joe90kane

Assign SSL to Telnet AS400 (Do I need to Restart Telnet???)

Following this Question: https://www.experts-exchange.com/questions/22712368/Telnet-to-AS400-from-internet-Is-it-secure.html

Thanks for the info Guys,

I have installed the following

    * Digital Certificate Manager (DCM), option 34 of OS/400 (5769-SS1)
    * TCP/IP Connectivity Utilities for AS/400 (5769-TC1)
    * IBM HTTP Server for AS/400 (5769-DG1)
    * IBM Cryptographic Access Provider products: 5722-AC3 (128-bit)

I set up the DCM with a cert and assigned it to Telnet; I still can't get in using SSL 443 or 992.

Do I need to restart Telnet for the changes to take effect?

Thanks again, Joe
Member_2_276102

Joe:

The list of products seems just slightly odd. You show a set of "5769xxx" products along with "5722AC3". How did you determine what you have installed? I wasn't aware that 5722AC3 was valid with 5769SS1.

Tom
joe90kane (ASKER)

Here is the correct list.

5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries

Can you answer the Telnet question, Tom?
ASKER CERTIFIED SOLUTION
Member_2_276102
This solution is only available to members.
SOLUTION
Barry Harper
This solution is only available to members.
Hi Barry,

NETSTAT *CNN doesn't show telnet-ssl / 443 or 992.

I've gone over the setup 10 times and it all looks right; I think it's the PTFs.

How do I find the PTFs for

5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager

Thanks, Joe
If you re-install the cume and hiper/database groups on your system, the PTFs will be in there.
To see what PTF levels are installed, use WRKPTFGRP and then find the CDs or images that were used to load them, so you can run them through again.

Barry
There are about 1 year / 5 Gigs' worth of updates.

Would these updates fix it:

SF99529   530 Group Hiper
SF99503   530 DB2 UDB for iSeries
SF99314   530 TCP/IP Group PTF
SF99269   530 Java
SF99099   530 IBM HTTP Server for iSeries

Thanks, Joe
Yes, if you press F11 you will see the levels, which will be on the CDs themselves.
You need the cume as well, SF99530, which was not in the list in your post.

The cume CDs will look like Cxxxx530 where xxxx is the level, which is actually a partial Julian date. C7121530 was released in 2007, on the 121st day.

It's a good idea to keep relatively current with fixes. You can see the latest groups here:
http://www-912.ibm.com/s_dir/sline003.NSF/GroupPTFs?OpenView&Start=1&Count=30&Expand=2#2
Info on the latest cume is here:
http://www-912.ibm.com/a_dir/as4ptf.nsf/a18db68aae4a7d81862566ba005d145c/19709e6bb455ea7a86256ead001605a2?OpenDocument&Highlight=2,sf99530

If you need more help, post back!
Barry
Thanks for the info BH,

I am unable to upgrade due to the nature of the application running 24x7/365.

The software I installed:

5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries

It came with the AS400 when purchased, so surely it should work without the need for upgrades???

I have tried everything but telnet-ssl will not appear.

Can anyone recommend what to do next???

Thanks, Joe

Joe:

>  ...it should work without the need for upgrades???

Agreed. It _should_ work. But... (1) Barry wasn't suggesting an upgrade; he was suggesting loading fixes. He also mentioned pressing <F11> when viewing your list of cumulative fixes in order to see important Level info. And (2) every OS needs fixes from time to time.

It _should_ work, yes. Complex systems just are too complex to make work without fixes. Maybe the next generation...?

Note also that a critical 24/7/365 app might not be best to deploy until after desired fixes are located and installed. However, many fixes can be installed without disrupting running apps. If this is a problem that will be resolved by applying a cumulative package of fixes, it _might_ be possible (not necessarily a great chance) that individual fixes can be applied rather than applying the collected sets.

This would seem to be the time to call IBM Support and ask for some specific help. (And if you're running a critical 24/7/365 app without support, we probably can't help enough.) Maybe it's really just an obscure configuration detail; a workaround might be known to IBM.

Tom
OK, I restarted TELNET and I have "telnet-ssl" in NETSTAT *CNN.

But I'm still unable to connect using port 992.

Do you have any idea what it might be?

Thanks again, Joe
Joe:

What client are you trying to connect with? Try something simple/easy such as the MochaSoft emulator --

http://www.mochasoft.dk/tn5250.htm

If you're trying to connect and the service shows as active and you're "unable to connect", how have you verified that you're actually reaching the port? I.e., numerous firewall types of blocks might be in place anywhere along the line. What does the client report as an error?

Tom
OK, spoke to IBM:

"In DCM you need to assign the CA and the system certificate to the applications SIGNON server and CENTRAL server.
In addition, if you are using client authentication you need to have 5722CE3 loaded.
iSeries Access uses the central and signon servers when making the connection.
Once you have assigned the certificates you will need to end and restart those host servers."

Will do this tonight and post back.

Thanks, Joe

PS. I use the ActiveX version from mochasoft.dk, an excellent piece of software.
Joe:

I'm a _little_ surprised at that info from IBM. I wouldn't think that the SIGNON and CENTRAL servers would have any connection to the MochaSoft emulator. I don't need either of them running when I connect via MochaSoft SSL on the V5R4 system I have available for this.

But even before V5R4, I was pretty sure MochaSoft never connected to them. IBM's info seems appropriate for the iSeries Access emulator as well as perhaps one or two others. But most TN5250E connections are handled directly through the telnet server.

Interesting if it works. V5R4 had _some_ related changes. I hadn't seen any like this one though.

Tom
I turned off client authentication and restarted Telnet; all working perfectly now.

So to answer my question "Assign SSL to Telnet AS400 (Do I need to Restart Telnet???)":

Yes, Joe, you need to restart Telnet and check if client authentication is turned off, unless you are using iSeries Client Access.
"Client authentication" makes a little more sense. I haven't looked into MochaSoft to see if it supports client authentication; I would've guessed that it didn't since client authentication is rarely used by anyone. Supporting it for 'free' would be a little surprising.

Unfortunately, turning it off is also a suggestion that we should've made here a long time ago. I suspect that it was assumed from the beginning of this back in the first question.

Tom
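A client-side triage for the two failure modes this thread ran into (port 992 not answering at all, and the Telnet server asking for a client certificate because DCM client authentication was on), written as an added example for this page rather than anything from the posters or IBM. It assumes the `openssl` command-line tool is installed on the workstation; the host name and the sample outputs are constructed placeholders.

```python
"""Triage a telnet-ssl (port 992) listener from a client workstation.

Wraps `openssl s_client` and sorts its output into the three situations
seen in this thread: the port is unreachable (firewall/routing), the TLS
handshake completes with no client-certificate request, or the server
asks for a client certificate (DCM client authentication enabled).
"""
import subprocess

# Markers that openssl s_client prints in its session summary.
CLIENT_CA_REQUESTED = "Acceptable client certificate CA names"  # CertificateRequest seen
NO_CLIENT_CA = "No client certificate CA names sent"            # no client auth asked for
UNREACHABLE_MARKERS = ("Connection refused", "No route to host",
                       "Connection timed out", "connect:errno")

def diagnose(s_client_output: str) -> str:
    """Classify s_client output; order matters (client-auth before tls-ok)."""
    if any(m in s_client_output for m in UNREACHABLE_MARKERS):
        return "unreachable"            # nothing answered on the port
    if CLIENT_CA_REQUESTED in s_client_output:
        return "client-auth-requested"  # server wants a client certificate
    if NO_CLIENT_CA in s_client_output or "Verify return code" in s_client_output:
        return "tls-ok"                 # handshake done, server-auth only
    return "unknown"

def check_telnet_ssl(host: str, port: int = 992, timeout: int = 15) -> str:
    """Run openssl s_client against host:port and classify what happened."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}"],
        input="", capture_output=True, text=True, timeout=timeout,
    )
    return diagnose(proc.stdout + proc.stderr)

# Constructed samples of what s_client prints in each case (not real captures).
SAMPLE_REFUSED = "connect: Connection refused\nconnect:errno=111\n"
SAMPLE_CLIENT_AUTH = ("CONNECTED(00000003)\n---\n"
                      "Acceptable client certificate CA names\n"
                      "CN = CONSTRUCTED-LOCAL-CA\n---\n"
                      "Verify return code: 18 (self signed certificate)\n")
SAMPLE_TLS_OK = ("CONNECTED(00000003)\n---\n"
                 "No client certificate CA names sent\n---\n"
                 "Verify return code: 18 (self signed certificate)\n")

if __name__ == "__main__":
    for name, sample in [("refused", SAMPLE_REFUSED),
                         ("client-auth", SAMPLE_CLIENT_AUTH),
                         ("tls-ok", SAMPLE_TLS_OK)]:
        print(f"{name}: {diagnose(sample)}")
    # Live check against a placeholder host: print(check_telnet_ssl("as400.example"))
```

"client-auth-requested" means the server sent a CertificateRequest, which matches the DCM client-authentication setting Joe turned off; "unreachable" points at the firewall or routing layer, as in the last posts.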
I'm having this issue. I have opened port 992 to our AS400 server. When I try to connect from a public address it won't connect.

I think it is a routing issue. How would I add a global route so clients connecting from anywhere can connect?

Thanks, Joe
It was a routing issue on the AS400; all working now.
Forced accept.

Computer101
EE Admin