IBM i has had the capability to utilize Secure Sockets Layer (SSL) and Transport Security Layer (TLS) to secure the Telnet server for several releases. This feature was only for the server, until last year. Now instead of needing third-party Telnet clients to connect to your IBM i over TLS/SSL, you can use the native Telnet client. This is a necessary enhancement for customers who need to completely disable unsecure Telnet terminal sessions on port 23 on their IBM i servers. Starting with IBM i 5.4, it’s possible to use SSL with the Telnet client (TELNET or STRTCPTELN CL command) from IBM i to any SSL Telnet server.
This feature was added via PTFs in IBM i 5.4 and 6.1, and in a future release, you can expect the TELNET (STRTCPTELN) command to be updated to include this function. (The SSL parameter was added to the TELNET command in the IBM I 7.1 release).
When the PTF is installed, a new client application, QIBM_QTV_TELNET_CLIENT, will be registered with the Digital Certificate Manager (DCM). All desired servers need to either have their digital certificates imported and assigned to this application or a trust list must be setup including certificate authorities of the desired Telnet servers. For more information on digital certificates and trust lists, see the “Managing Applications in DCM” topic in the information center.
The destination server and the remote port need to support implicit mode SSL to work. Implicit-mode SSL means that the SSL handshake is done immediately after connection. The IBM i Telnet server does support this, you just need to have the “Allow SSL” (ALWSSL) parameter on the Change Telnet Attributes (CHGTELNA) CL command set to *YES or *ONLY.
The value *DFT for the PORT keyword on the Telnet command will use port 23 when the secure client is off, and port 992 when the environment variable is set for SSL. A value of 23 on the PORT keyword will be interpreted as 992 when the environment variable is set for SSL.
Enabling the secure Telnet client is done with an environment variable on 5.4 and 6.1. The current job needs to set the job-level environment variable QIBM_TELNET_CLIENT_SSL to ‘Y’.
ADDENVVAR ENVVAR(QIBM_TELNET_CLIENT_SSL) VALUE('Y') LEVEL(*JOB)
Deleting the environment variable or setting it to another value will disable the secure Telnet client.
To enable all Telnet client users on your system to use SSL, set the QIBM_TELNET_CLIENT_SSL as a system-level environment variable.
ADDENVVAR ENVVAR(QIBM_TELNET_CLIENT_SSL) VALUE('Y') LEVEL(*SYS)
System environment variables are inherited by all jobs and can be overridden by job-level environment variables. Note that jobs currently running wouldn’t inherit this system-level environment variable. You’d need to sign off and sign back on to inherit the system-level environment variable.
Requirements for Telnet client SSL/TLS:
- The partition must be at least IBM i 5.4 or greater.
- The DCM option 34 must be installed.
- PTF SI33240 is required for IBM i 5.4.
- PTF SI33100 is required for IBM i 6.1.
- This function is in the base release of 7.1.
- DCM must have either a trust list or server certificates set up for the application QIBM_QTV_TELNET_CLIENT.
- All certificate authorities of desired servers must be in the trust list.
- Remote servers must be configured for implicit SSL on the requested port.
Documentation for this function is in the PTF cover letters for each release.
This week’s blog on secure Telnet was written by Kevin Hackney. Kevin is a member of the IBM i network applications and configuration team in the Rochester (Minn.) development lab.
This blog post was edited for currency on January 26, 2020.
This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.