TCP/IP
Logging on to a
remote computer (Telnet)
XXXX-0000-00
IBM
Copyright International Business Machines Corporation 1998, 1999. All rights reserved.
US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Getting started with Telnet
All virtual devices that are created under QPACTLnn controllers and
QVIRCDnnnn controllers count toward the QAUTOVRT limit.
The Telnet server reuses available existing virtual devices that were auto-created by
selecting virtual devices of the same device type and model. When there are no
more device type and model matches, but there are still available virtual devices,
then the device type and model will be changed to match the client device and
model negotiated. This is true only for auto-created (QPADEVnnn) virtual devices.
If you choose to manually create your own devices, you should establish naming
conventions that will allow you to easily manage your configuration. You can
select whatever device names and controller names that you want, provided the
names conform to the OS/400 object naming rules.
The TCP/IP Telnet server supports the use of Secure Sockets Layer (SSL) for
SSL-enabled Telnet clients. SSL uses a private key/public key pair to encrypt data
and transfer documents over the Internet. The private key is used to decode, or
decrypt, the digital certificate that is attached to the document. A digital certificate
allows you to use SSL for secure browser access to web sites and other Internet
services.
When a digital certificate is configured for the Telnet server, the server can handle
SSL and non-SSL clients. All data from the Telnet SSL client is decrypted by the
Telnet SSL server.
The AS/400 Telnet server supports non-SSL Telnet sessions in 5250, 3270, VT100,
and Printer pass-through emulation. When there is no need for you to use the
Telnet SSL server, you can turn off the SSL port by adding port restrictions. Then,
the Telnet server runs in non-SSL mode only, even if the Telnet server was
previously configured with a certificate.
The most important factor to consider when using the Telnet SSL server is the
sensitivity of the information that is used in a client session. If the information is
sensitive, or private, then you may find it beneficial to set up your AS/400 Telnet
server using SSL.
The Telnet server can operate with both SSL and non-SSL clients once the digital
certificate is configured. However, you can control the type of client sessions to
accept at the server by restricting Telnet ports. You can restrict the non-encrypted
Telnet port to run Telnet SSL only or you can restrict the SSL port to run
traditional Telnet only.
2. Type ADDTCPPORT at the command line and use the PORT, PROTOCOL, and
USRPRF parameters.
• In the PORT parameter, enter the number of the port you want to restrict.
  – To run Telnet SSL only, use the non-encrypted Telnet port, which is
    usually port 23.
  – To run non-SSL Telnet only, use the Telnet SSL port, which is usually port
    992.
  – To identify the port number used on your machine, check the services
    table for the telnet and telnet-ssl labels.
Example:
To start the Telnet server with Operations Navigator, follow these steps:
3. Click TCP/IP.
4. Find Telnet in the Server Name column.
5. Confirm that Started appears in the Status column.
6. If the server is stopped, right-click Telnet, then select Start.
For information on signing off, see Ending your Telnet server session.
(Table of Telnet client command-mode key sequences: rows for the AS/400 system and many other clients.)
If you do not know what key or key sequence to press to cause the client to enter
command mode, consult either your system administrator or your Telnet client
documentation.
You can also use the end connection (ENDCNN) parameter of the SIGNOFF
command to sign off the server system and end the Telnet connection. For
example, SIGNOFF ENDCNN(*YES) returns you to the client system (if you only have
one Telnet session established) or returns you to the previous system (if you have
more than one Telnet session established).
The Add Workstation Entry (ADDWSE) command can be done when the
subsystem is active. However, the changes may or may not take effect immediately.
You may need to end and restart the subsystem.
time interval is specified by the system value QINACTITV. The interactive job can
be ended, disconnected, or a message can be sent to the message queue that you
specify.
QINACTMSGQ is a 20-character list of up to two 10-character values where the
first is the message queue name and the second is the library name.
• *DSCJOB: The interactive job is disconnected, as are any secondary or group jobs
associated with it. If *DSCJOB is specified, and the job cannot be disconnected,
*ENDJOB will be used.
• *ENDJOB: The interactive job is ended, along with any secondary job and any
group jobs associated with it. If there are many inactive jobs in a subsystem that
are to be ended at once, the interactive response time of that subsystem may be
slowed.
• inactive-message-queue library: A message indicating the job is inactive is sent
to the specified message queue. If the specified message queue does not exist or
is damaged, the messages are sent to the QSYSOPR message queue.
Note: All messages in the message queue specified by QINACTMSGQ are
cleared during an IPL. If you assign a user's message queue to
QINACTMSGQ, the user loses all messages in the user's message queue
during each IPL.
Possible library values are:
• *LIBL: Use the library list when locating the inactive message queue.
• library name: The name of the library where the inactive message queue is
located. If no library is specified as the current library for the job, QGPL is used.
A change to this system value takes effect immediately.
Note: You must have *ALLOBJ and *SECADM special authority to change the
QINACTMSGQ system value.
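As an added example (not from the original document), this Python code parses a QINACTMSGQ value in the 20-character layout described above and applies the disconnect, end and message-queue rules. The function names and the can_disconnect and queue_usable flags are assumptions standing in for conditions the system checks at run time.

```python
# Added example: parse a QINACTMSGQ value and apply the inactive-job rules.
# The function names and the two boolean flags are assumptions for this
# example; they stand in for conditions OS/400 checks at run time.

SPECIAL_VALUES = ("*DSCJOB", "*ENDJOB")


def parse_qinactmsgq(value):
    """Split a QINACTMSGQ system value into its parts.

    The value is a 20-character field: the first 10 characters hold the
    message queue name (or *DSCJOB / *ENDJOB), the next 10 the library
    (*LIBL or a library name).
    """
    field = value.upper().ljust(20)
    if len(field) > 20:
        raise ValueError("QINACTMSGQ is at most 20 characters")
    queue, library = field[:10].strip(), field[10:].strip()
    if queue in SPECIAL_VALUES:
        if library:
            raise ValueError(f"{queue} takes no library name")
        return {"action": queue}
    if not queue:
        raise ValueError("a message queue name or special value is required")
    # Assumption for this example: an empty library field is treated as *LIBL.
    return {"action": "*MSGQ", "queue": queue, "library": library or "*LIBL"}


def inactive_job_action(value, can_disconnect=True, queue_usable=True):
    """Decide what happens to an interactive job when QINACTITV expires.

    can_disconnect: whether the job can be disconnected (*DSCJOB case).
    queue_usable:   whether the named message queue exists and is not damaged.
    """
    setting = parse_qinactmsgq(value)
    if setting["action"] == "*DSCJOB":
        # If the job cannot be disconnected, *ENDJOB is used instead.
        return "disconnect job" if can_disconnect else "end job"
    if setting["action"] == "*ENDJOB":
        return "end job"
    # A missing or damaged queue sends the message to QSYSOPR instead.
    target = f"{setting['library']}/{setting['queue']}" if queue_usable else "QSYSOPR"
    return f"send inactive-job message to {target}"


if __name__ == "__main__":
    # Constructed sample values, in the 20-character layout.
    for value in ("*DSCJOB", "*ENDJOB", "INACTMSGQ QGPL", "QSYSOPR   *LIBL     "):
        print(f"{value!r:24} -> {parse_qinactmsgq(value)} -> {inactive_job_action(value)}")
```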
You can use these samples as a starting point to build your own exit programs, or
lift portions of the code from them to add to programs that you write yourself. The
example programs that are provided here are not recommended for use on a
production system.
The ZIP and SAVF contain the same files. The files in telnet42.zip are in a format
that is compatible with PCs. Choose telnet42.zip to download the program and
information files to your PC, unzip them, then transfer them to your AS/400. You
will need to rename most of the files once you get them to your AS/400.
To download the files, right-click on a link, then select Save Link As.
To use cascaded Telnet, see System request options for cascaded Telnet.
Figure 1. Cascaded Telnet and Pass-through Home system and End system
(System A, the home system, connects by Pass-Through or TELNET to the intermediate
systems B and C, which connect on by Pass-Through or TELNET to System D, the end system.)
Once you have started a cascaded Telnet session, press the System Request (Sys
Req) key, then press Enter to display the System Request menu.
The following options are those associated with the cascaded Telnet system:
• Starting a system request at a client system: AS/400 System Request option 10
displays the System Request menu on the previous client system.
• Transferring to the client system: AS/400 System Request option 11 transfers
you to an alternate job on the previous client system.
• Starting a system request at the home system: AS/400 System Request option 13
takes you from an intermediate or end system to the System Request menu of
the home system.
• Transferring to the home system: AS/400 System Request option 14 takes you
from an intermediate or end system to the alternate job on the home system.
If you are using a Telnet client session to connect to the original AS/400, the
client PC is treated as the home system for all System Request options. For
options 10 and 11, the client PC is the previous system. For options 13 and 14,
the client PC is the home system.
Use System Request option 11 to move backward from each system until you
reach the first AS/400 that is not the client box. From here you can use System
Request option 1 to move forward, system to system. Although this does not
provide you with a direct path from one system to the first AS/400, it will
enable you to get there using the System Request options.
To bypass the System Request menu, press the System Request key and type the
number 10 on the command line. This shortcut is applicable between AS/400
systems only.
To sign off your Telnet session, or to end a Telnet connection, see SIGNOFF
command to return to server system.
Check this list when looking for information to help with Telnet problems:
• For suggestions on ways to fix problems with Telnet SSL, see the topic
Troubleshooting your Telnet SSL server.
• For operating information on VTxxx and 3270 emulation modes, see the Telnet
Client and Telnet Server chapters in the OS/400 TCP/IP Configuration and
Reference.
• For diagnostic information, see the Telnet client and server chapters in the
The troubleshooting topics contain information and tips to help solve Telnet SSL
problems.
Many problems with SSL can be narrowed down to incorrect digital certificates.
Digital Certificate Manager lets you change your Certificate Authority or system
certificates. To confirm that you have a valid system certificate, read how to start
Digital Certificate Manager, then view the system certificate.
You can also browse the topic Common Telnet SSL problems on page 23 for
quick descriptions and resolutions.
1. Check your system status to make sure you have the proper software installed
and that the servers are started.
2. Check for an active SSL listener using the NETSTAT *CNN command.
3. Check the job log to find the SSL return code.
4. Look up the SSL return codes for suggestions to solve the problem.
The Telnet server must be active and ready to receive connection attempts. To
check for an active SSL listener, follow these steps:
1. At the AS/400 command line, type NETSTAT *CNN to show the Work with
TCP/IP Connection Status display.
2. In the Local Port column, find the telnet- label for telnet-ssl. You will see only
telnet- because the field is not long enough on the display.
SSL initialization has failed if you don't find telnet-ssl in the Local Port column.
For help fixing the problem, you have to check the job log for the SSL return code.
• Use the F22 key to display the entire Local Port field.
• Use the F14 key to see the port numbers. The telnet-ssl entry will be port
992.
When SSL initialization and handshake fails, the Telnet server sends TCP255x
messages to the QTVTELNET job. The SSL return code is a negative number, such
as -2 or -93, for an unsuccessful SSL initialization or an SSL handshake.
Here are some things to remember about the Telnet server jobs:
• Only one QTVTELNET job starts when the SSL listener fails to initialize.
• QTVDEVICE and QTVTELNET jobs start when the Telnet server starts after a
system IPL or reboot.
• The same number of QTVTELNET and QTVDEVICE jobs are started when the
Telnet server starts an SSL listener.
• QTVTELNET jobs are ended with the ENDTCPSVR *TELNET or ENDTCP
command.
• QTVDEVICE jobs are ended when the QSYSWRK subsystem is ended.
Sometimes understanding what goes on during SSL processing can help you figure
out where a problem might have occurred.
The Telnet server attempts to initialize SSL every time the server is started. During
initialization, the Telnet server checks the certificate information in the
QIBM_QTV_TELNET_SERVER application. You can tell the SSL initialization is
successful when more than one active QTVTELNET job appears in the job log. Of
course, if the CHGTELNA NBRSVR parameter is set to 1, you'll only see one active
QTVTELNET job.
The Telnet server does not initialize SSL when you have a restricted telnet-ssl port.
The Telnet server sends the TCP2550 message Access to port 992 is restricted to
the QTVTELNET job log and the QSYSOPR message queue. The topic
Restricting Telnet ports on page 8 describes how to add or remove port
restrictions.
When a certificate is incorrect or expired, initialization fails and the Telnet server
sends TCP2553 messages to the QTVTELNET job log.
If the SSL re-initialization fails, new and established SSL sessions will use the
original certificate that was initialized when the server started. The Telnet server
sends TCP2553 messages to the QTVTELNET job log. The next time you start the
Telnet server, SSL initialization fails with no active SSL listener.
An SSL handshake occurs when the Telnet SSL client connects to TCP port 992 and
attempts an SSL negotiation with the server. While the client is connecting to the
server, it displays status numbers or messages on the status bar of the open
window. If the SSL handshake fails, the Telnet session is not established. For
example, a sign-on screen doesn't appear in the Telnet SSL client window. Consult
the user guide or online help for your Telnet SSL client for information on specific
status numbers or messages. The Telnet server sends TCP2554 messages to the
QTVTELNET job log.
The SSL return code table shows the most common problems that can occur during
SSL initialization or SSL handshake.
• Occasionally, you may find return codes in the job log that do not appear in the
return code table. You have probably encountered a problem that doesn't
happen often. Check SSL return codes (Part 2) for suggestions to solve these
problems.
Return  Description                                   Action
Code
-2
-4      The CA certificate or system certificate      If you are using Client Access Express as
        is bad                                        your Telnet SSL client, see Adding CA
                                                      certificates to the Client Access Express
                                                      key database. Or, see Installing a CA
                                                      certificate on a PC for instructions.
-16
-18
-23     The system certificate is not signed by       Change the CA certificate to Trusted. For
        a trusted certificate authority               instructions, see Working with secure
                                                      applications.
-24
-93
For the SSL return codes in this table, use Digital Certificate Manager to verify that
the digital certificates meet these requirements:
• The CA certificate is valid and not expired.
• The Telnet server application QIBM_QTV_TELNET_SERVER has a value of Yes
in the Certificate Assigned column.
• The system certificate is being used within the timeframe stated on the
certificate.
Return Code                                                    Description
-1, -6, -10, -11, -12, -13, -14, -15, -17, -20, -21, -22,       An error occurred in SSL processing. In the
-25, -26, -90, -91, -92, -94, -95, -96, -97, -98, -99, -1010    job log, check the CPExxxx message where
                                                               xxxx is the errno value.
The most common Telnet SSL problems are listed here. Select a topic to read about
symptoms, causes, and solutions for each problem.
If you do not know the SSL return code you received, check the Telnet job log for
TCP255x messages.
• SSL is not available (return code -93)
• System certificate is not correct (return code -18 or -23)
• System certificate does not exist for the Telnet server (return code -2)
• System certificate did not match the name known to client (return code -16)
• System certificate has expired (return code -24)
• System certificate is not valid (return code -2 or -4)
• Server is not listening on the specified port
• Server did not respond in time
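As an added example (not from the original document), the following Python script applies the SSL return code table and the common-problems list above to sample QTVTELNET job log lines, so an operator can triage TCP255x messages without looking each code up by hand. The sample lines are constructed and their wording is invented; only the message IDs and return codes come from the text.

```python
import re

# Constructed sample QTVTELNET job log lines (the message wording is made up;
# the message IDs and return codes are those the troubleshooting text describes).
SAMPLE_JOBLOG = """\
TCP2550 Access to port 992 is restricted.
TCP2553 SSL initialization failed, return code -93.
TCP2553 SSL initialization failed, return code -2.
TCP2554 SSL handshake failed, return code -16.
TCP2553 SSL initialization failed, return code -24.
TCP2553 SSL initialization failed, return code -11.
CPF1234 Some unrelated message.
"""

# Diagnosis and action for the return codes in the table and the common-problems list.
RETURN_CODES = {
    -2: ("no system certificate is assigned to QIBM_QTV_TELNET_SERVER",
         "create a system certificate for the application in Digital Certificate Manager"),
    -4: ("system certificate is not valid (Private Key / Trusted fields)",
         "add the CA certificate to the Telnet SSL client key database"),
    -16: ("system certificate name did not match the name known to the client",
          "add the CA certificate information to the Telnet SSL client"),
    -18: ("system certificate is not correct",
          "change the CA certificate to Trusted in Digital Certificate Manager"),
    -23: ("system certificate is not signed by a trusted certificate authority",
          "change the CA certificate to Trusted in Digital Certificate Manager"),
    -24: ("system certificate has expired",
          "renew the CA certificate that was used to build the system certificate"),
    -93: ("SSL is not available, there is no active SSL listener",
          "check the Telnet SSL software requirements and system status"),
}
PHASE = {"TCP2553": "initialization", "TCP2554": "handshake"}

def classify(line):
    """Map a job log line to (msgid, return code, diagnosis, action); None if not TCP255x."""
    m = re.match(r"\s*(TCP255\d)\b", line)
    if not m:
        return None
    msgid = m.group(1)
    if msgid == "TCP2550":  # port restriction: SSL is never initialized
        return (msgid, None, "telnet-ssl port is restricted, SSL not initialized",
                "remove the port restriction on the Telnet SSL port (usually 992)")
    rc_match = re.search(r"-\d+", line)
    rc = int(rc_match.group()) if rc_match else None
    if rc in RETURN_CODES:
        diagnosis, action = RETURN_CODES[rc]
    else:  # rare code, listed only in SSL return codes (Part 2)
        diagnosis = "uncommon SSL error"
        action = "look the code up in SSL return codes (Part 2) and check the CPExxxx errno message"
    return (msgid, rc, f"SSL {PHASE.get(msgid, 'processing')} failed: {diagnosis}", action)

def triage(joblog):
    """Return one finding per TCP255x line, in job log order."""
    return [f for f in (classify(l) for l in joblog.splitlines()) if f]

if __name__ == "__main__":
    for msgid, rc, diagnosis, action in triage(SAMPLE_JOBLOG):
        print(f"{msgid} rc={rc}: {diagnosis} -> {action}")
```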
Telnet SSL clients cannot connect to host because there is no active SSL listener. A
TCP2553 message appears in the QTVTELNET job log with return code -93. Check
the software requirements and system status for Telnet SSL.
The Telnet server successfully initializes SSL, but the SSL handshake fails. There is
no sign-on panel in the SSL Telnet client window. A TCP2553 message appears in
the QTVTELNET job log with return code -2. The QIBM_QTV_TELNET_SERVER
application does not have an assigned system certificate.
View the system certificate and check that the value Yes shows in the Certificate
assigned column. If the value is No, you need to create a system certificate for the
QIBM_QTV_TELNET_SERVER application. See Working with system certificates
for instructions.
This problem is the most common problem when a Telnet SSL client first attempts
to establish an SSL session. There is no sign-on panel in the Telnet SSL client
window. A TCP2554 message appears in the QTVTELNET job log with return code
-16. You need to add Certificate Authority (CA) certificate information in your
Telnet SSL client. If you are using Client Access Express as your Telnet SSL client,
see Adding CA certificates to the Client Access Express key database. Otherwise,
see Installing a CA certificate on a PC for more information.
You are using an out-of-date certificate. There is no sign-on panel in the Telnet SSL
client window. A TCP2553 message appears in the QTVTELNET job log with
return code -24. You need to renew the CA certificate that was used to build the
system certificate. See Completing the Renew a Certificate Authority form for
instructions.
The system certificate is not private or trusted. The Private Key and Trusted fields
on the server certificate are not correct. There is no sign-on panel in the Telnet SSL
client window. A TCP2554 message appears in the QTVTELNET job log with
return code -4. You need to add Certificate Authority (CA) certificate information
in your Telnet SSL client. If you are using Client Access Express as your Telnet SSL
client, see Adding CA certificates to the Client Access Express key database.
Otherwise, see Installing a CA certificate on a PC for more information.
1. Check for an active SSL listener by using the NETSTAT *CNN command. You
may not have an SSL listener for these reasons:
   • There is a port restriction on the Telnet SSL port. You will see the TCP2550
   message in the QTVTELNET job log.
   • SSL did not initialize successfully. You will see the TCP2553 message in the
   QTVTELNET job log.
2. From the Telnet SSL client, check that the port and the host name are correct
for the Telnet SSL server. Telnet SSL is assigned to port 992 by default.
3. End and start the Telnet SSL server to get an active SSL listener.
Check that the network is operating correctly. For information in this area, see the
book.