RE: remote telnet with ssl -- MIDRANGE-L

Scott, thanks for the excellent explanation below.
cjg

Carl J. Galgano
EDI Consulting Services, Inc.
600 Kennesaw Avenue, Suite 400
Marietta, GA  30060
(770) 422-2995 - voice
(419) 730-8212 - fax
mailto:cgalgano@xxxxxxxxxxxxxxxxx
http://www.ediconsulting.com
AS400 EDI, Networking, E-Commerce and Communications Consulting and
Implementation 
http://www.icecreamovernight.com
Premium Ice Cream Brands shipped Overnight

Visit our website to subscribe to our FREE AS/400 Timesharing Service

-----Original Message-----
From: Scott Klement [mailto:klemscot@xxxxxxxxxxxx] 
Sent: Thursday, March 25, 2004 12:38 PM
To: Midrange Systems Technical Discussion
Cc: Scott Lapin
Subject: RE: remote telnet with ssl



Hi Carl,

> I have been thinking about changing our internet access to our box via 
> SSL. I like the idea of blocking port 23 in the firewall and opening 
> up 992.  But if the AS400 just hands out the cert, then is it that 
> much better?

Yes, because it protects the userid & password from being sniffed by a
network sniffer.  I think you misunderstand the purpose of the certificate.
Read on...


> Anyone with a SSL enabled Telnet client can then access the box. What 
> I really like is you idea of needing to send the cert to someone you 
> want to access the AS400.

In it's original design, SSL was created to allow consumers to place orders
over the internet without compromising their credit card numbers. SSL
provides two different things, encryption and trust.  Certificates are
designed to handle the trust aspect.

When a desktop user connects to a server, the server sends a certificate to
the client.  The client looks in it's database of trusted certificates to
see if it trusts the person who "signed" that certificate (by "signed" I
mean that it placed it's digital signature in the certificate)

The goal of this was to protect consumers putting their credit card numbers
into a web site.  I could not set up a www.walmart.com on a computer in my
basement and tell everyone that I'm Walmart and get them to send me their
credit card numbers.  Why not?  Because they wouldn't trust
my certificate.   In order to establish that trust, I'd need to get
VeriSign to put their digital signature on a certificate saying "yes,
indeed, Scott Klement is Walmart" (and, presumably VeriSign wouldn't do
that)

Putting things back into a telnet perspective...  When you try to establish
a 5250 session with your iSeries, the certificate is used to check if the PC
trusts the iSeries.  Not the other way around!  In fact, many 5250 clients
don't even verify that the server's certificate is trusted simply because
they don't think you care :)  At least, this is the way that MochaSoft
worked last time I tried it.  RUMBA 7.0 worked this way...  My open-source
TN5250 works this way unless you specifically tell it to check the server's
certificate.

What you really want to do is require a separate certificate to be sent from
the client to the server, and have the server check THAT certificate to see
if it trusts it.

Client Access supports client authentication in this manner, and so does
the open-source TN5250.   AFIAK, Mocha and RUMBA do not.  I have no
experience with other 5250 clients.


> I have created a cert on the AS400 (a long time ago), and have a few
> questions:
> 1. Is there an option in the Telnet-SSL server that says "don't hand 
> out the cert"?

It would no longer be SSL if you didn't send the certificate. The client
would have no way of knowing whether you are who you say you are if you
didn't send the certificate, which would completely defeat the purpose of
SSL.

> 2. How do you extract the AS400 generated cert to send it to people?

You don't want to do that.

What you do want to do is generate user certificates (for client
authentication) the way I'd go about it is:

1) In the Digital Certificate Manager under "manage applications" and
"define trust"  tell the telnet server to ONLY trust certificates signed by
your iSeries' certificate authority.

2) Under "manage applications" again, under "Update application definition"
tell it to require client authentication.

3) For each user, create a separate "User Certificate" in the digital
certificate manager.  Set up the user's 5250 client to present that
certificate.

Details are in the Information Center:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzaiw/rzaiwscenarioss
l.htm


> 3. Where on the PC side do you install the cert?  Is this done in 
> internet explorer?  Or in the Telnet client.

Ultimately, the telnet client.  But, you have to use the web browser to
extract the certificate from the DCM.  (Which is a really clumsy and awkward
system, thank you very much IBM.)  Of course, if you're setting up
SSL-secured Web access (rather than Telnet) then installing it into Internet
Explorer would be the ultimate goal.

HTH

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.