
Technical Notes

Connecting to an iSeries or AS/400 Using SSL and Reflection for the Web
Technical Note 1759
Last Reviewed 30-May-2008
Applies To
Reflection for the Web 2008 (All Editions)
Reflection for the Web version 8.0 through 9.6
Summary

This technical note describes how to set up Reflection for the Web to connect over SSL-enabled Telnet to an iSeries or AS/400, using a self-signed certificate.

Note: These general steps also apply when configuring Reflection to use a certificate and key pair issued by a certificate authority (CA); however, it is recommended that you configure and test your SSL environment using a self-signed certificate before implementing a production certificate from a CA.

Important: The security for Reflection depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. The recommendations in this note are general guidelines and should be evaluated in the context of your own computing needs and environment.

The Process

There are four steps involved in setting up Reflection for the Web to connect to an iSeries or AS/400 over SSL:

Note: Once you have fully tested the SSL/TLS support, you can repeat steps 3 and 4 using a Certificate Authority (CA) signed certificate.

Step One—Prepare the AS/400 for SSL

Before creating SSL certificates, the Digital Certificate Manager (Option 34 of 57xx-SS1) utility and the Cryptographic Access Provider (57xx-AC3) must be installed and configured on your AS/400.

Once this is done, follow the steps below to create a server certificate and assign it to a Telnet service before proceeding.

  1. Using the Digital Certificate Manager, create a certificate authority certificate for your AS/400.

For more information on creating certificates and assigning certificates to applications, see the iSeries Information Center at http://publib.boulder.ibm.com/pubs/html/as400/infocenter.html.

  2. Open the Digital Certificate Manager and click Select a Certificate Store.
  3. Select *SYSTEM and click Continue.
  4. Enter the Certificate store password and click Continue.
  5. Select View application definition and click Continue.
  6. Select Server and click Continue.
  7. Locate the QIBM_QTV_TELNET_SERVER application and verify that the correct certificate is assigned. For example:
QIBM_QTV_TELNET_SERVER myhost.mycompany.com

Verify the Setup

To apply the change to the Telnet server, restart it (ENDTCPSVR SERVER(*TELNET) followed by STRTCPSVR SERVER(*TELNET)) or cycle the iSeries or AS/400 TCP/IP stack. Once the server is back up, the port you configured for secure connections should be listening.

Run the OS/400 command NETSTAT *CNN (Work with TCP/IP Connection Status) and verify that the telnet-ssl local port (992 in the default service table) is in the Listen state.

Sample display:

Remote Address   Remote Port   Local Port   Idle Time   State
*                *             www          001:30:33   Listen
*                *             Telnet       261:48:39   Listen
*                *             telnet ->    070:54:37   Listen

* The Local Port entry telnet -> expands to telnet-ssl. Press F14 to view the port number where telnet SSL is running.

Step Two—Create a Self-Signed Certificate

Using the Digital Certificate Manager (DCM) create a self-signed certificate and assign it to the Telnet Server. For more information on creating certificates and assigning certificates to applications, see the iSeries Information Center at http://publib.boulder.ibm.com/pubs/html/as400/infocenter.html.

Note the following:

  • While creating the certificate, enter the fully-qualified host name in the Common Name field of the certificate.
  • In the Install Local CA Certificate on Your PC dialog box, select Copy and Paste Certificate.
    1. Copy the entire certificate, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. For example:
-----BEGIN CERTIFICATE-----
MIICYzCCAcygAwIBAgIEPbb1+QQFADB2MQswCQYDVQQGEwJ
UzETMBEGA1UECBMjA4GA1UEBxMHU2VhdHRsZTEMMAoGA1UE
ChMDV1JRMQwwCgJDAiBgNVBAMTG1Bvcmt5IENlcnRpZmljY
IEF1dGhvcml0eTAeF4MThaFw0xMTAxMDkxOTE4MThaMHYxC
-----END CERTIFICATE-----

    2. Paste the certificate to Notepad and save the file with a DER extension. For example, mycert.der.

Note: Notepad may automatically add a TXT extension. Check the file to make sure it has a DER extension before proceeding.

  • If you plan to implement client authentication, you must also create a client certificate. (Steps for creating client certificates are not provided in this technical note.)
  • The administrator must maintain physical security of the management server and proxy server. That is, no one other than the administrator should be able to physically access the servers, and no unauthorized individuals should be able to access the key store folders on the server. The security of the servers is important to prevent compromise of the certificates.

Step Three—Transfer or Extract the Certificate

Once you have created and saved the self-signed certificate, copy the certificate file to the web server's \ReflectionData\certificates folder and import it into the emulator applet's trusted certificate list using the Administrative WebStation (AWS) certificate manager, as described under How to Implement below.

SSL Direct to the Host

When using SSL direct to the host, the host certificate is used to authenticate the host to the emulator applet.

The host certificate is stored in the Reflection management server’s trusted certificates store. The emulator applet retrieves the host certificate from the management server and caches it locally. The emulator applet authenticates the host using this certificate.

CA-signed or Self-signed

If the SSL enabled host is being used only with Reflection for the Web emulator clients, then a self-signed host server certificate is sufficient. The emulator applet uses a trusted certificate store that is deployed centrally from the management server, so it is simple to deploy the host’s certificate to the trusted certificates store of all the clients.

However, if the host is being used with Windows-based Reflection clients, such as Reflection for IBM or Reflection for UNIX and OpenVMS, then a CA-signed certificate should be installed on the host. This avoids untrusted certificate errors when the Windows-based Reflection clients attempt to connect to the host.

Whether you use a CA-signed or a self-signed certificate on the host, for maximum security, the option to verify server identity should be enabled in the Administrative WebStation. This option (which is enabled by default) causes the emulator applet to compare the host name entered in the session with the common name on the host certificate and to refuse the connection if they differ. Check this setting on the Administrative WebStation > Security Setup > Security tab (in versions earlier than 8.5, on the Administrative WebStation > Settings > Security tab). In the Enable Client Verification of Server Identity section, the "Enable server identity verification" check box should be selected.

How to Implement

To import a self-signed or CA-signed certificate and private key to a host, use the tools specific for that host.

Import the host certificate on the Administrative WebStation > Security Setup > Certificates tab (in versions earlier than 8.5 on the Administrative WebStation > Settings > Certificates tab) in the Administer Terminal Emulator Applet Trusted Certificate List section. Click "View or modify certificates trusted by the terminal emulator applet."

Import the self-signed certificate here.

For a CA-signed certificate, review the "Trusted Root Certificate Authorities" section on the Administrative WebStation > Settings > Certificates tab. In the Administer Terminal Emulator Applet Trusted Certificate List section, click "View or modify certificates trusted by the terminal emulator applet" to confirm that the CA is listed. If not, you can import the CA certificate to the list of trusted certificates.
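The following shell script is an added example (not part of the original technical note, and not Reflection for the Web's own code) that uses the openssl command line tool to check the two things this section depends on before anything is imported into the Administrative WebStation: that the file you import is the certificate the host actually presents on its TLS Telnet port, and that the host identifier you will enter in the session matches the certificate's common name. The host name myhost.mycompany.com, port 992 and the self-signed certificate generated in the script are constructed stand-ins for the certificate DCM produces; the function names are the example's own.

```shell
#!/bin/sh
# Added example: verify the host certificate and host identifier before importing
# the certificate into the Administrative WebStation. Requires the openssl CLI.
set -eu

# Normalise whatever was saved from DCM to PEM. The text pasted from the
# "Copy and Paste Certificate" dialog is base64 PEM even when the file is
# named .der; a certificate exported in binary form is true DER. Accept either.
cert_to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    else
        openssl x509 -in "$1" -inform DER
    fi
}

# Subject common name: the field the emulator applet's server identity
# verification compares with the host identifier entered in the session.
cert_cn() {
    cert_to_pem "$1" | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# SHA-256 fingerprint, used to confirm two files hold the same certificate.
cert_fingerprint() {
    cert_to_pem "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when the identifier the session will use (optionally host:port)
# equals the certificate CN, ignoring case. A short name does not match a
# fully qualified CN: that is the mismatch the "Important" boxes warn about.
identifier_matches_cn() {
    host=$(printf '%s' "$1" | sed 's/:[0-9]*$//' | tr 'A-Z' 'a-z')
    cn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -n "$host" ] && [ "$host" = "$cn" ]; then
        return 0
    fi
    return 1
}

# Fetch the leaf certificate the host presents on its TLS Telnet port
# (992 unless you changed it) so it can be compared with the file you
# plan to import. Needs network access to the host, so it is not run below.
fetch_host_cert() {
    openssl s_client -connect "$1:${2:-992}" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# --- Constructed demo data: a self-signed certificate standing in for the one
# --- DCM generated, saved both as real DER and as pasted PEM text named .der.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=MyCompany/CN=myhost.mycompany.com" \
    -keyout "$DEMO_DIR/key.pem" -out "$DEMO_DIR/host.pem" 2>/dev/null
openssl x509 -in "$DEMO_DIR/host.pem" -outform DER -out "$DEMO_DIR/mycert.der"
cp "$DEMO_DIR/host.pem" "$DEMO_DIR/pasted.der"

# Against a real host you would add:
#   fetch_host_cert myhost.mycompany.com 992 "$DEMO_DIR/presented.pem"
#   [ "$(cert_fingerprint mycert.der)" = "$(cert_fingerprint "$DEMO_DIR/presented.pem")" ]
echo "CN:          $(cert_cn "$DEMO_DIR/mycert.der")"
echo "Fingerprint: $(cert_fingerprint "$DEMO_DIR/mycert.der")"
for id in myhost.mycompany.com:992 MYHOST.mycompany.com myhost 10.0.0.5; do
    if identifier_matches_cn "$id" "$(cert_cn "$DEMO_DIR/mycert.der")"; then
        echo "ok       $id"
    else
        echo "MISMATCH $id"
    fi
done
```

Run it against the file you saved in Step Two; if the fingerprint differs from the one the host presents, the Telnet server is still serving an older certificate (re-check the assignment in DCM and restart the server). Note that the applet described in this note matches the common name only; current TLS clients match the subjectAltName extension instead, so a certificate you later obtain from a CA for use with other clients should carry the host name in both places.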

Step Four—Make a Connection

To make an SSL connection using Reflection for the Web, use the Session Manager to create the Reflection terminal sessions you deploy to end users:

  1. In the Administrative WebStation's left navigation bar, click Session Manager.
  2. To create a new terminal session, click Add.
  3. Under Session Type, Web Based, select IBM 5250.
  4. Enter a name in the Session Name field, and then click Continue.
  5. Configure Appearance, and Applet parameters (optional).
    • Appearance – Fill in the Windows title or retain the default. Choose to display the session in its own window or in an embedded window.
    • Applet parameters – Select or create custom applet parameters that modify the behavior of a terminal session.

Note: In versions earlier than 9.5, also configure End user menu level at this point. (End user menu level is used to determine which set of menus and commands are available to end users.) Beginning in version 9.5, use the User Interface Profiler (or Profiler), which is available from the Administration menu within the emulator, to configure menu levels.

  6. Click Launch.
  7. The next steps depend on your version:

Reflection for the Web 2008:

    1. In the Connection Setup dialog box, enter the host name or IP address and the SSL service port number.

Important: Refer to the host using the same identification used in the certificate common name. If the certificate uses the fully qualified DNS host name, enter the fully qualified DNS host name here (for example, hostname.domain.com:<port #>). If the certificate uses the host's short name or IP address, use that identifier.

    2. Click SSL/TLS.
    3. Select the "TLS 1.0 and SSL 3.0" option from the SSL/TLS Security drop-down menu (or, only if your host cannot negotiate TLS, the "SSL 3.0" option; SSL 3.0 is a deprecated protocol and should be treated as a temporary fallback), and then click OK.

Reflection for the Web 8.0-9.x:

    1. In the Session Setup dialog box, enter the host name or IP address and the SSL service port number.

Important: Refer to the host using the same identification used in the certificate common name. If the certificate uses the fully qualified DNS host name, enter the fully qualified DNS host name here (for example, hostname.domain.com). If the certificate uses the host's short name or IP address, use that identifier.

    2. Click Security.
    3. Select the Use SSL/TLS Security check box, and then click OK.
  8. Click Connect. You should now see the host logon prompt.

If you see the host prompt, proceed to step 9.

If instead you receive the errors "Creation of Master Secret Failed" and "Connection to host failed," click OK. This error usually indicates that your Java clients do not have the high encryption security pack installed and therefore cannot negotiate the 256-bit AES cipher offered by the host.

To bypass this problem, do one of the following:

    • install the java high encryption security pack on each client – or -
    • disable AES on your host – or -
    • disable AES in Reflection for the Web

Install the high encryption security pack: By default, the Sun Java Plug-in does not support 256-bit AES. To enable your workstations to support 256-bit AES connections, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (5.0) on each workstation that uses the Sun Java Plug-in and Reflection for the Web. JCE can be downloaded from http://java.sun.com/j2se/1.5.0/download.jsp. For further details, see the JCE readme.txt file.

Disable AES on your host: Refer to your host documentation for information about disabling AES on your host.

Disable AES in Reflection for the Web: To disable AES in Reflection for the Web, follow these steps:

    1. In the session window, click File > Exit. When prompted to save your changes, click Save/Exit.
    2. In the Administrative WebStation, click Session Manager, and then click on the session you just created (the session name is a hyperlink).
    3. Click Applet Parameters.
    4. In the Custom parameters section, enter these values:
       Parameter: sslAES256
       Value: False
    5. Click Add, click Continue, and then click Save Settings.
  9. In the terminal session, use Reflection for the Web's menu commands to select default settings for end users. Here are some examples:
    • Click Color on the Setup menu to customize the screen colors of your host application.
    • Click Set User Preference Rules on the Administration menu to determine which settings end users can change and save locally in a preference file.

When you are done configuring your session, click File > Exit. When prompted to save your changes, click Save/Exit.

Deploy the Terminal Session to Users or Groups

Follow the steps below to deploy the new terminal session to users or groups.

  1. In the Administrative WebStation's left navigation bar, click Access Mapper.
  2. Choose your new terminal session and enable the session for users. For more details, click Help.
  3. Click Save Settings.

Make a Connection

To view the new session, launch a browser, access the Reflection for the Web Links List, and select your new session.

Once you have successfully connected, a key icon is displayed in the OIA line indicating that your connection is secure.

Related Technical Notes
1766 SSL Client Certificates and Reflection for the Web
9991 Reflection for IBM Technical Notes
