SSL enabled application              Server authentication   Client authentication
HTTP Server (Original) and           X                       X
(powered by Apache)
Java applications                    X
LDAP Directory Services Server       X                       X (New)
LDAP Directory Services Client       X (New)                 X (New)
LDAP Directory Services Publishing   X                       X (New)
Webserver Search Engine              X (New)
OS/400 TCP/IP Telnet Server (2, 3)   X                       X (Changed)
OS/400 TCP/IP FTP Server (3)         X (New)                 X (New)
OS/400 Cluster Security              X (New)                 X (New)
1  Client Access Express allows SSL protection based on single remote connections.
   User-written applications that use Client Access Express APIs can also be protected
   by SSL.
2  Currently the IBM Personal Communications V.5.0 product, the 5250 emulation of
   the Client Access Express product, and Host On-Demand support the configuration
   for SSL connections. Client authentication is supported in V5R1 5250 Emulation,
   PCOMM V.5.0, and Host On-Demand 4.0 and higher.
3  SSL is supported only for the server application. The OS/400 TCP/IP Telnet and FTP
   clients do not support SSL yet. Client authentication for these server applications
   requires that the certificates presented by the client are associated with an OS/400
   user profile.
5.2 Enabling SSL for Telnet
The OS/400 TCP/IP Telnet server supports both server and client
authentication. There are three major Telnet client products that support SSL
with client authentication:
• PC5250 included in the Client Access Express
• IBM Personal Communications V5.0
• IBM WebSphere Host On-Demand
You can find more information on how to enable the Host On-Demand
client for client authentication in IBM SecureWay Host On-Demand 4.0:
Enterprise Communications in the Era of Network Computing, SG24-2149.
284
iSeries Wired Network Security
Enabling client authentication for the Telnet server requires all clients to
present a certificate during SSL session establishment. The certificate must
be associated with an OS/400 user profile. In this case, clients that do not
support client authentication cannot connect to the secure Telnet server.
However, if configured, unsecure connections can still be established through
the Telnet server port 23.
The following table shows the port numbers used for Telnet connections.
Table 8. The Telnet server port numbers
Connection   Port number   Service name
No SSL       23            telnet
SSL          992           telnet-ssl
Implementation tasks overview
The implementation tasks to enable SSL for IBM Personal Communications
V5.0 are as follows:
1. Be sure that you have all of the required licensed programs installed.
Refer to 2.1.1, “Installation prerequisites” on page 12, for the list of
required licensed programs.
2. Prepare a CA certificate and server certificate.
Refer to Chapter 2, “Digital Certificate Manager” on page 11, for
instructions on how to create certificates on the iSeries or AS/400 system.
Refer to Appendix D, “Creating a local Certificate Authority” on page 429,
for instructions on how to set up a local Certificate Authority.
3. Set up the OS/400 TCP/IP Telnet server to use SSL.
4. Set up IBM Personal Communications for SSL connections with client
authentication.
5.2.1 Objective
The objective of this section is to show you how to configure the OS/400
TCP/IP Telnet server to use SSL with client authentication. This scenario
uses the IBM Personal Communications V.5.0 product as the Telnet client
software. A server certificate issued by a private CA is used for establishing
the SSL connection.
Chapter 5. Securing OS/400 application traffic with SSL/TLS
285
[Figure 208. OS/400 TCP/IP Telnet server enabled for SSL: an IBM Personal
Communications 5250 client connects to the OS/400 V5R1 TCP/IP Telnet server
over an SSL connection on port 992]
5.2.2 Configuring the iSeries server
You must enable SSL by setting the Telnet server attributes and associating
a server certificate with the OS/400 TCP/IP Telnet server application ID. In
the second step you need to update the application definition to enable client
authentication. Perform the steps in this section to configure the OS/400
TCP/IP Telnet server for SSL with client authentication.
5.2.2.1 Enabling SSL for the Telnet server
Enabling SSL for the Telnet server as described in the following steps is
necessary to open port 992 for SSL connections. However, without a server
certificate being assigned to the Telnet server, a secure connection cannot be
established. With V5R1 you can control whether the Telnet server supports
only unsecure connections, only secure connections, or both. Perform the
following steps to activate SSL support for the Telnet server:
1. Start the Operations Navigator.
2. Under the system name expand to Network->Servers and click TCP/IP to
display the list of TCP/IP server applications.
3. Right-click the TELNET server icon to display the context menu as shown
in Figure 209.
Figure 209. Operations Navigator expanded to Network->Servers->TCP/IP
4. Select Properties.
5. In the Properties window, click the General tab.
Figure 210. Telnet server properties: General tab
The new attributes allow you to control whether you allow unsecure,
secure, or both types of connections to the Telnet server. You can set the
attribute to the following values:
Secure only: When Secure only is selected, the server listens on port 992
only. No unsecure connections are accepted by the Telnet server.
Non-secure only: SSL connections are not allowed. Only unsecure
connections are permitted through port 23.
Both secure and non-secure: Both SSL and non-SSL connections are
allowed. Both the ports 23 and 992 are in Listen state.
6. Select Both secure and non-secure to enable the Telnet server for
secure connections and at the same time allow non-secure connections. If
your security policies require secure connections and your infrastructure is
set up so that all clients are SSL-enabled, you may want to operate the
Telnet server for SSL connections only. Another alternative is to use
OS/400 IP packet filtering to allow unsecure connections only from certain
IP addresses or subnets.
7. Click OK to save the configuration changes.
5.2.2.2 Assigning a server certificate to the Telnet server
The following steps guide you through assigning an existing server certificate
to the Telnet server. Refer to Chapter 2, “Digital Certificate Manager” on
page 11, for more information about assigning certificates to applications and
how to create certificates.
1. Start the Digital Certificate Manager through the Operations Navigator or
the AS/400 Tasks page. You need a user profile with *ALLOBJ and
*SECADM special authorities to perform the configuration.
2. Click Select a Certificate Store, then select the *SYSTEM certificate
store and click Continue.
3. Enter the certificate store password and click Continue.
4. On the DCM navigation pane, click Manage Applications.
5. From the available options under the Manage Applications group, click
Update certificate assignment.
6. As the application type, select Server and click Continue. The list of
applications registered in DCM is displayed as shown in Figure 211.
Figure 211. Digital Certificate Manager: Update Certificate Assignment window
7. Select the OS/400 TCP/IP Telnet Server and click Update Certificate
Assignment. The list of available certificates is displayed.
Figure 212. Digital Certificate Manager: Select a certificate
8. Select the certificate from the list that you want the Telnet server to use to
establish SSL connections between the Telnet server and client.
9. Click Assign New Certificate.
DCM displays a confirmation message as shown in Figure 213.
Figure 213. Digital Certificate Manager: Confirmation message
10. Click Cancel to return to the list of server applications.
5.2.2.3 Updating the application definition for client authentication
It is important to understand that when client authentication is set to Required
in the Telnet server application definition, each client that wants to connect
via a secure connection must present a certificate that is associated with an
OS/400 user profile.
Telnet server client authentication support was already made available for
V4R4 by applying additional PTFs. There, a service program (QTVSSL) had to be
called to enable or disable required client authentication. In V5R1 you can
enable this support conveniently through the DCM configuration interface.
Perform the following steps to enable client authentication for the Telnet
server:
1. Start DCM.
2. From the DCM navigation pane, click Manage Applications.
3. From the Manage Applications group, click Update application
definition.
4. As the application type, select Server and click Continue. The list of
applications registered in DCM is displayed as shown in Figure 214.
Figure 214. Digital Certificate Manager: Update Application Definition window
5. Select the OS/400 TCP/IP Telnet Server and click Update Application
Definition.
Figure 215. Digital Certificate Manager: Selecting client authentication
Usually, when people refer to enabling the Telnet server for client
authentication, they mean configuring the server to require client
authentication. The Telnet server application itself is always enabled for
client authentication; it just does not require it. As mentioned before, when
you configure the server so that clients must authenticate themselves by
presenting a certificate, clients without a valid certificate cannot establish
a secure connection. Be careful when configuring the Telnet server for
required client authentication.
6. Set Client authentication required to Yes and click Apply.
7. A DCM confirmation message is displayed. Click Cancel to return to the
list of server applications.
5.2.2.4 Update the CA trust list
In this last task of the server setup, you need to specify which client
certificates the Telnet server accepts for client authentication. That is, the
client certificates must be issued by a certificate authority that the Telnet
server trusts.
1. From the Manage Applications group, click Define CA trust list.
2. As the application type, select Server and click Continue. The list of
applications registered in DCM is displayed.
3. Select the OS/400 TCP/IP Telnet Server and click Define CA Trust List.
Figure 216. Digital Certificate Manager: Define CA Trust List
In the Define CA Trust List window, define the client or user certificates
that this server application accepts for client authentication. In other
words, only client or user certificates that are issued by a trusted CA are
accepted by the server application. The list of displayed CAs contains only
those CAs that are Enabled in the storewide CA list as defined in the Work
with CA certificates option from the Fast Path menu. This means that if you
installed a CA certificate and it is not shown in the Define CA Trust List
window, you must ensure that the CA is enabled.
4. Select all CAs that issued user or client certificates you want the Telnet
server to accept. Note that these certificates still need to be associated
with an OS/400 user profile.
5. Click OK. The list of CAs is displayed again with a confirmation message
stating that the CAs have been trusted.
6. Click Done to return to the list of server applications.
7. Restart the Telnet server.
To activate these changes to the Telnet server, you must restart it using
the following commands:
- To stop: ENDTCPSVR SERVER(*TELNET)
- To start: STRTCPSVR SERVER(*TELNET)
Note
Take extra care when ending the Telnet server on the AS/400 system. All
active Telnet sessions will also be ended.
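The server-side rules described in 5.2.2 (which ports listen for each attribute value, required client authentication, the CA trust list, and the association of a client certificate with an OS/400 user profile) can be summarised as one decision function. The following model is an added illustration written for this text, not IBM code; the CA names and the user profile JSMITH are constructed sample values.

```python
from dataclasses import dataclass

TELNET_PORT, TELNET_SSL_PORT = 23, 992  # Table 8

# Ports in Listen state for each value of the Telnet server attribute (5.2.2.1).
LISTEN_PORTS = {
    "secure_only": {TELNET_SSL_PORT},
    "non_secure_only": {TELNET_PORT},
    "both": {TELNET_PORT, TELNET_SSL_PORT},
}

@dataclass
class TelnetServerPolicy:
    mode: str                   # key of LISTEN_PORTS
    client_auth_required: bool  # DCM application definition (5.2.2.3)
    trusted_cas: set            # CA trust list of the Telnet server application (5.2.2.4)
    enabled_cas: set            # storewide CA list (Work with CA certificates)
    cert_to_profile: dict       # (issuer, subject) -> OS/400 user profile

    def evaluate(self, port, client_cert=None):
        """Decide one connection attempt; client_cert is (issuer, subject) or None."""
        if port not in LISTEN_PORTS[self.mode]:
            return False, f"port {port} is not in Listen state"
        if port == TELNET_PORT:
            return True, "unsecure connection, no certificate checks"
        if client_cert is None:
            if self.client_auth_required:
                return False, "client certificate required but none presented"
            return True, "SSL connection, server authentication only"
        issuer, subject = client_cert
        # Only CAs that are both enabled storewide and on the trust list count.
        if issuer not in (self.trusted_cas & self.enabled_cas):
            return False, f"issuer {issuer!r} is not a trusted CA"
        profile = self.cert_to_profile.get((issuer, subject))
        if profile is None:
            return False, "certificate is not associated with an OS/400 user profile"
        return True, f"SSL connection authenticated as user profile {profile}"

def example_policy():
    # Constructed sample values (CA names, user profile), not from the redbook.
    return TelnetServerPolicy(
        mode="both", client_auth_required=True,
        trusted_cas={"LOCAL CA"}, enabled_cas={"LOCAL CA", "OTHER CA"},
        cert_to_profile={("LOCAL CA", "jsmith"): "JSMITH"},
    )

if __name__ == "__main__":
    p = example_policy()
    for attempt in [(23, None), (992, None), (992, ("LOCAL CA", "jsmith"))]:
        print(attempt, p.evaluate(*attempt))
```

Note that with mode "both" a client without a certificate is refused on port 992 but still accepted on port 23, which is why the text suggests Secure only or IP packet filtering when policy demands encrypted sessions.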
5.2.3 Configuring the PC
First, you must obtain a user or client certificate for the IBM Personal
Communications client. Every time the client establishes a connection the
certificate must be presented to the OS/400 TCP/IP Telnet server.
Next, you must import the private CA certificate into the key database file.
Note that if you use server and user certificates issued by a well-known CA,
you do not need to exchange CA certificates. They are usually preloaded on
all standard software applications.
The IBM Personal Communications (PComm) product has its own key
database file. After the CA certificate is imported, you have to import the
client or user certificate and then configure the particular emulation session to
use SSL.
5.2.3.1 Obtaining a user certificate and CA certificate
In this scenario we use a local OS/400 CA to create a user certificate. The
certificate will then automatically be associated with the user profile that
signed on to DCM. You could also obtain a certificate from a well-known CA
and manually associate it with a particular OS/400 user profile using DCM.
The following steps show you how to create a user certificate:
1. Start DCM.
2. When prompted, sign on with the user profile for which you want to create the
user certificate. In this scenario we used a user profile without any special
authorities.
3. From the DCM navigation pane, click Create certificate.
Figure 217. Digital Certificate Manager: Create User Certificate
4. Enter the data for the certificate’s distinguished name. Note that the user
name is already filled in and cannot be altered. This assures that the new
certificate will automatically be associated with this user profile.