Desktop to AS/400 encrypted communications

We currently have many users connecting to multiple AS/400 servers using TCP/IP. The servers' OS versions vary from V4R5 to V5R3. Several products are used to communicate through the network from the desktops to the different servers. We are looking for a solution that will encrypt the information being passed between the PC desktops and the AS/400 servers. Has anyone already done this successfully? What products were used? What were the costs for implementation?

Answer Wiki


There are many solutions. Could you give us a bit more to work with?
Where are the users? In the same building? Same campus? Dispersed using a private network? Dispersed using a public network?
Who are you trying to hide the information from? Other insiders? Outsiders?

Discuss This Question: 5  Replies

  • ShalomC
    You basically have 2 options. Either secure the communications link between the emulation clients and all of the AS400 servers, or create a secure gateway for all of the servers. The Client Access emulation software can run Telnet 5250 over SSL, and so can several other software emulations (Powerterm for example). The problem is that you will have to install a local CA on every AS400 that is to be secured, and setting up CA on AS400 is not my definition of a comfortable afternoon. The alternative is to set up a secure gateway, and as a side effect eliminate all client installations as well. Jadvantage is one such secure gateway. Without going into research, I think that almost any vendor that provides host integration (IBM, Microsoft, BOS, Ericom, Jacada and others) has an option for secure SSL communications.
  • Lovesopensystems
    One alternative is to use VPN (virtual private network technology). Products like IPsec from Nortel or VSClient from Infoexpress can be used over a company's internal network, or across a public network. We use it to support all employee communication when people are traveling and dialing in or attaching to a high-speed cable network or DSL line from an external network. We're also using it whenever a communicating node is attached to a wireless local area network, whether they are connected to our Intranet or the Internet, as an interim approach until 802.11 wireless security becomes more robust. These security mechanisms function at the IP layer and are transparent to the applications. See: for information about the AS/400 implementation. IPSec is an IETF standard. I'm afraid I don't have any information about the cost, but once you start looking for specific information on the technology, you should be able to pin that down.
  • Solutions1
    As noted by one of the respondents, you can implement SSL by installing certificates on your AS/400 machines (also, you can install client certificates on express clients). Doing so is probably the best option long term. In the literal sense of your question - full end-to-end encryption - server-based SSL is the best way even if installing and updating the certificates is an annoying exercise. Putting in intermediate servers creates an added layer of cost and complexity. Note that having SSL on your AS/400's also simplifies the security setup for publishing web services natively on the AS/400.
  • Neverham
    We have several 400 Servers in multiple locations on our WAN. We already have both a firewall and VPN setup for access external to our network. iSeries access is only one of the emulation software packages in use; I know of at least two others, Reflections and e-vantage.
  • Solutions1
    As I think the above responses (including yours) indicate, you have ample options for securing your traffic into your AS/400 environment. In picking among them (and others not mentioned), I suggest you keep in mind three architectural principles: 1) given that roughly 70% of the typical company's security risk is internal and 30% external (with the proportions varying based on type of risk - e.g., risk of vandalism is probably much more external, risk of peeking at personnel records regarding succession planning is probably more internal), originating node to end user level security is important. In your case, the AS/400's seem to be your bedrock "nodes." 2) thin client versus fat client (or at least fatter client) is a key consideration. I tend to favor the very thin side of the spectrum, and "pure" SSL is about as thin as you can get while still attaining end-to-end encryption. Consumer "home banking" and self-service securities trading are secured based on SSL (and not much else), and address major security concerns regarding money. Indeed, the reason "phishing" is becoming commonplace is because SSL works well enough to divert prospective intruders to an automated form of "social engineering." 3) thin middleware versus fat middleware is a related consideration, and again I tend to the thin school of thought. The more you add intermediate servers, complex middleware, etc. the more you run up against cost and manageability problems. There may be very good reasons for implementing complex middleware, but in my view the going-in assumption would be that simple is better and then escalate only if gaps become apparent. Obviously, you know your own circumstances, objectives and constraints better than any outsider, so my opinions are just my opinions.
