How to establish that you are using SSL in your V12 Client/Server connection
|Date:||12 August 2010|
|Abstract:||After enabling SSL for Client/Server connections, how do you establish that you are indeed using SSL for your connections?|
|Submitted By:||LANSA Technical Support|
LANSA V12 What's New contains the following item
OpenSSL Encryption to IBM i for Client/Server communications is now available as a server-side option for secure encryption of network communications.
To establish a SSL connection between LANSA on IBM i and a Windows server using SuperServer connection, you need to do the following:
- Change the Cryptographic algorithm from *NONE to SSL on the "Add Communications Listener Record" screen
- Restart the listener on IBM i
But how do you establish that you are indeed using SSL in your client/server connection?
The following useful information will assist to test and ensure that you are using an SSL connection.
The first thing to keep in mind is that SSL is only supported in V12. So, one possible test to ensure that the SuperServer connection is using SSL is as follows:
- Stop the LANSA V12 listener
- Set the socket type to be SSL for the listener record
- Set on listener record tracing (on the same screen)
- Start the listener
- Use the Execute a form shortcut in the VL V12 folder to execute VL_DEM20 in local mode and then use the Connect menu option to connect to the V12 host
- Assuming this connection is established successfully and the department/section etc. records are returned to the list from the IBM i server, close the form
- Use WRKLNK to go to the /LANSA_V12pgmlib/tmp folder and open the lroute.trc
- Search (F16) for SSL and you should see that this socket type is being used for the connection e.g. you should see the following messages in the lroute.trc:
Encryption Algorithm selection SSL
SSL ready to use
Encryption Algorithm Agreed SSL
Test 2 (requires a V11 SP5 installation):
- Use the Execute a form shortcut in a VL V11 SP5 folder to execute VL_DEM20 in local mode and then use the Connect menu option to connect to the V12 host
- This connection should fail with a return code 6 (security not valid). The TP joblog will contain this message.
Message . . . . : Cryptographic algorithm ëë< not supported.
Cause . . . . . : Host selected cryptographic algorithm is ëë<. This
algorithm is not supported by the client. Recovery . . . : Upgrade the
client to the same version as the host or select a cryptographic algorithm
supported by the client and restart the listener.
Both of these tests will confirm that you are making an SSL socket type connection.
Please note that SSL does carry a processing overhead and may reduce transfer speeds.