Installation manual

the CA certificate and not the site certificate. If the port is not responding, refer to Configuring iSeries servers for secure connection. Repeat Step 3 for each Telnet server.
4. To view the contents of the keyring, type the following (this command may span two lines on the page but must be entered as one line):
java -classpath .:/QIBM/ProdData/hostondemand/lib/sm.zip com.ibm.hodsslight.tools.keyrng CustomizedCAs verify
5. Press F3 to exit qsh.
If you have multiple iSeries machines and want a single certificate that all of them can use, consider cross certification. Refer to iSeries Wired Security: Protecting Data over the Network, OS/400 Version 5 Release 1 DCM and Cryptographic Enhancements (SG24-6168) for additional information about cross certification.
Client authentication
For additional security, consider SSL with client authentication to tightly control who can Telnet to your system over the Internet. For example, you can configure the Telnet server to allow authentication only if the client certificate was issued by your iSeries (through Digital Certificate Manager).

Client certificates have a limited validity period (for example, 90 days). When the certificate expires, the user must repeat the Client Certificate Download process in order to continue. That process requires a valid iSeries user ID and password.

Not all Telnet client software is capable of client authentication. When client authentication is enabled, every SSL-enabled Telnet connection to the iSeries requires a user certificate, so a client that cannot present one cannot connect.
OS/400 level                                  Detailed instructions
Version 5 Release 1                           Secure Telnet on the iSeries Web site
Version 4 Release 4 and Version 4 Release 5   Telnet Server: SSL Client Authentication on the TCP/IP for OS/400 Web site
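The policy described above (accept a client certificate only if your own CA issued it, and only while it is within its validity period) can be modelled end to end with OpenSSL. The script below is an added example, not code from the Host On-Demand manual or from IBM: a throw-away private CA stands in for the CA that Digital Certificate Manager runs on the iSeries, the 90-day validity and the user names alice and mallory are assumptions for the demo, and the "server" is just openssl verify evaluated at a chosen point in time (-attime) so that expiry can be shown without waiting 91 days.

```shell
#!/bin/sh
# Added example (not from the manual): model the Telnet server's client-
# authentication policy with OpenSSL. "mine" stands in for the DCM CA on the
# iSeries; "other" is a CA the server must not trust. Names/periods are assumed.
set -e

WORK=$(mktemp -d)
NOW=$(date +%s)
DAY=86400

# Create a self-signed CA in directory $1 with common name $2.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Have the CA in $1 issue a client certificate for user $2, valid for $3 days
# (the manual's "limited validity period", e.g. 90 days).
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days "$3" -out "$1/$2.pem" 2>/dev/null
}

# The server's rule: accept client certificate $2 only if it chains to the
# trusted CA $1 and is inside its validity period at epoch time $3.
# Exit status 0 = accept, non-zero = reject (openssl verify's own status).
telnet_server_accepts() {
  openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
}

# Print the decision for a labelled case without aborting the script.
show() {
  if telnet_server_accepts "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

make_ca "$WORK/mine"  "MyiSeriesCA"    # the CA my DCM runs
make_ca "$WORK/other" "SomeOtherCA"    # a CA the Telnet server does not trust
issue_client_cert "$WORK/mine"  alice   90
issue_client_cert "$WORK/other" mallory 90

show "alice, one hour after download"     "$WORK/mine/ca.pem" "$WORK/mine/alice.pem"    $((NOW + 3600))
show "alice, 91 days later (expired)"     "$WORK/mine/ca.pem" "$WORK/mine/alice.pem"    $((NOW + 91 * DAY))
show "mallory, cert from an untrusted CA" "$WORK/mine/ca.pem" "$WORK/other/mallory.pem" $((NOW + 3600))
```

The first case is accepted; the second is rejected because the certificate has expired (this is the point at which the manual says the user must repeat the Client Certificate Download); the third is rejected because the chain does not end at the trusted CA, even though the certificate itself is perfectly valid. Note that only the CA certificate goes into the server's trust store: the verify step never sees the "other" CA, which is exactly why mallory's certificate fails.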
Configuring the Host On-Demand OS/400 proxy for secure connections
The OS/400 proxy can be configured to encrypt file transfer and Database On-Demand connections. To do this, the following additional software must be installed on each target iSeries:
• IBM Cryptographic Access Provider
• IBM Client Encryption
• Host Servers
• Digital Certificate Manager
1. Control which users are authorized to the SSL files. To help you meet the SSL legal responsibilities, you must change the authority of the directory that contains the SSL files so that only authorized users can access them. To change the authority, do the following:
a. Enter the command wrklnk '/QIBM/ProdData/HTTP/Public/jt400/*'
b. Select option 9 (Work with authority) next to the directory (SSL40, SSL56, or SSL128).
1) Ensure that *PUBLIC has *EXCLUDE authority.
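The same check can be scripted from qsh instead of walking the WRKLNK panels. On the IFS, the ls and chmod utilities act on an object's data authorities, and the "other" permission bits correspond to *PUBLIC, so *PUBLIC *EXCLUDE shows up as "---" in the last three characters of the mode string. The script below is an added example, not part of the manual: it audits every SSL* directory under a base path for remaining *PUBLIC access and removes it. The base path is assumed to be the manual's jt400 directory when passed as the first argument; run with no argument it builds a throw-away directory tree of the same shape so it can be tried safely on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the manual): audit and lock down the client-encryption
# directories (SSL40, SSL56, SSL128) so that *PUBLIC has no access. On the
# iSeries the "other" bits map to *PUBLIC data authority; the native CL
# equivalents are CHGAUT and DSPAUT. Paths used without an argument are a
# temporary demo tree, not the real jt400 directory.
set -e

# Print the "other" (rwx) field of $1's mode string, e.g. "r-x" or "---".
public_bits() {
  ls -ld "$1" | cut -c8-10
}

# List the SSL* directories under $1 to which *PUBLIC still has any access.
# Exit status 0 if none were found (the state the manual requires), 1 otherwise.
audit_ssl_dirs() {
  found=0
  for d in "$1"/SSL*; do
    [ -d "$d" ] || continue
    if [ "$(public_bits "$d")" != "---" ]; then
      echo "*PUBLIC still has access: $d ($(public_bits "$d"))"
      found=1
    fi
  done
  return $found
}

# Remove all *PUBLIC access from the SSL* directories under $1 and everything
# inside them (CL equivalent per directory:
#   CHGAUT OBJ('<dir>') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)).
lock_down_ssl_dirs() {
  for d in "$1"/SSL*; do
    [ -d "$d" ] || continue
    chmod -R o-rwx "$d"
  done
}

if [ $# -eq 0 ]; then
  # Demo tree mimicking the manual's layout, deliberately left world-readable.
  BASE=$(mktemp -d)
  mkdir -p "$BASE/SSL40" "$BASE/SSL56" "$BASE/SSL128"
  chmod 755 "$BASE/SSL40" "$BASE/SSL56" "$BASE/SSL128"
else
  BASE=$1   # e.g. /QIBM/ProdData/HTTP/Public/jt400 when run from qsh on the iSeries
fi

audit_ssl_dirs "$BASE" || lock_down_ssl_dirs "$BASE"
audit_ssl_dirs "$BASE" && echo "*PUBLIC is excluded from all SSL directories under $BASE"
```

Excluding *PUBLIC is only half of the requirement: once public access is gone, the user profiles that legitimately need the files must be granted authority explicitly (for example with CHGAUT for a named user), otherwise the proxy's secure file transfer stops working for everyone. Use DSPAUT OBJ('<dir>') afterwards to confirm the final authority list.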
72 Getting Started: Host On-Demand Version 6.0: Getting Started