Hi Carl,

> I have been thinking about changing our internet access to our box via SSL.
> I like the idea of blocking port 23 in the firewall and opening up 992.  But
> if the AS400 just hands out the cert, then is it that much better?

Yes, because it protects the userid & password from being sniffed by a
network sniffer.  I think you misunderstand the purpose of the
certificate.  Read on...


> Anyone with a SSL enabled Telnet client can then access the box. What I
> really like is you idea of needing to send the cert to someone you want
> to access the AS400.

In it's original design, SSL was created to allow consumers to place
orders over the internet without compromising their credit card numbers.
SSL provides two different things, encryption and trust.  Certificates are
designed to handle the trust aspect.

When a desktop user connects to a server, the server sends a certificate
to the client.  The client looks in it's database of trusted certificates
to see if it trusts the person who "signed" that certificate (by "signed"
I mean that it placed it's digital signature in the certificate)

The goal of this was to protect consumers putting their credit card
numbers into a web site.  I could not set up a www.walmart.com on a
computer in my basement and tell everyone that I'm Walmart and get them to
send me their credit card numbers.  Why not?  Because they wouldn't trust
my certificate.   In order to establish that trust, I'd need to get
VeriSign to put their digital signature on a certificate saying "yes,
indeed, Scott Klement is Walmart" (and, presumably VeriSign wouldn't do
that)

Putting things back into a telnet perspective...  When you try to
establish a 5250 session with your iSeries, the certificate is used to
check if the PC trusts the iSeries.  Not the other way around!  In fact,
many 5250 clients don't even verify that the server's certificate is
trusted simply because they don't think you care :)  At least, this is the
way that MochaSoft worked last time I tried it.  RUMBA 7.0 worked this
way...  My open-source TN5250 works this way unless you specifically tell
it to check the server's certificate.

What you really want to do is require a separate certificate to be sent
from the client to the server, and have the server check THAT certificate
to see if it trusts it.

Client Access supports client authentication in this manner, and so does
the open-source TN5250.   AFIAK, Mocha and RUMBA do not.  I have no
experience with other 5250 clients.


> I have created a cert on the AS400 (a long time ago), and have a few
> questions:
> 1. Is there an option in the Telnet-SSL server that says "don't hand out
> the cert"?

It would no longer be SSL if you didn't send the certificate.
The client would have no way of knowing whether you are who you say you
are if you didn't send the certificate, which would completely defeat the
purpose of SSL.

> 2. How do you extract the AS400 generated cert to send it to people?

You don't want to do that.

What you do want to do is generate user certificates (for client
authentication) the way I'd go about it is:

1) In the Digital Certificate Manager under "manage applications" and
"define trust"  tell the telnet server to ONLY trust certificates signed by
your iSeries' certificate authority.

2) Under "manage applications" again, under "Update application
definition" tell it to require client authentication.

3) For each user, create a separate "User Certificate" in the digital
certificate manager.  Set up the user's 5250 client to present that
certificate.

Details are in the Information Center:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzaiw/rzaiwscenariossl.htm


> 3. Where on the PC side do you install the cert?  Is this done in
> internet explorer?  Or in the Telnet client.

Ultimately, the telnet client.  But, you have to use the web browser to
extract the certificate from the DCM.  (Which is a really clumsy and
awkward system, thank you very much IBM.)  Of course, if you're setting up
SSL-secured Web access (rather than Telnet) then installing it into
Internet Explorer would be the ultimate goal.

HTH


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.