Re: Telnet-SSL -- MIDRANGE-L

I have some questions.  My apologies if they are stupid.

My understanding - please correct me if I am wrong!
--> The telnet server can be configured to use telnet-ssl only, insecure telnet 
only, or both.
--> When this feature is ON the telnet server listens to the "telnet-ssl" port, 
but requires a client certificate before granting a connection.

1> What has to be done on the iSeries to configure the SSL?  I can't seem to 
get CA Express to connect
 
2> How does one go about issuing certificates to the clients?

3> Is this sufficient to allow one to turn on telnet-ssl access from the 
internet?

Thanks!


"Chris Bipes" <chris.bipes=DL2X/VYRpcvuT2QgWa/frQ@xxxxxxxxxxxxxxxx> wrote in 
message 
news:<E46D194BB76F194DB6F771496C4258BC39FD2F@xxxxxxxxxxxxxxxxxxxxxxxxxx>...
> Client will not do VPN to us.  I have no control over their network.  Our
> Sales VP have not been able to convince them that VPN is better.  Besides
> they only need TN5250, no other services from our network.  SSL works great
> for that but I want to lock it down further by using Digital Certificates.  
> 
> This works GREAT!
> 
> SSL client authentication is toggled ON or OFF using a service program
> (QTVSRV in library QSYS) to toggle the desired authentication state. When
> SSL client authentication is ON, the i400 Telnet server will authenticate
> client certificates for Telnet clients connecting on the SSL ("telnet-ssl")
> port. Telnet clients (printer or display) that do not send a valid client
> certificate when connecting on this port will fail to establish a session. 
> 
> This support mechanism requires a System Administrator (or other user with
> *SECADM and *ALLOBJ special authorities) to toggle the state using the
> supplied service tool. 
> 
> The System Administration can turn ON client authentication by issuing the
> following CL commands: 
> 
> CALL PGM(QSYS/QTVSRV) PARM(*SSLCERT) 
> ENDTCPSVR SERVER(*TELNET) 
> STRTCPSVR SERVER(*TELNET) 
> 
> -----Original Message-----
> From: Fritz Hayes [mailto:fhayes=/CzTsIfkJEdBDgjK7y7TUQ@xxxxxxxxxxxxxxxx] 
> Sent: Thursday, May 29, 2003 1:26 PM
> To: 'Midrange Systems Technical Discussion'
> Subject: RE: Telnet-SSL
> 
> 
> Why not use client (BP) to server (iSeries) VPN?  
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L=Zwy7GipZuJhWk0Htik3J/w@xxxxxxxxxxxxxxxx 
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l 
> or email: MIDRANGE-L-request=Zwy7GipZuJhWk0Htik3J/w@xxxxxxxxxxxxxxxx 
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
> 
> 

THIS MESSAGE IS INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY TO WHICH 
IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL 
AND EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW.  If the reader of this message 
is not the intended recipient, or the employee or agent responsible for 
delivering the message to the intended recipient, you are hereby notified that 
any dissemination, distribution, copying, downloading, storing or forwarding of 
this communication is prohibited.  If you have received this communication in 
error, please notify us immediately via email and delete the message from your 
computer files and/or data base.  Thank you.