IBM Support

IBM i OS Telnet Client SSL Enablement

Troubleshooting


Problem

The ability for the IBM i Telnet client to make an SSL connection to remote Telnet servers was added to OS400 v540 and v610 by using PTFs during the 2008/2009 timeframe. This ability was included with the base version of OS400 v710.

Resolving The Problem

The APARs that document this new function are as follows:

o IBM i5/OS V5R4 = SE34089
o IBM i OS r6.1 = SE34479

It is expected that most IBM i customers will have the base enablement PTFs applied. However, because SSL Telnet is a client/server environment that requires a successful handshake between two systems, customers are recommended to verify that the latest superseding PTF for the applicable APAR above is applied to the IBM i system.

Restrictions for using the secure connection (SSL/TLS) option are as follows: 

1. Must have the Digital Certificate Manager (Option 34) installed.
2. Must have certificates set up for the client Telnet application. On IBM i5/OS V5R4M0 and IBM i OS r6.1, the required PTF adds that application as QIBM_QTV_TELNET_CLIENT; the application is registered when the PTF is installed. On IBM i OS r7.1, the application is there by default as IBM i TCP/IP Telnet Client. Either a trust list or the remote server certificates need to be assigned to this application. The trust list should have the certificate authorities of the desired remote servers added.
3. On IBM i5/OS V5R4 or IBM i OS r6.1, the current job performing the TELNET command must have environment variable QIBM_TELNET_CLIENT_SSL set to 'Y'. This may be added as a job level environment variable, or inherited as a system environment variable.
   On IBM i OS r7.1 and later, there is a Secure connection (SSL) parameter of the TELNET command that can be set to *YES to tell the connection to use SSL. This parameter defaults to *ENVVAR, which means the above environment variable is checked to control the connection type.
4. The remote port specified by the PORT keyword on the TELNET command must support implicit mode SSL/TLS for Telnet. This means that the remote server must be expecting an SSL/TLS handshake immediately after connection. SSL/TLS will not be negotiated over an already established plain-text connection.
5. The *DFT value for the PORT keyword of the TELNET command will be interpreted as 992 if using SSL/TLS and 23 if using normal mode.
6. A value of 23 for the PORT keyword will be interpreted as 992, if using SSL/TLS.

If you want all Telnet client users on your system to use SSL, you can set QIBM_TELNET_CLIENT_SSL as a system level environment variable. System environment variables are inherited by all jobs and can be overridden by job level environment variables.
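
One way to check restrictions 2 and 4 to 6 from a workstation before configuring the IBM i client, as an added example that is not IBM code: it resolves the port the way the TELNET command does, then tests whether the remote port accepts an immediate TLS handshake and whether its certificate chains to the CAs intended for the trust list. The function names, result labels and the `cafile` parameter are assumptions of this sketch, and the plain-text detection assumes the remote Telnet server sends its IAC negotiation first.

```python
import socket
import ssl

IAC = 0xFF  # Telnet "Interpret As Command"; plaintext servers usually send it first


def effective_port(port, use_ssl):
    """Port the TELNET command ends up using, per restrictions 5 and 6."""
    if port in ("*DFT", 23):
        return 992 if use_ssl else 23
    return int(port)


def probe_implicit_tls(host, port, cafile=None, timeout=5.0, peek_wait=1.0):
    """Classify host:port as implicit-tls, untrusted-cert, plaintext-telnet or not-tls."""
    # cafile (assumption) holds the CA certificates you plan to put in the trust list;
    # None falls back to the workstation's default CA store.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # An implicit-mode server stays silent until it receives the ClientHello.
        sock.settimeout(peek_wait)
        try:
            first = sock.recv(1, socket.MSG_PEEK)
        except socket.timeout:
            first = b""
        if first:
            kind = "plaintext-telnet" if first[0] == IAC else "not-tls"
            return {"result": kind, "detail": "server spoke before the TLS handshake"}
        sock.settimeout(timeout)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"result": "implicit-tls", "detail": tls.version()}
        except ssl.SSLCertVerificationError as exc:
            # Handshake reached certificate checks: TLS is there, the CA is not trusted.
            return {"result": "untrusted-cert", "detail": exc.verify_message}
        except (ssl.SSLError, OSError) as exc:
            return {"result": "not-tls", "detail": str(exc)}


# Usage (host name is a placeholder):
#   probe_implicit_tls("remote.example.com", effective_port("*DFT", True), cafile="ca.pem")
```

A result of `untrusted-cert` means the port does speak implicit TLS but the issuing CA is missing from the file passed as `cafile`, which corresponds to a CA missing from the trust list assigned to the Telnet client application.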

For more information on the Digital Certificate Manager or environment variables, see the IBM i OS Knowledge Center.

Historical Number

640852445

Document Information

Modified date:
18 December 2019

UID

nas8N1010866