Configuration details for securing Telnet with SSL

Here are the detailed configuration steps for securing Telnet with Secure Sockets Layer (SSL).

Step 1: Removing port restrictions

In releases before V5R1, port restrictions were used because Secure Sockets Layer (SSL) support was not available for Telnet. Now you can specify whether SSL, non-SSL, or both are to start. Therefore, there is no longer a need for port restrictions. If you have defined port restrictions in previous releases, you need to remove the port restrictions in order to use the SSL parameter.

To determine whether you have Telnet port restrictions and remove them so that you can configure the Telnet server to use SSL, follow these steps:

  1. To view any current port restrictions, start System i® Navigator and expand your system > Network.
  2. Right-click TCP/IP Configuration and select Properties.
  3. Click the Port Restrictions tab to see a list of port restriction settings.
  4. Select the port restriction that you want to remove.
  5. Click Remove.
  6. Click OK.

By default, the setting is to start SSL sessions on port 992 and non-SSL sessions on port 23. The Telnet server uses the service table entry for Telnet to get the non-SSL port and Telnet-SSL to get the SSL port.

Step 2: Creating and operating local certificate authority

To use Digital Certificate Manager (DCM) to create and operate a local certificate authority (CA) on the system, follow these steps:

  1. Start DCM.
  2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms. These forms guide you through the process of creating a Local CA and completing other tasks needed to begin using digital certificates for SSL, object signing, and signature verification.
  3. Complete all the forms that are displayed. There is a form for each of the tasks that you need to perform to create and operate a local CA on the system. Completing these forms allows you to:
    1. Choose how to store the private key for the local CA certificate. This step is included only if you have an IBM® 4758-023 PCI Cryptographic Coprocessor installed on your system. If your system does not have a cryptographic coprocessor, DCM automatically stores the certificate and its private key in the Local CA certificate store.
    2. Provide identifying information for the local CA.
    3. Install the local CA certificate on your PC or in your browser. This enables software to recognize the local CA and validate certificates that the CA issues.
    4. Choose the policy data for your local CA.
    5. Use the new local CA to issue a server or client certificate that applications can use for SSL connections. If you have an IBM 4758-023 PCI Cryptographic Coprocessor installed in the system, this step allows you to select how to store the private key for the server or client certificate. If your system does not have a coprocessor, DCM automatically places the certificate and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM certificate store as part of this task.
    6. Select the applications that can use the server or client certificate for SSL connections.
      Note: Be sure to select the application ID for the Telnet server (QIBM_QTV_TELNET_SERVER).
    7. Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects. This creates the *OBJECTSIGNING certificate store, which you use to manage object signing certificates.
      Note: Although this scenario does not use object signing certificates, be sure to complete this step. If you cancel at this point in the task, the task ends and you need to perform separate tasks to complete your SSL certificate configuration.
    8. Select the applications that you want to trust the local CA.
      Note: Be sure to select the application ID for the Telnet server (QIBM_QTV_TELNET_SERVER).

After you have completed the forms for this guided task, you can configure the Telnet Server to require client authentication.

Step 3: Configuring Telnet server to require certificates for client authentication

To activate this support, the system administrator indicates how SSL support is handled. Use the Telnet Properties General panel in System i Navigator to indicate whether SSL, non-SSL, or support for both starts when the Telnet server starts. By default, both SSL and non-SSL support starts.

The system administrator can also indicate whether the system requires SSL client authentication for all Telnet sessions. When SSL is active and the system requires client authentication, the presence of a valid client certificate means that the client is trusted.

To configure the Telnet server to require certificates for client authentication, follow these steps:

  1. Start DCM.
  2. Click Select a Certificate Store.
  3. Select *SYSTEM as the certificate store to open and click Continue.
  4. Enter the appropriate password for *SYSTEM certificate store and click Continue.
  5. When the left navigational menu refreshes, select Manage Applications to display a list of tasks.
  6. Select the Update application definition task to display a series of forms.
  7. Select Server application and click Continue to display a list of server applications.
  8. From the list of applications, select i5/OS TCP/IP Telnet Server.
  9. Click Update Application Definition.
  10. In the table that displays, select Yes to require client authentication.
  11. Click Apply. The Update Application Definition page displays with a message to confirm your changes.
  12. Click Done.

Now that you have configured the Telnet server to require certificates for client authentication, you can enable and start SSL for the Telnet server.

Step 4: Enabling and starting SSL on Telnet server

To enable SSL on the Telnet server, follow these steps:

  1. Open System i Navigator.
  2. Expand your system > Network > Servers > TCP/IP.
  3. Right-click Telnet.
  4. Select Properties.
  5. Select the General tab.
  6. Choose one of these options for SSL support:
    • Secure only

      Select this to allow only SSL sessions with the Telnet server.

    • Non-secure only

      Select this to allow only non-SSL sessions with the Telnet server. Attempts to connect to the SSL port will not connect.

    • Both secure and non-secure

      Allows both secure and non-secure sessions with the Telnet server.

To start the Telnet server using System i Navigator, follow these steps:

  1. Expand your system > Network > Servers > TCP/IP.
  2. In the right pane, locate Telnet in the Server Name column.
  3. Confirm that Started appears in the Status column.
  4. If the server is not running, right-click Telnet and select Start.

Step 5: Enabling SSL on the Telnet client

To participate in an SSL session, the Telnet client must be able to recognize and accept the certificate that the Telnet server presents to establish the SSL session. To authenticate the server's certificate, the Telnet client must have a copy of the CA certificate in the IBM i key database. When the Telnet server uses a certificate from a local CA, the Telnet client must obtain a copy of the local CA certificate and install it in the IBM i key database.

To add a local CA certificate from the system so that the Telnet client can participate in SSL sessions with Telnet servers that use a certificate from the Local CA, follow these steps:

  1. Open System i Navigator.
  2. Right-click the name of your system.
  3. Select Properties.
  4. Select the Secure Sockets tab.
  5. Click Download. This downloads the IBM i certificate authority certificate automatically into the certificate key database.
  6. You are prompted for your key database password. Unless you have previously changed the password from the default, enter ca400. A confirmation message displays. Click OK.

The download button automatically updates the IBM Toolbox for Java™ PC key database.

Step 6: Enabling Telnet client to present certificate for authentication

You have configured SSL for the Telnet server, specified that the server should trust certificates that the local CA issues, and specified that it requires certificates for client authentication. Now, users must present a valid and trusted client certificate to the Telnet server for each connection attempt.

Clients need to use the local CA to obtain a certificate for authentication to the Telnet server and import that certificate to the IBM Key Management database before client authentication works.

First, clients must use DCM to obtain a user certificate by following these steps:

  1. Start DCM.
  2. In the left navigation frame, select Create Certificate to display a list of tasks.
  3. From the task list, select User Certificate and click Continue.
  4. Complete the User Certificate form. Only those fields marked "Required" need to be completed. Click Continue.
  5. Depending on the browser you use, you are asked to generate a certificate that is loaded into your browser. Follow the directions provided by the browser.
  6. When the Create User Certificate page browser reloads, click Install Certificate. This installs the certificate in the browser.
  7. Export the certificate to your PC. You must store the certificate in a password-protected file.
    Note: Microsoft Internet Explorer 5 or Netscape 4.5 are required to use the export and import functions.

Next, you must import the certificate into the IBM Key Management database so that the Telnet client can present it to the Telnet server for authentication. Follow these steps:

You must first add the certificate of the CA that issued the client certificate to the PC key database (see Step 5); otherwise, the import operation of the client certificate does not work.

  1. Click Start > Programs > IBM i Access for Windows > IBM i Access for Windows Properties.
  2. Select the Secure Sockets tab.
  3. Click IBM Key Management.
  4. You are prompted for your key database password. Unless you have previously changed the password from the default, enter ca400. A confirmation message displays. Click OK.
  5. From the pull-down menu, select Personal certificates.
  6. Click Import.
  7. In the Import key display, enter the file name and path for the certificate. Click OK.
  8. Enter the password for the protected file. This is the same password that you specified when you created the user certificate in DCM. Click OK. When the certificate is successfully added to your personal certificates in IBM Key Management, you can use the PC5250 emulator or any other Telnet application.

With these steps complete, the Telnet server can establish an SSL session with the Telnet client and the server can authenticate the user to resources based on the certificate that the client presents.
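The following added example (not part of the IBM documentation and not IBM i code) shows at the handshake level what the Step 3 setting "require client authentication" and the Step 5 and Step 6 client-side certificate steps amount to: a TLS listener that trusts only the local CA and requires a client certificate rejects a client that presents none and accepts one that presents a certificate issued by that CA. It assumes the openssl command-line tool is installed; a single constructed self-signed certificate stands in for the local CA certificate and for the server and user certificates it issued, and the in-process listener stands in for the Telnet-SSL port.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(tmpdir):
    # Constructed test material: one self-signed certificate stands in for the
    # local CA certificate and for the server and client certificates it issued.
    crt, key = os.path.join(tmpdir, "ca.pem"), os.path.join(tmpdir, "ca.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def handshake(crt, key, require_client_cert, present_client_cert):
    """One TLS connection to an in-process listener; True if it completes."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(crt, key)       # server certificate (Step 2, form 5)
    srv.load_verify_locations(crt)      # server trusts the local CA (form 8)
    # Step 3, answering "Yes" to require client authentication, is CERT_REQUIRED
    srv.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0)); lsock.listen(1); lsock.settimeout(5)

    def server():
        try:
            conn, _ = lsock.accept()
            with srv.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"ok")      # reached only after a valid handshake
        except (ssl.SSLError, OSError):
            pass                        # rejected: no or untrusted client cert

    t = threading.Thread(target=server); t.start()
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(crt)      # Step 5: local CA in the client key db
    if present_client_cert:
        cli.load_cert_chain(crt, key)   # Step 6: user certificate imported
    try:
        raw = socket.create_connection(lsock.getsockname(), timeout=5)
        with cli.wrap_socket(raw, server_hostname="localhost") as tls:
            ok = tls.recv(2) == b"ok"   # TLS 1.3 surfaces the rejection here
    except (ssl.SSLError, OSError):
        ok = False
    t.join(); lsock.close()
    return ok

def demo():
    """(no client auth, required but not presented, required and presented)."""
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(d)
        return (handshake(crt, key, False, False),
                handshake(crt, key, True, False),
                handshake(crt, key, True, True))
```

Calling `demo()` returns `(True, False, True)`: the middle case is the connection attempt by a client that has not completed Step 6 and is turned away by a server configured as in Step 3.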