Configuration details: Secure all connections to your Management Central system with SSL
This topic shows the details for using SSL to secure all connections to your Management Central server.
This information assumes that you have already read the scenario: Secure all connections to your Management Central server with SSL.
You now want to understand how to perform the steps required to secure all connections to the Management Central server. Follow along as Tom completes the scenario.
Before Tom can enable SSL on the Management Central system, he must install the prerequisite programs and set up digital certificates on the IBM i. Once he has met the prerequisites, he can complete the following procedures to secure all connections to the Management Central server.
Note: If SSL has been enabled for System i Navigator, Tom must disable it before he can enable SSL on the Management Central server. If SSL has been enabled for System i Navigator, and not the Management Central server, attempts by System i Navigator to connect with the central system will fail.
SSL allows Tom to secure transmissions between a central system and an endpoint system, as well as between the System i Navigator client and the central system. SSL provides transport and authentication of certificates and encryption of data. An SSL connection can only occur between an SSL-enabled central system and an SSL-enabled endpoint system. Tom needs to configure server authentication before he can configure client authentication:
Step 1: Configure the central system for server authentication
Step 2: Configure endpoint systems for server authentication
After Tom configures the central system for server authentication, he needs to configure the endpoint systems for server authentication. He completes the following tasks:
Step 3: Restart the Management Central system on the central system
- In System i Navigator, expand My Connections.
- Expand the central system.
- Expand TCP/IP.
- Right-click Management Central and select Stop. The central system view collapses, and a message displays, explaining that you are not connected to the server.
- Once the Management Central server has stopped, click Start to restart it.
Step 4: Restart the Management Central system on all endpoint systems
- In System i Navigator, expand My Connections.
- Expand the endpoint system that you are restarting.
- Expand TCP/IP.
- Right-click Management Central and select Stop.
- Once the Management Central server has stopped, click Start to restart it.
- Repeat this procedure for each endpoint system.
Step 5: Activate SSL for the System i Navigator client
- In System i Navigator, expand My Connections.
- Right-click the central system, and select Properties.
- Click the Secure Sockets tab and select Use Secure Sockets Layer (SSL) for connection.
- Exit System i Navigator and restart it.
Note: After you have completed these steps, server authentication is configured for your central and endpoint systems. You can optionally configure your central and endpoint systems for client authentication as well. Steps 6 through 10 should be completed if you want to enable client authentication on your central and endpoint systems.
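A check that is worth running once Steps 1 through 5 are complete: confirm that the central system and every endpoint actually complete a verified TLS handshake on the Management Central SSL port using only the CA that was set up in the prerequisites. This is an added example, not part of the IBM documentation; the port number 5566 and the CA file path are assumptions, and the system names in the test are constructed.

```python
"""Post-configuration check for Management Central SSL (added example, not IBM code).
Assumes the Management Central server's SSL listener is on port 5566 (not stated on
the page; confirm against your service table) and that cafile holds the CA certificate
the systems were issued from."""
import socket
import ssl

MGTC_SSL_PORT = 5566  # assumed as-mgtc-ssl port; adjust to your service table


def probe_tls(host, port, cafile, timeout=5.0):
    """Return (True, peer common name) when a TLS handshake succeeds and the server
    certificate chains to cafile; otherwise (False, reason). Hostname checking stays
    on, so the certificate must be issued for the name used to connect."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return True, subject.get("commonName", "<no CN>")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired cert or name mismatch: server auth is NOT in place
        return False, f"certificate not trusted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # No listener, plain-text listener on the SSL port, timeout, etc.
        return False, f"handshake failed: {exc}"


def audit_systems(systems, cafile, probe=probe_tls):
    """systems is {"central": host, "endpoints": [host, ...]}.
    Returns (all_ok, {host: (ok, detail)}); all_ok is True only when the central
    system and every endpoint verified, since one failing endpoint is enough for
    Management Central tasks to that system to fail after SSL is enforced."""
    results = {}
    for host in [systems["central"], *systems["endpoints"]]:
        results[host] = probe(host, MGTC_SSL_PORT, cafile)
    all_ok = all(ok for ok, _ in results.values())
    return all_ok, results


if __name__ == "__main__":
    # Placeholder names; replace with your central and endpoint systems
    ok, report = audit_systems({"central": "CENTRAL", "endpoints": ["ENDPT1"]}, "ca.pem")
    for host, (good, detail) in report.items():
        print(f"{host:12} {'OK ' if good else 'FAIL'} {detail}")
    print("all systems verified" if ok else "server authentication incomplete")
```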
Step 6: Configure the central system for client authentication
Now that Tom has completed the configuration for server authentication, he can perform the following optional client authentication procedures. Client authentication provides validation of the Certificate Authority and trusted group for both the endpoint systems and the central system. When the central system (SSL client) tries to use SSL to connect to an endpoint system (SSL server), the central system and the endpoint system authenticate each other's certificates through both server authentication and client authentication. This is also referred to as Certificate Authority and Trusted Group authentication.
Note: You cannot complete client authentication configuration until you have configured server authentication. If you have not configured server authentication, go back and do so now.
Step 7: Configure endpoint systems for client authentication
Compare and update system values for the endpoint systems:
Step 8: Copy the validation list to the endpoint systems
This task assumes that your central system is running IBM i V5R3 or later. On OS/400 V5R2 or earlier systems, QYPSVLDL.VLDL was located in QUSRSYS.LIB, not QMGTC2.LIB. Therefore, if you have pre-V5R3 systems, you will need to send the validation list to these systems and place it in QUSRSYS.LIB instead of QMGTC2.LIB. For V5R3 and later systems, continue with the following steps:
Step 9: Restart the Management Central system on the central system
- In System i Navigator, expand My Connections.
- Expand the central system.
- Expand TCP/IP.
- Right-click Management Central and select Stop. The central system view collapses, and a message displays, explaining that you are not connected to the server.
- Once the Management Central server has stopped, click Start to restart it.
Step 10: Restart the Management Central system on all endpoint systems
Note: Repeat this procedure for each endpoint system.
- In System i Navigator, expand My Connections.
- Expand the endpoint system that you are restarting.
- Expand TCP/IP.
- Right-click Management Central and select Stop.
- Once the Management Central server has stopped, click Start to restart it.