IBM Software Technical Document


_______________________________________________________________

Document Information

Document Number: 368280385
Functional Area: HMC
Subfunctional Area: 5250 Console
Sub-Subfunctional Area: Remote Console
OS/400 Release: V5R3M0; V5R3M5; V5R4M0; V5R4M5; V6R1M0; V6R1M1
Product: PLATFORM FIRMWARE (9100HMC00)
Product Release: N/A

_______________________________________________________________

Document Title

HMC Remote 5250 Console SSL Configuration for iSeries Access for Windows Emulator

Document Description

This document provides detailed instructions for configuring the 5250 emulator included with IBM iSeries Access for Windows for an HMC remote console Secure Sockets Layer (SSL) connection. For further information on remote 5250 console, refer to the IBM eServer Information Center topic 'Connecting to a 5250 console remotely', which can be found at:

IBM Power Systems Hardware Information Center
http://publib.boulder.ibm.com/infocenter/powersys/v3r1m5/index.jsp

Step 1: Verify the HMC Firewall Configuration

The HMC firewall must be enabled for remote console, regardless of the type of emulator used.

1. In the navigation area, expand the HMC you want to work with. HMCs are listed by host name or TCP/IP address.
2. Expand HMC Management.
3. Click HMC Configuration.
4. In the contents pane, click Customize network settings.
5. Click the LAN Adapters tab.
6. Select the LAN adapter you want to work with and click Details.
7. Click the Firewall tab.
8. Select the 5250 application in the top table. Click Allow Incoming to allow all TCP/IP addresses or click Allow Incoming by IP Address to allow only specific addresses. 5250 will now appear in the lower table. Click OK. Click OK again. A dialog might appear stating that Network Settings Changes will be applied after the next reboot. Click OK.

A restart is not necessary for firewall changes. They go into effect immediately.

Step 2: Configure HMC System Manager Security

Remote 5250 console over SSL uses the same authentication and encryption method as the HMC remote system manager (WebSM). HMC System Manager Security must be configured as described in the eServer Information Center topic on 'Installing and Securing the Remote Client'. The following subset of that procedure pertains to 5250 remote console. If System Manager Security has already been configured, skip to Step 4 to copy the public key ring file to diskette.

1. Configuring one HMC as a certificate authority

This procedure defines a system as an internal certificate authority (CA) for HMC security and creates a public key ring file for the CA that you can distribute to all of the clients that access the servers.

1. Verify that you are using a local HMC and not the Web-based System Manager Remote Client.
2. Ensure that you are logged in as the hscroot user at the HMC that is being configured as the internal CA.
3. In the navigation area, expand the local HMC. It is the first HMC in the list.
4. Expand System Manager Security.
5. Click Certificate Authority.
6. In the System Manager Certificate Authority window, click Configure this system as a System Manager Certificate Authority. You can also select Configure from the Certificate Authority menu.
7. Use the online help to guide you through completing the task.

Note: Remember the password you set for the CA private key file. You will need this password when you generate private key ring files for the servers.

Generating private key ring files for the servers

Use the certificate authority (CA) to generate private key ring files for the servers. The private key ring file consists of the private key and the server certificate.

Note: If the system defined as a CA will also be used in server mode, you must complete the steps for generating and installing private key ring files on that system.

1. In the navigation area, expand the local HMC. It is the first HMC in the list.
2. Expand System Manager Security.
3. Click Certificate Authority.
4. In the System Manager Certificate Authority window, click Generate Servers' Private Key Ring Files. You can also select Generate Keys from the Certificate Authority menu.
5. In the Password window, type the CA private key file password. This password was created when the HMC was configured as the CA.
6. Click OK.
7. In the Generate Server's Private Key Ring Files window, use the help information to guide you through completing the task.
8. Click OK when you are finished.

Installing private key ring files on the servers

Follow these steps to correctly install private key ring files.

1. Copy the server private key ring files to removable media:
   a. In the navigation area, expand the local HMC. It is the first HMC in the list.
   b. Expand System Manager Security.
   c. Click Certificate Authority.
   d. In the System Manager Certificate Authority window, click Copy Servers' Private Key Ring Files to removable media. You can also select Copy Servers' Keys from the Certificate Authority menu.
   e. When the Copy Server's Private Key to removable media dialog displays, insert the media.
   f. Click OK to copy the servers' private key ring files to removable media.
2. Install the private key ring file on each server. Repeat the following steps for each server for which you generated a private key ring file:
   a. In the navigation area, expand the local HMC. It is the first HMC in the list.
   b. Expand System Manager Security.
   c. Click Server Security.
   d. In the System Manager Server Security window, click Install the private key ring file for this server. You can also select Install Key from the Server menu.
   e. In the Install Private Key Ring File window, select removable media as the source for the server private key ring file. Insert the removable media containing the server's key into the removable media drive.
   f. Click OK.
3. Configure the server as a secure System Manager server. Repeat the following steps for each server on which you installed a private key ring file:
   a. In the navigation area, expand the local HMC. It is the first HMC in the list. HMCs are listed by hostname or IP address.
   b. Expand System Manager Security.
   c. Click Server Security.
   d. In the System Manager Server Security window, click Configure this system as a Secure System Manager server. You can also select Configure from the Server menu.
   e. Use the help to guide you through completing the task.

Note: The HMC must be restarted after the private key ring files have been installed on it so that the 5250 daemon is restarted and uses the new files.

Distributing the certificate authority's public key with Web-based System Manager Remote Client for Java Web Start

If you are using the Web-based System Manager Remote Client for Java Web Start, use the following instructions to copy the certificate authority (CA) public key ring file (SMpubkr.zip) to each server that you will use to download the remote client.

If the system defined as a CA will also be used in server mode, you must complete the steps for distributing the CA's public key for that system. Although the CA public key was created on this system, it is not in the correct location for the system to be used as a server.

1. On the CA system, perform the following steps to copy the CA's public key to removable media:
   a. In the navigation area, expand the local HMC. It is the first HMC in the list.
   b. Expand System Manager Security.
   c. Click Certificate Authority.
   d. In the System Manager Certificate Authority window, click Copy this Certificate Authority's Public Key Ring File to removable media. You can also select Copy out CA Public Key from the Certificate Authority menu.
   e. When the Copy CA Public Key to Removable Media window opens, insert a diskette.
   f. Select HMC or AIX client to write the file to a tar diskette.
   g. Click OK to copy the public key ring file.
2. Copy a CA's public key from diskette to each server. Repeat the following steps for each client or server:
   a. In the navigation area, expand the local HMC. It is the first HMC in the list.
   b. Expand System Manager Security.
   c. Click Certificate Authority.
   d. In the System Manager Certificate Authority window, click Copy another Certificate Authority's Public Key Ring File from removable media. You can also select Copy in CA Public Key from the Certificate Authority menu.
   e. When the Copy CA Public Key from removable media window opens, insert the removable media that contains the copied CA's public key ring file.
   f. Click OK to copy the public key ring file.

Copy the public key ring file, SM.pubkr, from the diskette to a temporary directory on the PC. Note the location as it will be needed in Step 4.4. Copying the file to a temporary directory ensures the file will not be corrupted by IBM Key Management.

Step 3: Verify iSeries Access for Windows Code Level

The iSeries Access for Windows emulator that is used must be at Version 5 Release 3 Service level SI13587 or later. Secure Socket Layer must be installed. To verify the service pack level, select Start > Programs > IBM iSeries Access for Windows > iSeries Access for Windows Properties.

Step 4: Import the HMC Certificate

1. Open the IBM Key Management utility. Select Start > Programs > IBM iSeries Access for Windows > IBM Key Management.
2. In the IBM Key Management dialog, select the menu option Key Database File, Open. The Open dialog settings should contain the following values for the iSeries Access key database. If it does not, enter them as shown in the following figure and, if necessary, adjust the location to the Windows All Users path. Click OK.
3. Type the keyring file password. The default password is ca400.
4. The iSeries Access for Windows key database file is displayed. Under Key database content, expand the drop-down list box and select Personal Certificates, then click the Import button. On the Import Key dialog, select a Key file type of PKCS12. Adjust the location and file name to the location of the SM.pubkr file exported from the HMC in Step 2.5. Click OK.
   Note: Verify that a copy of the SM.pubkr file is used. The IBM Key Management import function will convert the file into a format that cannot be used by WebSM.
5. When prompted, type the password for the HMC public keyring file. The password is defp.
6. Click OK to accept the new certificate.
7. The HMC certificate now appears in the list of Signer Certificates. Close and exit the IBM Key Management utility.

Step 5: Configure the PC5250 Remote Console Session

1. Select Start > Programs > IBM iSeries Access for Windows > Emulator > Start or Configure Session.
2. From the IBM Personal Communications - Session Manager dialog that appears, press the New Session... button.
3. In the Configure PC5250 dialog:
   a. Update the System Name to the HMC host name or TCP/IP address.
   b. Set the port number to 2301.
   c. Press the Properties button.
4. The properties button will launch the Connection dialog shown below.
   a. Set the User ID sign on information to Use default User ID, prompt as needed.
   b. Set the User ID to Q#HMC.
   c. Set the Security to Use Secured Sockets Layer (SSL).
   d. Set the Client certificate to use to Select certificate when connecting.
   e. Click OK. Click OK again.
5. Save the profile. To save the workstation profile configuration for future use, click the Menu option, File then Save. Type a profile name, and click OK. The workstation save creates two files. Both file names are the same as the profile name with extensions of .ws and .cae.
   Note: Do not move or copy only the workstation profile file (extension .ws). Moving only this file will result in the loss of the connection information, which causes a cwbco1048 connection error. When possible, create a shortcut to the profile rather than a copy. If the profile must be moved or copied, copy both files to the new location.

After connecting, the SSL connection is indicated in the status messages in the lower left corner of the emulator.
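
Two checks from the PC side, as an added PowerShell example (written for this page, not IBM code): confirm that the HMC firewall change from Step 1 lets this PC reach port 2301, and copy a saved profile as the .ws/.cae pair that Step 5 requires. The function names are hypothetical helpers, and the host name and paths in the usage comments are placeholders.

```powershell
# Added example (not IBM code). Function names are hypothetical helpers.

function Test-HmcConsolePort {
    # Step 1 check: can this PC open a TCP connection to the HMC 5250 port?
    param(
        [Parameter(Mandatory)][string]$HmcHost,
        [int]$Port = 2301,          # port set in the Configure PC5250 dialog
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout; a refused connection throws.
        $task = $client.ConnectAsync($HmcHost, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Copy-Pc5250Profile {
    # Step 5 note: a profile is a .ws/.cae pair; copy both or neither.
    param(
        [Parameter(Mandatory)][string]$ProfilePath,   # path to the .ws file
        [Parameter(Mandatory)][string]$Destination    # existing directory
    )
    $ws = Get-Item -LiteralPath $ProfilePath -ErrorAction Stop
    if ($ws.Extension -ne '.ws') {
        throw "Expected a .ws workstation profile: $ProfilePath"
    }
    $cae = [System.IO.Path]::ChangeExtension($ws.FullName, '.cae')
    if (-not (Test-Path -LiteralPath $cae -PathType Leaf)) {
        throw "Missing companion file $cae; copying the .ws file alone loses the connection information."
    }
    if (-not (Test-Path -LiteralPath $Destination -PathType Container)) {
        throw "Destination directory not found: $Destination"
    }
    Copy-Item -LiteralPath $ws.FullName, $cae -Destination $Destination -ErrorAction Stop
    Get-ChildItem -LiteralPath $Destination |
        Where-Object { $_.BaseName -eq $ws.BaseName -and $_.Extension -in '.ws', '.cae' }
}

# Constructed usage; host name and paths are placeholders:
# Test-HmcConsolePort -HmcHost 'hmc01.example.com'
# Copy-Pc5250Profile -ProfilePath 'C:\Profiles\hmc.ws' -Destination 'D:\Backup'
```

A `$false` result from the port test when Allow Incoming by IP Address is in use usually means this PC's address is not in the allowed list.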

__________________________________________________________________ PMR Number: Related APARs: Related Public Documents:

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.
