Connect securely to insecure IBM i services


Occasionally you may need to connect to a service on IBM i that is not encrypted, either temporarily or permanently.

Networking best practices require encryption even on internal networks to protect sensitive information from being seen (“sniffed”) by an unknown party, and you should never log in over an unencrypted connection, since your user profile and password would be passed over the network in clear text.

So how can you connect securely to an un-encrypted service?

SSH to the rescue

One service that is always encrypted is Secure Shell (SSH). SSH is becoming increasingly important in the IT landscape of today and can be used for

  • secure file transfers (SCP/SFTP)
  • secure remote access by system administrators

SSH uses cryptography for authentication and connection, and all transmissions are encrypted. You’ll find SSH on every platform, both SSH server and SSH client - even Windows now has SSH as an optional install. And the best part? SSH is free and open source!

The most popular open source software for SSH is OpenSSH, which has been ported by IBM and is included in the free licensed program 5733-SC1 for IBM i. It contains both server and client functionality. Because of the rise in requirements for secure communications and use of SSH, you will often find OpenSSH installed on an IBM i system. Even developers benefit from SSH, as this is the protocol used to connect Code for IBM i to the IBM i server.

One feature of SSH is the so-called port forwarding where SSH connects a port on the local system (SSH client) to a port on the remote system (SSH server). All traffic to the local port is transferred to the remote port, and we can use this feature to connect securely to an un-encrypted service on IBM i.

Port forwarding

SSH does not forward any ports by default, and you need to enable port forwarding at connection time. This can be done by adding some parameters to the SSH command, either in a command line or in a graphical SSH client, e.g. PuTTY.

In the command line, you add the parameter -L and specify the local and remote port:

ssh -L local_port:destination_host:destination_port username@ssh_server

If you want to forward more than one port, you add another -L parameter:

ssh -L local_port_1:destination_host:destination_port_1 -L local_port_2:destination_host:destination_port_2 username@ssh_server

In PuTTY, you add port forwarding in the Connection -> SSH -> Tunnels menu.

Example: DCM and web server administration

Let’s say you want to start using TLS for your connections to the IBM i host servers and web servers, and you will use your IBM i to create the TLS certificates. For this you will have to connect to the Digital Certificate Manager (DCM) and the HTTP administration services on your server - but none of these have a certificate yet, and your (administrator) password would be transmitted across the network in clear text… a catch-22 situation, because these services are the ones used for generating and applying the TLS certificates!

However, by connecting to the SSH server on your IBM i with ports forwarded, you can connect to these un-encrypted services through an encrypted tunnel, and your password will be transmitted safely across the network.

DCM uses port 2006 and HTTP administration uses port 2001 for un-encrypted connections, so the SSH command would look like this:

ssh -L 2006:<my_ibmi>:2006 -L 2001:<my_ibmi>:2001 <my_user>@<my_ibmi>

In the example above, <my_ibmi> should be replaced by the hostname or IP address of your IBM i server and <my_user> with the name of your IBM i user profile.

Once you have logged in to your SSH session on the IBM i server, you can connect to DCM using the following URL in your browser: http://localhost:2006/dcm. This will take you to the login page in DCM. Likewise, the URL http://localhost:2001/HTTPAdmin will take you to the HTTP Administration page, prompting a basic web login. Your connections to the two services now go through the secure SSH tunnel, encrypted by SSH instead of being transmitted in clear text, and your passwords are now safe and can’t be seen by anyone.

Note that the local and remote ports do not have to be the same; you can use any port from 1024 and above for the local port (the ports below 1024 are reserved and can only be used by an administrator).
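As an added example (not from the original post), the following shell script wraps the DCM and HTTP administration tunnel described above: it rejects local ports below 1024, starts ssh in the background with ExitOnForwardFailure so that a local port that cannot be bound aborts the tunnel instead of silently leaving it half-working, and waits until each local port answers before printing the URLs. The host and user are passed as script arguments; the use of nc for the port check is an assumption.

```shell
#!/bin/sh
# Added example: a wrapper around "ssh -L" for the DCM (2006) and
# HTTP administration (2001) tunnel. Host and user come from the
# command line, so nothing connects anywhere unless you run it with them.

# A local port must be numeric and 1024-65535 (below 1024 needs root).
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the -L arguments for a list of "local:remote" port pairs.
# Prints the argument string, or returns 1 if any local port is invalid.
forward_args() {
    host="$1"; shift
    args=""
    for pair in "$@"; do
        local_port="${pair%%:*}"
        remote_port="${pair##*:}"
        valid_local_port "$local_port" || return 1
        args="$args -L ${local_port}:${host}:${remote_port}"
    done
    printf '%s' "${args# }"
}

# Wait up to N seconds for the local port to accept a TCP connection
# (assumes nc is installed; replace with your preferred port probe).
wait_for_port() {
    port="$1"; tries="${2:-10}"
    while [ "$tries" -gt 0 ]; do
        nc -z 127.0.0.1 "$port" 2>/dev/null && return 0
        sleep 1; tries=$((tries - 1))
    done
    return 1
}

# Start the tunnel: -N runs no remote command, -f backgrounds ssh after
# authentication, ExitOnForwardFailure makes a failed bind fatal.
start_tunnel() {
    host="$1"; user="$2"; shift 2
    fwd=$(forward_args "$host" "$@") || { echo "invalid local port" >&2; return 1; }
    # word-splitting of $fwd into separate -L arguments is intended
    ssh -f -N -o ExitOnForwardFailure=yes $fwd "${user}@${host}" || return 1
    for pair in "$@"; do wait_for_port "${pair%%:*}" || return 1; done
}

if [ "$#" -ge 2 ]; then
    start_tunnel "$1" "$2" 2006:2006 2001:2001 &&
        echo "DCM: http://localhost:2006/dcm  HTTPAdmin: http://localhost:2001/HTTPAdmin"
fi
```

Without a bind address, OpenSSH binds the local end of a -L forward to the loopback interface only, so other machines on your network cannot reach the tunnelled DCM or HTTPAdmin ports through your workstation.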

SSH - an invaluable tool

SSH is an extremely useful tool - not just for system administrators, but also for developers and users with special security requirements. I use it on a daily basis in many different situations, and can only recommend that my fellow IBM i administrators start using this great tool.

Port forwarding is only one of many functions in SSH; it can do much more than forward ports. In the future I will post more articles about SSH, so stay tuned.

Author: Christian Jorgensen