


I called IBM support and they provided the last missing pieces.

To answer my own question, I can add a root cert to IA via the IBM Key
Management utility that comes with iSeries Access for MS-Windows. That tool
can be used to update
C:\Documents and Settings\All Users\Documents\IBM\Client Access\cwbssldf.kdb
The default password when prompted to open that file is 'ca400'. With that
file updated, I could drop cwbssldf.kdb and cwbssldf.sth into any other
MS-Windows system on the network and it'll trust the budget CA I bought the
cert from, too.

However, I wasn't even getting to the point where my SSL cert was being
distrusted. iSeries Access for MS-Windows requires that the certificate be
assigned in DCM to a lot more than just the telnet server in order for it to
operate. I was told to also assign the cert to Central Server, Database
Server, Data Queue Server, Network Print Server, Signon Server, Host
Servers, File Server, and Management Central Server. Having done that I'm
now getting a nice 'CWBCO1050 - The iSeries server application certificate
is not trusted' error.

Alfred

On Mon, Mar 23, 2009 at 08:58, Alfredo Delgado
<adelgado@xxxxxxxxxxxxxxxxx> wrote:

Is there a place where I can add the root cert to IA?

Alfred


On Mon, Mar 23, 2009 at 08:20, Porterfield, Sean
<SPorterfield@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

SSL client certificate is not required unless you configured the server to
require it. IA requires the server certificate to be trusted. Other
clients like tn5250 can connect without trusting the certificate.
--
Sean Porterfield


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Alfredo Delgado
Sent: Sunday, March 22, 2009 17:34
To: Midrange Systems Technical Discussion
Subject: Re: iSeries Access for MS-Windows

I reused one of the certs I bought for a web site so it is signed by a
trusted Certificate Authority as far as web browsers are concerned. I ask
about a "Client Certificate" in the context of client authentication which I
presently have set to "not required."

Is there a concise resource on what goes where locally for iSeries Access
for MS-Windows? For tn5250 I didn't have to do anything other than select
SSL when making the connection. The only configuration I've done was assign
a cert to the telnet application in the DCM.

Alfred

On Sun, Mar 22, 2009 at 14:29, Pete Helgren <Pete@xxxxxxxxxx> wrote:

The way I understand it, if you are using SSL and the CA is not recognized
by the application, then you either download the certificate locally
or you don't connect. I am not aware of an SSL connection without a
client certificate. SSL is based on the exchange of certificate
information.

Could be that the CA that issued the certificate for the Telnet server
is already "known" by the client so the security warning and the
necessary download of the certificate doesn't occur (issued by Network
Solutions, GoDaddy, Thawte or many others). So that is why you may not
be prompted for anything while negotiating a connection using tn5250.
The same would apply to IA as well. My guess is that there is
something else going on causing the error on IA. But, it is just a
guess.

Pete

Alfredo Delgado wrote:
Is iSeries Access for MS-Windows able to make SSL connections without
having a client certificate?

I ask because I can start encrypted 5250 sessions with tn5250 on my
phone and a friend confirmed he could connect from his slackware
workstation.
However, when I try to connect with iSeries Access for MS-Windows I get
'25406 - An IO error occurred on a data read or write.'

Thanks,
Alfred


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.




--
Alfredo Delgado / Web Development
6800 Broken Sound Pkwy; Suite 150
Boca Raton, Florida 33487

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].