
Pinned topic Encrypting SQL network traffic

2013-06-27T14:31:05Z

I'm in the process of developing a Windows application using Visual Studio that accesses and updates database tables on the iSeries. I'm using the Client Access ADO .NET .dlls, and things are working well.

However, a requirement has come up for encryption of traffic between the Windows app and the iSeries. I've been trying to enable SSL (or any type of secure encryption) in the connection string, but evidently I'm missing something in the setup on the iSeries side. Using SSL=True generates a communication error when trying to initiate the connection.

We don't typically use SSL for our iSeries traffic in general, so we haven't ever configured anything on the system side as it relates to SSL.

Does anyone have any experience using SSL, and if so, can you point me in the right direction on this (including some documentation links)? I've been trying to find something for the last day or so and am coming up empty.



  • krmilligan
    437 Posts

    Re: Encrypting SQL network traffic

    ‏2013-06-27T16:28:12Z  in response to UJ3W_Jeff_Whitlock

    Here's some SSL information from the IBM i Information Center:

  • UJ3W_Jeff_Whitlock
    3 Posts

    Re: Encrypting SQL network traffic

    ‏2013-07-01T12:50:46Z  in response to UJ3W_Jeff_Whitlock

    After going over the IBM documentation and trying some things out, I finally gave in and called IBM support to get it configured. It's a bit more involved than the documentation lets on. Client Access has its own certificate store that both 5250 sessions and ADO .NET connections (that use the CA .DLL) use when SSL is specified for the connection.

    The basic steps you need to take to get SSL working are:

    - Get into the Digital Certificate Manager web page on the iSeries.

    - Make sure the *SYSTEM store and a local Certificate Authority are set up.

    - Create a certificate for the iSeries and apply all the applications needed for 5250 / ADO .NET to it.

    - On the PC or server you're going to connect to the iSeries from, start iSeries Navigator.

    - From the properties for the iSeries in iNav, go to the SSL tab and download the CA cert to the local .kdb store on the PC.

    - Restart the host services on the iSeries to enable it to pick up the ADO .NET connection. TCP/IP will need to be restarted in order for the 5250 session functionality to be recognized; we just waited until the next IPL for it to be picked up.

    There's more detail involved in each of these steps. IBM support can run you through those steps, or if anyone is interested, I can post more detail here.