Attachmate Worldwide  |   Contact Us  |   NetIQ.com
Home » Support » Solution Library

Technical Notes

Connecting to an iSeries or AS/400 Using SSL and Reflection for IBM 2008 or 2007
Technical Note 2215
Last Reviewed 13-Nov-2008
Applies To
Reflection for IBM 2008
Reflection Standard Suite 2008
Reflection for IBM 2007
Summary

This technical note describes how to set up Reflection for IBM 2008 or 2007 to connect over SSL-enabled Telnet to an iSeries or AS/400, using a self-signed certificate.

Considerations Before You Begin

The security for Reflection depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.

The recommendations in this note are general guidelines and should be evaluated in the context of your own computing needs and environment. These general steps can also be used to configure Reflection to utilize a registered digital signature and key pair (from a certifying authority); however, it is recommended that you configure and test your SSL environment using a self-signed certificate before implementing a production certificate from a certificate authority.

The Process

Setting up Reflection for IBM 2008 or 2007 to connect to an iSeries or AS/400 over SSL involves these steps:

  1. Configure the AS/400 for SSL
  2. Create a Self-Signed Certificate
  3. Make a Connection

Note the following:

  • Once you have fully tested the SSL/TLS support, you can repeat steps 2 and 3 using a Certificate Authority (CA) signed certificate.
  • Reflection's SSL/TLS support requires that Microsoft Internet Explorer be installed on the client machine. It need not be the primary browser, but Internet Explorer must be installed and configured to be able to manage and use the certificate.

Configure the AS/400 for SSL

Before creating SSL certificates, the Digital Certificate Manager (Option 34 of 57xx-SS1) utility and the Cryptographic Access Provider (57xx-AC3) must be installed and configured on your AS/400.

Verify that TCP is configured and running on the AS/400 before proceeding.

Create a Self-Signed Certificate

Using the Digital Certificate Manager (DCM), create a self-signed certificate and assign it to the Telnet Server. For more information on creating certificates and assigning certificates to applications, see the iSeries Information Center at http://publib.boulder.ibm.com/iseries/.

Note the following:

  • While creating the certificate, enter the fully-qualified host name in the Common Name field of the certificate.
  • If you plan to implement client authentication, you must also create a client certificate. (Those steps are not provided in this technical note.)
  • The administrator must maintain physical security of the management server and proxy server. That is, no one other than the administrator should be able to physically access the servers, and no unauthorized individuals should be able to access the key store folders on the server. The security of the servers is important to prevent compromise of the certificates.

Saving the Self-Signed Certificate

The self-signed server certificate can either be saved to a file (by selecting Copy and Paste Certificate) or, for testing purposes, it can be saved directly to your workstation (by selecting Install Certificate).

If you choose Copy and Paste Certificate, you will need to manually integrate the certificate with Internet Explorer. (See steps in Transfer or Extract the Certificate.)

If you choose Install Certificate, the certificate is installed to your workstation and is automatically added to Internet Explorer.

Verify the Setup

To apply the updates to the TCP/IP server, cycle the iSeries or AS/400 TCP/IP stack. Once you have done this, you will be able to see that the port you have configured for the secure connections is listening.

Execute the OS/400 command NETSTAT *CNN to verify that the port is up and listening for the telnet-ssl local port.

Sample display:

Remote Address
Remote Port
Local Port
Idle Time
State
*
*
www
001:30:33
Listen
*
*
telnet
261:48:39
Listen
*
*
telnet ->
070:54:37
Listen

Note: The Local Port entry telnet-> expands to telnet-ssl. Press F14 to view the port number where telnet SSL is running.

Transfer or Extract the Certificate

When creating the self-signed certificate using the DCM, if you chose Copy and Paste Certificate, rather than Install Certificate, follow these steps to manually integrate the certificate with Internet Explorer.

  1. From the Windows Control Panel, double-click Internet Options.
  2. On the Content tab, click Certificates.
  3. On the Trusted Root Certification Authorities tab, click Import > Next.
  4. Click Browse. Browse for and select your self-signed certificate file, and then click Open.
  5. Click Next, and then click Finish.
  6. When asked, "Do you want to ADD the following certificate to the Root Store," click Yes.

The new certificate is displayed in the Trusted Root Certification Authorities list.

Make a Connection

To make an SSL connection using Reflection for IBM 2008 or 2007:

  1. Start Reflection.

By default, Reflection opens by displaying the Create New Document dialog box. (Alternate navigation to Create New Document: click the upper-left icon and click New.)

  1. Under AS/400 (System i), click 5250 Terminal (Default) or one of the other 5250 Terminal options. Click the Create button (lower right).
  2. In the Host name/IP address field, enter the name of your host as it appears in the Common Name field of the self-signed certificate. Typically, this is the fully qualified host name.
  3. In the Port field, enter the AS/400's secure port number. By default, this is Port 992.

To verify the port number, use the OS/400 NETSTAT *CNN command, and view the port entry for telnet-ssl. (The Telnet-SSL heading may be displayed as telnet->.)

  1. In the 5250 Terminal Document Settings dialog box, select the checkbox to Configure additional settings (in the bottom-left corner). Click OK.
  2. In the Settings dialog box under Host Connection, click Set up Connection (or 5250) Security.

This link is a shortcut to the Security section of the Configure Advanced Connection (or 5250) Settings dialog box.

  1. Click Security Settings.
  2. In the Security Properties dialog box, select the check box to Use SSL/TLS security.

For testing purposes, accept the Encryption strength Default setting.

  1. Click OK, and then click OK again to connect.

Once you have successfully connected, a blue and gray padlock icon displays in the Reflection display status bar, indicating that your connection is secure.

Troubleshooting

If you are unable to connect using SSL, try again with the following configurations.

  1. Navigate to Security Settings (see steps 6-7 above).
  2. In the Security Properties dialog box, click Configure PKI.
  3. In the PKI Configuration dialog box, clear all three check boxes:
Certificate host name must match host being contacted
Use OCSP
Use CRL
  1. Click Reflection Certificate Manager
  2. On the Trusted Certification Authorities tab, verify that the Use System Certificate Store for SSL/TLS connections check box is selected. Click Close.
  3. Click OK to exit the dialog boxes and connect.
Related Technical Notes
2211 Technical Notes for Reflection for IBM 2007
9985 Technical Notes for Reflection 2008
10068 Encrypting Connections Between the Verastream Server and Host

Did this technical note answer your question?

Yes    No    Somewhat     Not sure yet

Additional comments about this tech note:

Need further help? For technical support, please contact Support.