www.skyviewpartners.com
(c) SkyView Partners, Inc, 2010. All Rights Reserved.
Welcome to Coffee with Carol
Today's topic is: Configuring iSeries Access to use SSL
(c) SkyView Partners, Inc and NuBridges, 2009. All Rights Reserved.
Agenda
How SSL works
Certificate authorities
Using DCM (Digital Certificate Manager)
Configuring HTTP
Configuring IBM i (iSeries) Access servers
Considerations going forward
Secure Sockets Layer (SSL) Handshake
1. The client asks the server (e.g., the IBM i telnet server) for a secure connection.
2. The server must authenticate itself.
1. It sends back its digital certificate, which carries the server's public key.
2. It proves that it holds the matching private key: the client encrypts handshake data with the public key from the certificate (or the server signs handshake data), and only the holder of the private key can complete that step.
3. If the client trusts the issuer of the certificate, and the private-key proof checks out, session keys are negotiated and the rest of the flow is encrypted.
The server is always required to be authenticated. This means that a digital certificate has to be assigned to the server. Then, to complete the handshake, the client must trust the entity that issued the certificate. The client does this by looking in its list of trusted signers. Most clients, whether a browser or something like iSeries Navigator or telnet, come configured with a list of signers (or issuers) from well-known certificate authorities such as Verisign, Thawte, etc.
[Figure: SSL handshake. Client (IBM i Access for Windows, browser) holding a list of trusted signers: 1. Verisign, 2. Thawte, 3. SkyView_IBM_i. Server (IBM i: telnet, ODBC, http servers) presenting its digital certificate. Caption: Who's going to issue this certificate?]
The browser determines whether it trusts the issuer of the server certificate by looking in its list of certificate signers. If the server certificate's signer is not in this list, the certificate is not automatically trusted. This is the step that throws most users when using a "self-signed" server certificate (that is, the server is using a certificate signed, or issued, by an iSeries acting as its own CA). To make this work, you have to get the iSeries CA certificate into the browser's (or iSeries Access) list of trusted signers.
Keep in mind that the server is always authenticated; whether you also authenticate the client is optional.
The decision to be made when deciding to use SSL is which entity you are going to get the certificate from: a well-known certificate authority (CA) or a private (so-called self-signed) CA.
What entity will issue the certificates?
The entity that issues the certificate is called a Certificate Authority (CA)
If the client does not trust the CA, the handshake fails and no encrypted session is established
To be trusted, the CA must be in the client's list of trusted signers:
In IE, Trusted Root Certification Authorities
In Firefox, Certificate Manager, Authorities
In iSeries Access, Signer Certificates
Well-known vs Private CAs
Well-known (Public) Certificate Authority:
CA is already in the client's list of trusted signers
iSeries Access ships numerous well-known CAs with the client
Browsers have a list of well-known CAs
Used for
Public websites
Full roll-out throughout the enterprise
Certificates must be purchased
Private Certificate Authorities (so-called self-signed certificates):
CA is NOT in the client's list of trusted signers until you put it there
Used for
Limited roll-out
No (or reduced) fees
Never use a private CA for a publicly-facing Internet site. Visitors will receive a "certificate not valid" warning, which doesn't cast a good image and teaches them to click through warnings. Only use a private CA internally, and probably only for a limited number of users.
Digital Certificate Manager (DCM)
Requirements
IBM i option 34, Digital Certificate Manager
IBM HTTP Server (5722-DG1)
The HTTP *ADMIN instance must be started:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
A user profile with *ALLOBJ and *SECADM special authorities
CAs issue these types of certificates:
Certificate Authority (must be in the list of trusted signers)
Server (must be assigned to the telnet, etc., servers)
Object Signing
User
This presentation will discuss Certificate Authority certs and Server certs.
Option 1:
Using a Private CA
(IBM i as the CA)
You have two options for obtaining a server certificate: one issued by a well-known CA or one issued by a private CA. The IBM i (iSeries) can itself act as a CA.
Steps using IBM i as the CA
Sign in to DCM (with a user that has *ALLOBJ and *SECADM)
Create the Certificate Authority (CA)
Create the CA's certificate
(Note: This goes into the client's list of trusted signers so the client can trust the server.)
Create a server certificate
(Note: This is assigned to the servers so it can be used as part of the SSL handshake.)
Assign the server certificate to the servers
Import the CA certificate to the clients
In other words, you're going to use certificates issued by a private CA (the iSeries itself), which this deck refers to as self-signed certificates.
On V6R1 and later, to sign on to Digital Certificate Manager, type
http://your_system_name:2001
Choose "Continue to this website"
This is what you'll see when running V6 or later. Open a browser and type http://your_system_name:2001, or substitute the IP address, as in http://192.168.1.5:2001
The admin server redirects you to an https session; because its certificate is not yet one your browser trusts, the browser warns. Go ahead and choose the option to "Continue to this website".
(2001 is the port that the Admin instance of the webserver listens on.)
First sent to IBM Director
Log in (with a user that has *ALLOBJ and *SECADM special authorities)
In V6R1 and later you'll be sent to IBM Director first.
At the bottom of the middle pane, click on i5/OS Tasks Page
This link is rather buried at the bottom of the middle pane.
Click on Digital Certificate Manager
At V5R4 and earlier, to sign on to Digital Certificate Manager, type
http://your_system_name:2001
Click on Digital Certificate Manager
This is the first screen you'll see if you are running V5R4. Open a browser and type http://your_system_name:2001, or substitute the IP address, as in http://192.168.1.5:2001
2001 is the port that the Admin instance of the webserver listens on.
Regardless of the release, the flow is the same from now on.
Click on "Create a Certificate Authority (CA)". This is a configuration wizard that will walk you through the steps of creating the CA itself, the CA certificate, a server certificate, and assigning the server certificate to the servers.
Fill in all of the required fields
Specify the maximum validity period
You can install the CA certificate into your browser if you will be making https connections to the webserver running on the iSeries. Otherwise, this step is not necessary.
Specify the policy requirements of the CA: whether or not it can be used to issue user certificates, and the validity period of the certificates it issues.
The CA itself is now created. Click Continue to
create a server certificate.
The wizard describes the Subject Alternative Name fields as being for certificates used by VPN connections, so for the purpose of this deck they were left blank. Be aware, however, that current browsers and many TLS clients ignore the Common Name and match the host name against the Subject Alternative Name only, so if browsers or other modern clients will connect to this server, enter its fully qualified domain name there.
The server certificate is now created. Now you can assign the certificate to the servers. It doesn't hurt anything to assign this certificate to all of the servers: assigning it lets each server accept SSL connections, and it does not by itself turn off their non-SSL ports.
You can continue to create an object signing certificate if you want to. We won't be using it, but it doesn't hurt anything, and it keeps you going through the configuration wizard.
If you are going to require client authentication, that is, the client has to prove itself to the server, then you'll be interested in this screen. It allows you to add the CA's certificate to the list of trusted signers for these servers. The list is shorter than the other lists you've seen because these are the only servers that support client authentication.
Configuration of the CA is now complete: a CA certificate has been created, and a server certificate has been created and assigned to the servers to use during the SSL handshake when a client requests an SSL connection.
There are now several certificate stores on the
system (think of them as containers of certificates.)
To work with a certificate, you must select (and have
the password for) the appropriate certificate store.
Option 2:
Using a Well-Known CA
Steps using a well-known CA
Sign in to DCM
Create a certificate store
Create a server certificate request to send to the
well-known CA
Import the server certificate from the well-known CA
Assign the server certificate to the servers
Click on Create New Certificate Store
Choose *SYSTEM
Continue
You don't want to create a certificate yet, just a place to hold the certificate you're about to request.
Choose Yes
If you are using a well-known CA, this will be your only choice. If you've configured the IBM i to be a CA, you'll see that choice as well. Choose the "VeriSign or other Internet CA" option.
Choose Yes
When making the certificate request, you must copy and paste the ENTIRE request, including the leading and trailing lines of dashes (the BEGIN and END lines). A request missing either line is not valid PEM and the CA will reject it.
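The handshake and trust decision described at the start of this deck, and the certificate-request flow of Option 2, as an added example written for this page in Go. It is not SkyView's or IBM's code and does not run on IBM i; Go's crypto/tls stands in for the IBM i servers and for the iSeries Access client. A private CA is created (the role the IBM i plays in Option 1), the server generates a key and a PEM certificate request, the CA signs the pasted request (rejecting a paste that lost its BEGIN/END lines), and a TLS handshake over a loopback TCP connection succeeds only once the CA certificate has been added to the client's list of trusted signers. The host name ibmi.example.internal and the CA name SkyView_IBM_i are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue has the CA (parent, parentKey) sign tmpl for public key pub; parent == tmpl gives a self-signed CA cert.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// newCA creates a private CA, the role the IBM i plays in Option 1 (the CA name is an assumption).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SkyView_IBM_i"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0), // CA validity period
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, key, &key.PublicKey)
	return cert, key, err
}

// newCSR is the server side of "create a server certificate request": the private key
// stays on the server; only the PEM text is sent (pasted) to the CA.
func newCSR(host string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}} // Subject Alternative Name; current clients match the host name here
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil { return nil, nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// signCSR is the CA side, private or well-known: parse the pasted request, check that the requester
// holds the private key, and issue a one-year server certificate. A paste that lost the BEGIN/END lines is rejected.
func signCSR(csrPEM []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a complete PEM request: include the BEGIN and END lines")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca, caKey, csr.PublicKey)
}

// handshake runs a real TLS handshake over loopback TCP. The server presents cert and proves it holds
// key; the client completes the handshake only if the issuer is in trusted (its list of trusted signers)
// and host matches the certificate. The server does not ask for a client certificate (the tls.Config default).
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, trusted *x509.CertPool, host string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { done <- err; return }
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{SessionTicketsDisabled: true,
			Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
		done <- srv.Handshake()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return err }
	defer conn.Close()
	err = tls.Client(conn, &tls.Config{RootCAs: trusted, ServerName: host}).Handshake()
	<-done // let the server side finish (or fail) before the sockets close
	return err
}

func main() {
	const host = "ibmi.example.internal" // hypothetical server name
	ca, caKey, _ := newCA()
	csrPEM, srvKey, _ := newCSR(host)
	srvCert, _ := signCSR(csrPEM, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the client's "Download" of the CA certificate into its trusted signers
	fmt.Printf("%sCA not trusted: %v\nCA trusted:     %v\n", csrPEM,
		handshake(srvCert, srvKey, x509.NewCertPool(), host), handshake(srvCert, srvKey, pool, host))
}
```

Run with `go run`: the first handshake fails with "certificate signed by unknown authority", which is the warning iSeries Access or a browser shows before the CA certificate is downloaded; the second succeeds with no other change. The same `signCSR` models both a private CA and a well-known CA, since the only difference is who holds `caKey`.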
When you get the certificate from the CA (in your email), FTP it to the IFS
Sign back on to DCM
Select a Certificate Store (choose *SYSTEM)
Click on Import certificate
(If the CA also sent an intermediate CA certificate, import that first, as a CA certificate, so DCM can build the chain.)
Enter the path, name and extension of the file sent from the CA
After importing you can assign the certificate to the servers.
If the options to assign the certificate are not presented, choose "Assign certificate" from the left navigation area.
Configuring iSeries Access
You must first ensure that SSL support is installed on the client. If it's not, install it.
Launch iSeries Navigator
Right-click on the system name and choose Properties
Choose Secure Sockets
To get the CA certificate into the list of trusted signers, click Download
These buttons should be listed in the opposite order: you need to download the i5/OS certificate authority before testing the connection.
Enter the password for the client's key database; by default it's CA400, a default that is publicly documented, so consider changing it
Now click on Verify SSL Connection to test the configuration
Note: If you are running Windows Vista, you'll need iSeries Access V6R1
Close iSeries Navigator. When you re-
launch, all connections will be over SSL.
(check for the padlock which indicates an SSL connection.)
Ensuring ODBC connections will be using SSL
Open IBM iSeries Access
Choose ODBC Admin
Choose the User DSN to be SSL-enabled
Click on Connection options
Configure the Security settings, then click OK
To configure telnet, choose Communication->Configuration
Click on Properties to configure SSL
Ensure the port number is 992 (the port the SSL-enabled telnet server listens on)
Notes on Telnet
Once you assign the certificate you will need to end and restart the telnet server for the assignment to take effect
Assigning the certificate does not stop non-SSL telnet on port 23; to block all non-SSL telnet traffic you need to block port 23 on IBM i
To SSL-enable the i5/OS telnet client (in other words, you're typing TELNET from an i5/OS command line), you'll need:
V7R1
V6R1 PTF SI32527 (superseded)
V5R4 PTF SI32220 (superseded)
Support for an SSL-enabled telnet client is integrated into V7R1 and PTFed into V6R1 and V5R4. These PTFs have been superseded, but you will want to read their cover letters to understand how to use the function.
FTP considerations
You need an SSL-enabled FTP client on your PC
IBM i supports SSL for both the FTP client and the FTP server
You must alter your scripts to initiate the SSL session
There is no alternate port: SSL and non-SSL FTP sessions share the same port
Exporting/Importing Server
Certificate to another iSeries
To copy the server certificate to another system:
Click on Select a Certificate Store
Choose *SYSTEM
Enter the password when prompted
Open Manage Certificates
Click on Export certificate
Choose to export a Server or client certificate (the export process also exports the CA certificate)
Check the certificate to export
Click Export
Check to export to a file
Provide the path and file name (the file should not already exist)
This is a path in the IFS, not on your PC
The exported file contains the server's private key as well as the certificate, so protect it with a strong password, restrict access to it, and delete it from both systems once the import is done.
Go to Target System
Copy certificate file from IFS on source
system to target system
Sign on to DCM on target system
Use a profile that has *ALLOBJ and *SECADM
Click on Select a Certificate Store
Choose *SYSTEM
Enter the password when prompted
Click on Import certificate
Choose Server or client
Specify the path name where you copied the
exported certificate
Enter the password you used when you exported the certificate, click
Continue
Once imported, click on Manage Applications then Update Certificate
Assignment to assign this certificate to the servers
Save / Restore Considerations
To make sure DCM (and the certificates) are backed up, run:
The Save (SAV) command to save all .KDB and .RDB files.
DCM certificate stores consist of two files, one with a .KDB extension and one with a .RDB extension.
The Save System (SAVSYS) command or the Save Security Data (SAVSECDTA) command to save the certificate store passwords.
For More Information
IBM Information Center
Security->DCM
Networking->Networking Security
SSL return codes
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaik/rzaiksslrc.htm