System i
Security
Secure Sockets Layer (SSL)
Version 5 Release 4
Note
Before using this information and the product it supports, read the information in “Notices,” on page 19.
Sixth Edition (February 2006)
This edition applies to version 5, release 4, modification 0 of i5/OS (5722–SS1) and to all subsequent releases and modifications until otherwise indicated in new editions. This version does not run on all reduced instruction set computer (RISC) models nor does it run on CISC models.
Contents
Secure Sockets Layer (SSL)
What’s new for V5R4
Printable PDF
Scenarios
Scenario: Securing a client connection to your Management Central server with SSL
Configuration details: Secure a client connection to your Management Central server with SSL
  Step 1: Deactivate SSL for the iSeries Navigator client
  Step 2: Set the authentication level for the Management Central server
  Step 3: Restart the Management Central server on the central system
  Step 4: Activate SSL for the iSeries Navigator client
  Optional step: Deactivate SSL for the iSeries Navigator client
Scenario: Securing all connections to your Management Central server with SSL
Configuration details: Secure all connections to your Management Central server with SSL
  Step 1: Configure the central system for server authentication
  Step 2: Configure endpoint systems for server authentication
  Step 3: Restart the Management Central server on the central system
  Step 4: Restart the Management Central server on all endpoint systems
  Step 5: Activate SSL for the iSeries Navigator client
  Step 6: Configure the central system for client authentication
  Step 7: Configure endpoint systems for client authentication
  Step 8: Copy the validation list to the endpoint systems
  Step 9: Restart the Management Central server on the central system
  Step 10: Restart the Management Central server on all endpoint systems
SSL concepts
History of SSL
How SSL works
Supported SSL and Transport Layer Security (TLS) protocols
Server authentication
Client authentication
Planning SSL
SSL prerequisites
Digital certificates
Application security with SSL
Troubleshooting SSL
Related information for Secure Sockets Layer (SSL)
Appendix. Notices
Trademarks
Terms and conditions
Secure Sockets Layer (SSL)
This topic describes how to use SSL on your server.
Secure Sockets Layer (SSL) has become an industry standard for enabling applications for secure communication sessions over an unprotected network, such as the Internet.
What’s new for V5R4
This topic describes what is new to the Secure Sockets Layer (SSL) this release.
Product withdrawn: IBM® Cryptographic Access Provider product, 5722-AC3 (128-bit)
The IBM Cryptographic Access Provider product, 5722-AC3 (128-bit) is no longer required. This is a new development for the V5R4 release of i5/OS®. All V5R4 systems are capable of the function that was previously provided in the 5722-AC3 product.
How to see what’s new or changed
To help you see where technical changes have been made, this information uses:
• The image to mark where new or changed information begins.
• The image to mark where new or changed information ends.
Printable PDF
Use this to view and print a PDF of this information.
To view or download the PDF version of this document, select Secure Sockets Layer (SSL).
Saving PDF files
To save a PDF on your workstation for viewing or printing:
1. Right-click the PDF in your browser (right-click the link above).
2. Click the option that saves the PDF locally.
3. Navigate to the directory in which you want to save the PDF.
4. Click Save.
Downloading Adobe Reader
You need Adobe Reader installed on your system to view or print these PDFs. You can download a free copy from the Adobe Web site (www.adobe.com/products/acrobat/readstep.html).
Scenarios
The SSL scenarios are designed to help you maximize the benefits of enabling SSL on your System i™ platform.
Read the SSL scenarios to increase your understanding of SSL on the iSeries™ server by providing possible examples of how SSL can work for you.
© Copyright IBM Corp. 2002, 2006
Related information
Scenario: Secure Telnet with SSL
Scenario: Enhance iSeries SSL performance
Scenario: Protect private keys with cryptographic hardware
Scenario: Securing a client connection to your Management Central server with SSL
This scenario explains how to use SSL to secure the connection between a remote client and a System i model that is acting as a central system by using the iSeries Navigator Management Central server.
Situation:
A company has a local area network (LAN) that includes several iSeries servers in their office. This company’s system administrator, Bob, has specified one of the iSeries servers as the central system (hereafter referred to as System A) for the LAN. Bob uses the Management Central server on System A to manage all of the other endpoints on his LAN.
Bob is concerned about connecting to the Management Central server on System A from a network connection that is external to his company’s LAN. Bob travels for work a lot, and requires a secure connection to the Management Central server while he is away. He wants to ensure the connection between his PC and the Management Central server is secure when he is not in the company office. Bob decides to enable SSL on his PC and on the System A’s Management Central server. With SSL enabled in this way, Bob can be certain that his connection to the Management Central server is secure when he is traveling.
Objectives:
Bob wants to secure the connection between his PC and the Management Central server. Bob does not require additional security for the connection between the Management Central server on System A and the endpoints that are on the LAN. Other employees that work from the company office do not need additional security for their connections to the Management Central server, either. Bob’s plan is to configure his PC and the Management Central server on System A, so that his connection uses server authentication. Connections to the Management Central server from other PCs or iSeries servers on the LAN are not secured with SSL.
Details:
The following table illustrates the types of authentication used, based on the enabling or disabling of SSL on a PC client:
Table 1. Required elements for an SSL-secured connection between a client and the Management Central server
SSL status on Bob’s PC | Specified authentication level for the Management Central server on System A | SSL connection enabled?
SSL off | Any | No
SSL on | Any | Yes (server authentication)
Server authentication means that Bob’s PC authenticates the Management Central server’s certificate. Bob’s PC acts as an SSL client when connecting to the Management Central server. The Management Central server acts as an SSL server and must prove its identity. The Management Central server does this by providing a certificate issued by a Certificate Authority (CA) that Bob’s PC trusts.
Prerequisites and assumptions
Bob must perform these administration and configuration tasks in order to secure the connection between his PC and the Management Central server on System A:
1. System A meets the prerequisites for SSL.
2. OS/400® V5R3 or a later version of i5/OS is installed on System A.
3. The iSeries Navigator PC client runs V5R3 or later of iSeries Access for Windows®.
4. Get a Certificate Authority (CA) for iSeries servers.
5. Create a certificate that is signed by the CA, for System A.
6. Send the CA and a certificate to System A, and import them into the key database.
7. Assign the certificate with the Management Central server identification, and the application identifications for all of the iSeries Access servers. The TCP central server, database server, data queue server, file server, network print server, remote command server and signon server are all iSeries Access servers.
   a. On System A, start IBM Digital Certificate Manager. Bob obtains or creates certificates, or otherwise sets up or changes his certificate system now.
   b. Click Select a Certificate Store.
   c. Select *SYSTEM and click Continue.
   d. Enter the *SYSTEM Certificate Store password, and click Continue. When the menu reloads, expand Manage Applications.
   e. Click Update certificate assignment.
   f. Select Server and click Continue.
   g. Select the Management Central Server, and click Update certificate assignment. This assigns a certificate to the Management Central server to use.
   h. Click Assign New Certificate. DCM reloads to the Update certificate assignment page with a confirmation message.
   i. Click Done.
   j. Assign the certificate to all of the client access servers.
8. Download the CA to the PC client.
Before Bob can enable SSL on the Management Central server, he must install the SSL Prerequisites and set up digital certificates on the system. Once he has met the prerequisites, he can complete the following procedures to enable SSL for the Management Central server.
Configuration steps
Bob needs to complete the following steps in order to secure his PC client connection to the Management Central server on System A, with SSL:
1. “Step 1: Deactivate SSL for the iSeries Navigator client” on page 4
2. “Step 2: Set the authentication level for the Management Central server” on page 4
3. “Step 3: Restart the Management Central server on the central system” on page 4
4. “Step 4: Activate SSL for the iSeries Navigator client” on page 4
5. “Optional step: Deactivate SSL for the iSeries Navigator client” on page 5
Related concepts
“SSL prerequisites” on page 16
Related information
Configure DCM
Start Digital Certificate Manager
Configuration details: Secure a client connection to your Management Central server with SSL
This topic shows the expanded configuration steps for using SSL to secure a client connection to your Management Central server.
The following information assumes you have read through the Scenario: Secure a client connection to your Management Central server with SSL.
In this scenario, a System i model is specified as the central system in a company’s local area network (LAN). Bob uses the Management Central server on the central system (referred to here as System A) to manage the endpoints on the company network. The following information explains how to perform the steps required to secure an external client connection to the Management Central server. Follow along as Bob completes the scenario configuration steps.
Related concepts
“SSL prerequisites” on page 16
“Scenario: Securing all connections to your Management Central server with SSL” on page 5
This scenario explains how to use SSL to secure all connections with a System i model that is acting as a central system by using the iSeries Navigator Management Central server.
Related information
Set up certificates for the first time
Step 1: Deactivate SSL for the iSeries Navigator client:
This step is only necessary if you have already enabled SSL for the iSeries Navigator client.
1. In iSeries Navigator, expand My Connections.
2. Right-click System A and select Properties.
3. Click the Secure Sockets tab and deselect Use Secure Sockets Layer (SSL) for connection.
4. Exit iSeries Navigator and restart it.
The padlock disappears from the Management Central container in iSeries Navigator, indicating an unsecured connection. This indicates to Bob that he no longer has an SSL-secured connection between his client and the central system of his company.
Step 2: Set the authentication level for the Management Central server:
1. In iSeries Navigator, right-click Management Central, and select Properties.
2. Click the Security tab, and select Use Secure Sockets Layer (SSL).
3. Select Any for the authentication level (available on V5R3 or later of iSeries Access for Windows).
4. Click OK to set this value on the central system.
Step 3: Restart the Management Central server on the central system:
1. In iSeries Navigator, expand My Connections.
2. On System A, expand Network → Servers and select TCP/IP.
3. Right-click Management Central and select Stop. The central system view collapses, and a message displays, explaining you are not connected to the server.
4. After the Management Central server has stopped, click Start to restart it.
Step 4: Activate SSL for the iSeries Navigator client:
1. In iSeries Navigator, expand My Connections.
2. Right-click System A and select Properties.
3. Click the Secure Sockets tab and select Use Secure Sockets Layer (SSL) for connection.
A padlock appears next to the Management Central server in iSeries Navigator, indicating an SSL-secured connection. This indicates to Bob that he has successfully activated an SSL-secured connection between his client and the central system of his company.
Note: This procedure only secures the connection between one PC and the Management Central server. Other client connections with the Management Central server, as well as connections from endpoints to the Management Central server, will not be secure. To secure other clients, ensure they meet the prerequisites and repeat “Step 4: Activate SSL for the iSeries Navigator client” on page 4. To secure other connections with the Management Central server, see Scenario: Secure all connections to your Management Central server with SSL.
Optional step: Deactivate SSL for the iSeries Navigator client:
If Bob wants to work from the company office and does not want an SSL connection affecting the performance of his PC, he can easily deactivate it by performing the following steps:
1. In iSeries Navigator, expand My Connections.
2. Right-click System A and select Properties.
3. Click the Secure Sockets tab and deselect Use Secure Sockets Layer (SSL) for connection.
4. Exit iSeries Navigator and restart it.
Scenario: Securing all connections to your Management Central server with SSL
This scenario explains how to use SSL to secure all connections with a System i model that is acting as a central system by using the iSeries Navigator Management Central server.
Situation:
A company has just set up a wide area network (WAN) that includes several System i models in remote locations (endpoints). The endpoints are centrally managed by one system (the central system), located at the main office. Tom is the company’s security specialist. Tom wants to use Secure Sockets Layer (SSL) to secure all of the connections between the Management Central server on the company’s central system and all iSeries Access servers and clients.
Details:
Tom can manage all connections to the Management Central server securely, with SSL. To use SSL with the Management Central server, Tom needs to secure iSeries Navigator on the PC that he uses to access the central system.
Tom chooses from two authentication levels for the Management Central server:
Server authentication
  Provides authentication of the server certificate. The client must validate the server, whether the client is iSeries Navigator on a PC, or the Management Central server on the central system. When iSeries Navigator connects to the central system, the PC is the SSL Client and the Management Central server running on the central system is the SSL Server. The central system acts as an SSL client when connecting to an endpoint system. The endpoint system acts as an SSL server. The server must prove its identity to the client by providing a certificate that was issued by a Certificate Authority that the client trusts. There must be a valid certificate issued by a trusted CA for every SSL server.
Client and server authentication
  Provides authentication of both the central system and the endpoint system certificates. This is a stronger security level than the server authentication level. In other applications, this is known as client authentication, where the client must supply a valid trusted certificate. When the central system (SSL client) attempts to establish a connection with an endpoint system (SSL server), the central system and the endpoint system authenticate each other’s certificates for certificate authority authenticity.
  Note: Client and server authentication only happens between two System i models. Client authentication is not performed by the server when the client is a PC.
  Unlike other applications, Management Central also provides authentication through a validation list, called the Trusted Group validation list. Generally the validation list stores information that identifies the user, such as a user identification, and authentication information, such as a password, personal identification number, or digital certificate. This authentication information is encrypted.
Most applications typically do not specify that you enable both server and client authentication, because server authentication almost always occurs during SSL session enablement. Many applications have client authentication configuration options. Management Central uses the term “server and client authentication” instead of client authentication because of the dual role that the central system plays in the network. When PC users connect to the central system, the central system acts as a server. However, when the central system is connecting to an endpoint system, it acts as a client. The following illustration shows how the central system operates as both a server and client in a network.
Note: In this illustration, the certificate associated with the Certificate Authority must be stored in the key database on the central system and on all of the endpoint systems. The Certificate Authority must be on the central system, all the endpoints, as well as the PC.
Prerequisites and assumptions:
Tom must perform the following administration and configuration tasks, in order to secure all of the connections to the Management Central server:
1. System A meets the prerequisites for SSL.
2. The central system and all endpoint systems run V5R2 or later versions of OS/400 or i5/OS. V5R4 i5/OS connections to V5R1 OS/400 systems are not allowed.
3. The iSeries Navigator PC client runs V5R2 or later of iSeries Access for Windows.
4. Get a Certificate Authority (CA) for System i models.
5. Create a certificate that is signed by the CA, for System A.
6. Send the CA and a certificate to System A, and import them into the key database.
7. Assign the certificates with the Management Central application identification, and the application identifications for all of the iSeries Access servers. The TCP central server, database server, data queue server, file server, network print server, remote command server and signon server are all iSeries Access servers.
   a. Start IBM Digital Certificate Manager on the Management Central server. If Tom needs to obtain or create certificates, or otherwise set up or change his certificate system, he does so now.
   b. Click Select a Certificate Store.
   c. Select *SYSTEM and click Continue.
   d. Enter the *SYSTEM Certificate Store password, and click Continue. When the menu reloads, expand Manage Applications.
   e. Click Update certificate assignment.
   f. Select Server and click Continue.
   g. Select the Management Central server, and click Update certificate assignment. This assigns a certificate to the Management Central server to use.
   h. Choose the certificate you want to assign to the application, and click Assign New Certificate. DCM reloads to the Update certificate assignment page with a confirmation message.
   i. Click Cancel to return to the list of applications.
   j. Repeat this procedure for all iSeries Access servers.
8. Download the CA to the iSeries Navigator PC client.
Configuration steps:
Before Tom can enable SSL on the Management Central server, he must install the prerequisite programs and set up digital certificates on the central system. See the Prerequisites and assumptions for this scenario before continuing. Once he has met the prerequisites, he can complete the following procedures to secure all connections to the Management Central server:
Note: If SSL has been enabled for iSeries Navigator, Tom must disable it before he can enable SSL on the Management Central server. If SSL has been enabled for iSeries Navigator and not the Management Central server, attempts by iSeries Navigator to connect with the central system will fail.
1. “Step 1: Configure the central system for server authentication” on page 9
2. “Step 2: Configure endpoint systems for server authentication” on page 10
3. “Step 3: Restart the Management Central server on the central system” on page 10
4. “Step 4: Restart the Management Central server on all endpoint systems” on page 10
5. “Step 5: Activate SSL for the iSeries Navigator client” on page 11
6. “Step 6: Configure the central system for client authentication” on page 11
7. “Step 7: Configure endpoint systems for client authentication” on page 11
8. “Step 8: Copy the validation list to the endpoint systems” on page 12
9. “Step 9: Restart the Management Central server on the central system” on page 12
10. “Step 10: Restart the Management Central server on all endpoint systems” on page 12
Related concepts
“SSL prerequisites” on page 16
“Application security with SSL” on page 16
Review the following list to see the applications that you can secure with SSL on the System i platform.
Related tasks
“Configuration details: Secure a client connection to your Management Central server with SSL” on page 4
This topic shows the expanded configuration steps for using SSL to secure a client connection to your Management Central server.
“Configuration details: Secure all connections to your Management Central server with SSL”
This topic shows the details for using SSL to secure all connections to your Management Central server.
Related information
V5R1 Information Center, “Securing Management Central”
Using Digital Certificate Manager
Set up certificates for the first time
Configuration details: Secure all connections to your Management Central server with SSL
This topic shows the details for using SSL to secure all connections to your Management Central server.
The following information assumes that you have read through Scenario: Secure all connections to your Management Central server with SSL.
You now want to understand how to perform the steps required to secure all connections to the Management Central server. Follow along as Tom completes the scenario.
Before Tom can enable SSL on the Management Central server, he must install the prerequisite programs and set up digital certificates on the System i model. Once he has met the prerequisites, he can complete the following procedures to secure all connections to the Management Central server.
Note: If SSL has been enabled for iSeries Navigator, Tom must disable it before he can enable SSL on the Management Central server. If SSL has been enabled for iSeries Navigator, and not the Management Central server, attempts by iSeries Navigator to connect with the central system will fail.
SSL allows Tom to secure transmissions between a central system and an endpoint system, as well as between the iSeries Navigator client and the central system. SSL provides transport and authentication of certificates and encryption of data. An SSL connection can only occur between an SSL-enabled central system and an SSL-enabled endpoint system. Tom needs to configure server authentication before he can configure client authentication:
Related concepts
“SSL prerequisites” on page 16
“Scenario: Securing all connections to your Management Central server with SSL” on page 5
This scenario explains how to use SSL to secure all connections with a System i model that is acting as a central system by using the iSeries Navigator Management Central server.
Related information
Set up certificates for the first time
Step 1: Configure the central system for server authentication:
1. In iSeries Navigator, right-click Management Central and select Properties.
2. Click the Security tab and select Use Secure Sockets Layer (SSL).
3. Select Server as the authentication level.
4. Click OK to set this value on the central system.
   Note: Do NOT restart the Management Central server until told to do so, later. If you restart the server now, you will not be able to contact your endpoint servers. You must complete more configuration tasks before the server can be restarted, activating SSL. You must propagate the SSL configuration to the endpoint systems first, with the compare and update task.
Step 2: Configure endpoint systems for server authentication:
After Tom configures the central system for server authentication, he needs to configure the endpoint systems for server authentication. He completes the following tasks:
1. Expand Management Central.
2. Compare and update system values for the endpoint systems:
   a. Under Endpoint Systems, right-click the central system and select Inventory → Collect.
   b. Check the System Values option on the collect dialog box, in order to collect the system values inventory for the central system. Deselect any other options. Click OK and wait for the inventory task to complete.
   c. Right-click System Groups → New System Group.
   d. Define a new system group that includes all the endpoint systems to connect to, using SSL. Name this new system group ‘Trusted Group’.
   e. To display the new group, ‘Trusted Group’, expand the list of system groups.
   f. After the collection is complete, right-click the new system group and select System Values → Compare and Update.
   g. Verify that the central system displays in the Model System field.
   h. In the Category field, select Management Central.
   i. Verify that Use Secure Sockets Layer is set to Yes and select Update to propagate this value to the ‘Trusted Group’.
   j. Verify that SSL Authentication Level is set to Server and select Update to propagate this value to the ‘Trusted Group’.
      Note: If these values are not set, complete Step 1: Configure the central system for server authentication.
   k. Click OK. Wait until the Compare and Update completes processing before continuing to the next step.
Step 3: Restart the Management Central server on the central system:
1. In iSeries Navigator, expand My Connections.
2. Expand the central system.
3. Expand Network → Servers and select TCP/IP.
4. Right-click Management Central and select Stop. The central system view collapses, and a message displays, explaining that you are not connected to the server.
5. Once the Management Central server has stopped, click Start to restart it.
Step 4: Restart the Management Central server on all endpoint systems:
1. In iSeries Navigator, expand My Connections.
2. Expand the endpoint system that you are restarting.
3. Expand Network → Servers and select TCP/IP.
4. Right-click Management Central and select Stop.
5. Once the Management Central server has stopped, click Start to restart it.
6. Repeat this procedure for each endpoint system.
Step 5: Activate SSL for the iSeries Navigator client:
1. In iSeries Navigator, expand My Connections.
2. Right-click the central system, and select Properties.
3. Click the Secure Sockets tab and select Use Secure Sockets Layer (SSL) for connection.
4. Exit iSeries Navigator and restart it.
Note: After you have completed these steps, server authentication is configured for your central and endpoint systems. You can optionally configure your central and endpoint systems for client authentication as well. Steps 6 through 10 should be completed if you want to enable client authentication on your central and endpoint systems.
Step 6: Configure the central system for client authentication:
Now that Tom has completed the configuration for server authentication, he can opt to perform the following optional client authentication procedures. Client authentication provides validation of Certificate Authority and trusted group for both the endpoint systems and the central system. When the central system (SSL client) tries to use SSL to connect to an endpoint system (SSL server), the central system and the endpoint system authenticate each other’s certificates through both server authentication and client authentication. This is also referred to as Certificate Authority and Trusted Group authentication.
Note: You cannot complete client authentication configuration until you have configured server authentication. If you have not configured server authentication, go back and do so, now.
1. In iSeries Navigator, right-click Management Central and select Properties.
2. Click the Security tab and select Use Secure Sockets Layer (SSL).
3. Select Client and server for the authentication level.
4. Click OK to set this value on the central system.
   Note: Do NOT restart the Management Central server until told to do so, later. If you restart the server now, you will not be able to contact your endpoint servers. You must complete more configuration tasks before the server can be restarted, activating SSL. You must propagate the SSL configuration to the endpoint systems first, with the compare and update task.
Step 7: Configure endpoint systems for client authentication:
Compare and update system values for the endpoint systems:
1. Expand Management Central.
2. Compare and update system values for the endpoint systems:
   a. Under Endpoint Systems, right-click the central system and select Inventory → Collect.
   b. Check the System Values option on the collect dialog box, in order to collect the system values inventory for the central system. Deselect any other options. Click OK and wait for the inventory task to complete.
   c. After the collection is complete, right-click the ‘Trusted Group’ and select System Values → Compare and Update.
   d. Verify that the central system displays in the Model System field.
   e. In the Category field, select Management Central.
   f. Verify that Use Secure Sockets Layer is set to Yes and select Update to propagate this value to the ‘Trusted Group’.
   g. Verify that SSL Authentication Level is set to Client and Server and select Update to propagate this value to the ‘Trusted Group’.
      Note: If these values are not set, complete Step 6: Configure the central system for client authentication.
   h. Click OK. Wait until the Compare and Update completes processing before continuing to the next step.
Step 8: Copy the validation list to the endpoint systems:
This task assumes that your central system is V5R3 or greater. On pre-V5R3 systems, QYPSVLDL.VLDL was located in QUSRSYS.LIB, not QMGTC2.LIB. Therefore, if you have pre-V5R3 systems, you will need to send the validation list to these systems and place it in QUSRSYS.LIB, instead of QMGTC2.LIB. For V5R3 and greater systems, continue with the following steps:
1. In iSeries Navigator, expand Management Central → Definitions.
2. Right-click Package, and select New Definition.
3. In the New Definition window, work with the following:
   a. Name: Type the name of the definition.
   b. Source system: Select the name of the central system.
   c. Selected files and folders: Click in the field, and type /QSYS.LIB/QMGTC2.LIB/QYPSVLDL.VLDL.
4. Click the Options tab, and select Replace existing file with the file being sent.
5. Click Advanced.
6. In the Advanced Options window, specify Yes to allow object differences on restore, and change the Target release to be the earliest release of your endpoints.
7. Click OK to refresh the list of definitions and display the new package.
8. Right-click the new package, and select Send.
9. In the Send dialog box, expand System Groups → Trusted Group, located in the Available Systems and Groups list. This group is the one you defined in “Step 2: Configure endpoint systems for server authentication” on page 10.
   Note: The Send task will always fail on the central system, because it is always the source system. The Send task should complete successfully on all endpoint systems.
10. If you have any pre-V5R3 systems in Trusted Group, you must manually go to those systems and move the QYPSVLDL.VLDL object from QMGTC2.LIB to QUSRSYS.LIB. If there is already a version of QYPSVLDL.VLDL in QUSRSYS.LIB, delete it and replace it with the newer one from QMGTC2.LIB.
Step 9: Restart the Management Central server on the central system:
1. In iSeries Navigator, expand My Connections.
2. Expand the central system.
3. Expand Network → Servers and select TCP/IP.
4. Right-click Management Central and select Stop. The central system view collapses, and a message displays, explaining that you are not connected to the server.
5. Once the Management Central server has stopped, click Start to restart it.
Step 10: Restart the Management Central server on all endpoint systems:
Note: Repeat this procedure for each endpoint system.
1. In iSeries Navigator, expand My Connections.
2. Expand the endpoint system that you are restarting.
3. Expand Network → Servers and select TCP/IP.
4. Right-click Management Central and select Stop.
5. Once the Management Central server has stopped, click Start to restart it.
SSL concepts
SSL concepts includes supplemental information, providing some basic building blocks for the Secure Sockets Layer (SSL) protocols.
With the SSL protocol, you can establish secure connections between clients and server applications which provide authentication of one or both endpoints of the communication session. SSL also provides privacy and integrity of the data that client and server applications exchange.
History of SSL
Netscape developed the Secure Sockets Layer Protocol (SSL) in 1994, as a response to the growing concern over security on the Internet.
SSL was originally developed for securing web browser and server communications. The specification was designed in such a way that you can enable other applications, such as TELNET and FTP, to use SSL.
Related concepts
“Supported SSL and Transport Layer Security (TLS) protocols”
This topic describes which versions of the SSL and TLS protocols the i5/OS implementation supports.
How SSL works
SSL is actually two protocols. The protocols are the record protocol and the handshake protocol. The record protocol controls the flow of the data between the two endpoints of an SSL session.
The handshake protocol authenticates one or both endpoints of the SSL session and establishes a unique symmetric key used to generate keys to encrypt and decrypt data for that SSL session. SSL uses asymmetric cryptography, digital certificates, and SSL handshake flows, to authenticate one or both endpoints of an SSL session. Typically, SSL authenticates the server. Optionally, SSL authenticates the client. A digital certificate, issued by a Certificate Authority, can be assigned to each of the endpoints or to the applications using SSL on each endpoint of the connection.
The digital certificate is comprised of a public key and some identifying information that a trusted Certificate Authority (CA) has digitally signed. Each public key has an associated private key. The private key is not stored with or as part of the certificate. In both server and client authentication, the endpoint which is being authenticated must prove that it has access to the private key associated with the public key contained within the digital certificate.
SSL handshakes are performance intensive operations because of the cryptographic operations using the public and private keys. After an initial SSL session has been established between two endpoints, the SSL session information for these two endpoints and applications can be cached in secure memory to speed up subsequent SSL session enablements. When an SSL session is resumed, the two endpoints use an abbreviated handshake flow to authenticate that each has access to unique information without using the public or private keys. If both can prove that they have access to this unique information, then new symmetric keys are established and the SSL session resumes. For TLS Version 1.0 and SSL Version 3.0 sessions, cached information will not remain in the secure memory for greater than 24 hours. In OS/400 V5R2 and subsequent releases or i5/OS, you can minimize SSL handshake performance impacts on the main CPU by using cryptographic hardware.
Related information
Digital certificate concepts
Cryptographic hardware
Supported SSL and Transport Layer Security (TLS) protocols
This topic describes which versions of the SSL and TLS protocols the i5/OS implementation supports.
There are several versions of the SSL protocol defined. The latest version, the Transport Layer Security Protocol (TLS), is based on SSL 3.0 and is a product of the Internet Engineering Task Force (IETF). The i5/OS implementation supports the following versions of the SSL and TLS protocols:
• TLS Version 1.0
• TLS Version 1.0 with SSL Version 3.0 compatibility
  Note:
  1. Specifying TLS Version 1.0 with SSL Version 3.0 compatibility means that TLS will be negotiated if possible and if that is not possible then SSL Version 3.0 will be negotiated. If SSL Version 3.0 cannot be negotiated, the SSL handshake will fail.
  2. The System i also supports TLS Version 1.0 with SSL Version 3.0 and SSL Version 2.0 compatibility. This is specified with the protocol value of ALL, which means that TLS will be negotiated if possible and if that is not possible then SSL Version 3.0 will be negotiated. If SSL Version 3.0 cannot be negotiated, SSL Version 2.0 will be negotiated. If SSL Version 2.0 cannot be negotiated, the SSL handshake will fail.
• SSL Version 3.0
• SSL Version 2.0
• SSL Version 3.0 with SSL Version 2.0 compatibility
SSL Version 3.0 versus SSL Version 2.0
SSL Version 3.0 is an almost totally different protocol compared to SSL Version 2.0. Some of the major differences between the two protocols include:
• SSL Version 3.0 handshake protocol flows are different than SSL Version 2.0 handshake flows.
• SSL Version 3.0 uses the BSAFE 3.0 implementation from RSA Data Security, Incorporated. BSAFE 3.0 includes a number of timing attack fixes and the SHA-1 hashing algorithm. The SHA-1 hashing algorithm is considered to be more secure than the MD5 hashing algorithm. SHA-1 allows SSL Version 3.0 to support additional cipher suites which use SHA-1 instead of MD5.
• SSL Version 3.0 protocol reduces man-in-the-middle (MITM) type of attacks from occurring during SSL handshake processing. In SSL Version 2.0, it was possible, though unlikely, that a MITM attack might accomplish cipher specification weakening. Weakening the cipher can allow an unauthorized person to break the SSL session key.
TLS Version 1.0 versus SSL Version 3.0
The latest industry standard SSL protocol based on SSL Version 3.0 is Transport Layer Security (TLS) Version 1.0. Its specifications are defined by the Internet Engineering Task Force (IETF) in RFC 2246, The TLS Protocol.
The major goal of TLS is to make SSL more secure and to make the specification of the protocol more precise and complete. TLS provides these enhancements over SSL Version 3.0:
• A more secure MAC algorithm
• More granular alerts
• Clearer definitions of "gray area" specifications
Any System i applications that are enabled for SSL will automatically obtain TLS support unless the application has specifically requested to use only SSL Version 3.0 or SSL Version 2.0.
TLS provides the following security improvements:
• Key-Hashing for Message Authentication: TLS uses Key-Hashing for Message Authentication Code
  the Internet. SSL Version 3.0 also provides keyed message authentication, but HMAC is more secure than the (Message Authentication Code) MAC function that SSL Version 3.0 uses.
• Enhanced Pseudorandom Function (PRF): PRF generates key data. In TLS, the HMAC defines the PRF. The PRF uses two hash algorithms in a way which guarantees its security. If either algorithm is exposed, the data will remain secure as long as the second algorithm is not exposed.
• Improved finished message verification: Both TLS Version 1.0 and SSL Version 3.0 provide a finished message to both endpoints that authenticates that the exchanged messages were not altered. However, TLS bases this finished message on the PRF and HMAC values, which again is more secure than SSL Version 3.0.
• Consistent certificate handling: Unlike SSL Version 3.0, TLS attempts to specify the type of certificate which must be exchanged between TLS implementations.
• Specific alert messages: TLS provides more specific and additional alerts to indicate problems that either session endpoint detects. TLS also documents when certain alerts should be sent.
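The PRF and finished-message items above can be made concrete with the definitions in RFC 2246 (section 5 for the PRF, section 7.4.9 for Finished). The following Python is an added example, not IBM or i5/OS code; the function names, the master secret and the transcript bytes are constructed for illustration.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 section 5 expansion: HMAC(secret, A(i) + seed) blocks, A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed)."""
    half = (len(secret) + 1) // 2   # odd-length secrets share the middle byte
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha_stream = p_hash("sha1", s2, label + seed, length)
    # The XOR is what ties the output to both hash algorithms at once.
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def finished_verify_data(master_secret, handshake_messages, label):
    """12-byte verify_data carried in the TLS 1.0 Finished message."""
    digests = (hashlib.md5(handshake_messages).digest()
               + hashlib.sha1(handshake_messages).digest())
    return tls10_prf(master_secret, label, digests, 12)


def check_finished(received, master_secret, handshake_messages, label):
    """Recompute verify_data locally and compare in constant time."""
    expected = finished_verify_data(master_secret, handshake_messages, label)
    return hmac.compare_digest(received, expected)


# Constructed sample values (not taken from any real session).
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"

if __name__ == "__main__":
    sent = finished_verify_data(MASTER_SECRET, TRANSCRIPT, b"client finished")
    print("verify_data:", sent.hex())
    print("untouched transcript accepted:",
          check_finished(sent, MASTER_SECRET, TRANSCRIPT, b"client finished"))
    # If a handshake message was altered in transit, the receiver hashed
    # different bytes than the sender did, so the Finished check fails.
    altered = TRANSCRIPT.replace(b"ClientHello", b"ClientHello(altered)")
    print("altered transcript accepted:",
          check_finished(sent, MASTER_SECRET, altered, b"client finished"))
```

The labels "client finished" and "server finished" are the ones RFC 2246 assigns to each side, so the two endpoints never produce the same verify_data for the same transcript.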
Related concepts
“History of SSL” on page 13
Netscape developed the Secure Sockets Layer Protocol (SSL) in 1994, as a response to the growing concern over security on the Internet.
Related information
The TLS Protocol
Server authentication
With server authentication, the client will ensure that the server certificate is valid and that it is signed by a certificate authority (CA) which the client trusts.
SSL will use asymmetric cryptography and handshake protocol flows to generate a symmetric key which will be used only for this unique SSL session. This key is used to generate a set of keys which are used for encrypting and decrypting data which will flow over the SSL session. Subsequently, when an SSL handshake has completed, one or both ends of the communication link will have been authenticated. Additionally, a unique key will have been generated to encrypt and decrypt the data. Once the handshake is completed then application layer data will flow encrypted across that SSL session.
Client authentication
Many applications allow the option to enable client authentication. With client authentication, the server will ensure that the client certificate is valid and that it is signed by a Certificate Authority which the server trusts.
The following System i applications support client authentication:
• IBM HTTP Server (powered by Apache)
• FTP server
• Telnet server
• Management Central endpoint system
• Directory Server (LDAP)
Planning SSL
This topic describes the prerequisites of SSL enablement on the System i platform, as well as some helpful tips.
Related concepts
“Troubleshooting SSL” on page 17
This very basic troubleshooting information is intended to help you thin out the list of possible problems that the System i platform can encounter with SSL.
SSL prerequisites
• IBM Digital Certificate Manager (DCM), option 34 of i5/OS (5722-SS1)
• TCP/IP Connectivity Utilities for iSeries (5722-TC1)
• IBM HTTP Server for iSeries (5722-DG1)
• If you are trying to use the HTTP server to use the DCM, ensure that you have the IBM Developer Kit for Java™ (5722–JV1) installed. Otherwise, the HTTP admin server will not start.
• You may also want to install cryptographic hardware to use with SSL to speed up the SSL handshake processing. If you want to install cryptographic hardware, you must also install Option 35, the Cryptographic Service Provider.
Related information
Cryptographic hardware
Digital certificates
IBM Digital Certificate Manager (DCM) is the system solution for managing digital certificates.
Related information
Public certificates versus private certificates
Configure DCM
Application security with SSL
Review the following list to see the applications that you can secure with SSL on the System i platform.
You can secure the following System i applications with SSL:
• Enterprise Identity Mapping (EIM)
• FTP server
• HTTP server (powered by Apache)
• iSeries Access for Windows
• Directory Server (LDAP)
• Distributed relational database architecture (DRDA®) and distributed data management (DDM) server
• Management Central server
• Telnet server
• WebSphere Application Server - Express
• Applications that are written to the iSeries Access for Windows set of APIs (application programming interfaces)
• Applications developed using the secure sockets Application Programmable Interfaces (APIs) supported on the System i platform. The supported APIs are Global Secure Toolkit (GSKit) and the SSL_ System i APIs.
Related concepts
“Scenario: Securing all connections to your Management Central server with SSL” on page 5
This scenario explains how to use SSL to secure all connections with a System i model that is acting as a central system by using the iSeries Navigator Management Central server.
Related information
Enterprise Identity Mapping
Use SSL to secure the FTP server
HTTP server
Secure Sockets Layer administration (iSeries Access for Windows topic)
Telnet scenario: Secure Telnet with SSL
Secure Sockets API
Troubleshooting SSL
This very basic troubleshooting information is intended to help you thin out the list of possible problems that the System i platform can encounter with SSL.
It is important to understand that this is not a comprehensive source for troubleshooting information, but rather a guide to aid in common problem resolution.
Verify that the following statements are true:
• You have met the prerequisites for SSL on the System i platform.
• Your certificate authority and certificates are valid and have not expired.
If you have verified that the previous statements are true for your system and you still have an SSL-related problem, try the following options:
• The SSL error code in the server job log can be cross referenced in an error table to find more information about the error. For example, this table maps the -93 that might be seen in a server job log to the constant SSL_ERROR_SSL_NOT_AVAILABLE.
  – A negative return code (indicated by the dash before the code number) indicates that you are using an SSL_ API.
  – A positive return code indicates that you are using a GSKit API. Programmers can code the gsk_strerror() or SSL_Strerror() API in their programs to obtain a brief description of an error return code. Some applications make use of this API and print out a message to the job log containing this sentence.
  If more detailed information is required, the message id provided in the table can be displayed on a System i model to show potential cause and recovery for this error. Additional documentation explaining these error codes may be located in the individual secure socket API that has returned the error.
• The following two header files contain the same constant names for System SSL return codes as the table, but without the message ID cross reference:
  – QSYSINC/H.GSKSSL
  – QSYSINC/H.QSOSSL
  Remember that although the names of the System SSL return codes remain constant in these two files, more than one unique error can be associated with each return code.
Related concepts
“Planning SSL” on page 15
This topic describes the prerequisites of SSL enablement on the System i platform, as well as some helpful tips.
Related information
Service and support
Secure socket API error code messages
Related information for Secure Sockets Layer (SSL)
Use this information to learn about other resources and information relevant to using SSL.
Web sites
• RFC 2246: "The TLS Protocol Version 1.0" (ftp://ftp.isi.edu/in-notes/rfc2246.txt) Explains the TLS protocol in detail.
• RFC 2818: "HTTP Over TLS" (ftp://ftp.isi.edu/in-notes/rfc2818.txt) Describes how to use TLS to secure HTTP connections over the Internet.
• The SSL Encryption explained information (http://www.digicert.com/ssl) Discusses SSL encryption with an emphasis on certificates.
Other information
• SSL and Java Secure Socket Extension
• IBM Toolbox for Java
Appendix. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
Software Interoperability Coordinator, Department YBWA
3605 Highway 52 N
Rochester, MN 55901
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, IBM License Agreement for Machine Code, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to change before the products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.
Trademarks
The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
DRDA
i5/OS
IBM
iSeries
OS/400
System i
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
Terms and conditions
Permissions for the use of these publications is granted subject to the following terms and conditions.
Personal Use: You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative works of these publications, or any portion thereof, without the express consent of IBM.
Commercial Use: You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.
IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.