www.skyviewpartners.com
(c) SkyView Partners, Inc, 2010. All Rights Reserved. 1
© Copyright SkyView Partners, Inc, 2010. All rights reserved. www.skyviewpartners.com1
Welcome to Coffee with Carol
Today’s topic is:
Configuring iSeries Access to use SSL
(c) SkyView Partners, Inc and NuBridges, 2009. All Rights Reserved. 1
Agenda
• How SSL works
• Certificate authorities
• Using DCM (Digital Certificate Manager)
• Configuring HTTP
• Configuring IBM i (iSeries) Access servers
• Considerations going forward
Secure Sockets Layer (SSL) Handshake
1. Request is made of the server (e.g., IBM i telnet server) to make a secure connection.
2. Server must authenticate itself:
   1. Encrypts data sent on request with its private key
   2. Sends back the encrypted data and its digital certificate
3. If the client trusts the certificate issuer, and the data decrypts correctly, session keys are negotiated and the rest of the flow is encrypted.
The server is always required to be authenticated. This means that a digital certificate has to be assigned to the server. Then, to complete the handshake, the client must trust the entity that issued the certificate. The client does this by looking in its list of “trusted signers.” Most clients, whether a browser or something like iSeries Navigator or telnet, come configured with a list of signers (or issuers) from “well-known” certificate authorities such as Verisign, Thawte, etc.
[Figure: SSL handshake diagram. Client side (IBM i Access for Windows, browser) with its list of trusted signers: 1. Verisign, 2. Thawte, 3. SkyView_IBM_i. Server side: IBM i (telnet, ODBC, HTTP servers) presenting a digital certificate issued by a CA. Callout: Who’s going to issue this certificate?]
The browser determines if it trusts the issuer of the server certificate by looking in its list of certificate signers. If the server certificate's signer is not in this list, the certificate is not automatically trusted. This is the step that throws most users when using a self-signed server certificate (that is, the server is using a certificate signed, or issued, by an iSeries). To have this work, you've got to get the iSeries CA certificate into the browser's (or iSeries Access) list of trusted signers.
Keep in mind that the server is always authenticated; whether you also authenticate the client is optional.
The decision to be made when deciding to use SSL is what entity you are going to get the certificate from: a well-known certificate authority (CA) or a self-signed (private) CA.
What entity will issue the certificates?
• The entity that issues the certificate is called a Certificate Authority (CA)
• A CA must be “trusted” or else transmission of encrypted data will not occur
• To be trusted, the CA must be in the client’s “List of trusted signers”
  • In IE, Trusted Root Certification Authorities
  • In Firefox, Certificate Manager – Authorities
  • In iSeries Access, Signer Certificates
Well-known vs Private CAs
• Well-known (Public) Certificate Authority:
  • CA is in clients’ list of trusted signers
  • iSeries Access ships numerous well-known CAs with the client
  • Browsers have a list of well-known CAs
  • Used for
    • Public websites
    • Full roll-out throughout the enterprise
  • Must be purchased
• Private Certificate Authorities (self-signed certificates):
  • CA is NOT in clients’ list of trusted signers
  • Used for
    • Limited roll-out
    • No (or reduced) fees
You never want to use a self-signed CA for a publicly-facing Internet site. Visitors will receive a warning that the certificate is not valid, which doesn’t cast a good image. Only use a self-signed certificate internally, and probably only for a limited number of users.
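The trust decision described above, as an added Go example that is not part of the presentation: a private CA and a server certificate are generated in memory (constructed names SkyView_IBM_i and ibmi.example.internal), and the client's check fails until the CA certificate is in its list of trusted signers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const caName, hostName = "SkyView_IBM_i", "ibmi.example.internal" // constructed names

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue generates a key pair for tmpl and has parent sign the certificate;
// with parent == nil the certificate is self-signed, as a CA certificate is.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewPrivateCA is the DCM "Create a Certificate Authority" step: a self-signed CA certificate.
func NewPrivateCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}
// IssueServerCert is the "Create a server certificate" step: the private CA signs a certificate for host.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}
// ClientTrusts is the client's side of the handshake: the server certificate is accepted
// only if it chains to an entry in the client's list of trusted signers and names host.
func ClientTrusts(server *x509.Certificate, trustedSigners []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // empty, not nil: a nil Roots would fall back to the OS root store
	for _, s := range trustedSigners {
		pool.AddCert(s)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, caKey := NewPrivateCA()
	srv := IssueServerCert(ca, caKey, hostName)
	fmt.Println("CA not imported:", ClientTrusts(srv, nil, hostName))                    // unknown authority error
	fmt.Println("CA imported:", ClientTrusts(srv, []*x509.Certificate{ca}, hostName)) // nil: trusted
}
```

The same check also rejects the certificate when the host name the client connected to does not match the one in the certificate, which is why a browser still warns when a correctly imported CA signed a certificate for a different system name.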
Digital Certificate Manager (DCM)
Requirements
• Option 34, DCM
• IBM HTTP Server (5722-DG1)
• HTTP *ADMIN instance must be started
  • STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
• A profile with *ALLOBJ and *SECADM
CAs issue these types of certs
[Figure: a Certificate Authority (CA) issues four kinds of certificates: Certificate Authority (must be in the list of trusted signers), Server (must be assigned to the telnet, etc., servers), Object Signing, and User.]
This presentation will discuss Certificate Authority certs and Server certs.
Option 1: Using a Private CA (IBM i as the CA)
You have two options for obtaining a server certificate: one issued from a well-known CA or one issued from a private CA. The IBM i (iSeries) can be a CA.
Steps using IBM i as the CA
• Sign in to DCM (with a user that has *ALLOBJ and *SECADM)
• Create the Certificate Authority (CA)
• Create the CA’s certificate
  • (Note: This goes into the list of trusted signers so the client can trust the server.)
• Create a server certificate
  • (Note: This is assigned to the servers so it can be used as part of the SSL handshake.)
• Assign the server certificate to the servers
• Import the CA certificate to the clients
In other words, you’re going to use “self-signed” certificates, since the certificates will be issued by a private CA (that is, the iSeries itself).
On V6R1 and later, to sign on to Digital Certificate Manager, type
http://your_system_name:2001
Choose “Continue to this website”
This is what you’ll see when running V6 or later. Open a browser and type http://your_system_name:2001, or substitute the IP address as in http://192.168.1.5:2001
It’s doing a redirect to an https session. Go ahead and choose the option to Continue to this website.
(2001 is the port that the Admin instance of the webserver listens on.)
First sent to IBM Director
Log in (with a user that has *ALLOBJ and *SECADM special authorities)
In V6R1 and later you’ll be sent to IBM Director first.
At the bottom of the middle pane, click on i5/OS Tasks Page
This link is rather buried at the bottom of the middle pane.
Click on Digital Certificate Manager
At V5R4 and earlier, to sign on to Digital Certificate Manager, type
http://your_system_name:2001
Click on “Digital Certificate Manager”
This is the first screen you’ll see if you are running V5R4. Open a browser and type http://your_system_name:2001, or substitute the IP address as in http://192.168.1.5:2001
2001 is the port that the Admin instance of the webserver listens on.
Regardless of the release, the flow is the same from now on.
Click on Create a Certificate Authority (CA) – this is a configuration wizard that will walk you through the steps of creating the CA itself, the CA certificate, a server certificate and assigning the server certificate to the servers.
• Fill in all of the required fields
• Specify the maximum validity period
You can install the CA certificate into your browser if you are using secure connections to the webserver running on the iSeries (https connections). Otherwise, this step is not necessary.
Specify the policy requirements of the CA: whether or not it can be used to issue user certificates, and the validity period of the certificates issued.
The CA itself is now created. Click Continue to create a server certificate.
Not necessary to fill in the information in the Subject Alternative Name fields. Those are for certificates being used for VPN connections and that’s not the purpose of this certificate.
The server certificate is now created. Now you can assign the certificate to the servers. It doesn’t hurt anything to assign this certificate to all of the servers.
You can continue to create an object signing certificate if you want to – we won’t be using it, but it doesn’t hurt anything. Also, it will keep you going through the configuration wizard.
If you are going to require client authentication (that is, the client has to prove itself to the server), then you’ll be interested in this screen. This allows you to add the CA’s certificate to the list of trusted signers for these servers. The list is shorter than the other lists you’ve seen because these are the only servers that support client authentication.
Configuration of the CA is now complete: a CA certificate has been created, and a server certificate has been created and assigned to the servers to use during the SSL handshake when a client requests an SSL connection.
There are now several certificate stores on the system (think of them as “containers of certificates”.)
To work with a certificate, you must select (and have the password for) the appropriate certificate store.
Option 2: Using a Well-Known CA
Steps using a well-known CA
• Sign in to DCM
• Create a certificate store
• Create a server certificate request to send to the well-known CA
• Import the server certificate from the well-known CA
• Assign the server certificate to the servers
Click on Create New Certificate Store
Choose *SYSTEM
Continue
You don’t want to create a certificate, just a place to hold the certificate you’re about to request.
Choose Yes
If you are using a well-known CA, this will be your only choice. If you’ve configured the IBM i to be a CA, you’ll see that choice as well. Choose the VeriSign or other Internet CA option.
Choose Yes
When making the certificate request, you must copy and paste the ENTIRE request, including the leading and trailing dashes.
When you get the certificate from the CA (in your email), FTP it to the IFS
Sign back on to DCM
Select a Certificate Store (choose *SYSTEM)
Click on Import certificate
Enter the path, name and extension of the file sent from the CA
After importing, you can assign the certificate to the servers.
If the options to assign the certificate are not presented, choose “Assign certificate” from the left nav area.
Configuring iSeries Access
You must first ensure that SSL is installed on the client. If it’s not, install it.
• Launch iSeries Navigator
• Right click on system name and choose Properties
• Choose Secure Sockets
• To get the CA certificate into the list of trusted signers, click Download
This functionality should be listed in the opposite order: you need to make sure to download the i5/OS certificate authority before testing the connection.
Enter the password – by default, it’s CA400
Now click on Verify SSL Connection to test the configuration
Note: If you are running Windows Vista, you’ll need iSeries Access V6R1
Close iSeries Navigator. When you re-launch, all connections will be over SSL (check for the padlock, which indicates an SSL connection).
Ensuring ODBC connections will be using SSL – IBM iSeries Access
Choose ODBC Admin
Choose the User DSN to be SSL enabled
Click on Connection options
Configure the Security settings, click OK
To configure telnet, choose Communication->Configuration
Click on Properties to configure SSL
Ensure the Port number is 992
Notes on Telnet
• Once you assign the certificate, you will need to end and restart the telnet server to have the assignment take effect
• To block all non-SSL telnet traffic, you need to block port 23 on IBM i
• To SSL-enable the i5/OS telnet client (in other words, you’re typing “telnet” from an i5/OS command line), you’ll need:
  • V7R1
  • V6R1 – PTF SI32527 (superseded)
  • V5R4 – PTF SI32220 (superseded)
Support for the SSL-enabled telnet client is integrated into V7R1 and PTFed into V6R1 and V5R4. These PTFs have been superseded, but you will want to read the cover letters to understand how to use the function.
FTP considerations
• Need to have an SSL-enabled FTP client on your PC
• IBM i supports SSL for both the FTP client and the FTP server
• Must alter your scripts to initiate the SSL session
• No alternate port for SSL and non-SSL FTP sessions
Exporting/Importing Server Certificate to another iSeries
To copy the server certificate to another system:
Click on “Select a Certificate Store”
Choose *SYSTEM
Enter the password when prompted
Open Manage Certificates
Click on Export certificate
Choose to export a Server or client certificate (the export process also exports the CA certificate)
Check the certificate to export
Click Export
Check to export to a file
Provide the path and file name (the file should not already exist)
This is a path in the IFS, not on your PC
Go to Target System
• Copy the certificate file from the IFS on the source system to the target system
• Sign on to DCM on the target system
  • Use a profile that has *ALLOBJ and *SECADM
Click on “Select a Certificate Store”
Choose *SYSTEM
Enter the password when prompted
Click on Import certificate
Choose Server or client
Specify the path name where you copied the exported certificate
Enter the password you used when you exported the certificate, click Continue
Once imported, click on Manage Applications then Update Certificate Assignment to assign this certificate to the servers
Save / Restore Considerations
To make sure DCM (and the certificates) are backed up, run:
• The Save (SAV) command to save all .KDB and .RDB files.
  • DCM certificate stores are comprised of two files, one with a .KDB extension and one with a .RDB extension.
• The save system (SAVSYS) command or the save security data (SAVSECDTA) command to save the certificate store passwords.
For More Information
• IBM Information Center
  • Security->DCM
  • Networking->Networking Security
• SSL return codes
  http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaik/rzaiksslrc.htm