Configuring SSL

www.skyviewpartners.com

© Copyright SkyView Partners, Inc, 2010. All rights reserved.

Welcome to Coffee with Carol

Today’s topic is:

Configuring iSeries Access to use SSL

(c) SkyView Partners, Inc and NuBridges, 2009. All Rights Reserved.

Agenda

• How SSL works
• Certificate authorities
• Using DCM (Digital Certificate Manager)
• Configuring HTTP
• Configuring IBM i (iSeries) Access servers
• Considerations going forward

Secure Sockets Layer (SSL) Handshake

1. Request is made of the server (e.g., IBM i telnet server) to make a secure connection.

2. Server must authenticate itself.
   1. Encrypts data sent on request with private key
   2. Sends back encrypted data and digital certificate

3. If client trusts the certificate issuer, and data decrypts correctly, session keys are negotiated and the rest of the flow is encrypted.

The server is always required to be authenticated. This means that a digital certificate has to be assigned to the server. Then, to complete the handshake, the client must trust the entity that issued the certificate. The client does this by looking in its list of “trusted signers.” Most clients, whether a browser or something like iSeries Navigator or telnet, come configured with a list of signers (or issuers) from “well-known” certificate authorities such as Verisign, Thawte, etc.

Secure Sockets Layer (SSL) Handshake

[Diagram: a client (IBM i Access for Windows, browser) holding a list of trusted signers (1. Verisign, 2. Thawte, 3. SkyView_IBM_i) connects to IBM i servers (telnet, ODBC, http servers), which present a digital certificate.]

Who’s going to issue this certificate?

The browser determines whether it trusts the issuer of the server certificate by looking in its list of signers of certificates. If the server certificate's signer is not in this list, the certificate is not automatically trusted. This is the step that throws most users when using a self-signed server certificate (that is, when the server is using a certificate signed, or issued, by an iSeries). To have this work, you've got to get the iSeries CA certificate into the browser's (or iSeries Access) list of trusted signers.

Note that the server is always authenticated; it is optional whether you authenticate the client.

The decision to be made when deciding to use SSL is what entity you are going to get the certificate from – a well-known certificate authority (CA) or a self-signed (or private) CA.

What entity will issue the certificates?

• Entity that issues the certificate is called a Certificate Authority (CA)
• A CA must be “trusted” or else transmission of encrypted data will not occur
• To be trusted, the CA must be in the client’s “List of trusted signers”
  • In IE, Trusted Root Certification Authorities
  • In Firefox, Certificate Manager – Authorities
  • In iSeries Access, Signer Certificates

Well-known vs Private CAs

• Well-known (Public) Certificate Authority:
  • CA is in clients’ list of trusted signers
    • iSeries Access ships numerous well-known CAs with the client
    • Browsers have a list of well-known CAs
  • Used for
    • Public websites
    • Full roll-out throughout the enterprise
  • Must be purchased
• Private Certificate Authorities (self-signed certificates):
  • CA is NOT in clients’ list of trusted signers
  • Used for
    • Limited roll-out
    • No (or reduced) fees

You never want to use a self-signed CA for a publicly facing Internet site. Visitors will receive a warning that the certificate is not valid, which doesn’t cast a good image. Use a self-signed cert only internally, and probably only for a limited number of users.

Digital Certificate Manager (DCM)

Requirements
• Option 34, DCM
• IBM HTTP Server (5722-DG1)
• HTTP *ADMIN instance must be started
  • STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
• A profile with *ALLOBJ and *SECADM

CAs issue these types of certs

Certificate Authority (CA) issues:
• Certificate Authority (must be in list of trusted signers)
• Server (must be assigned to telnet, etc., servers)
• Object Signing
• User

This presentation will discuss Certificate Authority certs and Server certs

Option 1: Using a Private CA

(IBM i as the CA)

You have two options for obtaining a server certificate – one issued from a well-known CA or one issued from a private CA. The IBM i (iSeries) can be a CA.

Steps using IBM i as the CA

• Sign in to DCM (with a user that has *ALLOBJ and *SECADM)
• Create the Certificate Authority (CA)
• Create the CA’s certificate
  • (Note: This goes into the list of trusted signers so the client can trust the server.)
• Create a server certificate
  • (Note: This is assigned to the servers so it can be used as part of the SSL handshake.)
• Assign the server certificate to the servers
• Import the CA certificate to the clients

In other words, you’re going to use “self-signed” certificates since the certificates will be issued by a private CA (that is, the iSeries itself.)

On V6R1 and later, to sign on to Digital Certificate Manager, type

http://your_system_name:2001

Choose “Continue to this website”

This is what you’ll see when running V6 or later. Open a browser and type http://your_system_name:2001, or substitute the IP address, as in http://192.168.1.5:2001

It’s doing a re-direct to go to an https session. Go ahead and choose the option to Continue to this website.

(2001 is the port that the Admin instance of the webserver listens on.)

First sent to IBM Director

Log in (with a user that has *ALLOBJ and *SECADM special authorities)

In V6R1 and later you’ll be sent to IBM Director first.

At the bottom of the middle pane, click on i5/OS Tasks Page

This link is rather buried at the bottom of the middle pane.

Click on Digital Certificate Manager

At V5R4 and earlier, to sign on to Digital Certificate Manager, type

http://your_system_name:2001

Click on “Digital Certificate Manager”

This is the first screen you’ll see if you are running V5R4. Open a browser and type http://your_system_name:2001, or substitute the IP address, as in http://192.168.1.5:2001

2001 is the port that the Admin instance of the webserver listens on.

Regardless of the release, the flow is the same from now on.

Click on Create a Certificate Authority (CA) – this is a configuration wizard that will walk you through the steps of creating the CA itself, the CA certificate, a server certificate and assigning the server certificate to the servers.

• Fill in all of the required fields

• Specify the maximum validity period

You can install the CA certificate into your browser if you are using server connections to the webserver running on the iSeries (https connections). Otherwise, this step is not necessary.

Specify the policy requirements of the CA –

Whether or not it can be used to issue user certificates and the validity period of the certificates issued.

The CA itself is now created. Click Continue to create a server certificate.

It is not necessary to fill in the information in the Subject Alternative Name fields. Those are for certificates being used for VPN connections and that’s not the purpose of this certificate.

The server certificate is now created. Now you can assign the certificate to the servers. It doesn’t hurt anything to assign this certificate to all of the servers.

You can continue to create an object signing certificate if you want to – we won’t be using it, but it doesn’t hurt anything. Also, it will keep you going through the configuration wizard.

If you are going to require client authentication (that is, the client has to prove itself to the server), then you’ll be interested in this screen. This allows you to add the CA’s certificate to the list of trusted signers for these servers. The list is shorter than the other lists you’ve seen because these are the only servers that support client authentication.

Configuration of the CA is now complete: a CA certificate has been created, and a server certificate has been created and assigned to the servers to use during the SSL handshake when a client requests an SSL connection.

There are now several certificate stores on the system (think of them as “containers of certificates”.)

To work with a certificate, you must select (and have the password for) the appropriate certificate store.

Option 2: Using a Well-Known CA

Steps using a well-known CA

• Sign in to DCM
• Create a certificate store
• Create a server certificate request to send to the well-known CA
• Import the server certificate from the well-known CA
• Assign the server certificate to the servers

Click on Create New Certificate Store

Choose *SYSTEM

Continue

You don’t want to create a certificate, just a place to hold the certificate you’re about to request.

Choose Yes

If you are using a well-known CA, this will be your only choice. If you’ve configured the IBM i to be a CA, you’ll see that choice as well. Choose the VeriSign or other Internet CA option.

Choose Yes

When making the certificate request, you must copy and paste the ENTIRE request, including the leading and trailing dashes.
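
Added example (not part of the original presentation): a small Python check to run on the pasted text before sending it to the CA. It confirms that both dash lines are intact and that the base64 body decodes to as many bytes as its DER header announces; the sample request is constructed for illustration and is not a real CSR.

```python
import base64
import binascii
import re

# PEM labels used for PKCS #10 requests ("NEW ..." is the older variant).
LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def der_total_length(der):
    """Total size announced by the outer DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pasted_csr(text):
    """Return a list of problems with a pasted request; empty means complete."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["nothing was pasted"]
    problems = []
    begin, end = BEGIN.match(lines[0]), END.match(lines[-1])
    if not begin:
        problems.append("missing or damaged -----BEGIN ...----- line")
    elif begin.group(1) not in LABELS:
        problems.append("not a certificate request: " + begin.group(1))
    if not end:
        problems.append("missing or damaged -----END ...----- line")
    elif begin and end.group(1) != begin.group(1):
        problems.append("BEGIN and END labels differ")
    # Base64 rows never contain dashes or spaces; armor lines always do.
    body = "".join(ln for ln in lines if "-" not in ln and " " not in ln)
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64 (cut off or altered)")
        return problems
    announced = der_total_length(der)
    if announced is None:
        problems.append("body does not start with a DER SEQUENCE")
    elif announced != len(der):
        problems.append(f"DER header says {announced} bytes, body has {len(der)}")
    return problems


def constructed_request():
    """Constructed sample: valid armor and DER framing, not a real CSR."""
    der = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN NEW CERTIFICATE REQUEST-----", *rows,
                      "-----END NEW CERTIFICATE REQUEST-----"])


if __name__ == "__main__":
    full = constructed_request()
    print("full paste:      ", check_pasted_csr(full) or "looks complete")
    no_dashes = "\n".join(full.splitlines()[1:-1])
    print("dashes left off: ", check_pasted_csr(no_dashes))
    cut_short = "\n".join(full.splitlines()[:4])
    print("cut off mid-body:", check_pasted_csr(cut_short))
```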

When you get the certificate from the CA (in your email), ftp it to the IFS

Sign back on to DCM

Select a Certificate Store (choose *SYSTEM)

Click on Import certificate

Enter the path and name and extension of the file sent from the CA

After importing you can assign the certificate to the servers.

If the options are not presented to assign the certificate, choose “Assign certificate” from the left nav area.

Configuring iSeries Access

You must first ensure that SSL is installed on the client. If it’s not, install it.

• Launch iSeries Navigator

• Right click on system name and choose Properties

• Choose Secure Sockets

• To get the CA certificate into the list of trusted signers, click Download

This functionality should be listed in the opposite order. You need to make sure to download the i5/OS certificate authority before testing the connection.

Enter password – by default, it’s CA400

Now click on Verify SSL Connection to test the configuration

Note: If you are running Windows Vista, you’ll need iSeries Access V6R1

Close iSeries Navigator. When you re-launch, all connections will be over SSL.

(check for the padlock which indicates an SSL connection.)

Ensuring ODBC connections will be using SSL –

IBM iSeries Access

Choose ODBC Admin

Choose the User DSN to be SSL enabled

Click on Connection options

Configure the Security settings, click OK

To configure telnet, choose Communication->Configuration

Click on Properties to configure SSL

Ensure the Port number is 992

Notes on Telnet

• Once you assign the certificate you will need to end and re-start the telnet server to have the assignment take effect
• To block all non-telnet traffic you need to block port 23 on IBM i
• To SSL-enable the i5/OS telnet client (in other words, you’re typing “telnet” from an i5/OS command line), you’ll need:
  • V7R1
  • V6R1 – PTF SI32527 (superseded)
  • V5R4 – PTF SI32220 (superseded)

Support for the SSL-enabled telnet client is integrated into V7R1 and PTFed into V6R1 and V5R4. These PTFs have been superseded, but you will want to read the cover letters to understand how to use the function.

FTP considerations

• Need to have an SSL-enabled FTP client on your PC
• IBM i supports SSL for both the FTP client and the FTP server
• Must alter your scripts to initiate SSL session
• No alternate port for FTP and non-FTP sessions
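
Added example (not from the original presentation): what a PC-side upload script looks like once it is altered to start the SSL session, written with Python's ftplib. It assumes the server accepts explicit AUTH TLS on the normal control port; the host, user and CA file given on the command line are placeholders for your own values.

```python
import ftplib
import io
import ssl


def ftps_put(host, user, password, data, remote_name, cafile=None, port=21):
    """Upload bytes over explicit FTPS and return a short status string.

    cafile is the PEM file holding the CA certificate that signed the server
    certificate (needed for a private CA); None uses the platform's default
    list of well-known CAs.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and host name
    ftps = ftplib.FTP_TLS(context=ctx, timeout=10)
    try:
        ftps.connect(host, port)      # same control port as a plain session
        ftps.login(user, password)    # sends AUTH TLS first; USER/PASS go inside TLS
        ftps.prot_p()                 # encrypt the data connection too
        ftps.storbinary("STOR " + remote_name, io.BytesIO(data))
        ftps.quit()
        return "uploaded"
    except ssl.SSLCertVerificationError as exc:
        # Signer is not in this client's trusted list, or the name does not match.
        return "server certificate not trusted: " + exc.verify_message
    except ftplib.error_perm as exc:
        # 5xx reply, e.g. the server does not accept AUTH TLS or the login failed.
        return "server refused: " + str(exc)
    finally:
        ftps.close()


if __name__ == "__main__":
    import getpass
    import sys

    if len(sys.argv) != 4:
        print("usage: ftps_put.py HOST USER CA_FILE.pem")
    else:
        host, user, ca_file = sys.argv[1:]
        print(ftps_put(host, user, getpass.getpass(), b"hello\n",
                       "hello.txt", cafile=ca_file))
```

If the server refuses to start TLS, the function returns before the user name or password is ever sent.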

Exporting/Importing Server Certificate to another iSeries

Click on “Select a Certificate Store”

Choose *SYSTEM

Enter the password when prompted

To copy the server certificate to another system

Open Manage Certificates

Click on Export certificate

Choose to export a Server or client certificate (the export process also exports the CA certificate)

Check the certificate to export

Click Export

Check to export to a file

Provide the path and file name (file should not already exist)

This is a path in the IFS – not on your PC

Go to Target System

• Copy certificate file from IFS on source system to target system
• Sign on to DCM on target system
  • Use a profile that has *ALLOBJ and *SECADM

Click on “Select a Certificate Store”

Choose *SYSTEM

Enter the password when prompted

Click on Import certificate

Choose Server or client

Specify the path name where you copied the exported certificate

Enter the password you used when you exported the certificate, click Continue

Once imported, click on Manage Applications then Update Certificate Assignment to assign this certificate to the servers

Save / Restore Considerations

To make sure DCM (and the certificates) are backed up, run:
• Save (SAV) command to save all .KDB and .RDB files.
  • DCM certificate stores are comprised of two files, one with a .KDB extension and one with a .RDB extension.
• Save system (SAVSYS) command or the save security data (SAVSECDTA) command to save the certificate store passwords.

For More Information

• IBM Information Center
  • Security->DCM
  • Networking->Networking Security
• SSL return codes

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaik/rzaiksslrc.htm