Request (CSR). The cert request consists of an encrypted data string the represents the new certificate's public plus the information from the form you filled-out
57
Example of requesting a certificate from VeriSign at www.verisign.com
The cert request consists of an encrypted data string the represents the new certificate's public plus the information from the form you filled-out
58
Paste the certificate request from DCM into the box.
An example of requesting a certificate from VeriSign. You can get SSL server certificates for 14 day free trials. Paste the certificate request from DCM into the box.
59
Hints to this point ... Tips for getting the certificate to the AS/400 Create a new directory under root through Op Nav or MKDIR before you ftp to the AS/400, make sure it's set to use path names rather than library/object After logging on to AS/400 type 'bin' to send the file in binary form. Next do cd /new_directory_name (get the slash going the right direction) Next do put filenameonyourPC.txt It's there ! Now quit You will be sent a certificate to the address you specified in the server certificate request. Cut and paste the certificate into a .txt file on your PC. ftp or map a drive to your iSeries to store the file in IFS
60
Back in DCM, click on "Select a Certificate Store", and select *System
In the left panel, select "Manage Certificates", then Import Certificate On the Import Certificate form, specify the path name of the IFS file name where you placed the certificate sent back to you by the well-known CA Click OK Now DCM takes the VeriSign certificate and puts it in the *SYSTEM certificate store
61
Click on Update certificate assignment under "Manage Applications"
Select the iSeries Access Servers that you need. Click on Update certificate assignment button at the bottom
62
If you are using a well-known CA, configuration is complete and you are ready to go!!!
63
Software Requirements
OS/400 release V4R4 or later or i5/OS IBM HTTP Server for iSeries (5769-DG1) Digital Certificate Manager (5769-SS1, option 34) IBM Cryptographic Access Provider (5722-AC2 or AC3) iSeries Client Encryption (5722-CE2 or CE3)
64
For More Information AS/400 Client Access Express for Windows: Implementing V4R4, SG (redbook) Webmaster's Guide, GC41-543 Tips and Tools for Securing Your AS/400, SC AS/400 Internet Security: Developing a Digital Certificate Infrastructure, SC (redbook)
65
Appendix: How to manually copy CA to PC (Alternative to using "Download" button)
66
Select "Copy and Paste certificate" from DCM.
"Install Certificate" link will not work for iSeries Access
67
Copy certificate from the ---BEGIN through CERTIFICATE---
In the menu bar, click Edit->Copy In the task bar, click Start->Programs->Accessories->Notepad On the menu bar, click Edit->Paste On the menu bar, click File->Save As. Call the file your_iSeries_name-CA.arm. Save in C:\Program Files\IBM\Client Access
68
Go to the iSeries Access for Windows program group
Double click on the IBM Key Management shortcut (this may take a few minutes) Choose Signer Certificates from the drop down Click on Add
69
In the Location field, enter the pathname of the CA certificate you stored earlier
Hint: If you use the Browse button to find the location and click Open, it will fill in the pathname for you. Click OK Now you will be asked to provide a name (label) for the certificate Click OK
70
this tool will also take care of the Java key database
this tool will also take care of the Java key database. If they just use IKEYMAN the java-enabled functions in Op Nav will fail. The iSeries CA certificate now is in iSeries Access's list of trusted signers. Note: These steps do not put the certificate into the Java Toolbox key database, so parts of iSeries Navigator will not work over SSL.
71
STG Lab Services www.ibm.com/eserver/services
A 14 year track record…proven methods & techniques, worldwide results STG Lab Services To learn more about how STG Lab Services can help you attain your sales objectives, see us in the Solutions Center or contact a Lab Services Opportunity Manager: System i (WW, AG) Mark Even, (507) , Pete Cornell, (507) , System p Stephen Brandenburg, (301) , Greg Mallare, (727) , System x Michael Karchov, (919) , Mike Sigl, (425) , System z Jerry Koger (623) , System Storage (WW, AG) Kevin Bogart, (919) , Optimization Studies (WW, AG) Marlin Maddy, (877) , Solutions Mohsen Nikbakhshian, (301) , AP System i, z System p, x Storage US contact for AP Jenny Chen, , Zhe Xu, x306, Jin-Ming Liu, (507) , Europe SWE & NEE IOT’s Benoit Sirot. , Gerard Barneaud. , The STG Lab Service teams can be engaged through technical support and STG sales teams. Business Partners can use Lab Services for acquiring skills by working side-by-side with Lab Services on their own solution, or skills from Lab Services can be subcontracted by the Business Partner on their own engagements. Lab Services has a proven track record of revenue influence in its engagements in the delivery of emerging products and technology, which in turn enables early client success and satisfaction. Lab Services also provides services in niche and mature/end of life markets on important products and/or technologies used by a limited number of clients, where skills may not be available through other service providers. For more information on STG Lab Service offerings or if you wish to discuss a specific example, please visit the Lab Services pedestal in the Solution Center, or contact one of the listed Opportunity Managers.
72
STG Lab Services Workshops in Open Sessions – given by Thomas Barlen
iSeries / System i Security Overview and Implementation, 3 days QI71V0NL - Amsterdam ( The Netherlands ) / 12, 13 & 14 June QI71V0BE - Brussels ( Belgium ) / 16, 17 & 18 October Simplifying Sign on Processes and Eliminating Passwords with Single Sign On, 3 days QI72V0BE - Brussels ( Belgium ) / 18, 19 & 20 September QI72V0NL - Amsterdam ( The Netherlands ) / 6, 7 & 8 November Protecting Sensitive Information in your Database with i5/OS Encryption, 3 days QI73V0NL - Amsterdam ( The Netherlands ) / 11, 12, 13 September Details : on the IBM Training stand ibm.com/training/be/nl/iseriesworkshops
73
Trademarks and Disclaimers
8 IBM Corporation All rights reserved. References in this document to IBM products or services do not imply that IBM intends to make them available in every country. Trademarks of International Business Machines Corporation in the United States, other countries, or both can be found on the World Wide Web at Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. Information is provided "AS IS" without warranty of any kind. The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. Photographs shown may be engineering prototypes. Changes may be incorporated in production models.
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.