Discussion:
Telnet-SSL Questions
Cov
2006-06-24 03:21:19 UTC
G'day,

I have successfully configured a 'telnet-ssl' session by using DCM to
create a *SYSTEM Certificate Store, associate the Certificate with
Telnet, restart the Telnet Server, copy the Certificate to a PC &
import it into the PC's PCOMM Key database using the "IBM Key
Management" utility under Client Access. I have then changed the PCOMM
5250 Emulator to use Port 992 & "enabled Security". In summary, all is
good: I can establish a 992 telnet-ssl session between a PC (actually,
the PC Console PC!) & the iSeries (820) Server.

My next step is to attempt the same connection from another PC to the
same iSeries Server. I have taken the same Key, copied it to another
PC, imported it into the PCOMM Key Database, updated the PCOMM 5250
session (as above), but my 5250 session just hangs saying (at the foot
of the emulator): "Secure Socket is connect to remote server/host
xxx.xxx.xxx.xxx using port 992..." with a blank screen.

If I display the joblog of a QTVTELNET job on the Host, I get the
following messages:
"A remote host did not respond within the timeout period."
"SSL Handshake exceeded timeout limit for client 10.19.99.166 port
1068"

What am I doing wrong? Have I missed something? Am I looking at it too
simply? With 27 iSeries machines to support, I'd ideally like to use
just the one CA for all PC & Servers. Creating multiple CAs & importing
them onto every PC would be a nightmare!

Any assistance would be greatly appreciated.
Thanks, Tony Covelle.
Bradley V. Stone
2006-06-27 03:47:48 UTC
You should only need the one CA. But it sounds like this would be quite
a job to set up and update when the CA expires.

Try contacting support for the client software. That sounds like the
issue. The client doesn't need a certificate, it needs a Certificate
Authority (CA). Unless it's doing client authentication over SSL (which
I doubt and is overkill).

Since it's self-signed, you need to export the CA to your clients.
Should be fairly straightforward.

And maybe a VPN would be easier to set up and maintain?

Brad
www.bvstools.com
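Brad's point is that the second PC only needs the CA certificate exported from DCM in its trust store, and that a handshake which never completes shows up on the host as the QTVTELNET timeout. The following is an added diagnostic, not IBM, PCOMM or bvstools code: it tries a TLS handshake against a port 992 listener using only a CA file (assumed path `ca.pem`, a hypothetical name) and reports which of the failure modes discussed in the thread it hit.

```python
"""Probe a telnet-ssl (port 992) listener with the CA the client is expected
to trust, and classify the outcome. Added example; host/port/CA path are
assumptions, not values from the thread."""
import socket
import ssl

# Result categories returned by probe_telnet_ssl()
OK = "ok"                      # handshake completed, server chain trusted via the CA
UNTRUSTED = "untrusted"        # server cert not signed by the CA we loaded
HANDSHAKE_TIMEOUT = "timeout"  # no TLS progress in time (the QTVTELNET joblog symptom)
REFUSED = "refused"            # TCP-level failure: refused, unreachable, reset
OTHER = "other"                # any other TLS or protocol error


def classify_tls_error(exc: BaseException) -> str:
    """Map an exception raised during connect/handshake to a category.
    Order matters: SSLCertVerificationError and socket.timeout are both
    OSError subclasses, so the specific checks come first."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return UNTRUSTED
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return HANDSHAKE_TIMEOUT
    if isinstance(exc, ssl.SSLError):
        return OTHER
    if isinstance(exc, OSError):
        return REFUSED
    return OTHER


def build_context(ca_file: str) -> ssl.SSLContext:
    """Trust only the exported CA; the server's own certificate is not
    loaded on the client, exactly as Brad's reply describes."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # Host certificates in this setup are often issued to an IP or alias;
    # keep full chain validation but do not require the name to match.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_telnet_ssl(host: str, port: int = 992, ca_file: str = "ca.pem",
                     timeout: float = 10.0) -> str:
    """Connect, run the handshake, and return one of the categories above."""
    ctx = build_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return OK  # reaching here means the handshake finished
    except Exception as exc:  # noqa: BLE001 - we classify every failure
        return classify_tls_error(exc)
```

Run it from the PC that hangs: `untrusted` means the wrong file (server cert rather than CA, or a different CA) was imported; `timeout` points at something between the client and the host, not at the key database.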
Cov
2006-06-27 11:51:41 UTC
Brad, thanks for your comments. The "Client software" is IBM Personal
Communications (PCOMM), which I've successfully set up between one PC &
my iSeries using 'telnet-ssl'. My main problem now is getting the
Certificate or CA to another PC & establishing a second connection. I
have pasted the Cert onto the 2nd PC & followed the same steps as I did
for the 1st PC & imported the Keys into CA/400's "IBM Key management",
but the connection just sits there & issues the listed messages. I
thought the process of 'propagating' the Certificates would be quite
simple, but it appears not. As you said, it shouldn't be too hard, as
creating the Certificate & CA on the iSeries using DCM was probably the
hardest part! Any further suggestions?

VPN could be tricky as eventually when I can get a dozen Client PC's
communicating to my iSeries using one Cert, then I have to retest it
all again thru a Firewall. I am on my employer's network, while the
iSeries is on a Customer's network. Currently, we are using NATs, which
Security have deemed as a breach & have to be removed & replaced by
telnet-ssl.

I set the expiry to 7300 (days?), so hopefully I'll be retrenched or
retired by then! ;-)

Thanks, TC.