Securing Express Client and PC5250 Communications with SSL

Typography

Smaller Small Medium Big Bigger
Default Helvetica Segoe Georgia Times
Reading Mode

In 1998, IBM enhanced the PC5250 program to support the bypass sign-on option so that PC5250 users could automatically sign on to the AS/400 by using the default password contained in their Client Access for Windows 95/NT routers. In that implementation, the router password flowed to the AS/400 in the clear, meaning that, if you placed a line trace on your communications line, you could match an individual’s AS/400 user ID to its associated password by looking at what was transmitted over the “wire.” If the wire is an internal LAN, the security exposure is not large; however, if you are running over a TCP/IP network, this scenario could endanger your AS/400 security by allowing hackers to easily capture user IDs and passwords as they are transmitted. To combat this problem, IBM has programmed AS/400 Client Access Express for Windows (Express client) to use the Secure Sockets Layer (SSL) protocol to prevent information from being transmitted in the clear.

SSL provides a means of encrypting information so that hackers will not be able to snatch a user ID and password from the TCP/IP line flow. In this article, I’m going to look at SSL and how you implement it in your PC5250 sessions. I’ll define what SSL is, the software products required to run SSL, how you install it on your PC, and how you configure your Express client PCs to take advantage of this valuable feature. Please note, however, that I will only cover the basics of Express client PC5250 SSL here. To help you with some of the finer points of configuring PCs and the Express client for SSL, visit the AS/400 Information Center at publib.boulder.ibm.com/pubs/html/as400/infocenter.htm. Once you enter the Information Center, click on Client Access Express/Administering/Connection Administration/Secure Sockets Layers administration.

Okay, Just What Is SSL?

SSL is a popular security scheme that allows the PC client to do two things:

• Authenticate the identity of the computer you are attaching to
• Provide a method for encrypting all data and requests that pass between the client and the host server

It’s important to remember that an SSL-enabled session involves both authentication and encryption. Express client allows SSL communications with the AS/400 server at three levels of encryption (using 40-bit, 56-bit, and 128-bit encryption key technology). The encryption level you can use will vary depending on where your organization is geographically located. For example, IBM could ship 128-bit encryption to

Canada and the United States, while France, at least in the past, has only allowed a maximum of 40-bit encryption to be imported. The rest of Europe allowed 56-bit encryption.

In addition to the three levels of encryption, there are two types of authentication: server authentication (i.e., Are you really connecting to the server you think you are?) and client authentication (i.e., Is the client attaching to your AS/400 approved to access your server data?). Express client PC5250 supports server authentication. Server authentication is beneficial when you really need to establish the identity of the server you are talking to. For example, you probably want to ensure that, when you send your credit card number to
L.L. Bean, you are communicating with the L.L. Bean server and not some hacker’s

system.

How Does PC-AS/400 Encryption Work?

Encryption involves three keys: public, private, and negotiated. The public keys are provided to users who install SSL on their computers. Both public and private keys are used for encrypting and decrypting the data initially exchanged between the PC and the AS/400. Keys are exchanged via digital certificates. Data from the AS/400 is encrypted using the private key and anyone with the corresponding public key can decrypt the data sent from the server. Data sent from the PC is encrypted using the public key. This data can only be decrypted by the AS/400 that has the private key. This is called asymmetric (or public key) cryptography. Once the PC has authenticated that the server actually is who it claims to be and the two computers establish a session, the PC and the AS/400 negotiate a third key, which is then used for private communications throughout the rest of the conversation. When the negotiated key is used, this is call symmetric cryptography. Negotiated keys are required for each client and server connection and negotiated keys expire after 24 hours.

The public keys are provided via a digital certificate. A digital certificate validates the certificate’s owner. A “trusted” party (called a Certificate Authority) issues certificates for both the client and servers. Digital certificates can be obtained as follows:

• Purchased from well-known authorities such as Verisign and RSA
• Purchased from unknown authorities, i.e., those that are provided by authorities outside the generally accepted list provided by OS/400 or Client Access. (I wouldn’t recommend using these.)

• Created on your AS/400 by using the Digital Certificate Manager You can set up PC5250 to take advantage of SSL by doing the following:
• Setting up both your AS/400 and your PC to use SSL
• Providing digital certificates on both your AS/400 and PC
• Enabling your PC5250 configuration to use SSL

AS/400 Products to Order and Install

In order to use SSL in your Express client configurations, you must order and load the following AS/400 Licensed Program Products (LPP) on your AS/400:

• IBM Cryptographic Access Provider for AS/400 (5769-ACn; where n=1, 2,
3)—The n designation specifies the encryption level you are supporting. 1 = 40-bit encryption, 2 = 56-bit encryption, and 3 = 128-bit encryption. The encryption level you can order and install depends on what export controls are in force for encryption technology in your geographic area.

• IBM HTTP Server for AS/400 (5769-DG1)
• TCP/IP Connectivity Utilities for AS/400 (5769-TC1)
• Digital Certificate Manager (DCM), Option 34 of OS/400 (5769-SS1)
• IBM Client Access Express (5769-XE1)
• IBM Client Encryption (5769-CEn; where n=1, 2, 3) Configuring Express Client to Use SSL

Once these products are ordered and installed on your AS/400, there are three steps you must complete to enable your Express client users to use SSL security:

1. Set up your AS/400 to create, manage, register, and administer digital certificates to applications and users. Digital certificates are assigned through the Digital Certificate Manager, which runs under the IBM HTTP Server for AS/400. The DCM creates the Certificate Authority and manages system certificates on your AS/400. In addition, the DCM administers certificates for any AS/400-based applications (such as the Express client servers) that need certificates to establish an SSL session with a client. Configure the IBM HTTP Server and the Digital Certificate Manager on your AS/400 so that these applications can administer your SSL setup.

2. Configure the Express client servers on your AS/400 to use SSL. There are multiple AS/400-based Client Access Express application servers—including the Telnet server (which is used for PC5250 connections), the database and file servers, and the sign- on server—that provide services to Express client users. Each of these AS/400 servers that you want to configure for SSL usage must also be assigned a digital certificate from the Digital Certificate Manger.

3. On each Express client PC that uses SSL, you must install the SSL component of Express client and download a certificate authority file from your Certificate Authority on the AS/400. If you’re using a well-known Certificate Authority, such as Verisign, then a download of a certificate authority file is not required since this file is shipped along with Client Access Express.

Because of space limitations, I cannot go into detail on each of these steps but, fortunately, I don’t need to. The AS/400 Information Center Web site contains detailed instructions for performing these three necessary tasks. To find instructions for getting started with digital certificates, click on the Internet and Secure Networks/Digital certificate management drop-down at the AS/400 Information Center (publib.boulder.ibm. com/pubs/html/as400/infocenter.htm). To find the instructions for configuring your Express client servers and desktops to use SSL, click on the Internet and Secure Networks/Securing applications with SSL drop-down on the site.

There is one thing to remember when you’re working with certificates. For ease of use, ordering, and administration, all digital certificate administration and assignment must be performed through your AS/400. When you install the Express client SSL component, that installation must be performed from your AS/400, not from your Express client CDROM or from a prior installation on your network or on a PC. You will need to use the AS/400’s Digital Certificate Manager whenever you are working with AS/400-assigned certificates.

Downloading Your Own Certificates to a PC

If you use a well-known Certificate Authority (Verisign, Thawte, etc.) to provide your server certificates, you do not need to do anything except install SSL support on both the PC and the AS/400. The well-known Certificate Authorities certificates are shipped in the default Client Access Express key database and with the AS/400 Digital Certificate Manager.

However, you can also create your own certificates by using the AS/400 Digital Certificate Manager. These certificates will be stored on your AS/400. (Information on creating your own Digital Certificates can also be found at the AS/400 Information Center Web site under the Internet and Secure Networks/Digital Certificate Management/Using Digital Certificates drop-down.) Once your certificates are created, you can download the public certificates to your PCs by using a new tool provided by the Client Access development team, the AS/400 Certificate Authority Downloader utility (CwbCoSSL), which can be downloaded at the Client Access Download Web site at www.as400.ibm.com/clientaccess/cadownld.htm. The CwbCoSSL program (see Figure 1) automates the process of downloading your custom certificates to the Client Access

Express key database, which contains your digital certificate. The following is the default key database file for Express client:

C:Program FilesIBMClient AccessCWBSSLFD.KDB

The name of this database can be viewed or changed via the Client Access Properties page (Figure 2). The CwbCoSSL utility requires Client Access Express Service Pack SF55256 or above. Please read the cwbcossl.txt file for more information. The file is packaged in the self-extracting Zip file that comes with the download.

Setting Up Your Express Client Connections

After your Express client PC is ready for SSL, you can configure your PC so that each Express client connection between the PC and the AS/400 uses SSL. This is accomplished via the Operations Navigator properties for each system. (See Figure 3.) The Connections properties screen is accessed in Express client by right-clicking on the icon representing your AS/400, selecting Properties from the context menu that appears, and then selecting the Connections tab. On the Connections panel that appears, click on the Use Secure Sockets Layer (SSL) checkbox to indicate that each Express client connection to that AS/400 should be established under SSL. When using Operations Navigator, the left side of the panel will show any AS/400 systems that have been secured via SSL. Each AS/400 that is configured for SSL will have a lock displayed alongside its AS/400’s system icon.

To use SSL inside PC5250, go to the PC5250 Configuration panel (which is accessed by clicking on the Configure option of the Communication pull-down menu on the PC5250 menu bar). After selecting your AS/400 System name, clicking on the Properties button next to the AS/400 System Name will allow you to select your PC5250 SSL security through PC5250’s Connection screen (see Figure 4). You have three SSL options that you can specify on this screen: Not secured, Secured with Secured Sockets Layer (SSL), or Use same security as your Operations Navigator connection. The SSL setting you choose will override the setting you defined in your Operations Navigator connection for this AS/400. For example, if Operations Navigator has no security for this system, you can override that setting and specify that your PC5250 session run with SSL security. The default is to use the Operations Navigator SSL setting, as specified in the Use Secure Sockets Layer (SSL) check box described above.

Please note that there is very little performance degradation when using SSL in a display emulation session. This is logical because there is only a very small amount of data that flows between the PC and the AS/400 during an emulation session. However, there could be a larger performance degradation with PC5250 printer emulation if the print output is large.

And That’s It

As you can see, configuring your Express client and PC5250 setups to use SSL isn’t that difficult if you just know the ropes. By installing the correct products on your AS/400 and using the techniques and references in this article, you can easily start encrypting your Express client sessions for SSL today.

Related Materials

AS/400 Information Center Starting Point: publib.boulder.ibm.com/pubs/html/as400/infocenter.htm Client Access Download Web site: www.as400.ibm.com/clientaccess/cadownld.htm

Securing_Express_Client_and_PC5250_Communications_with_SSL05-00.jpg 400x277

Figure 1: The cwbcossl utility automates the process of downloading custom digital certificates to the Client Access Express key database.

Figure 2: The default encryption key database file can be changed by using the Client Access Properties page.

Securing_Express_Client_and_PC5250_Communications_with_SSL05-01.jpg 402x430

Securing_Express_Client_and_PC5250_Communications_with_SSL06-00.jpg 400x386

Figure 3: Using OpsNav, you can configure your PC so that each Express client connection between the PC and the AS/400 uses SSL.

Figure 4: Specify whether your Express client PC5250 session uses SSL with the Connection panel inside the Configure PC5250 panel.

Securing_Express_Client_and_PC5250_Communications_with_SSL06-01.jpg 400x287

Also Read

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Book Reviews

Book Review: Extract, Transform, and Load with SSIS

Do your business apps access different data sources? This book shows you how to make that task easier
Book Review: 21st Century RPG: /Free, ILE, and MVC

David Shirey’s first book is an educational and entertaining read for “modern” and “old” RPG programmers alike
Book Review: Developing Business Applications for the Web--With HTML, CSS, JSP, PHP, ASP.NET, and JavaScript

If you are ready to get into Web application development, take this book along as your guide
Book Review: DB2 10.5 Fundamentals for LUW: Certification Study Guide (Exam 615)

DBAs who use the book will find it very helpful first in their test study and later as a reference book.
Book Review: DB2 11 for z/OS Database Administration—Certification Study Guide

This is a well-written DB2 11 book that could easily stand on its own as a reference manual, not just a certification guide.
Book Review: Free-Format RPG IV, Third Edition

Jim Martin comes through for us again.
Book Review: IBM i Security Administration and Compliance, Second Edition
Book Review: Programming in ILE RPG, Fifth Edition

This book really hits the mark and is a must-read for all RPG developers.
Book Review: DB2 10.1/10.5 for Linux, UNIX, and Windows Database Administration: Certification Guide
Book Review: Subfiles in Free-Format RPG

Whether you're a newbie or a seasoned pro, this book has something for you.
Book Review: Evolve Your RPG Coding: Move from OPM to ILE ... and Beyond

This book provides an amazingly comprehensive introduction to the concepts while at the same time delivering enough technical detail to make you productive very quickly.
Book Review: Database Design and SQL for DB2
Book Review: The Chief Data Officer Handbook for Data Governance

When implemented appropriately, data governance is a powerful framework.
Book Review: DB2 10 for z/OS: The Smarter, Faster Way to Upgrade

Trying to figure out whether to upgrade? Read on.
Book Review: 5 Keys to Business Analytics Program Success
Book Review: DB2 11: The Ultimate Database for Cloud, Analytics, and Mobile
Book Review: Flexible Input, Dazzling Output with IBM i

Today, it's all about input and output. Getting data into the IBM i from non-traditional sources and then displaying it back out again in varied formats. But where can you go to learn all that you need to know about this critical skill?
Book Review: Advanced Guide to PHP on IBM i

Enterprise-level PHP skills and techniques have been adapted for IBM i developers in Kevin Schroeder's new book.
Book Review: Java for RPG Programmers

If you've been putting off learning Java, you have no excuse anymore!
Book Review: DB2 10.1 Fundamentals: Certification Study Guide

Too valuable to be classified as merely excellent certification material, this book should also rightly take its place on DB2 DBA bookshelves as a solid day-to-day DB2 reference.
Book Review: DB2 10 for Z/OS Database Administration: Certification Study Guide

Whether you're trying to get certified or you just need a great reference book, this is the book for you.
Book Review: Developing Web 2.0 Applications with EGL for IBM i

It's everything you need to know, from the bottom up.
Book Review: Advanced Integrated RPG

Isn't it about time somebody told us how to integrate RPG and Java?
Book Review: Managing Without Walls

If you manage remote or satellite teams, this book is a must-read!
Book Review: Managing Without Walls

If you manage remote or satellite teams, this book is a must-read!
Book Review: The Remote System Explorer

This book speaks directly to the thousands of IBM i programmers who develop in RPG, COBOL, CL, and DDS every day.
Book Review: IBM System i APIs at Work, Second Edition

API expert Bruce Vining delivers the only comprehensive guide to APIs.
Book Review: Functions in Free-Format RPG IV

This one short volume manages to essentially be both a general introduction and a detailed reference.
Book Review: DB2 11: The Database for Big Data and Analytics
Book Review: IBM Mainframe Security: Beyond the Basics

Beginners will have a strong foundation after reading this book. Experienced professionals will reference it frequently.
Book Review: IBM InfoSphere: A Platform for Big Data Governance and Process Data Governance

Find out how IBM is addressing the challenges of big data.
Book Review: Fundamentals of Technology Project Management

Projects can be overwhelming, but taken in small, deliberate steps, all projects are achievable.
Book Review: Customer Experience Analytics

Use CEA as a strategic weapon to stay ahead of your competitors.
Book Review: Big Data Analytics: Disruptive Technologies for Changing the Game

The disciplines of data analytics are evolving to meet the new challenges of big data.
Book Review: IBM i Security: Administration and Compliance

If you have any interest in IBM i security, whether as an administrator, a programmer, or an auditor, then this book is the perfect resource.
Book Review: DB2 9.7 for Linux, UNIX, and Windows Database Administration (Exam 541)

This book, written by the creator of the certification exam, reveals exactly what you'll need to know to prep for the test.
Book Review: Selling Information Governance to the Business

Who governs the information that runs your company?
Book Review: You Want to Do WHAT with PHP?

If you're serious about programming in PHP, get a book that treats you that way.
Book Review: The IBM i Programmer's Guide to PHP

Both a primer and a reference, this book is a must-have for anyone who wants to program in PHP.
Book Review: JavaScript for the Business Developer

There's no faster, easier way to become proficient in JavaScript.
Book Review: SOA for the Business Developer

If you want to know how SOA works in the real world, this is your book.
Book Review: DB2 9 Fundamentals

Whether you want to obtain an IBM certified DB2 professional certification or simply become well-rounded in the fundamental concepts of DB2 and general database theory, this is your book.
Book Review: The Modern RPG IV Language, Fourth Edition

This book isn't a training manual; it's a reference book.

Resource Center

Node.js on IBM i Webinar Series Pt. 2: Setting Up Your Development Tools

Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:
Profound Logic Solution Guide

More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
Power10 Power Hour

IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:
Comply in 5! Well, actually UNDER 5 minutes!!

TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Combating Ransomware: Building a Strategy to Prevent and Detect Attacks

Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Top IBM I Security Vulnerabilities and How to Address Them

IT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.
What Most IBM i Shops Get Wrong About the IFS

Can you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:
Backup and Recovery on IBM i: Your Strategy for the Unexpected

Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Manage IBM i Messages by Exception with Robot

Managing messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:
Easiest Way to Save Money? Stop Printing IBM i Reports

The thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:
Hassle-Free IBM i Operations around the Clock

For over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:
Why Migrate When You Can Modernize?

Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
The Power of Coding in a Low-Code Solution

When it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:
Low Code: A Digital Transformation of Supply Chain and Logistics

Supply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:
Resource Center

The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit
Node Webinar Series Pt. 1: The World of Node.js on IBM i

Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.
IBM i Transformation Risks Every Business Leader Should Know

Join us for this hour-long webcast that will explore:
What to Do When Your AS/400 Talent Retires

IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:

Analytics & Cognitive Categories

Latest Analytics & Cognitive News

Career Catgories

Latest Career News

Cloud Categories

Latest Cloud News

IT Infrastructure Categories

Latest IT Infrastructure News

News Categories

Latest News

Programming Categories

Latest Programming News

Security Categories

Latest Security News

Typography

Share This