IBM Support

Configuring an IBM i Access for Windows SSL to Use Client Authentication

Troubleshooting


Problem

This document describes how to configure an IBM i Access for Windows SSL connection that uses the optional Client Authentication.

Resolving The Problem

NOTICE: Access for Windows is no longer supported. The steps for configuring client certificates with Access Client Solutions are in the technote Using Client Certificates with Access Client Solutions.
To establish a secure 5250 session over SSL using IBM i Access for Windows, the Telnet server and the IBM i Access Host Servers must be configured to use Secure Sockets. For information on configuring Secure Sockets and which licensed program products (LPPs) must be installed, refer to the IBM i Knowledge Center at the following Web site:

Client Authentication is optional; it is not required to establish an SSL connection with encrypted data. A regular SSL connection uses one-way authentication (the client verifies the server's certificate) and encrypts data in transit. Client Authentication adds two-way authentication during the SSL handshake: the server also verifies a certificate presented by the client. If you only need to encrypt data crossing the network, one-way authentication is all you need.

If you want to add Client Authentication to your SSL connections, you must first create a user certificate. Refer to IBM i Technote document N1019315, Creating User Certificate.

This document covers exporting the user certificate, importing the user certificate to the IBM Key Management DB, and configuring PC5250 to use client authentication.

Exporting User Certificate

The Web browser you use determines how you export the user certificate. If you are using Microsoft Internet Explorer 6.0 or higher, click Tools > Internet Options and go to the Content tab.

Click Certificates, and click OK.

This is the Internet Explorer Internet Options window.

Highlight the certificate you want to export, and click on Export.

This window shows the Internet Explorer Certificates.

Click Next.

This is the Welcome to the Internet Explorer Certificate Export Wizard window.

Ensure Yes, export the private key is selected, and click Next.

Internet Explorer Certificate Export Wizard has "Yes, export the private key" selected.


Ensure Personal Information Exchange is selected, and click Next.

The Internet Explorer Certificate Export Wizard has "Personal Information Exchange" selected.

Type a password, confirm the password, and click Next.

This is the Internet Explorer Certificate Export Wizard window to assign a password to the certificate.

Browse to the location where you want to export the certificate and type the file name to save it under. Ensure Save as type is Personal Information Exchange (*.pfx), and click Next.

In the Internet Explorer Certificate Export Wizard, select where to export the certificate file to.

Click Next.

Specify the certificate file name in the Internet Explorer Certificate Export Wizard.

Click Finish.

This is the Completing the Certificate Export Wizard window.

Click OK.

This is the Internet Explorer Certificate Export Wizard completion message.
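Before importing the exported file into IBM Key Management, it is worth confirming that it actually contains what Client Authentication needs. The following PowerShell check is an added example, not part of this technote; the .pfx path is a placeholder, and the password is the one you chose in the Export Wizard.

```powershell
# Added example (not from the IBM technote): sanity-check an exported user
# certificate (.pfx) before importing it into the IBM Key Management database.
function Test-ClientAuthPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $Password

    # Collect Extended Key Usage values, if the certificate carries that extension.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $cert.Subject
        # The issuing CA must also be present as a Signer Certificate in cwbssldf.kdb.
        Issuer        = $cert.Issuer
        # Without the private key the import succeeds, but the client cannot
        # sign the handshake, so Client Authentication will fail.
        HasPrivateKey = $cert.HasPrivateKey
        # No EKU extension is acceptable; an EKU that omits clientAuth is not.
        ClientAuthEku = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)
        ValidNow      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        Thumbprint    = $cert.Thumbprint
    }
}

# Usage with a placeholder path; prompts for the password used in the Export Wizard.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password used when exporting the .pfx'
$report = Test-ClientAuthPfx -PfxPath 'C:\export\usercert.pfx' -Password $pfxPassword
$report | Format-List
if (-not ($report.HasPrivateKey -and $report.ClientAuthEku -and $report.ValidNow)) {
    Write-Warning 'Re-export the certificate (with its private key) before importing it into IBM Key Management.'
}
```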


Importing the User Certificate

Before you can import the certificate, make sure you have downloaded the parent Certificate Authority. Refer to IBM i Technote document N1019336, Configuring Access for Windows to Use Secure Sockets.

To open IBM Key Management, click Start > Programs > IBM i Access for Windows > IBM Key Management.

This is the IBM Key Management window.

Click File > Open, and open the cwbssldf.kdb file. The PC operating system determines the location of the cwbssldf.kdb file. On Microsoft Windows 2000 and XP it is located in the C:\Documents and Settings\All Users\Documents\IBM Client Access folder.

The default password is ca400 (unless it was changed). Click OK.

For IBM Key Management, type the password for the key database.

Click on the down arrow, and click on Personal Certificates.


For the IBM Key Management, select Personal Certificates.

Click on Import.

For IBM Key Management, select Import.

The Web browser type determines the file extension to use. If you used Netscape, use an extension of *.p12; if you used Internet Explorer, change the extension to *.pfx. Click Browse, and browse to where you exported the certificate.

This is the IBM Key Management Import Key window to find the exported certificate.

Click OK.

IBM Key Management Import Key window has the file name specified.

Type in the same password you used when you exported the certificate, and click OK.

This is the IBM Key Management Import Key Password window.

The certificate should now be installed. If you have more than one certificate installed, change which certificate is the default by clicking the certificate and then clicking View > Edit.


The IBM Key Management window shows the imported Personal Certificate.

Check Set the certificate as the default, and click OK.


The IBM Key Management window has "Set the certificate as the default" selected.


Configuring PC5250

Before you can use client authentication, ensure the Telnet server is configured for client authentication. Refer to IBM i Technote document N1010449, Configuring the SSL Telnet and Host Servers for Server Authentication for the First Time. If Client authentication required is set to No, change it to Yes, and click Apply. Recycle the Telnet server for the change to take effect.

If you have already configured a PC5250 session to use non-SSL, click Communication > Configure. If you do not have a PC5250 session configured, create one using Start > Configure or use the Create desktop icon wizard.

Click on Properties.

This is the Properties window for IBM iSeries Access for Windows PC5250 Emulator.

Select Use Secured Sockets Layer (SSL). Under Client certificate to use, if you have multiple user certificates and want the user to select which certificate to use, select Select certificate when connecting; otherwise, select Use Default and click OK.

This is the iSeries Access for Windows PC5250 Connection Properties window.

The port should have changed from 23 to 992. Ensure the rest of the PC5250 configuration options are set correctly, and click OK.

The iSeries Access for Windows PC5250 Properties window shows port 992.

If you are changing an existing PC5250 session, the following message is issued; if you are creating a new PC5250 session, it is not. Click OK.

The iSeries Access for Windows PC5250 window has message PCSCC041.

If you selected Select certificate when connecting, the following screen is displayed; otherwise, PC5250 starts. Click the down arrow for Select Personal Certificate Label Name, select the certificate you want to use, and click OK.

In this window, select the Personal Certificate.

Notice that the padlock is locked, indicating that PC5250 is using Secure Sockets to connect.

The iSeries Access for Windows PC5250 session has a secure connection as shown by the padlock in the lower left corner.

For problems connecting iSeries Navigator or PC5250 using Secure Sockets, refer to the IBM i Access User's Guide with the message ID and return code.


Historical Number

29490916

Document Information

Modified date:
09 October 2023

UID

nas8N1019316