Solved

Assign SSL to Telnet AS400 (Do I need to Restart Telnet???)

Posted on 2007-07-25
Last Modified: 2013-12-06
Following this Question: http://www.experts-exchange.com/OS/AS_-_400/Q_22712368.html

Thanks for the info Guys,

I have installed the following

    * Digital Certificate Manager (DCM), option 34 of OS/400 (5769-SS1)
    * TCP/IP Connectivity Utilities for AS/400 (5769-TC1)
    * IBM HTTP Server for AS/400 (5769-DG1)
    * IBM Cryptographic Access Provider products: 5722-AC3 (128-bit)

I set up the DCM with a cert and assigned it to Telnet; I still can't get in using SSL 443 or 992.

Do I need to restart Telnet for the changes to take effect?

Thanks again, Joe
Question by:joe90kane
19 Comments
 
LVL 27

Expert Comment

by:tliotta
ID: 19570250
Joe:

The list of products seems just slightly odd. You show a set of "5769xxx" products along with "5722AC3". How did you determine what you have installed? I wasn't aware that 5722AC3 was valid with 5769SS1.

Tom
 
LVL 1

Author Comment

by:joe90kane
ID: 19572780
Here is the correct list.

5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries

Can you answer the Telnet question Tom?
 
LVL 27

Accepted Solution

by: tliotta (earned 1000 total points)
ID: 19577847
Joe:

I don't have a V5R3 system to test, so I can only guess. Technically, you're not _supposed_ to have to restart. The Info Center instructions show a fairly strong implication that all you need to do is _verify_ that the server is started.

However, there might be any number of variations depending on PTFs that might be applied or missing.

The general steps for troubleshooting are shown:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzaiw/rzaiwtroubles.htm

The left-hand navigation pane shows many related areas. There are references to "automatic" adaptation by the telnet server when SSL configurations are changed; those are some of the implied 'no need to restart' references.

The Troubleshooting topic describes how to track down potential joblog messages. It also points out that elements such as 'Number of servers to start=1' could interfere with SSL initialization.

First thing is to ensure that SSL _can_ start. Then verify that related joblog messages are attended to.

I hoped someone with a matching configuration would take this item, but I'll see what I can find out for certain.

Tom

 
LVL 13

Assisted Solution

by: _b_h (earned 1000 total points)
ID: 19583834
Joe,

Just a few quick points:

After installing the licensed programs, did you re-install the cume and group PTF packages? There may be additional PTFs related to the newly installed licpgms.

To check if the telnet servers are listening on their ports, use:
NETSTAT *CNN
to check out ports 23 and 443.

You can force all telnet connections to use SSL by using the Change Telnet Attributes command:
CHGTELNA ALWSSL(*ONLY)

I will be able to help further when I return from vacation.
From the beach,
Barry
 
LVL 1

Author Comment

by:joe90kane
ID: 19584070
Hi Barry,

NETSTAT *CNN doesn't show telnet-ssl / 443 or 992.

I've gone over the setup 10 times and it all looks right; I think it's the PTFs.

How do I find the PTFs for

5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager

Thanks, Joe
 
LVL 13

Expert Comment

by:_b_h
ID: 19584080
If you re-install the cume and hiper/database groups on your system, the PTFs will be in there.
To see what PTF levels are installed, use WRKPTFGRP and then find the CDs or images that were used to load them, so you can run them through again.

Barry
 
LVL 1

Author Comment

by:joe90kane
ID: 19584110
There are about 1 year / 5 Gigs' worth of updates.

Would these updates fix it:

SF99529   530 Group Hiper
SF99503   530 DB2 UDB for iSeries
SF99314   530 TCP/IP Group PTF
SF99269   530 Java
SF99099   530 IBM HTTP Server for iSeries

Thanks, Joe
 
LVL 13

Expert Comment

by:_b_h
ID: 19584126
Yes, if you press F11 you will see the levels, which will be on the CDs themselves.
You need the cume as well, SF99530, which was not in the list in your post.

The cume CDs will look like Cxxxx530 where xxxx is the level, which is actually a partial Julian date. C7121530 was released in 2007, on the 121st day.

It's a good idea to keep relatively current with fixes. You can see the latest groups here:
http://www-912.ibm.com/s_dir/sline003.NSF/GroupPTFs?OpenView&Start=1&Count=30&Expand=2#2
Info on the latest cume is here:
http://www-912.ibm.com/a_dir/as4ptf.nsf/a18db68aae4a7d81862566ba005d145c/19709e6bb455ea7a86256ead001605a2?OpenDocument&Highlight=2,sf99530

If you need more help, post back!
Barry
 
LVL 1

Author Comment

by:joe90kane
ID: 19683819
Thanks for the info BH,

I am unable to upgrade due to the nature of the application running 24x7/365

The software I installed:

5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries
5722ac3 V5R3M0 Crypto Access Provider 128-bit
5722ss1 V5R3M0 OS/400 - Digital Certificate Manager
5722tc1 V5R3M0 TCP/IP Connectivity Utilities for iSeries

Came with the AS400 when purchased, so surely it should work without the need for upgrades???

I have tried everything but telnet-ssl will not appear.

Can anyone recommend what to do next???

Thanks, Joe

 
LVL 27

Expert Comment

by:tliotta
ID: 19687300
Joe:

>  ...it should work without the need for upgrades???

Agreed. It _should_ work. But... (1) Barry wasn't suggesting an upgrade; he was suggesting loading fixes. He also mentioned pressing <F11> when viewing your list of cumulative fixes in order to see important Level info. And (2) every OS needs fixes from time to time.

It _should_ work, yes. Complex systems just are too complex to make work without fixes. Maybe the next generation...?

Note also that a critical 24/7/365 app might not be best to deploy until after desired fixes are located and installed. However, many fixes can be installed without disrupting running apps. If this is a problem that will be resolved by applying a cumulative package of fixes, it _might_ be possible (not necessarily a great chance) that individual fixes can be applied rather than applying the collected sets.

This would seem to be the time to call IBM Support and ask for some specific help. (And if you're running a critical 24/7/365 app without support, we probably can't help enough.) Maybe it's really just an obscure configuration detail; a workaround might be known to IBM.

Tom
 
LVL 1

Author Comment

by:joe90kane
ID: 19694741
OK, I restarted TELNET and I have "telnet-ssl" in NETSTAT *CNN.

But I'm still unable to connect using port 992.

Do you have any idea what it might be?

Thanks again, Joe
 
LVL 27

Expert Comment

by:tliotta
ID: 19696529
Joe:

What client are you trying to connect with? Try something simple/easy such as the MochaSoft emulator --

http://www.mochasoft.dk/tn5250.htm

If you're trying to connect and the service shows as active and you're "unable to connect", how have you verified that you're actually reaching the port? I.e., numerous firewall types of blocks might be in place anywhere along the line. What does the client report as an error?

Tom
 
LVL 1

Author Comment

by:joe90kane
ID: 19698761
OK, spoke to IBM:

"In DCM you need to assign the CA and the system certificate to the applications SIGNON server and CENTRAL server.
In addition, if you are using client authentication you need to have 5722CE3 loaded.
iSeries Access uses the central and signon servers when making the connection.
Once you have assigned the certificates you will need to end and restart those host servers."

Will do this tonight and post back.

Thanks, Joe

PS. I use the ActiveX version from mochasoft.dk; excellent piece of software.
 
LVL 27

Expert Comment

by:tliotta
ID: 19701831
Joe:

I'm a _little_ surprised at that info from IBM. I wouldn't think that the SIGNON and CENTRAL servers would have any connection to the MochaSoft emulator. I don't need either of them running when I connect via MochaSoft SSL on the V5R4 system I have available for this.

But even before V5R4, I was pretty sure MochaSoft never connected to them. IBM's info seems appropriate for the iSeries Access emulator as well as perhaps one or two others. But most TN5250E connections are handled directly through the telnet server.

Interesting if it works. V5R4 had _some_ related changes. I hadn't seen any like this one though.

Tom
 
LVL 1

Author Comment

by:joe90kane
ID: 19702826
I turned off client authentication and restarted Telnet; all working perfectly now.

So to answer my question "Assign SSL to Telnet AS400 (Do I need to Restart Telnet???)":

Yes, Joe, you need to restart Telnet and check if client authentication is turned off, unless you are using iSeries Client Access.
 
LVL 27

Expert Comment

by:tliotta
ID: 19702950
"Client authentication" makes a little more sense. I haven't looked into MochaSoft to see if it supports client authentication; I would've guessed that it didn't since client authentication is rarely used by anyone. Supporting it for 'free' would be a little surprising.

Unfortunately, turning it off is also a suggestion that we should've made here a long time ago. I suspect that it was assumed from the beginning of this back in the first question.

Tom
 
LVL 1

Author Comment

by:joe90kane
ID: 19706661
I'm having this issue: I have opened port 992 to our AS400 server. When I try to connect from a public address it won't connect.

I think it is a routing issue. How would I add a global route so clients connecting from anywhere can connect?

Thanks, Joe
 
LVL 1

Author Comment

by:joe90kane
ID: 19708317
It was a routing issue on the AS400 all working now.
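The thread ended up hitting three distinct failure modes on port 992: nothing listening until TELNET was restarted, a TLS handshake that failed while client authentication was on, and finally a routing problem. As an added example (not code from the thread or from IBM), this small Python probe attempts a TLS handshake against the telnet-ssl port and maps the outcome to the step that resolved each case above; the host name and timeout are assumptions.

```python
# Added example for this thread (not IBM code): probe the telnet-ssl port and map
# the outcome to the step that resolved it in the discussion. Host is assumed.
import socket
import ssl

TELNET_SSL_PORT = 992  # telnet-ssl, the port the thread is trying to reach

# Failure class -> next troubleshooting step, as seen in the thread.
NEXT_STEPS = {
    "ok": "TLS session established; the telnet-ssl server is reachable",
    "timeout": "no reply: check routing and firewalls between client and host",
    "refused": "nothing listening: confirm telnet-ssl in NETSTAT *CNN, restart TELNET",
    "tls": "handshake failed: check DCM certificate assignment and client authentication",
}


def classify(exc):
    """Map the exception raised by probe() (None on success) to a failure class.
    ssl.SSLError, socket.timeout and ConnectionRefusedError are all OSError
    subclasses, so the specific checks must come before the generic fallback."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLError):
        return "tls"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "other"


def probe(host, port=TELNET_SSL_PORT, timeout=5.0):
    """Attempt a TLS handshake and return (failure_class, next_step).
    Certificate verification is deliberately off: the question is whether the
    server completes a handshake at all, and a DCM-issued server certificate is
    often signed by a local CA that the client does not trust yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    err = None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.do_handshake()
    except OSError as exc:
        err = exc
    cls = classify(err)
    return cls, NEXT_STEPS.get(cls, f"unexpected error: {err!r}")
```

Run `probe("your-as400-host")` from the client machine that cannot connect; a "timeout" from outside but "ok" from the LAN points at routing or filtering rather than the Telnet SSL configuration.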
 
LVL 1

Expert Comment

by:Computer101
ID: 20106477
Forced accept.

Computer101
EE Admin