Appendix G.

Using RSF Over Encrypted Connections

RSF allows you to communicate with other AS/400 and iSeries machines over encrypted connections. You can choose either RSF’s built-in encryption or industry-standard Secure Sockets Layer (SSL).

In the discussion that follows, the requester machine is the one that initiates the connection. The server machine is the one that responds.

When using RSF to send email, the value of the "Outgoing mail encryption" parameter on the Change RSF Defaults (CHGRSFDFT) command determines whether the transmission is encrypted. The default is *NO. To encrypt outgoing mail, follow the instructions in the Sending Encrypted Email section below.


To use RSF’s built-in encryption:

  1. On the requester machine, use RSF menu option 1 to work with server directory entries. Specify *BASIC for the “Encryption” parameter on the entry that points to the server machine.

  2. Create a 128-byte character data area on both the requester and server machines. Store any sequence of characters you like in the data area, but make sure that the contents of the two data areas are identical: this shared value is the encryption key. Treat it as a secret. Choose a random value rather than a memorable phrase, and do not leave the data area readable by *PUBLIC.

  3. On the requester machine, specify the qualified name of the data area you created for the “Encryption key data area” parameter on the RSF server directory entry that points to the server machine, or specify *NONE to use a default encryption key.

  4. On the server machine, specify the qualified name of the data area you created for the “Encryption key data area” parameter on the Change RSF Defaults (CHGRSFDFT) command (RSF menu option 31), or specify *NONE to use a default encryption key.

With *NONE on both sides the connection is still encrypted, but with a default key that you did not choose and do not control. Use your own data area wherever the confidentiality of the transfer matters.
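The key step above, as an added example (this is not RSF's own code or documentation): a small Python script, run on a workstation, that generates a random 128-byte key, prints the CL command that creates the data area with that key, and gives both administrators a short fingerprint to compare so they can confirm the two data areas match without reading the key aloud. The library RSFLIB, the data area name RSFKEY and the user profile that the RSF jobs run under are assumptions; substitute the names you actually use.

```python
"""Added example, not RSF code or documentation: generate a random 128-byte
key for the RSF encryption key data area and produce the CL command that
creates the data area.  The library RSFLIB and the data area name RSFKEY are
assumptions; use the qualified name you entered on the RSF parameters."""
import hashlib
import secrets
import string

KEY_LEN = 128
# Letters and digits belong to the EBCDIC invariant character set, so a key
# built only from them reads the same on both machines whether it is typed
# in a 5250 session or pasted through a PC emulator; characters such as
# '|', '^' or '!' can be translated differently and are avoided here.
ALPHABET = string.ascii_letters + string.digits


def make_key(length=KEY_LEN):
    """Random key of exactly `length` characters (about 6 bits each)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def crtdtaara_cmd(key, lib="RSFLIB", name="RSFKEY"):
    """CL command that creates the data area with `key` as its value.

    Run the same command on the requester and on the server so that the two
    data areas are identical.  AUT(*EXCLUDE) keeps the key private to its
    owner; afterwards grant *USE to the profile the RSF jobs run under
    (which profile that is depends on your installation)."""
    if len(key) != KEY_LEN or any(c not in ALPHABET for c in key):
        raise ValueError(f"key must be exactly {KEY_LEN} characters from ALPHABET")
    return (f"CRTDTAARA DTAARA({lib}/{name}) TYPE(*CHAR) LEN({KEY_LEN}) "
            f"VALUE('{key}') TEXT('RSF encryption key') AUT(*EXCLUDE)")


def normalize(value):
    """Value as shown by DSPDTAARA, with the blank padding that a *CHAR data
    area carries stripped, so that a key shorter than 128 bytes still
    compares correctly."""
    return value.rstrip(" ")


def fingerprint(value):
    """Short digest of a data area value.  Read it out to the administrator
    of the other machine to confirm both keys match without revealing the
    key itself."""
    return hashlib.sha256(normalize(value).encode("ascii")).hexdigest()[:16]


def same_key(value_a, value_b):
    """True when the two data areas hold the same key."""
    return normalize(value_a) == normalize(value_b)


if __name__ == "__main__":
    key = make_key()
    print(crtdtaara_cmd(key))
    print("fingerprint:", fingerprint(key))
```

Run the printed CRTDTAARA command on both machines, then have each side display the data area with DSPDTAARA and compare the fingerprint of the displayed value. Because the data area is created with AUT(*EXCLUDE), remember to grant *USE to the profile under which RSF retrieves the key (for example with GRTOBJAUT) before testing the connection.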

 


To use SSL encryption with RSF:

  1. You must first configure SSL on the requester and server machines. See below for step-by-step instructions.

  2. On both the requester and server machines, use the Change RSF Defaults (CHGRSFDFT) command (RSF menu option 31) to change the “SSL status” parameter (SSLSTS) to *ENABLED.

  3. On the requester machine, use RSF menu option 1 to work with server directory entries. Specify *SSL for the “Encryption” parameter on the entry that points to the server machine.

 


Follow these steps on the server machine to configure SSL for use with RSF:

  1. In order to configure and use SSL, the following OS/400 licensed programs must be installed:

    TCP/IP Connectivity Utilities for iSeries, 5722-TC1
    Digital Certificate Manager, 5722-SS1 - Base Option 34
    IBM HTTP Server for iSeries, 5722-DG1
    Developer Kit for Java, 5722-JV1

  2. Use the following command to ensure that the HTTP *ADMIN server (the instance that serves the iSeries Tasks page on port 2001) is started:

        STRTCPSVR SERVER(*HTTP) HTTPSVR(*ALL)

  3. Use a web browser to connect to http://your_IP_address:2001/, where “your_IP_address” is the address or network name of the iSeries to be configured. When prompted, sign on as QSECOFR (or another profile with *ALLOBJ and *SECADM special authorities).

  4. The iSeries Tasks window is shown. Click on “Digital Certificate Manager” (DCM).

  5. The Welcome page is shown. Click on the question mark in the upper right to display the DCM help information.

  6. In the left menu, click on “Create a local CA to issue certificates for SSL sessions”. This topic describes how to create a local certificate authority and a default certificate in the *SYSTEM certificate store. Print out this help topic and then follow the instructions.

    (Printing the topic is recommended because the help window changes automatically as you navigate through other DCM menus.)

  7. At the end of the help topic referred to above are instructions for assigning your certificate to a non-IBM SSL application. Follow those instructions to assign your certificate to RSF; steps 8 through 13 below give the RSF-specific values.

  8. When called for by the instructions, click on “Add Applications”. Select “Server” and click Continue.

  9. At the next set of prompts, enter RSF for “Application ID”, select *YES for “Client authentication supported”, enter “Remote Software Facility” for the application description and click Add. Accept the defaults for all other prompts on the page.

  10. When called for by the instructions, click “Assign Certificate” to assign your certificate to RSF.

  11. Click “Assign to Applications”.

  12. Put a check mark next to Remote Software Facility and click Continue. You should see a successful completion message.

  13. Important: You must ensure that *PUBLIC is authorized to all of the Integrated File System folders in the path for your certificate, as well as the two certificate files themselves. (The key database file has the extension KDB and the certificate request database has the extension RDB. The default certificate path is /QIBM/USERDATA/ICSS/CERT/SERVER, but you may have specified a different path when you created your certificate.) Make certain that *PUBLIC authority is at least *RX for each folder in the path and for the two certificate files. You can use the IBM command “WRKLNK OBJ(/)” to drill down through the folders in the path. Use option 9 with a folder or file to edit its authority.

    Bear in mind that the KDB file is the key store that holds your certificate's private key, so *PUBLIC *RX lets every user profile on the system read that file. Granting *PUBLIC is the simplest way to guarantee that RSF can open the key store; if you know the user profile under which the RSF server jobs run, you can instead grant *RX to that profile, leave *PUBLIC at *EXCLUDE, and retest the SSL connection.

  14. Finally, you must export your certificate authority to all requester machines that will contact the server using SSL. Click on “Export Certificate”. Export either the certificate authority alone, or the certificate and the certificate authority. A requester only needs the local CA certificate in order to trust the server; export the server certificate as well only where the requester is meant to use that certificate itself, since the exported certificate includes its private key. On each requester machine, use the “Import Certificate” option to import what you exported. Then follow steps 8 through 13 above to associate RSF with the certificate.
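A check to run once the server-side procedure above is complete, as an added example (not RSF's own code or documentation): from a workstation, open a TLS connection to the RSF server that trusts only the CA certificate you exported from DCM, and report who issued the server's certificate and how long it remains valid. Assumptions: the exported local CA has been converted to PEM and saved as rsf_ca.pem, and RSF_PORT is a placeholder for the port in your RSF server directory entry, which this page does not state.

```python
"""Added example, not part of RSF or its documentation.  Confirms from a
workstation that an RSF SSL server presents a certificate that chains to the
exported local CA and that the certificate is not close to expiry.
Assumptions: the CA exported from DCM is saved in PEM form as rsf_ca.pem,
and RSF_PORT is a placeholder for the real RSF listener port."""
import socket
import ssl
import sys
import time

RSF_PORT = 9876          # assumption: substitute the real RSF listener port
MIN_DAYS_LEFT = 30       # warn when less than this remains before expiry


def issuer_cn(cert):
    """Common name of the issuer from a getpeercert() dictionary."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative means already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def check_rsf_server(host, port=RSF_PORT, ca_file="rsf_ca.pem",
                     verify_hostname=True):
    """Open a TLS connection that trusts ONLY the exported local CA.

    Returns the verified peer certificate.  A certificate that does not chain
    to ca_file (for example one issued by another system's local CA) makes
    wrap_socket raise ssl.SSLCertVerificationError, which is exactly what you
    should see when you test with the wrong CA file."""
    ctx = ssl.create_default_context(cafile=ca_file)   # no system CAs loaded
    ctx.verify_mode = ssl.CERT_REQUIRED
    # DCM may have put the system name rather than the DNS name in the
    # certificate's common name; turn hostname checking off only if so.
    ctx.check_hostname = verify_hostname
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def report(cert):
    """Pass/fail flag plus a short human-readable summary."""
    left = days_until_expiry(cert)
    ok = left > MIN_DAYS_LEFT
    lines = [f"issuer : {issuer_cn(cert)}",
             f"expires: {cert['notAfter']} ({left:.0f} days left)",
             "status : OK" if ok
             else f"status : renew (less than {MIN_DAYS_LEFT} days left)"]
    return ok, "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_rsf_ssl.py <server-host> [port] [ca.pem]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else RSF_PORT
    ca = sys.argv[3] if len(sys.argv) > 3 else "rsf_ca.pem"
    try:
        passed, text = report(check_rsf_server(host, port, ca))
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"chain does not validate against {ca}: {exc.verify_message}")
    print(text)
    sys.exit(0 if passed else 1)
```

Run it once with the correct CA file and once with some other CA file: the first run should print the issuer and expiry, the second should fail with a verification error, which confirms that the requester side will reject a server that does not hold a certificate from your local CA. If the server name in the certificate is the system name rather than the DNS name, pass verify_hostname=False and rely on the chain check alone.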

 

 


Sending Encrypted Email

To use SSL/TLS to encrypt outgoing email, you must:

  1. Use the Change RSF Defaults (CHGRSFDFT) command (RSF menu option 31) to change two parameters as follows:

    SSL status . . . . . . . . :   SSLSTS(*ENABLED)
    Outgoing mail encryption . :   MAILSECURE(*YES)

  2. Configure SSL with IBM's Digital Certificate Manager as outlined below.

 

Using Digital Certificate Manager to Allow Encrypted Email

  1. In order to configure and use SSL, the following OS/400 licensed programs must be installed:

    TCP/IP Connectivity Utilities for iSeries, 5722-TC1
    Digital Certificate Manager, 5722-SS1 - Base Option 34
    IBM HTTP Server for iSeries, 5722-DG1
    Developer Kit for Java, 5722-JV1

  2. Use the following command to ensure that the HTTP *ADMIN server is started:

        STRTCPSVR SERVER(*HTTP) HTTPSVR(*ALL)

  3. Use a web browser to connect to http://your_IP_address:2001/, where “your_IP_address” is the address or network name of the iSeries to be configured. When prompted, sign on as QSECOFR (or another profile with *ALLOBJ and *SECADM special authorities).

  4. The iSeries Tasks window is shown. Click on “Digital Certificate Manager” (DCM).

  5. The Welcome page is shown. Click on “Select a Certificate Store”.

  6. Select the *SYSTEM certificate store and click Continue.

  7. Click to expand the “Manage Applications” menu. Select “Add application” and click Continue.

  8. Select “Client” and click Continue.

  9. Define the RSFMAIL application: enter RSFMAIL for “Application ID” and a description such as “RSF Email Support” (the name the application is listed under in the following steps). Then click “Add”.

  10. Next, select “Define CA trust list” from the menu, select “Client” and click Continue.

  11. Select the RSF Email Support application and click “Define CA Trust List”.

  12. Click “Trust All” and then click “OK”.

    “Trust All” makes RSFMAIL accept a mail server certificate issued by any CA in the *SYSTEM store. If you know which CA issued your mail server's certificate, you can mark only that CA as trusted instead. In either case, the issuing CA must be present in the *SYSTEM store, so import its certificate first if it is not already there.