Kisco Systems

Kisco U


Home : Kisco U : TELNET on IBM i

All of the system values shown in this blog post can be accessed at the same time using the following command (Work With System Values):


The display looks like this:

Or edit system values in Nav:

The easiest way to control access through network services is just to shut off the server function if you don't need it. But, you probably need TELNET, especially if you're running terminal sessions.

To establish control over how TELNET sessions are issued you can:

  • Turn off automatic configuration of virtual devices (QPADEVnnnn sessions)
    • Set system value QAUTOVRT to zero
    • You might want to check for active sessions before doing this

  • Deactivate automatic device configuration. Otherwise a user can configure a new device name just by using it in a new configuration.
    • Set system value QAUTOCFG to zero

  • Manually remove existing QPADEVnnnn sessions
    • CFGVRT menu option #3; or

  • Check on system value QAUTORMT, which is used to automatically create remote controller devices

For even more control use the TELNET exit point in the OS.

Our exit point firewall, SafeNet/i can be used to lock down TELNET.


The default TELNET configuration transmits data as open text when used for remote system access. You should encrypt that data stream. You an do this with SSL.

Server Configuration:
You must have the following options installed in the OS

  • OPTION 34 Digital Certificate Manager (DCM)
  • HTTP Server Functions

This process will require you to set up a self-issued digital certificate on your system and then assign it to several applications, including TELNET.

After configuration DCM, update TELNET attributes (command CHGTELNA)

Set Allow Secure Socket Layer (ALWSSL) parameter to *YES. This will allow both SSL and non-SSL Telnet connections. Once you are satisfied with the way the SSL connection is working, you can consider changing this setting to *ONLY which will then refuse non-SSL connection attempts.

You can configure TELNET settings in Nav:

Client Configuration:
Update Client Access configuration on the desktop. This process imports the certificate you created and reconfigures the terminal session to use SSL.

Using ACS, create a terminal session. When the session has been created, select the Configuration option under the Communications drop down menu to update the protocols. Note that when the Protocol is changed to "Telnet - TLS/SSL", the "Destination Port" will be changed to 992. Click on OK and the session configuration change will be set correctly. Make sure that you now save it.

Learn more about encryption here.