IBM Support

How to configure IBM i Access Client Solutions client to use TLS/SSL

How To


Summary

This document discusses how to set connections of the IBM i Access Client Solutions base package to use TLS/SSL. This assumes the IBM i Host Servers and the IBM i Telnet server have already been configured to use TLS/SSL within Digital Certificate Manager.

Objective

Explain the available options to configure Access Client Solutions Base Package to use TLS/SSL.

Environment

IBM i Access Client Solutions Base Package.

Steps

Configuring Access Client Solutions base package to use SSL for a single user and workstation.

1. Using the System Configuration global setting: This will set all connections (5250, Data Transfer, Integrated File System tool, and Printer Output tool) to this specific system to use SSL. By default all 5250 sessions and Data Transfers are set to "Use IBM i Access Client Solutions setting." and will follow the Global Setting unless modified. The following steps will need to be completed for each System Configuration.
- Launch the IBM i Access Client Solutions main menu
- Select System Configurations from the Management section
- Highlight the entry for your system and select the "Edit" button at the bottom. If you have not created a System Configuration for your system, select "New" to create one. Enter the system name or system IP address in the "System Name:" field.
- On the General tab, check the box for "Use SSL for connection"
- Select the "Verify Connection" button to test a TLS/SSL connection to this system name. If this is the first attempt to connect to this system with SSL enabled, ACS will prompt to accept and add the Certificate Authority to the trusted set. You will have to select "Yes" to accept and trust the certificate authority. When you select "Yes", ACS adds the certificate authority to the Key Management database for you.
- If successful, the results of the Verify Connection should show that the Central, Command, Database, Data Queues, File, Print, Record-level access, Signon, Telnet, and Port Mapper services all succeed. (NOTE: The Navigator for i and Secure Shell (SSH) services are not used in the same fashion. Please disregard if either Navigator for i or Secure Shell (SSH) are reporting failures.)
- Click "OK" to proceed.
- Click "OK" on the Edit Selected System screen to complete the process.
- You have now enabled SSL for all connections (5250, Data Transfer, Integrated File System tool, and Printer Output tool) to this same System Name. At this point, no further changes are needed. ACS is now set to use TLS/SSL for connections. (NOTE: This assumes the default setting of "Use IBM i Access Client Solutions setting" has not been modified within each 5250 session or Data Transfer.)
- Many customers go to Communication > Configure > TLS/SSL from the emulator and select to enable Server and/or Client Authentication. The settings here provide different uses of TLS/SSL beyond the basic configuration. Most customers will not be using the settings in this section, so we suggest leaving them as default unless you are specifically using Server or Client Authentication. The default/basic configuration of TLS/SSL for 5250 does not use these settings. Default Settings are:
[Screenshot: default TLS/SSL settings]
2. Configuring a single 5250 session or Data Transfer to use TLS/SSL: Each 5250 session and Data Transfer can be set individually to use TLS/SSL. As mentioned above the default 5250 sessions and Data Transfers are set to the Global Setting. Use the following steps to modify individual 5250 sessions or Data Transfers.
5250 Sessions:
- Open the ACS 5250 session and select Communication > Configure from the menu options. This will open the 5250 Display settings menu.
- The 5250 Display menu will open to the "Connection" settings by default. Notice the "Protocol" setting is set to "Use IBM i Access Client Solutions setting."
- To set this 5250 session to use TLS/SSL individually, change the "Protocol" setting to "Telnet - TLS/SSL." You will notice the Destination Port will change from 23 to 992 (SSL port used by Telnet) after changing this setting.
- Click "OK" on the 5250 Display settings page.
- Save the 5250 session to keep the change for future use. If you do not save the 5250 session, the Protocol setting will not be saved.
Data Transfers:
- Open the Data Transfer and select "Properties" near the bottom.
- Select the "Connection" tab. Change the "Security" setting to "Use Secure Sockets Layer (SSL)"
- Click "Apply" and "OK" to set the change.
- Save the Data Transfer to keep the change for future use.

Using the AcsConfig.properties file to enable Default Communication to SSL.

- The com.ibm.iaccess.DefaultCommunicationToSSL=true parameter can be set within the AcsConfig.properties file so that new System Configurations default to SSL. All newly created System Configurations will have the "Use SSL for connection" check box on the System Configuration General tab checked by default.
- This will not affect existing System Configurations.
- This method can be used on computers with Access Client Solutions base package already installed, but it is more effective if used before the installation. Modifying the AcsConfig.properties file before installation will save this setting for future calls of the install script.
- The AcsConfig.properties file needs to be edited manually (before or after installation). The AcsConfig.properties file can be edited with any text editor (Notepad or Notepad++ are suggested).
- Edit AcsConfig.properties and either enable the existing com.ibm.iaccess.DefaultCommunicationToSSL=true entry by removing the leading "#", or manually add a new com.ibm.iaccess.DefaultCommunicationToSSL=true line anywhere in the AcsConfig.properties file, making sure it is not commented out with a "#".
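
The edit described above can be scripted when the same AcsConfig.properties change has to be made on many workstations. The following is an added example, not IBM code: it works on the file's text, assumes Java-properties syntax (a leading "#" marks a comment, the last active entry wins), and its sample file contents and the `example.other.setting` line are constructed.

```python
import re

KEY = "com.ibm.iaccess.DefaultCommunicationToSSL"
# Matches the key as an active entry or as one commented out with "#",
# accepting "=" or ":" as the separator (assumed Java-properties syntax).
ENTRY = re.compile(r"^\s*(#\s*)?" + re.escape(KEY) + r"\s*[=:]\s*(\S*)\s*$")


def effective_value(text):
    """Return the value of the last active (uncommented) entry, or None."""
    value = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and not m.group(1):
            value = m.group(2)
    return value


def enable_default_ssl(text):
    """Return text with DefaultCommunicationToSSL=true as an active entry.

    Active entries are rewritten to true; otherwise the first commented
    entry is uncommented; otherwise a new line is appended. All other
    lines are left untouched, so the function is safe to run repeatedly.
    """
    lines = text.splitlines()
    matches = [(i, ENTRY.match(l)) for i, l in enumerate(lines)]
    active = [i for i, m in matches if m and not m.group(1)]
    commented = [i for i, m in matches if m and m.group(1)]
    if active:
        for i in active:
            lines[i] = f"{KEY}=true"
    elif commented:
        lines[commented[0]] = f"{KEY}=true"
    else:
        lines.append(f"{KEY}=true")
    return "\n".join(lines) + "\n"


# Constructed sample file contents (not taken from a real installation).
SAMPLE_COMMENTED = ("# constructed sample\n"
                    "example.other.setting=1\n"
                    "#com.ibm.iaccess.DefaultCommunicationToSSL=true\n")
SAMPLE_FALSE = "com.ibm.iaccess.DefaultCommunicationToSSL=false\n"

if __name__ == "__main__":
    for sample in (SAMPLE_COMMENTED, SAMPLE_FALSE, ""):
        print(effective_value(sample), "->", effective_value(enable_default_ssl(sample)))
```

Running `effective_value` over the file before and after the change gives a quick audit of which workstations still have the entry commented out or missing.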

Specifying one location for the Access Client Solutions Keystore to share for multiple users.

- The com.ibm.iaccess.CertFile: parameter within the AcsConfig.properties file can be used to share one SSL Keystore among multiple users.
- Review the following documentation for further details: http://www-01.ibm.com/support/docview.wss?uid=nas8N1021360

Document Location

Worldwide


Document Information

Modified date:
30 January 2023

UID

ibm10879601