Hi Carl,

> I have been thinking about changing our internet access to our box via SSL.
> I like the idea of blocking port 23 in the firewall and opening up 992. But
> if the AS400 just hands out the cert, then is it that much better?

Yes, because it protects the userid & password from being sniffed by a
network sniffer.

I think you misunderstand the purpose of the certificate. Read on...

> Anyone with an SSL-enabled Telnet client can then access the box. What I
> really like is your idea of needing to send the cert to someone you want
> to access the AS400.

In its original design, SSL was created to allow consumers to place orders
over the internet without compromising their credit card numbers.

SSL provides two different things, encryption and trust. Certificates are
designed to handle the trust aspect.

When a desktop user connects to a server, the server sends a certificate to
the client. The client looks in its database of trusted certificates to see
if it trusts the person who "signed" that certificate (by "signed" I mean
that it placed its digital signature in the certificate).

The goal of this was to protect consumers putting their credit card numbers
into a web site. I could not set up a www.walmart.com on a computer in my
basement and tell everyone that I'm Walmart and get them to send me their
credit card numbers. Why not? Because they wouldn't trust my certificate.
In order to establish that trust, I'd need to get VeriSign to put their
digital signature on a certificate saying "yes, indeed, Scott Klement is
Walmart" (and, presumably, VeriSign wouldn't do that).

Putting things back into a telnet perspective... When you try to establish a
5250 session with your iSeries, the certificate is used to check if the PC
trusts the iSeries. Not the other way around!

In fact, many 5250 clients don't even verify that the server's certificate
is trusted, simply because they don't think you care :) At least, this is
the way that MochaSoft worked last time I tried it. RUMBA 7.0 worked this
way... My open-source TN5250 works this way unless you specifically tell it
to check the server's certificate.

What you really want to do is require a separate certificate to be sent from
the client to the server, and have the server check THAT certificate to see
if it trusts it. Client Access supports client authentication in this
manner, and so does the open-source TN5250. AFAIK, Mocha and RUMBA do not.
I have no experience with other 5250 clients.

> I have created a cert on the AS400 (a long time ago), and have a few
> questions:
> 1. Is there an option in the Telnet-SSL server that says "don't hand out
> the cert"?

It would no longer be SSL if you didn't send the certificate. The client
would have no way of knowing whether you are who you say you are if you
didn't send the certificate, which would completely defeat the purpose of
SSL.

> 2. How do you extract the AS400 generated cert to send it to people?

You don't want to do that. What you do want to do is generate user
certificates (for client authentication). The way I'd go about it is:

1) In the Digital Certificate Manager under "manage applications" and
   "define trust", tell the telnet server to ONLY trust certificates signed
   by your iSeries' certificate authority.

2) Under "manage applications" again, under "Update application definition",
   tell it to require client authentication.

3) For each user, create a separate "User Certificate" in the digital
   certificate manager. Set up the user's 5250 client to present that
   certificate.

Details are in the Information Center:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzaiw/rzaiwscenariossl.htm

> 3. Where on the PC side do you install the cert? Is this done in
> internet explorer? Or in the Telnet client.

Ultimately, the telnet client. But, you have to use the web browser to
extract the certificate from the DCM. (Which is a really clumsy and awkward
system, thank you very much IBM.)

Of course, if you're setting up SSL-secured Web access (rather than Telnet)
then installing it into Internet Explorer would be the ultimate goal.

HTH
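The client-authentication setup laid out in steps 1 to 3 above, as an added example that is not part of the original post and is not IBM's DCM or TN5250 code: a Go program (standard library only, Go 1.18 or later) that plays both the Telnet-SSL server and a 5250 client over a loopback connection. It builds a throwaway "iSeries" CA with a server certificate and a per-user certificate for carl, plus an unrelated CA and a certificate it issued; the CA names, the user names carl and intruder, the hostname iseries.example and the newCert/connect/must helpers are all constructed for the example. The server is run first as the default the post warns about, where it only presents its own certificate and any client may connect, and then with trust limited to the iSeries CA (step 1) and a client certificate required (step 2); the client presents a user certificate when it has one (step 3). A client with no certificate, or with one signed by some other CA, is turned away during the handshake, while carl's handshake succeeds and the server learns which user it is talking to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // aborts the constructed lab on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a self-signed CA when parent is nil (the iSeries' own certificate
// authority in the post), otherwise an end-entity certificate signed by parent.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	parentCert, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		parentCert, signer = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Constructed certificates (hostname and user names are assumptions, not from the post).
var (
	iseriesCA, rogueCA = newCert("iSeries Local CA", nil), newCert("Unrelated CA", nil)
	server, carl       = newCert("iseries.example", &iseriesCA), newCert("carl", &iseriesCA)
	intruder           = newCert("intruder", &rogueCA) // signed by a CA the iSeries never trusted
)

// connect runs one handshake over loopback between the Telnet-SSL server and a 5250
// client that verifies the server and presents userCert (step 3 of the post) if asked,
// and returns the user the server authenticated ("" when anonymous).
func connect(requireClientAuth bool, userCert *tls.Certificate) (string, error) {
	trusted := x509.NewCertPool() // step 1, "define trust": the iSeries CA and nothing else
	trusted.AddCert(iseriesCA.Leaf)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientCAs:              trusted,
		SessionTicketsDisabled: true, // keep the exchange to the handshake itself
	}
	if requireClientAuth { // step 2; left off, the server hands out its cert and anyone may log in
		serverCfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	clientCfg := &tls.Config{RootCAs: trusted, ServerName: "iseries.example"}
	if userCert != nil {
		clientCfg.Certificates = []tls.Certificate{*userCert}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	var user string
	errc := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		srv := tls.Server(raw, serverCfg)
		err := srv.Handshake()
		if peers := srv.ConnectionState().PeerCertificates; err == nil && len(peers) > 0 {
			user = peers[0].Subject.CommonName // the identity the server can now act on
		}
		errc <- err
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	clientErr := tls.Client(raw, clientCfg).Handshake()
	raw.Close() // unblocks the server if the client gave up first
	if serverErr := <-errc; clientErr == nil { // a TLS 1.3 client is "done" before the server has checked its cert
		return user, serverErr
	}
	return "", clientErr
}

func main() {
	for _, c := range []struct{ auth bool; user *tls.Certificate }{{false, nil}, {true, nil}, {true, &carl}, {true, &intruder}} {
		who, err := connect(c.auth, c.user)
		fmt.Printf("clientAuth=%-5v user=%-10q err=%v\n", c.auth, who, err)
	}
}
```

Run it with `go run`; each line reports whether the server accepted the connection and which user certificate it saw. The verdict is taken from the server side on purpose: in TLS 1.3 the client's handshake completes before the server has examined the client certificate, so a client that reports success has not necessarily been admitted, and the server is also the only side that learns the authenticated user name from the certificate.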
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.