If SSL cannot be used, you can instead secure the communications channel between the Metadirectory engine and the driver shim on the connected system with an SSH tunnel.
Ensure that the SSHD server is running on your IBM i box. To start the server, run the following command:
STRTCPSVR SERVER(*SSHD)
You must enable the server to automatically start with TCP/IP. For more information, see How to setup the IBM i SSH daemon to autostart with TCP/IP.
Log in to your Identity Vault server as the user you will use for SSH authentication. Enable key-based authentication so that you do not have to provide a password each time the SSH client is started. To enable key-based authentication, perform the following steps for your operating system:
On Windows:
Start a Command Prompt
Both on Windows and Linux:
Run the following command: ssh-keygen
Press Enter to accept the defaults and do not specify a passphrase. If you are asked whether to overwrite an existing key, select no.
Open id_rsa.pub and copy its contents to your i box. On Linux, this file is located at ~/.ssh/id_rsa.pub. On Windows, it is located at %HOMEPATH%\.ssh\id_rsa.pub.
Log in to your i box as the user you will use for ssh.
Run QSH
From QSH, run the following command: mkdir ~/.ssh
Next, run the following command from QSH: chmod 700 ~
Next, run the following command from QSH: chmod 600 ~/.ssh
Place the contents of id_rsa.pub file identified above into ~/.ssh/authorized_keys. You may need to create this file.
From QSH, run the following command: chmod 600 ~/.ssh/authorized_keys
Start the ssh client on your Identity Vault server to tunnel the connection to your i box, using the command below for your operating system. By default, the port is 8090.
On Linux:
ssh -fN -i ~/.ssh/id_rsa -L <port>:localhost:<port> <ssh-user>@<ibm-i-host>
On Windows:
You may need to install the OpenSSH client. For more information, see Installation of OpenSSH for Windows Server 2019 and Windows 10.
ssh -i %HOMEPATH%\.ssh\id_rsa -L <port>:localhost:<port> <ssh-user>@<ibm-i-host>
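The steps above are typed by hand, and the two places where they most often go wrong are the -L forward specification and the file modes, which sshd (StrictModes) and the ssh client silently or loudly refuse. The following POSIX shell helper is an added example, not code from the NetIQ or IBM documentation: it builds the ssh command line with the forward in the <port>:localhost:<port> form used above, checks a .ssh directory against the modes the page specifies, and reports whether the local tunnel port is bound after ssh has started. The options ExitOnForwardFailure=yes and IdentitiesOnly=yes, the sample user idmuser and the host ibmi.example.test are my assumptions. The permission check accepts both 600 (as on the page) and 700 on the .ssh directory, since neither grants anything to group or others; it prints a warning when the owner search bit is missing because, on a POSIX filesystem, a non-privileged owner cannot open files inside such a directory.

```shell
#!/bin/sh
# Helper for the SSH-tunnel procedure: builds the ssh command line, checks
# key/directory permissions, and reports whether the tunnel port is bound.
# Added example (not from the NetIQ/IBM documentation); the host and user
# names and the ExitOnForwardFailure/IdentitiesOnly options are assumptions.

# Validate a TCP port and print the -L forward spec in the form the page
# uses: local <port> on the Identity Vault host -> localhost:<port> on IBM i.
forward_spec() {
  port=$1
  case $port in
    ''|*[!0-9]*) echo "forward_spec: bad port '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "forward_spec: port out of range '$port'" >&2; return 1
  fi
  printf '%s:localhost:%s\n' "$port" "$port"
}

# Print the ssh invocation that starts the tunnel in the background
# (-fN: no remote command, go to background once the forward is up).
# ExitOnForwardFailure makes ssh exit instead of backgrounding a tunnel
# whose local port could not be bound; IdentitiesOnly offers only this key.
build_tunnel_cmd() {
  port=$1; user=$2; host=$3; key=${4:-"$HOME/.ssh/id_rsa"}
  spec=$(forward_spec "$port") || return 1
  printf 'ssh -fN -o ExitOnForwardFailure=yes -o IdentitiesOnly=yes -i %s -L %s %s@%s\n' \
    "$key" "$spec" "$user" "$host"
}

# Low three octal digits of a path's mode; tries GNU stat, then BSD stat.
mode_of() {
  m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1" 2>/dev/null) || return 1
  printf '%s\n' "${m#${m%???}}"
}

# Check a .ssh directory the way sshd's StrictModes and the ssh client do:
# home not group/world-writable (page: chmod 700 ~), .ssh not accessible to
# group/others (page: chmod 600 ~/.ssh; 700 also passes), and any
# authorized_keys or id_rsa present set to 600. Returns 0 when all hold.
check_ssh_dir() {
  dir=$1; rc=0
  home=$(dirname "$dir")
  m=$(mode_of "$home") || { echo "cannot stat $home"; return 1; }
  if [ $(( 0$m & 022 )) -ne 0 ]; then
    echo "$home is group/world-writable (mode $m)"; rc=1
  fi
  m=$(mode_of "$dir") || { echo "cannot stat $dir"; return 1; }
  if [ $(( 0$m & 077 )) -ne 0 ]; then
    echo "$dir is accessible to group/others (mode $m)"; rc=1
  fi
  if [ $(( 0$m & 0100 )) -eq 0 ]; then
    echo "warning: $dir has no owner search bit; a non-privileged owner cannot open files in it"
  fi
  for f in authorized_keys id_rsa; do
    [ -e "$dir/$f" ] || continue
    m=$(mode_of "$dir/$f") || { echo "cannot stat $dir/$f"; return 1; }
    if [ "$m" != 600 ]; then
      echo "$dir/$f should be mode 600, is $m"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "$dir: permissions OK"
  return "$rc"
}

# After ssh has started: is anything on this host listening on the local
# tunnel port? 0 = yes, 1 = no, 2 = neither ss nor netstat is available.
tunnel_listening() {
  port=$1
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | grep -q "[:.]$port[[:space:]]" && return 0 || return 1
  elif command -v netstat >/dev/null 2>&1; then
    netstat -an 2>/dev/null | grep -q "[:.]$port[[:space:]].*LISTEN" && return 0 || return 1
  fi
  return 2
}

# Constructed demo: the command for the page's default port, then a
# temporary home/.ssh laid out with the required modes, then one mistake.
demo() {
  build_tunnel_cmd 8090 idmuser ibmi.example.test
  t=$(mktemp -d) || return 1
  mkdir -p "$t/home/.ssh" && chmod 700 "$t/home" "$t/home/.ssh"
  : > "$t/home/.ssh/authorized_keys" && chmod 600 "$t/home/.ssh/authorized_keys"
  check_ssh_dir "$t/home/.ssh"
  chmod 644 "$t/home/.ssh/authorized_keys"      # now readable by everyone
  check_ssh_dir "$t/home/.ssh" || echo "(that failure is expected)"
  rm -rf "$t"
}

case ${1:-} in demo) demo ;; esac
```

Run it as "sh tunnel_check.sh demo" to see the generated command and both check outcomes; in day-to-day use, source the file and call check_ssh_dir on the real ~/.ssh before starting ssh, then tunnel_listening on the port before pointing the driver at localhost.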
On your IBM i box, perform the following steps to modify the I5OSDRV configuration file:
Run the following command: GO I5OSDRV/I5OSDRV
Choose option 3 to modify the configuration file
Remove ca=/usr/local/i5osdrv/keys/ca.pem from the -connection line.
Choose option 2 to stop I5OSDRV driver shim, then option 1 to start it back up.
In iManager, perform the following steps:
Go to the configuration for your i5/OS driver and remove kmo="SSL CertificateDNS" from the remote loader connection parameters.
Change the hostname to localhost.
Restart the driver and the connection to your IBM i box should succeed over the SSH tunnel.