Admin Alert: A Primer For Setting Up PC5250 SSL Connectivity, Part 2
October 23, 2013 Joe Hertvik
Last issue, I published Part 1 of a primer for setting up IBM i PC5250 Telnet sessions to use Secure Sockets Layer (SSL) encryption. That article described everything you need for configuring your IBM i server to use SSL Telnet. This issue, I’ll look at the PC Windows side and show you how to configure your IBM i Access for Windows clients to use SSL when starting Telnet sessions.
Revisiting The Overview
Last time, I listed out these six basic steps for configuring Telnet SSL connectivity between a PC and an IBM i partition. These steps are performed in your IBM i Digital Certificate Manager (DCM), on your network, and on your PCs running IBM i Access for Windows.
On your IBM i server using the Digital Certificate Manager (DCM):
1. Set up or identify the local Certificate Authority (CA) certificate that can be downloaded to your Access for Windows PC.
2. Configure your IBM i Telnet Server and associated Host Servers to use the local CA defined in step 1 for authentication.
On Your Network
3. Allow network traffic over port 992.
On Your PCs Running IBM i Access for Windows
4. Install the SSL component to your IBM i Access for Windows setup, if it isn’t already present on the PC.
5. Use System i Navigator to download the IBM i local Certificate Authority certificate to your Access for Windows setup.
6. Configure your PC5250 Telnet sessions to connect over SSL.
I covered items 1 and 2 in Part 1. This time, we’ll discuss the network and client configuration steps in items 3 through 6. Taken together, all six steps will allow you to create encrypted PC5250 Telnet sessions that can be connected to your IBM i partitions.
Note: This setup was configured and tested using the Digital Certificate Manager included with the IBM i 6.1 operating system, and the PC5250 software included with IBM i Access for Windows 7.1. There may be some differences in the configuration instructions if you are using other versions of these products.
Step 3: Allow network traffic over port 992.
In order to connect PC5250 Telnet sessions through SSL, your network must allow traffic to port 992 on the partition, because SSL Telnet listens on port 992 rather than on port 23, the default Telnet port. If you want to force your network users to use only Telnet SSL sessions to your IBM i partition, talk to your network administrator and shut down port 23 traffic to your partition.
Step 4: Install the SSL component on your IBM i Access for Windows setup, if it isn’t already present on the PC.
The next step is to set up your IBM i Access for Windows PCs to use SSL. You do this by adding the SSL component of IBM i Access to your Windows PC setup. You can do this on your target PCs by doing the following:
1. Go into the Windows Control Panel and select Add or Remove a Program
2. Right-click on the IBM i Access for Windows 7.1 icon
3. Select Change from the pop-up menu that appears. This will trigger the InstallShield wizard for IBM i Access for Windows.
4. Click on the Next button until you get to the Program Maintenance screen shown here:
[Screenshot: Program Maintenance screen of the IBM i Access for Windows InstallShield wizard]
5. Click on the Modify radio button on this screen. Then click on the Next button until you get to the Custom Setup screen (shown below). Scroll down on the Custom Setup screen until you see the Secure Sockets Layer (SSL) feature. Click on the SSL button and select either “This feature will be installed on a local hard drive” or “This feature and all its sub-features will be installed on a local hard drive” from the options that appear.
[Screenshot: Custom Setup screen with the Secure Sockets Layer (SSL) feature selected]
6. Click Next and finish the installation.
Once the installation is finished, your IBM i Access for Windows setup will be configured to use SSL in its processing. Proceed with Step 5.
Step 5: Use System i Navigator to download the IBM i local Certificate Authority certificate to your Access for Windows setup.
In order to use SSL for your IBM i Access for Windows PC5250 sessions, you first need to download the SSL key database file, which holds the partition’s local Certificate Authority certificate. This key database is used when the PC connects to your partition’s SSL setup.
To download the SSL key database, go into the System i Navigator program that came with IBM i Access for Windows. Highlight and right-click on the icon for the system that you’re setting up for SSL connectivity. Select Properties from the pop-up menu that appears. On the Properties panel (shown below), click on the Secure Sockets tab and you’ll see the following screen appear.
[Screenshot: System i Navigator system Properties panel, Secure Sockets tab]
Click on the Download button in the i5/OS Certificate Authority section of this screen. You’ll see a screen show up indicating that the SSL key database is being downloaded.
The download function will then use the following screen to ask you where you want to store the SSL key database on your PC and to enter the password for that database.
[Screenshot: key database download prompt asking for the file location and password]
Take the default option shown on the screen for the key database name and location. Unless you’ve specifically changed the key management database password, type CA400 into the password field on this screen. CA400 is IBM’s default password for the SSL key database.
After the SSL key database file finishes downloading, you’ll see the following screen.
After downloading the SSL key database, look again at the Secure Sockets tab on the system Properties screen in System i Navigator. That tab contains a checkbox labeled Use Secure Sockets Layer for Connection. If I’m using SSL just for PC5250 Telnet sessions, I generally leave this check box blank. If I check this box, all IBM i Access for Windows features will be required to use SSL. For our purposes, leave it blank, but if you have issues with your PC5250 SSL Telnet sessions you may want to try turning it on.
Step 6: Configure your PC5250 Telnet sessions to connect over SSL.
The final step is to configure your PC5250 sessions to require an SSL connection. If you didn’t check the Use Secure Sockets Layer for Connection check box on the Secure Sockets tab of System i Navigator, you can choose for each PC5250 session whether or not it uses SSL. However, if you did check Use Secure Sockets Layer for Connection on the System i Navigator Properties screen, all of your PC5250 sessions will require SSL to connect to your server.
To configure a PC5250 session for SSL Telnet, click on Communications→Configure from the PC5250 menu bar in the target session. On the Configure PC5250 screen that appears, click on the Properties button and a Connection screen that looks like this will appear.
To configure this PC5250 session for SSL Telnet, click on the Use Secured Sockets Layer (SSL) and the Use Default radio buttons in the Security box area of this screen. Then click on OK on the Connection screen and click OK again on the Configure PC5250 screen to make the change. PC5250 will then close your existing Telnet connection to your server and attempt to reopen it as an SSL Telnet session using port 992.
You can verify that your PC5250 session is connecting via SSL by looking at the Status Bar History for this session. Open the Status Bar History by selecting View→Status Bar History from the PC5250 menu bar. You’ll see a screen that looks like this.
Look for any messages that reference connecting to your IBM i partition through Port 992. If you have a successful connection to port 992, you’ll know that this PC5250 Telnet session is attaching to your partition through SSL.
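The two conditions that Step 3 and this verification step rely on, that the partition answers on port 992 and, once plain Telnet has been shut off, no longer answers on port 23, can also be checked from a PC outside PC5250. The following Python script is an added example written for this article; it is not code from the original column or from IBM. The host name in it is a placeholder, and the ssl_telnet_peer_certificate function assumes you have the partition’s local CA certificate as a PEM file (the .kdb key database that System i Navigator downloads is a different format, so the CA would have to be exported from DCM separately).

```python
"""Check the Telnet posture of an IBM i partition from a PC: the SSL Telnet port (992)
should answer and, if the network team has shut down plain Telnet, port 23 should not.
Added illustration for this article; not code from the column or from any IBM product."""
import socket
import ssl

SSL_TELNET_PORT = 992    # SSL/TLS Telnet, the port PC5250 uses for SSL sessions
PLAIN_TELNET_PORT = 23   # default, unencrypted Telnet


def port_is_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out), or unresolvable host
        return False


def telnet_posture(host, ssl_port=SSL_TELNET_PORT, plain_port=PLAIN_TELNET_PORT, timeout=3.0):
    """Summarise which Telnet listeners are reachable and whether that matches the
    SSL-only target of Step 3: port 992 reachable, port 23 not."""
    ssl_open = port_is_open(host, ssl_port, timeout)
    plain_open = port_is_open(host, plain_port, timeout)
    return {
        "ssl_telnet_reachable": ssl_open,
        "plain_telnet_reachable": plain_open,
        "ssl_only": ssl_open and not plain_open,
    }


def ssl_telnet_peer_certificate(host, cafile, port=SSL_TELNET_PORT, timeout=5.0):
    """Complete a TLS handshake on the SSL Telnet port, verifying the server certificate
    against cafile, and return the negotiated protocol and the peer certificate's subject.
    Assumption: cafile is the partition's local CA certificate in PEM form (exported from
    DCM); the .kdb key database System i Navigator downloads is not usable here as-is.
    Raises ssl.SSLError if the certificate does not chain to that CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # a DCM-issued cert's CN often differs from the name typed here
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # getpeercert() returns the subject as a tuple of RDNs, each a tuple of (key, value)
            subject = {key: value for rdn in cert.get("subject", ()) for (key, value) in rdn}
            return tls.version(), subject


if __name__ == "__main__":
    import sys
    # Placeholder partition name; replace with the host your PC5250 session connects to.
    target = sys.argv[1] if len(sys.argv) > 1 else "ibmi-partition.example.internal"
    print(telnet_posture(target))
```

Run it as `python telnet_posture.py your-partition`; a result with `ssl_only` set to True means the partition answers on 992 and not on 23, which is the state Step 3 aims for. The TLS helper goes one step further than the port 992 message in the Status Bar History: it only returns if the server’s certificate actually chains to the CA you supply, so a partition that is listening on 992 with a certificate issued by some other authority is reported as an error rather than a success.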
The Final Step
At this point, your PC should be set up to use SSL for its PC5250 Telnet sessions. Repeat this setup on any other PCs that need to use SSL and you’ll be enabled for SSL Telnet access throughout your organization.
Follow Joe Hertvik on His Blog, on Twitter, and on LinkedIn
Check out Joe’s blog at joehertvik.com, where he focuses on computer administration and news (especially IBM i); vendor, marketing, and tech writing news and materials; and whatever else he comes across.
Joe Hertvik is the owner of Hertvik Business Services, a service company that provides written marketing content and presentation services for the computer industry, including white papers, case studies, and other marketing material. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago. Joe is a contributing editor for IT Jungle and has written the Admin Alert column since 2002.