Attempting to login with iSeries Access using SSL

Jeff Klipa
Jeff Klipa used Ask the Experts™
on
Hi iSeries gurus...

I have a need to allow some external consultants to connect via VPN to our iSeries to perform some work for us...
Our security team won't allow this connection to be unsecured...
So, I'm taking a crash course on the use of Digital Certificate Manager to get a SSL Certificate created to allow the SSL connection...

I believe I've got the SSL Cert Store and Cert created...
I Created the Certificate Authority (CA), and the Certificate, and Enabled it.
I downloaded the Cert to my local PC, and installed it into the MMC on my Win7 laptop... (Not sure this was necessary)
Changed the 5250 session config to use SSL...

When I try to connect, I'm getting the generic error CWBCO1049 error "IBM I server application is not started or the connection was blocked by a firewall"

I checked that the System I Access servers are started for "Sign on" and "Server Mapper" - STRHOSTSVR SERVER(*ALL)

I'm thinking that there is something wrong in the Certificate configuration I did...
I'm not sure...

If I use the fully qualified Domain Name in the session config the error pops up right away...
If I connect my 5250 emulation session with the IP address instead, I get the "IBM i signon" dialogue box first, I can enter my credentials, and then when I click OK, I get the CWBCO1049 error popup box... This indicates to me that the connection is working, and it's not a firewall problem...

I've never worked with SSL 5250 emulation with iSeries Access before, so I'm kind of stumped right now...
Any guidance would be greatly appreciated...

Thanks,
Jeff K.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Gary PattersonVP Technology / Senior Consultant

Commented:
Hi Jeff.  A VPN is generally a secure connection, in and of itself.  Your security team is telling you that in addition to connecting to your network via VPN, you also need to further encrypt the connection to the IBM i (the connection that is already running over an encrypted VPN connection)?

Don't get me wrong, it is a good idea to use a secure connection inside your network, but it doesn't really provide more protection in the case you describe.

But you aren't here for me to pick a fight with your security team - who are just trying to protect the network, after all.

You shouldn't need the SSL certificate on your Windows box.
Try bouncing the host servers - shutdown and restart them.
VP Technology / Senior Consultant
Commented:
Did you follow this procedure and assign the certificate to the IBM i TCP/IP Telnet server ?

http://www-01.ibm.com/support/docview.wss?uid=nas8N1010449

Also bounce the Telnet server.

Author

Commented:
Hi Gary,

I'm actually going to use your comments to pick that fight...
Thanks...

The link you provided was also extremely helpful...
I did not do those steps to configure the Telnet App yet...

This is scaring me a little bit because I'm starting to think that once I configure the Telnet app to use SSL, that I will no longer be able to connect to the iSeries with unsecured connection...

That would blow 80 of my internal users off the system...

Can you confirm that if I configure Telnet to use SSL that I will still be able to emulate 5250 without an SSL cert via iSeries Access, like we're doing today...? I don't want to require all of my internal users to use SSL, only the external 3rd party consultants...

Thanks,
Jeff K.
Should you be charging more for IT Services?

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Gary PattersonVP Technology / Senior Consultant

Commented:
In recent versions of the OS, you can select to start SSL only, unencrypted only, or both.

https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzaiw/rzaiwscenariossldetails.htm

Author

Commented:
Hi Gary,

I wanted to take a moment to express my gratitude for your kind assistance in my journey to iSeries Access connection via SSL...
I was finally able to get the connection to work...

Had to bounce the Telnet server as you mentioned, and also load the Certificate onto the PC via the iSeries Navigator Properties Secure Sockets tab... It's very gratifying to have arrived at the finish line...

Thanks again,
Jeff

Author

Commented:
This was a challenging adventure and I really appreciate the assistance from Gary...

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial