Jeff Klipa
asked on
Attempting to login with iSeries Access using SSL
Hi iSeries gurus...
I have a need to allow some external consultants to connect via VPN to our iSeries to perform some work for us...
Our security team won't allow this connection to be unsecured...
So, I'm taking a crash course on the use of Digital Certificate Manager to get a SSL Certificate created to allow the SSL connection...
I believe I've got the SSL Cert Store and Cert created...
I Created the Certificate Authority (CA), and the Certificate, and Enabled it.
I downloaded the Cert to my local PC, and installed it into the MMC on my Win7 laptop... (Not sure this was necessary)
Changed the 5250 session config to use SSL...
When I try to connect, I'm getting the generic error CWBCO1049 error "IBM I server application is not started or the connection was blocked by a firewall"
I checked that the System I Access servers are started for "Sign on" and "Server Mapper" - STRHOSTSVR SERVER(*ALL)
I'm thinking that there is something wrong in the Certificate configuration I did...
I'm not sure...
If I use the fully qualified Domain Name in the session config the error pops up right away...
If I connect my 5250 emulation session with the IP address instead, I get the "IBM i signon" dialogue box first, I can enter my credentials, and then when I click OK, I get the CWBCO1049 error popup box... This indicates to me that the connection is working, and it's not a firewall problem...
I've never worked with SSL 5250 emulation with iSeries Access before, so I'm kind of stumped right now...
Any guidance would be greatly appreciated...
Thanks,
Jeff K.
I have a need to allow some external consultants to connect via VPN to our iSeries to perform some work for us...
Our security team won't allow this connection to be unsecured...
So, I'm taking a crash course on the use of Digital Certificate Manager to get a SSL Certificate created to allow the SSL connection...
I believe I've got the SSL Cert Store and Cert created...
I Created the Certificate Authority (CA), and the Certificate, and Enabled it.
I downloaded the Cert to my local PC, and installed it into the MMC on my Win7 laptop... (Not sure this was necessary)
Changed the 5250 session config to use SSL...
When I try to connect, I'm getting the generic error CWBCO1049 error "IBM I server application is not started or the connection was blocked by a firewall"
I checked that the System I Access servers are started for "Sign on" and "Server Mapper" - STRHOSTSVR SERVER(*ALL)
I'm thinking that there is something wrong in the Certificate configuration I did...
I'm not sure...
If I use the fully qualified Domain Name in the session config the error pops up right away...
If I connect my 5250 emulation session with the IP address instead, I get the "IBM i signon" dialogue box first, I can enter my credentials, and then when I click OK, I get the CWBCO1049 error popup box... This indicates to me that the connection is working, and it's not a firewall problem...
I've never worked with SSL 5250 emulation with iSeries Access before, so I'm kind of stumped right now...
Any guidance would be greatly appreciated...
Thanks,
Jeff K.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Gary,
I'm actually going to use your comments to pick that fight...
Thanks...
The link you provided was also extremely helpful...
I did not do those steps to configure the Telnet App yet...
This is scaring me a little bit because I'm starting to think that once I configure the Telnet app to use SSL, that I will no longer be able to connect to the iSeries with unsecured connection...
That would blow 80 of my internal users off the system...
Can you confirm that if I configure Telnet to use SSL that I will still be able to emulate 5250 without an SSL cert via iSeries Access, like we're doing today...? I don't want to require all of my internal users to use SSL, only the external 3rd party consultants...
Thanks,
Jeff K.
I'm actually going to use your comments to pick that fight...
Thanks...
The link you provided was also extremely helpful...
I did not do those steps to configure the Telnet App yet...
This is scaring me a little bit because I'm starting to think that once I configure the Telnet app to use SSL, that I will no longer be able to connect to the iSeries with unsecured connection...
That would blow 80 of my internal users off the system...
Can you confirm that if I configure Telnet to use SSL that I will still be able to emulate 5250 without an SSL cert via iSeries Access, like we're doing today...? I don't want to require all of my internal users to use SSL, only the external 3rd party consultants...
Thanks,
Jeff K.
In recent versions of the OS, you can select to start SSL only, unencrypted only, or both.
https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzaiw/rzaiwscenariossldetails.htm
https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzaiw/rzaiwscenariossldetails.htm
ASKER
Hi Gary,
I wanted to take a moment to express my gratitude for your kind assistance in my journey to iSeries Access connection via SSL...
I was finally able to get the connection to work...
Had to bounce the Telnet server as you mentioned, and also load the Certificate onto the PC via the iSeries Navigator Properties Secure Sockets tab... It's very gratifying to have arrived at the finish line...
Thanks again,
Jeff
I wanted to take a moment to express my gratitude for your kind assistance in my journey to iSeries Access connection via SSL...
I was finally able to get the connection to work...
Had to bounce the Telnet server as you mentioned, and also load the Certificate onto the PC via the iSeries Navigator Properties Secure Sockets tab... It's very gratifying to have arrived at the finish line...
Thanks again,
Jeff
ASKER
This was a challenging adventure and I really appreciate the assistance from Gary...
Don't get me wrong, it is a good idea to use a secure connection inside your network, but it doesn't really provide more protection in the case you describe.
But you aren't here for me to pick a fight with your security team - who are just trying to protect the network, after all.
You shouldn't need the SSL certificate on your Windows box.
Try bouncing the host servers - shutdown and restart them.