Kisco Systems

Kisco U

Use SSL for TELNET to encrypt terminal sessions

Home : Kisco U : Use SSL for TELNET to encrypt terminal sessions

The IBM i uses Telnet to support 5250 terminal sessions. Therefore you can encrypt terminal sessions by implementing SSL for Telnet. This requires configuration of both the server and client.

Server Configuration

Requires option #34 (Digital Certificate Manager or DCM) of the base OS installed along with the HTTP server functions. Make sure you have installed all the latest PTFs for the HTTP server.

Here is the IBM procedure for congfiguring DCM:

And here is our little tutorial about working with DCM.

This process will require you to set up a self-issued digital certificate on your system and then assign it to several applications, including Telnet.

After configuring the certificate, update the Telnet Attributes on your system using the CHGTELNA (Change Telnet Attributes) command. When starting, make sure that the Allow Secure Socket Layer (ALWSSL) parameter is set to *YES. This will allow both SSL and non-SSL Telnet connections. Once you are satisfied with the way the SSL connection is working, you can consider changing this setting to *ONLY which will then refuse non-SSL connection attempts.

Client Configuration:

Here is the IBM documentation for Windows:

This process may require that you install additional Client Access components on your PC. The process will call for you to import the certificate you created into your PC and then reconfigure your terminal session to use SSL. When importing the certificate, there is a standard password to use. That instruction is easily missed, so watch out for it.

If you are using IBM i Access Client Solutions (ACS), the Java based access software, the instructions for the 5250 emulator are easier once the digital certificate has been established using DCM (above). Using ACS, create a terminal session. When the session has been created, select the Configuration option under the Communications drop down menu to update the protocols

Note that when the Protocol is changed to "Telnet - TLS/SSL", the "Destination Port" will be changed to 992. Click on OK and the session configuration change will be set correctly. Make sure that you now save it.