Attempting to login with iSeries Access using SSL

Hi iSeries gurus...

I have a need to allow some external consultants to connect via VPN to our iSeries to perform some work for us...
Our security team won't allow this connection to be unsecured...
So, I'm taking a crash course on the use of Digital Certificate Manager to get a SSL Certificate created to allow the SSL connection...

I believe I've got the SSL Cert Store and Cert created...
I Created the Certificate Authority (CA), and the Certificate, and Enabled it.
I downloaded the Cert to my local PC, and installed it into the MMC on my Win7 laptop... (Not sure this was necessary)
Changed the 5250 session config to use SSL...

When I try to connect, I'm getting the generic error CWBCO1049: "IBM i server application is not started or the connection was blocked by a firewall"

I checked that the System i Access servers are started for "Sign on" and "Server Mapper" - STRHOSTSVR SERVER(*ALL)

I'm thinking that there is something wrong in the Certificate configuration I did...
I'm not sure...

If I use the fully qualified Domain Name in the session config the error pops up right away...
If I connect my 5250 emulation session with the IP address instead, I get the "IBM i signon" dialogue box first, I can enter my credentials, and then when I click OK, I get the CWBCO1049 error popup box... This indicates to me that the connection is working, and it's not a firewall problem...

I've never worked with SSL 5250 emulation with iSeries Access before, so I'm kind of stumped right now...
Any guidance would be greatly appreciated...

Thanks,
Jeff K.
Jeff Klipa asked:

Gary Patterson (VP Technology / Senior Consultant) commented:
Hi Jeff.  A VPN is generally a secure connection, in and of itself.  Your security team is telling you that in addition to connecting to your network via VPN, you also need to further encrypt the connection to the IBM i (the connection that is already running over an encrypted VPN connection)?

Don't get me wrong, it is a good idea to use a secure connection inside your network, but it doesn't really provide more protection in the case you describe.

But you aren't here for me to pick a fight with your security team - who are just trying to protect the network, after all.

You shouldn't need the SSL certificate on your Windows box.
Try bouncing the host servers - shutdown and restart them.
Gary Patterson (VP Technology / Senior Consultant) commented:
Did you follow this procedure and assign the certificate to the IBM i TCP/IP Telnet server?

http://www-01.ibm.com/support/docview.wss?uid=nas8N1010449

Also bounce the Telnet server.
Jeff Klipa (Author) commented:
Hi Gary,

I'm actually going to use your comments to pick that fight...
Thanks...

The link you provided was also extremely helpful...
I did not do those steps to configure the Telnet App yet...

This is scaring me a little bit because I'm starting to think that once I configure the Telnet app to use SSL, that I will no longer be able to connect to the iSeries with unsecured connection...

That would blow 80 of my internal users off the system...

Can you confirm that if I configure Telnet to use SSL that I will still be able to emulate 5250 without an SSL cert via iSeries Access, like we're doing today...? I don't want to require all of my internal users to use SSL, only the external 3rd party consultants...

Thanks,
Jeff K.
Gary Patterson (VP Technology / Senior Consultant) commented:
In recent versions of the OS, you can select to start SSL only, unencrypted only, or both.

https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzaiw/rzaiwscenariossldetails.htm
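A quick way to confirm which Telnet listeners the IBM i actually offers after the change, and that the certificate it presents chains to the CA created in DCM. This is an added example, not code from the thread; it assumes the standard ports (23 unencrypted Telnet, 992 Telnet over TLS) and that the CA certificate was exported from Digital Certificate Manager to a PEM file on the PC.

```python
import socket
import ssl

# Standard ports (assumption): 23 = unencrypted Telnet, 992 = Telnet over TLS.
PLAIN_PORT = 23
TLS_PORT = 992


def tcp_open(host, port, timeout=5.0):
    """True if something accepts a plain TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_certificate(host, port, cafile, timeout=5.0):
    """Handshake with the TLS listener and verify its chain against cafile
    (the CA certificate exported from DCM). Returns the peer certificate
    as a dict, or None if the connection or the verification fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None


def telnet_mode(plain_open, tls_ok):
    """Classify what the host offers, mirroring the three Telnet settings:
    unencrypted only, SSL only, or both."""
    if plain_open and tls_ok:
        return "both"
    if tls_ok:
        return "ssl-only"
    if plain_open:
        return "unencrypted-only"
    return "none"


def check_host(host, cafile):
    plain = tcp_open(host, PLAIN_PORT)
    cert = tls_certificate(host, TLS_PORT, cafile)
    return {"mode": telnet_mode(plain, cert is not None), "cert": cert}


if __name__ == "__main__":
    import sys  # usage: python check_telnet.py <host> <ca.pem>
    result = check_host(sys.argv[1], sys.argv[2])
    print("telnet mode:", result["mode"])
    if result["cert"]:
        print("subject:", dict(rdn[0] for rdn in result["cert"]["subject"]))
        print("expires:", result["cert"]["notAfter"])
```

If the mode comes back "both", internal users on unencrypted 5250 keep working while the external consultants use the TLS port; a None certificate with port 992 open usually means the PC's CA file does not match the CA that signed the server certificate.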
Jeff Klipa (Author) commented:
Hi Gary,

I wanted to take a moment to express my gratitude for your kind assistance in my journey to iSeries Access connection via SSL...
I was finally able to get the connection to work...

Had to bounce the Telnet server as you mentioned, and also load the Certificate onto the PC via the iSeries Navigator Properties Secure Sockets tab... It's very gratifying to have arrived at the finish line...

Thanks again,
Jeff
Jeff Klipa (Author) commented:
This was a challenging adventure and I really appreciate the assistance from Gary...