joe90kane
asked on
Assign SSL to Telnet AS400 (Do I need to Restart Telnet???)
Following this Question: https://www.experts-exchange.com/questions/22712368/Telnet-to-AS400-from-internet-Is-it-secure.html
Thanks for the info Guys,
I have installed the following
* Digital Certificate Manager (DCM), option 34 of OS/400 (5769-SS1)
* TCP/IP Connectivity Utilities for AS/400 (5769-TC1)
* IBM HTTP Server for AS/400 (5769-DG1)
* IBM Cryptographic Access Provider products: 5722-AC3 (128-bit)
I set up the DCM with a cert and assigned it to Telnet; I still can't get in using SSL on 443 or 992.
Do I need to restart Telnet for the changes to take effect?
Thanks again, Joe
ASKER
Here is the correct list.
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
Can you answer the Telnet question Tom?
ASKER
Hi Barry,
NETSTAT *CNN doesn't show telnet-ssl / 443 or 992.
I've gone over the setup 10 times and it all looks right; I think it's the PTFs.
How do I find the PTFs for
5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager
Thanks, Joe
If you re-install the cume and hiper/database groups on your system, the PTFs will be in there.
To see what PTF levels are installed, use WRKPTFGRP and then find the CDs or images that were used to load them, so you can run them through again.
Barry
ASKER
There are about 1 year / 5 Gigs worth of updates,
Would these updates fix it:
SF99529 530 Group Hiper
SF99503 530 DB2 UDB for iSeries
SF99314 530 TCP/IP Group PTF
SF99269 530 Java
SF99099 530 IBM HTTP Server for iSeries
Thanks, Joe
Yes, if you press F11 you will see the levels, which will be on the CDs themselves.
You need the cume as well SF99530, which was not in the list on your post.
The cume CDs will look like Cxxxx530, where xxxx is the level, which is actually a partial Julian date. C7121530 was released in 2007, on the 121st day.
It's a good idea to keep relatively current with fixes. You can see the latest groups here:
http://www-912.ibm.com/s_dir/sline003.NSF/GroupPTFs?OpenView&Start=1&Count=30&Expand=2#2
Info on the latest cume is here:
http://www-912.ibm.com/a_dir/as4ptf.nsf/a18db68aae4a7d81862566ba005d145c/19709e6bb455ea7a86256ead001605a2?OpenDocument&Highlight=2,sf99530
If you need more help, post back!
Barry
ASKER
Thanks for the info BH,
I am unable to upgrade due to the nature of the application running 24x7/365
The software I installed:
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
It came with the AS400 when purchased, so surely it should work without the need for upgrades???
I have tried everything but telnet-ssl will not appear.
Can anyone recommend what to do next???
Thanks, Joe
Joe:
> ...it should work without the need for upgrades???
Agreed. It _should_ work. But... (1) Barry wasn't suggesting an upgrade; he was suggesting loading fixes. He also mentioned pressing <F11> when viewing your list of cumulative fixes in order to see important Level info. And (2) every OS needs fixes from time to time.
It _should_ work, yes. Complex systems just are too complex to make work without fixes. Maybe the next generation...?
Note also that a critical 24/7/365 app might not be best to deploy until after desired fixes are located and installed. However, many fixes can be installed without disrupting running apps. If this is a problem that will be resolved by applying a cumulative package of fixes, it _might_ be possible (not necessarily a great chance) that individual fixes can be applied rather than applying the collected sets.
This would seem to be the time to call IBM Support and ask for some specific help. (And if you're running a critical 24/7/365 app without support, we probably can't help enough.) Maybe it's really just an obscure configuration detail; a workaround might be known to IBM.
Tom
ASKER
OK, I restarted TELNET and I have "telnet-ssl" in NETSTAT *CNN.
But I'm still unable to connect using port 992.
Do you have any idea what it might be?
Thanks again, Joe
Joe:
What client are you trying to connect with? Try something simple/easy such as the MochaSoft emulator --
http://www.mochasoft.dk/tn5250.htm
If you're trying to connect and the service shows as active and you're "unable to connect", how have you verified that you're actually reaching the port? I.e., numerous firewall types of blocks might be in place anywhere along the line. What does the client report as an error?
Tom
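Added example (my own code, not from the thread, IBM or MochaSoft): a small Python probe that separates the outcomes Tom asks Joe to distinguish, a port nothing answers on, a port something answers on without speaking TLS, and a completed TLS handshake that hands back the server certificate. The plain listener is a constructed stand-in for the second case; the host and port for a real check are whatever the administrator supplies.

```python
import socket
import ssl
import threading

def probe_tls_port(host, port, timeout=5.0):
    """Classify host:port as 'refused', 'timeout', 'unreachable', 'not_tls' or 'tls_ok'.
    Verification is deliberately off: this is a reachability probe, not a trust
    decision, so the peer certificate is returned raw (DER) for inspection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:      # nothing listening, or reset by a firewall
        return {"status": "refused", "detail": str(exc)}
    except (socket.timeout, TimeoutError):     # no answer at all: filtered or mis-routed
        return {"status": "timeout", "detail": "no connection within %.1fs" % timeout}
    except OSError as exc:                     # no route to host, DNS failure, ...
        return {"status": "unreachable", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"status": "tls_ok", "detail": "%s %s" % (tls.version(), tls.cipher()[0]),
                    "peer_cert_der": tls.getpeercert(binary_form=True)}
    except OSError as exc:  # ssl.SSLError and ConnectionResetError are both OSError subclasses
        return {"status": "not_tls", "detail": str(exc)}
    finally:
        raw.close()

def closed_local_port():
    """Pick a 127.0.0.1 port that nothing listens on (bind, read it, release it)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def start_plain_listener(banner=b"plain telnet, not TLS\r\n"):
    """Constructed stand-in for a port that answers but does not speak TLS;
    serves one connection on 127.0.0.1 and returns its port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]
```

A 'refused' or 'timeout' result against the AS400's port 992 points at the listener or the path (the NETSTAT *CNN and routing checks in this thread), while 'not_tls' means the connection arrives but the service on that port is not the SSL telnet server.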
ASKER
Ok spoke to IBM -
"In DCM you need to assign the CA and the system certificate to the applications SIGNON server and CENTRAL server.
In addition if you are using client authentication you need to have 5722CE3 loaded.
iSeries Access uses the central and signon servers when making the connection.
Once you have assigned the certificates you will need to end and restart those host servers"
Will do this tonight and post back.
Thanks, Joe
PS. I use the ActiveX version from mochasoft.dk; excellent piece of software.
Joe:
I'm a _little_ surprised at that info from IBM. I wouldn't think that the SIGNON and CENTRAL servers would have any connection to the MochaSoft emulator. I don't need either of them running when I connect via MochaSoft SSL on the V5R4 system I have available for this.
But even before V5R4, I was pretty sure MochaSoft never connected to them. IBM's info seems appropriate for the iSeries Access emulator as well as perhaps one or two others. But most TN5250E connections are handled directly through the telnet server.
Interesting if it works. V5R4 had _some_ related changes. I hadn't seen any like this one though.
Tom
ASKER
I turned off client authentication and restarted Telnet; all working perfectly now.
So to answer my question, "Assign SSL to Telnet AS400 (Do I need to Restart Telnet???)":
Yes, Joe, you need to restart Telnet and check that client authentication is turned off unless you are using iSeries Client Access.
"Client authentication" makes a little more sense. I haven't looked into MochaSoft to see if it supports client authentication; I would've guessed that it didn't since client authentication is rarely used by anyone. Supporting it for 'free' would be a little surprising.
Unfortunately, turning it off is also a suggestion that we should've made here a long time ago. I suspect that it was assumed from the beginning of this back in the first question.
Tom
ASKER
I'm having this issue: I have opened port 992 to our AS400 server. When I try to connect from a public address it won't connect.
I think it is a routing issue. How would I add a global route so clients connecting from anywhere can connect?
Thanks, Joe
ASKER
It was a routing issue on the AS400; all working now.
Forced accept.
Computer101
EE Admin
The list of products seems just slightly odd. You show a set of "5769xxx" products along with "5722AC3". How did you determine what you have installed? I wasn't aware that 5722AC3 was valid with 5769SS1.
Tom