How to connect to SSL-POP3 servers
This document describes what must be done to enable an IBM i box to act as a client of SSL-POP3 servers.
(Also check out this page, which describes all the steps taken by an IBM i user who succeeded in connecting to a MS Exchange POP3 server via SSL.)

1. Prerequisites
- To create the needed DCM (Digital Certificate Manager) environment on your IBM i:
  - Product 5761DG1 option *BASE (IBM HTTP Server for i5/OS)
  - Product 5761SS1 option 34 (Digital Certificate Manager, DCM)
- To test SSL-POP3 client connections (optional):
  - Product 5761SS1 option 30 (Qshell)
  - Product 5733SC1 option 1 (OpenSSH, OpenSSL, zlib)

2. Creating the needed DCM (Digital Certificate Manager) environment on your IBM i
The following describes how to create the *SYSTEM "Certificate Store" that your IBM i needs in order to connect, as a client, to any SSL-POP3 server.
- On your IBM i, start the HTTP instance *ADMIN.
- Connect your web browser to your IBM i IP address on port 2001
and log in with a *SECOFR-class user profile to enter "IBM Web Administration for i".
- Select Digital Certificate Manager
- Press the link Create New Certificate Store
- Select the radio button *SYSTEM and press the Continue button
- Select the radio button NO - Do not create a certificate in the certificate store and press the Continue button
- Enter a certificate store password of your choice, confirm it and press the Continue button.
The following screen appears:
- In the left frame press the button Select a Certificate Store
- Select the radio button *SYSTEM and press the Continue button
- Type your password and press the Continue button.
The following screen appears:
- In the left frame expand the item Manage Certificates, then press the link Validate certificate.
- Select the radio button Certificate Authority (CA) and press the Continue button.
The following screen appears:
- Press the Validate button. You will receive a confirmation screen and you are then done.

3. Some tips
- How to provide *PUBLIC access to the "*SYSTEM Certificate Store"
DCM-generated objects cannot be accessed by *PUBLIC user profiles (only QSYS and *SECOFR-class user profiles are allowed).
That causes difficulties when SSL is used from a user profile (example: QTMHHTTP) that is not allowed to access those objects.
In such cases you may receive an error with code 107 and message text "Access to the key database is not allowed".
This is why, when you are finished with DCM, you had better run the following commands:
- CHGAUT OBJ('/QIBM') USER(*PUBLIC) DTAAUT(*RX)
- CHGAUT OBJ('/QIBM/UserData') USER(*PUBLIC) DTAAUT(*RX)
- CHGAUT OBJ('/QIBM/UserData/ICSS') USER(*PUBLIC) DTAAUT(*RX)
- CHGAUT OBJ('/QIBM/UserData/ICSS/Cert') USER(*PUBLIC) DTAAUT(*RX)
- CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server') USER(*PUBLIC) DTAAUT(*RX)
- CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/*') USER(*PUBLIC) DTAAUT(*RX)
Be aware that the last command makes the key database files of the *SYSTEM store readable by every profile on the system; if only one profile (such as QTMHHTTP) needs access, granting that profile DTAAUT(*RX) instead of *PUBLIC is the narrower choice.
- GSKit APIs
Usually, IBM i programs that open an SSL connection do so through the so-called GSKit APIs;
see this IBM i Information Center page.
The meaning of the error codes returned by the GSKit APIs can also be found in a QSYSINC source file (run command STRSEU SRCFILE(QSYSINC/H) SRCMBR(GSKSSL)).
- Error message "The validity time period of the certificate has expired" (error code 107)
If you are running a program that uses the GSKit APIs (example: program POP3READ/POP3RSSL) and you receive the above error message
in spite of any tentative re-definitions through DCM, be aware that the error may be caused by connecting, by mistake, to the wrong server.

4. Manually testing connections to SSL-POP3 servers
In order to test the ability of your IBM i to connect to an SSL-POP3 server (like GMail) you must:
- have installed the required prerequisites (HTTP Server, Digital Certificate Manager (DCM), Qshell and the OpenSSH/OpenSSL feature)
- have generated through DCM a "*SYSTEM certificate store", as described in section 2 above.
You must also know the DNS name (or the IP address) of the SSL-POP3 server that you want to connect to. The following example
illustrates the case where you would like to connect to the GMail SSL-POP3 server serving your GMail account
(user name kibel@gmail.com, password 123sesami), which Google serves to you in Italian.
- If your IBM i is located in Italy, then the GMail SSL-POP3 server DNS name is
pop.gmail.com.
If your IBM i is located in another country, then the GMail SSL-POP3 server DNS name is
pop.gmail.it (you must connect to the Italian-language GMail SSL-POP3 server).
We shall assume that its name is pop.gmail.com.
- Log on to your IBM i via Telnet and enter the command QSH to start the QShell command entry.
- You may then have the following dialog:
$
> openssl s_client -connect pop.gmail.com:995 -quiet
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
+OK Gpop ready for requests from 80.16.163.20 z54pf31027476eeu.19
> USER kibel@gmail.com
+OK send PASS
> PASS 123sesami
+OK Welcome.
read:errno=0
$
If your username and password are correct but they are not accepted, you are connecting to the wrong SSL-POP3 server.
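The "verify error:num=20" line in the dialog above means openssl could not validate the server's certificate chain, yet the session goes on to send the password anyway. The following shell script is an added example, not from the original page, that repeats the test with a CA bundle so the chain is checked first and nothing but QUIT is sent; the CA bundle path and the presence of openssl in QShell are assumptions.

```shell
# Added example (not from the original page). Wraps the page's manual
# "openssl s_client" test so that the server certificate chain is verified
# against a PEM CA bundle before anything else happens; the page's -quiet
# session shows "verify error:num=20" and still sends the password.
# Assumptions: openssl is available in QShell (product 5733SC1) and the
# caller supplies the CA bundle path; no credentials are ever sent.

# pop3s_transcript_ok TRANSCRIPT
# Returns 0 only when an s_client transcript shows no "verify error" line,
# a verified chain ("Verify return code: 0 (ok)") and a POP3 "+OK" greeting.
pop3s_transcript_ok() {
    _t="$1"
    # any verify error means one link of the chain failed validation
    if printf '%s\n' "$_t" | grep -q '^verify error:'; then
        return 1
    fi
    # the final verdict line printed by s_client after the handshake
    printf '%s\n' "$_t" | grep -q '^ *Verify return code: 0 (ok)' || return 1
    # the server must greet us as a POP3 server, not with -ERR or silence
    printf '%s\n' "$_t" | grep -q '^+OK' || return 1
    return 0
}

# pop3s_check HOST PORT CAFILE
# Connects, sends only QUIT, captures the transcript and judges it.
pop3s_check() {
    _host="$1"; _port="$2"; _cafile="$3"
    _out=$(printf 'QUIT\r\n' | openssl s_client -connect "$_host:$_port" \
             -CAfile "$_cafile" 2>&1) || true
    if pop3s_transcript_ok "$_out"; then
        echo "OK: $_host:$_port presented a chain trusted by $_cafile"
        return 0
    fi
    echo "FAIL: untrusted chain or no +OK greeting from $_host:$_port" >&2
    # show only the lines that explain the verdict
    printf '%s\n' "$_out" \
        | grep -E '^ *(verify error|Verify return code|\+OK|-ERR)' >&2 || true
    return 1
}

# Example call (needs network access and a real CA bundle; path is a placeholder):
# pop3s_check pop.gmail.com 995 /path/to/ca-bundle.pem
```

Only after pop3s_check reports OK does it make sense to repeat the page's interactive USER/PASS dialog against that host.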