Telnet scenario: Securing Telnet with SSL

This configuration example describes how to use Secure Sockets Layer (SSL) to secure Telnet on your system.

Situation

Bob is in the process of creating a home-based brokerage business. He is retiring from his position as a stockbroker at a major trading firm and wants to continue to offer brokerage services to a small number of clients from his home. He runs his business on a small system, which he would like to use to give his clients access to their accounts through 5250 Telnet sessions. Bob is currently working on a way to give his clients continuous access to their accounts so that they can manage their shareholdings. He wants his clients to use 5250 Telnet sessions to access their accounts, but he is concerned about the security of his server as well as the security of his clients' sessions. After researching the Telnet security options, Bob decides to use Secure Sockets Layer (SSL) to ensure the privacy of data over 5250 Telnet sessions between his server and his clients.

Objectives

In this scenario, Bob wants to secure his brokerage clients' 5250 Telnet sessions to their shareholder accounts on his system. Bob wants to enable SSL to protect the privacy of client data as it passes through the Internet. He also wants to enable certificates for client authentication, so that his system verifies that only his clients are accessing their accounts. After Bob has configured the Telnet server for SSL and enabled client and server authentication, he can roll out this new account access option to his clients, assuring them that their 5250 Telnet sessions are secure. Bob's objectives are:

  • Secure the Telnet server with SSL.
  • Enable the Telnet server for client authentication.
  • Obtain a private certificate from a local certificate authority (CA) and assign it to the Telnet server.

Details

In this scenario, the setup for the brokerage business is as follows:

  • The system runs IBM® i V5R4, or later, and provides shareholder account access over 5250 Telnet sessions.
  • The Telnet server application is started on the system.
  • The Telnet server initializes SSL, and checks the certificate information in the QIBM_QTV_TELNET_SERVER application ID.
  • If the Telnet certificate configuration is correct, the Telnet server begins listening on the SSL port for client connections.
  • A client initiates a request for access to the Telnet server.
  • The Telnet server responds by providing its certificate to the client.
  • The client software validates the certificate as an acceptable, trusted source communicating with the server.
  • The Telnet server requests a certificate from the client software.
  • The client software presents a certificate to the Telnet server.
  • The Telnet server validates the certificate, and recognizes the client's right to establish a 5250 session with the server.
  • The Telnet server establishes a 5250 session with the client.
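The certificate checks in the flow above, as an added example that is not part of the IBM scenario: a local CA issues one certificate to the Telnet server and one to a client, and each certificate is then validated against that CA, which is what the client does with the server certificate and what the server does with the client certificate. The example uses the openssl command line rather than IBM i Digital Certificate Manager, checks certificate trust only (it does not run a live Telnet handshake), and the CA name, host name and client names are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM scenario: build the trust relationships the
# scenario describes with openssl, then replay the two validation steps.
# Assumes the openssl CLI is installed; all names below are constructed.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CERT="$WORK/ca.pem"

# make_ca PREFIX NAME: create a self-signed CA key and certificate
# (PREFIX.key and PREFIX.pem), the equivalent of Bob's local CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_cert CA_PREFIX OUT_PREFIX SUBJECT: create a key pair and a signing
# request, then have the CA sign it, producing OUT_PREFIX.key and OUT_PREFIX.pem.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# trusted_by CA_CERT CERT: return 0 when CERT chains to CA_CERT, 1 otherwise.
# This is the check each side performs on the certificate it receives.
trusted_by() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# handshake_outcome CA_CERT SERVER_CERT CLIENT_CERT: replay the scenario's
# order of checks. The client validates the server certificate first; only
# then does the server validate the client certificate. Prints "session"
# when both pass, otherwise names the check that failed.
handshake_outcome() {
    if ! trusted_by "$1" "$2"; then
        echo "client rejected server certificate"
    elif ! trusted_by "$1" "$3"; then
        echo "server rejected client certificate"
    else
        echo "session"
    fi
}

# Bob's local CA, and a second CA that the Telnet server has never trusted.
make_ca "$WORK/ca" "Bob Local CA"
make_ca "$WORK/other-ca" "Some Other CA"

issue_cert "$WORK/ca" "$WORK/server" "telnet.bob.example"  # assigned to the Telnet server
issue_cert "$WORK/ca" "$WORK/client1" "client1"            # handed to a brokerage client
issue_cert "$WORK/other-ca" "$WORK/stranger" "stranger"    # signed by the untrusted CA

# A client holding a certificate from Bob's CA gets a session; a certificate
# from any other CA is refused at the server's validation step.
handshake_outcome "$CA_CERT" "$WORK/server.pem" "$WORK/client1.pem"
handshake_outcome "$CA_CERT" "$WORK/server.pem" "$WORK/stranger.pem"
```

The second run shows why enabling client authentication only protects the server when the Telnet application trusts exactly the CA that issued the client certificates: a certificate that is perfectly valid under some other CA still fails the server's check.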

Prerequisites and assumptions

This scenario makes the following assumptions:

  • The system is running IBM i 5.4 or later.
  • TCP/IP is configured.
  • Bob has *IOSYSCFG authority.
  • Bob addresses the issues in Configuring the Telnet server.
  • Bob addresses the issues in SSL prerequisites.
  • Bob creates a local certificate authority on his system.

Task steps

There are two sets of tasks that Bob must complete to implement this scenario: one set sets up his system to use SSL and to require certificates for user authentication; the other set allows users on Telnet clients to participate in SSL sessions with Bob's Telnet server and to obtain certificates for user authentication.

Bob performs the following task steps to complete this scenario:

Telnet server task steps

To implement this scenario, Bob must perform these tasks on his system:

  1. Remove port restrictions. Refer to Removing port restrictions.
  2. Create and operate a local certificate authority. Refer to Creating and operating local certificate authority.
  3. Configure the Telnet server to require certificates for client authentication. Refer to Configuring Telnet server to require certificates for client authentication.
  4. Enable and start SSL on the Telnet server. Refer to Enabling and starting SSL on Telnet server.

Client configuration task steps

To implement this scenario, each user who accesses the Telnet server on Bob's system must perform these tasks:

  1. Enable SSL on the Telnet client. Refer to Enabling SSL on the Telnet client.
  2. Enable the Telnet client to present a certificate for authentication. Refer to Enabling Telnet client to present certificate for authentication.

These tasks accomplish both SSL and client authentication by certificates, resulting in SSL-secured access to account information for Bob's clients using 5250 Telnet sessions.