


I don't have a better check list but have been there.

You can't install SSL unless you have 57xx-AC3 installed.
Your CAE setup won't include SSL unless your signon has authority to the SSL
directory.

If you have created your own Certificate Authority...

After you do the DCM to create the certificate, assign it to the servers (you
need more than just Telnet and it doesn't hurt to assign it to the rest) you
need to leave it running for the following. The first time I tried to connect
from outside the firewall with only the SSL Telnet port open and only the Telnet
server assigned the certificate I got an error that CAE was unable to retrieve
the usage history but was able to continue and work. After I opened more of the
SSL ports and assigned the certificate I got rid of this error also.

You then need to go into OPS NAV while connected inside the firewall and on the
host's properties select the "Secure Sockets" tab then download the OS/400
Certificate Authority. You need to be inside the firewall because this uses the
non-SSL ports.

Once you have downloaded the certificate you can use the IBM Key Manager to
export it and use that file to import it to PCs that are outside the firewall.

If you want to have user certificates this also needs to be done while DCM is
running. So far I haven't found a way to get the *ADMIN instance to run SSL so
have also been doing this part inside the firewall.

Initial connection of each session is slower than non-SSL but from then on seems
to run about the same speed.

I had asked on this list if anyone had a full check list before and didn't get
much response. I had planned to put it together and submit it to the MIDRANGE
FAQ but haven't got there yet. First I want to complete the project by getting
user certificates required to use Telnet. I want to end up being able to allow home
based workers to log in. If they leave the company not only is their user
profile removed but their certificate is revoked so if by chance they know
someone else's user/password they still can not get in because it should be less
likely that XYZ also gave them the certificate file.

Roger Vicker, CCP

"Wills, Mike N. (TC)" wrote:

> Has anyone else set up SSL on CAE before (system and CAE @ V5R1)? Do you
> have better instructions than what IBM has? I can't get it to work :-(.
>
> -----Original Message-----
> From: Wills, Mike N. (TC) [mailto:MNWills@taylorcorp.com]
> Sent: Tuesday, August 27, 2002 11:38 AM
> To: 'midrange-l@midrange.com'
> Subject: RE: SSL Client Access
>
> Grrr... Now I get an error 414 when I try to connect.
>
> -----Original Message-----
> From: John Ross [mailto:jross-ml@netshare400.com]
> Sent: Tuesday, August 27, 2002 10:53 AM
> To: midrange-l@midrange.com
> Subject: RE: SSL Client Access
>
> See if the following link helps
> http://www-912.ibm.com/s_dir/slkbase.nsf/1ac66549a21402188625680b0002037e/99df6a2e1f95bced86256b8200581f1e?OpenDocument&Highlight=0,ssl
>
> John Ross
>
> At 10:25 AM 8/27/2002 -0500, you wrote:
> >Am I missing something in my install? My 5250 session doesn't have the SSL
> >option. I have it working with MochaSoft's client though!
> >
> >-----Original Message-----
> >From: John Ross [mailto:jross-ml@netshare400.com]
> >Sent: Monday, August 26, 2002 8:14 PM
> >To: midrange-l@midrange.com
> >Subject: Re: SSL Client Access
> >
> >
> >I need to do this also, so I would like to hear how it goes.
> >Look at
> >http://publib.boulder.ibm.com/pubs/html/as400/v5r1/ic2924/index.htm?info/rzain/rzainrzaintelntpi.htm
> >
> >John Ross
> >
> >At 05:33 PM 8/26/2002 -0500, you wrote:
> > >Can someone point me in the right direction to get this set up?
> > >
> > >Thanks,
> > >Mike Wills
> > >_______________________________________________

--
*** Vicker Programming and Service *** Have bits will byte *** www.vicker.com
***
Death takes its toll. Please have exact change ready.






This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
