Scenario: Securing all connections to your Management Central server with SSL


This scenario explains how to use SSL to secure all connections to a System i™ model that acts as the central system for the iSeries™ Navigator Management Central server.


Situation:

A company has just set up a wide area network (WAN) that includes several System i models in remote locations (endpoints). The endpoints are centrally managed by one system (the central system), located at the main office. Tom is the company's security specialist. Tom wants to use Secure Sockets Layer (SSL) to secure all of the connections between the Management Central server on the company's central system and all iSeries Access servers and clients.


Details:

Tom can manage all connections to the Management Central server securely, with SSL. To use SSL with the Management Central server, Tom needs to secure iSeries Navigator on the PC that he uses to access the central system.

Tom chooses from two authentication levels for the Management Central server:

Server authentication

Provides authentication of the server certificate. The client must validate the server, whether the client is iSeries Navigator on a PC, or the Management Central server on the central system. When iSeries Navigator connects to the central system, the PC is the SSL Client and the Management Central server running on the central system is the SSL Server. The central system acts as an SSL client when connecting to an endpoint system. The endpoint system acts as an SSL server. The server must prove its identity to the client by providing a certificate that was issued by a Certificate Authority that the client trusts. There must be a valid certificate issued by a trusted CA for every SSL server.

Client and server authentication

Provides authentication of both the central system and the endpoint system certificates. This is a stronger security level than the server authentication level. In other applications, this is known as client authentication, where the client must supply a valid trusted certificate. When the central system (SSL client) attempts to establish a connection with an endpoint system (SSL server), the central system and the endpoint system authenticate each other's certificates for certificate authority authenticity.

Client and server authentication only happens between two System i models. Client authentication is not performed by the server when the client is a PC.

Unlike other applications, Management Central also provides authentication through a validation list, called the Trusted Group validation list. Generally, a validation list stores information that identifies the user, such as a user identification, together with authentication information, such as a password, a personal identification number, or a digital certificate. This authentication information is encrypted.

Most applications typically do not specify that you enable both server and client authentication, because server authentication almost always occurs during SSL session enablement. Many applications have client authentication configuration options. Management Central uses the term "server and client authentication" instead of client authentication because of the dual role that the central system plays in the network. When PC users connect to the central system, the central system acts as a server. However, when the central system is connecting to an endpoint system, it acts as a client. The following illustration shows how the central system operates as both a server and client in a network.

In this illustration, the certificate associated with the Certificate Authority must be stored in the key database on the central system and on all of the endpoint systems. The Certificate Authority certificate must therefore be present on the central system, on all the endpoints, and on the PC.
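As an added example (not IBM's code and not part of this scenario), the following Python sketch maps the three roles just described onto TLS contexts using the standard ssl module, so that the two authentication levels can be compared side by side. The certificate and key file paths are hypothetical placeholders; the example shows only which party must present a certificate at each level, not how DCM stores them in the *SYSTEM key database.

```python
import ssl

# Authentication levels offered by the Management Central server.
SERVER_AUTH = "server"
CLIENT_AND_SERVER_AUTH = "client_and_server"

def build_contexts(level, ca_file=None, cert_file=None, key_file=None):
    """Return one TLS context per role a System i model plays (hypothetical
    paths ca_file/cert_file/key_file are loaded into every context if given)."""
    if level not in (SERVER_AUTH, CLIENT_AND_SERVER_AUTH):
        raise ValueError(f"unknown authentication level: {level!r}")

    # Central system as SSL client connecting to an endpoint: server
    # authentication always applies, so the endpoint's certificate must
    # chain to a trusted CA (CERT_REQUIRED is the default; made explicit).
    to_endpoint = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    to_endpoint.verify_mode = ssl.CERT_REQUIRED

    # Any System i model as SSL server toward another System i model: only
    # client-and-server authentication makes it demand the peer's certificate.
    from_system_i = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    from_system_i.verify_mode = (
        ssl.CERT_REQUIRED if level == CLIENT_AND_SERVER_AUTH else ssl.CERT_NONE
    )

    # Central system as SSL server toward iSeries Navigator PCs: client
    # authentication is never performed for PC clients, whatever the level.
    from_pc = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    from_pc.verify_mode = ssl.CERT_NONE

    contexts = {"central_to_endpoint": to_endpoint,
                "server_for_system_i": from_system_i,
                "server_for_pc": from_pc}
    # The CA certificate (and this system's own certificate) go into every
    # context, mirroring the requirement that the CA be on each party.
    for ctx in contexts.values():
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
        if cert_file:
            ctx.load_cert_chain(cert_file, key_file)
    return contexts

def verify_modes(level):
    """Summarise each role's verify mode by name, e.g. 'CERT_REQUIRED'."""
    return {role: ctx.verify_mode.name
            for role, ctx in build_contexts(level).items()}
```

Note that switching levels changes only the server-side context used between two System i models; the PC-facing context is unaffected, which is why the PC never needs its own certificate.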


Prerequisites and assumptions:

Tom must perform the following administration and configuration tasks in order to secure all of the connections to the Management Central server:

  1. System A meets the prerequisites for SSL.

  2. The central system and all endpoint systems run V5R2 or later versions of OS/400® or i5/OS®. V5R4 i5/OS connections to V5R1 OS/400 systems are not allowed.

  3. The iSeries Navigator PC client runs V5R2 or later of iSeries Access for Windows®.

  4. Get a Certificate Authority (CA) for System i models.

  5. Create a certificate that is signed by the CA, for System A.

  6. Send the CA and a certificate to System A, and import them into the key database.

  7. Assign the certificate to the Management Central application identification and to the application identifications for all of the iSeries Access servers. The TCP central server, database server, data queue server, file server, network print server, remote command server and signon server are all iSeries Access servers.

    1. Start IBM® Digital Certificate Manager on the Management Central server. If Tom needs to obtain or create certificates, or otherwise set up or change his certificate system, he does so now.

    2. Click Select a Certificate Store.

    3. Select *SYSTEM and click Continue.

    4. Enter the *SYSTEM Certificate Store password, and click Continue. When the menu reloads, expand Manage Applications.

    5. Click Update certificate assignment.

    6. Select Server and click Continue.

    7. Select the Management Central server, and click Update certificate assignment. This assigns a certificate to the Management Central server to use.

    8. Choose the certificate you want to assign to the application, and click Assign New Certificate. DCM reloads to the Update certificate assignment page with a confirmation message.

    9. Click Cancel to return to the list of applications.

    10. Repeat this procedure for all iSeries Access servers.

  8. Download the CA to the iSeries Navigator PC client.


Configuration steps:

Before Tom can enable SSL on the Management Central server, he must install the prerequisite programs and set up digital certificates on the central system. See the Prerequisites and assumptions for this scenario before continuing. Once he has met the prerequisites, he can complete the following procedures to secure all connections to the Management Central server:

If SSL has been enabled for iSeries Navigator, Tom must disable it before he can enable SSL on the Management Central server. If SSL has been enabled for iSeries Navigator and not the Management Central server, attempts by iSeries Navigator to connect with the central system will fail.

  1. Step 1: Configure the central system for server authentication

  2. Step 2: Configure endpoint systems for server authentication

  3. Step 3: Restart the Management Central server on the central system

  4. Step 4: Restart the Management Central server on all endpoint systems

  5. Step 5: Activate SSL for the iSeries Navigator client

  6. Step 6: Configure the central system for client authentication

  7. Step 7: Configure endpoint systems for client authentication

  8. Step 8: Copy the validation list to the endpoint systems

  9. Step 9: Restart the Management Central server on the central system

  10. Step 10: Restart the Management Central server on all endpoint systems

