IBM Support

V6 HMC Remote 5250 Console SSL Configuration for iSeries Access for Windows Emulator

Troubleshooting


Problem

This document describes how to configure the 5250 emulator included with IBM iSeries Access for Windows for an HMC Remote 5250 Console SSL connection.

Resolving The Problem

This document provides detailed instructions for configuring the 5250 emulator included with IBM iSeries Access for Windows for an HMC remote console secure socket layer (SSL) connection. For further information on remote 5250 console, refer to the IBM eServer Information Center topic 'Connecting to a 5250 console remotely' which can be found at:

IBM Power Systems Hardware Information Center

http://publib.boulder.ibm.com/infocenter/powersys/v3r1m5/index.jsp

Step 1: Verify the HMC Firewall Configuration.

The HMC firewall must be enabled for remote console, regardless of the type of emulator used.

1. In the navigation area, expand the HMC you want to work with. HMCs are listed by host name or TCP/IP address.
2. Expand HMC Management.
3. Click HMC Configuration.

Main menu of WebSM with HMC Configuration selected.
4. In the contents pane, click Customize network settings.
5. Click the LAN Adapters tab.

Customize network settings with LAN Adapters tab selected.
6. Select the LAN adapter you want to work with and click Details.
7. Click the Firewall tab.
8. Select the 5250 application in the top table. Click Allow Incoming to allow all TCP/IP addresses or click Allow Incoming by IP Address to allow only specific addresses. 5250 will now appear in the lower table. Click OK. Click OK again. A dialog might appear stating that Network Settings Changes will be applied after the next reboot. Click OK. A restart is not necessary for firewall changes. They go into effect immediately.

LAN adapter details page showing firewall options.

Step 2: Configure HMC System Manager Security

Remote 5250 console over SSL uses the same authentication and encryption method as the HMC remote system manager (WebSM). HMC System Manager Security must be configured as described in the eServer Information Center topic on 'Installing and Securing the Remote Client'. The following subset of that procedure pertains to 5250 remote console. If System Manager Security has already been configured, skip to Step 4 to copy the public key ring file to diskette.
1. Configuring one HMC as a certificate authority

This procedure defines a system as an internal certificate authority (CA) for HMC security and creates a public key ring file for the CA that you can distribute to all of the clients that access the servers.

1. Verify that you are using a local HMC and not the Web-based System Manager Remote Client.

2. Ensure that you are logged in as the hscroot user at the HMC that is being configured as the internal CA.

3. In the navigation area, expand the local HMC. It is the first HMC in the list.

4. Expand System Manager Security.

5. Click Certificate Authority.

6. In the System Manager Certificate Authority window, click Configure this system as a System Manager Certificate Authority. You can also select Configure from the Certificate Authority menu.

7. Use the online help to guide you through completing the task.

Note: Remember the password you set for the CA private key file. You will need this password when you generate private key ring files for the servers.

2. Generating private key ring files for the servers

Use the certificate authority (CA) to generate private key ring files for the servers. The private key ring file consists of the private key and the server certificate.

Note: If the system defined as a CA will also be used in server mode, you must complete the steps for generating and installing private key ring files on that system.

1. In the navigation area, expand the local HMC. It is the first HMC in the list.

2. Expand System Manager Security.

3. Click Certificate Authority.

4. In the System Manager Certificate Authority window, click Generate Servers' Private Key Ring Files. You can also select Generate Keys from the Certificate Authority menu.

5. In the Password window, type the CA private key file password. This password was created when the HMC was configured as the CA.

6. Click OK.

7. In the Generate Server's Private Key Ring Files window, use the help information to guide you through completing the task.

8. Click OK when you are finished.

3. Installing private key ring files on the servers

Follow these steps to correctly install private key ring files.

1. Copy the server private key ring files to removable media:

a. In the navigation area, expand the local HMC. It is the first HMC in the list.

b. Expand System Manager Security.

c. Click Certificate Authority.

d. In the System Manager Certificate Authority window, click Copy Servers' Private Key Ring Files to removable media. You can also select Copy Servers' Keys from the Certificate Authority menu.

e. When the Copy Server's Private Key to removable media dialog displays, insert the media.

f. Click OK to copy the servers' private key ring files to removable media.

2. Install the private key ring file on each server. Repeat the following steps for each server for which you generated a private key ring file:

a. In the navigation area, expand the local HMC. It is the first HMC in the list.

b. Expand System Manager Security.

c. Click Server Security.

d. In the System Manager Server Security window, click Install the private key ring file for this server. You can also select Install Key from the Server menu.

e. In the Install Private Key Ring File window, select removable media as the source for the server private key ring file. Insert the removable media containing the server's key into the removable media drive.

f. Click OK.

3. Configure the server as a secure System Manager server. Repeat the following steps for each server on which you installed a private key ring file:

a. In the navigation area, expand the local HMC. It is the first HMC in the list. HMCs are listed by hostname or IP address.

b. Expand System Manager Security.

c. Click Server Security.

d. In the System Manager Server Security window, click Configure this system as a Secure System Manager server. You can also select Configure from the Server menu.

e. Use the help to guide you through completing the task.



Note: The HMC must be restarted after the private key ring files have been installed on it so that the 5250 daemon is restarted and uses the new files.

4. Distributing the certificate authority's public key with Web-based System Manager Remote Client for Java Web Start

If you are using the Web-based System Manager Remote Client for Java Web Start, use the following instructions to copy the certificate authority (CA) public key ring file (SMpubkr.zip) to each server that you will use to download the remote client.

If the system defined as a CA will also be used in server mode, you must complete the steps for distributing the CA's public key for that system. Although the CA public key was created on this system, it is not in the correct location for the system to be used as a server.

1. On the CA system, perform the following steps to copy the CA's public key to removable media:

a. In the navigation area, expand the local HMC. It is the first HMC in the list.

b. Expand System Manager Security.

c. Click Certificate Authority.

d. In the System Manager Certificate Authority window, click Copy this Certificate Authority's Public Key Ring File to removable media. You can also select Copy out CA Public Key from the Certificate Authority menu.

e. When the Copy CA Public Key to Removable Media window opens, insert a diskette.

f. Select HMC or AIX client to write the file to a tar diskette.

g. Click OK to copy the public key ring file.

2. Copy a CA's public key from diskette to each server. Repeat the following steps for each client or server:

a. In the navigation area, expand the local HMC. It is the first HMC in the list.

b. Expand System Manager Security.

c. Click Certificate Authority.

d. In the System Manager Certificate Authority window, click Copy another Certificate Authority's Public Key Ring File from removable media. You can also select Copy in CA Public Key from the Certificate Authority menu.

e. When the Copy CA Public Key from removable media window opens, insert the removable media that contains the copied CA's public key ring file.

f. Click OK to copy the public key ring file.

5. Copy the public key ring file, SM.pubkr, from the diskette to a temporary directory on the PC.
Note the location as it will be needed in Step 4.4. Copying the file to a temporary directory ensures the file will not be corrupted by IBM Key Management.

Step 3: Verify iSeries Access for Windows Code Level

The iSeries Access for Windows emulator that is used must be at Version 5 Release 3 Service level SI13587 or later. Secure Socket Layer must be installed. To verify the service pack level, select Start > Programs > IBM iSeries Access for Windows > iSeries Access for Windows Properties.

Properties dialog window for iSeries Access for Windows.

Step 4: Import the HMC Certificate

1. Open the IBM Key Management utility. Select Start > Programs > IBM iSeries Access for Windows > IBM Key Management.
2. In the IBM Key Management dialog, select the menu option Key Database File, Open. The Open dialog settings should contain the following values for the iSeries Access key database. If they do not, enter them as shown in the following figure and, if necessary, adjust the location to the Windows All Users path. Click OK.


IBM key management utility dialog box requesting file name and location of key file.
3. Type the keyring file password. The default password is ca400.


Dialog box to enter the keyring file password.
4. The iSeries Access for Windows key database file is displayed.

Under Key database content expand the drop-down list box and select Personal Certificates, then click the Import button. On the Import Key dialog, select a Key file type of PKCS12. Adjust the location and file name to the location of the SM.pubkr file exported from the HMC in Step 2.5. Click OK.

Note: Verify that a copy of the SM.pubkr file is used. The IBM Key Management import function will convert the file into a format that cannot be used by WebSM.

IBM Key Management program with the Import key dialog box open.
5. When prompted, type the password for the HMC public keyring file. The password is defp.

Password prompt dialog box for the public keyring file.
6. Click OK to accept the new certificate.

Warning message for the acceptance of the new certificate.
7. The HMC certificate now appears in the list of Signer Certificates. Close and exit the IBM Key Management utility.

IBM Key Management application displaying key database content.

Step 5: Configure the PC5250 Remote Console Session
1. Select Start > Programs > IBM iSeries Access for Windows > Emulator > Start or Configure Session.
2. From the IBM Personal Communications - Session Manager dialog that appears, press the New Session... button.
3. In the Configure PC5250 dialog:

a. Update the System Name to the HMC host name or TCP/IP address.
b. Set the port number to 2301.
c. Press the Properties button.

Configuration dialog box for a PC5250 connection.
4. The Properties button will launch the Connection dialog shown below.

a. Set the User ID sign on information to Use default User ID, prompt as needed.
b. Set the User ID to Q#HMC.
c. Set the Security to Use Secured Sockets Layer (SSL).
d. Set the Client certificate to use to Select certificate when connecting.
e. Click OK. Click OK again.

Dialog box of the properties of the PC5250 connection definition.
5. Save the profile.

To save the workstation profile configuration for future use, click the Menu option, File then Save. Type a profile name, and click OK. The workstation save creates two files. Both file names are the same as the profile name with extensions of .ws and .cae.

Note: Do not move or copy only the workstation profile file (extension .ws). Moving only this file will result in the loss of the connection information, which causes a cwbco1048 connection error. When possible, create a shortcut to the profile rather than a copy. If the profile must be moved or copied, copy both files to the new location.
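The pairing rule in the note above can be checked and enforced with a short script. This is an added example, not IBM code: the function names and the sample file names are hypothetical, and it assumes only what the note states, that the .cae file sits beside the .ws file and shares its base name.

```python
import shutil
import tempfile
from pathlib import Path

COMPANION_EXT = ".cae"  # connection information saved next to the .ws profile


def find_companion(ws_path):
    """Return the .cae file saved with a .ws profile, or None if it is missing."""
    ws_path = Path(ws_path)
    for candidate in ws_path.parent.iterdir():
        if (candidate.is_file()
                and candidate.stem.lower() == ws_path.stem.lower()
                and candidate.suffix.lower() == COMPANION_EXT):
            return candidate
    return None


def orphaned_profiles(directory):
    """List .ws profiles with no .cae companion (the cwbco1048 case)."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and p.suffix.lower() == ".ws"
                  and find_companion(p) is None)


def copy_profile(ws_path, dest_dir):
    """Copy a profile as a pair; refuse to copy the .ws file on its own."""
    ws_path, dest_dir = Path(ws_path), Path(dest_dir)
    cae_path = find_companion(ws_path)
    if cae_path is None:
        raise FileNotFoundError(f"{ws_path.name}: no {COMPANION_EXT} file beside it")
    dest_dir.mkdir(parents=True, exist_ok=True)
    return [Path(shutil.copy2(src, dest_dir / src.name)) for src in (ws_path, cae_path)]


def demo():
    """Constructed sample: one complete profile and one .ws file copied alone."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "profiles"), Path(tmp, "moved")
        src.mkdir()
        for name in ("hmc_console.ws", "hmc_console.CAE", "copied_alone.ws"):
            (src / name).write_text("constructed placeholder content\n")
        copied = sorted(p.name for p in copy_profile(src / "hmc_console.ws", dst))
        return orphaned_profiles(src), copied


if __name__ == "__main__":
    print(demo())
```

Running `orphaned_profiles` over a shared profile directory lists the sessions that were moved without their connection information before a user reports the error.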

After connecting, the SSL connection is indicated in the status messages in the lower left corner of the emulator.

Emulator session at language selection screen.


Historical Number

368280385

Document Information

Modified date:
22 September 2021

UID

nas8N1015694