RE: remote telnet with ssl -- MIDRANGE-L

David:
I have been thinking about changing our internet access to our box via SSL.
I like the idea of blocking port 23 in the firewall and opening up 992.  But
if the AS400 just hands out the cert, then is it that much better?  Anyone
with a SSL enabled Telnet client can then access the box.
What I really like is you idea of needing to send the cert to someone you
want to access the AS400.  I have created a cert on the AS400 (a long time
ago), and have a few questions:
1. Is there an option in the Telnet-SSL server that says "don't hand out the
cert"?
2. How do you extract the AS400 generated cert to send it to people?
3. Where on the PC side do you install the cert?  Is this done in internet
explorer?  Or in the Telnet client.

Thanks for the education.
cjg

Carl J. Galgano
EDI Consulting Services, Inc.
600 Kennesaw Avenue, Suite 400
Marietta, GA  30060
(770) 422-2995 - voice
(419) 730-8212 - fax
mailto:cgalgano@xxxxxxxxxxxxxxxxx
http://www.ediconsulting.com
AS400 EDI, Networking, E-Commerce and Communications Consulting and
Implementation 
http://www.icecreamovernight.com
Premium Ice Cream Brands shipped Overnight

Visit our website to subscribe to our FREE AS/400 Timesharing Service

-----Original Message-----
From: David C. Shea [mailto:dshea@xxxxxxxxxxxx] 
Sent: Thursday, March 18, 2004 8:19 PM
To: Midrange Systems Technical Discussion
Subject: RE: remote telnet with ssl


Telnet with SSL works very nicely on the AS/400.  I have tested it with
Client Access, Mocha and Nexus Mainframe Terminal.  Mocha and NMT also have
SSL enabled printer features that work very nicely.  

You need to set up a certificate on the AS/400, which it then dishes out to
the client automagically.  You need to be able to get through to the AS/400
on port 992 instead of port 23 like regular telnet.  So, you'd have to open
up that port on the firewall.  The problem with Client Access is that you
need to open up several other ports besides 23 or 992 to be able to connect.
CA does something special before even initiating the telnet connection.

A decent VPN is probably more secure than SSL telnet, but SSL telnet at
least encrypts the traffic between host and client.

If you really wanted to get fancy, I assume that you could set up
certificates at both ends (as400 and pc) so that the host 400 wouldn't just
dish out a cert to anyone that comes knocking.  This would provide an added
level of security - only someone with the right cert installed could get a
connection.

If I recall, setting up the cert on the 400 wasn't a big deal.  The info
center had the step by step.  I managed to get it running in about a half
hour.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Franz
Sent: Thursday, March 18, 2004 8:07 PM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: remote telnet with ssl

Is there such a thing as remote telnet with ssl, but 
not having to ssl the local network?
This is to have remote "support" access to customers
who don't want a vpn or to use ssl locally. Currently
no windoze server for other options.
jim


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.