On 22/12/2023 at 21:22, a4g atl wrote:
Thank you, Mark.
I have connected using SSH on connections like Code for i in VSC. However,
I don't understand how that would work for the remote person. How would
they connect from the Linux server or client?

I need to find some documents on how this is done.

Basically, the tunnel creates an ssh-based encrypted channel. The entry of the tunnel is on the client side, and the exit on the server side. On the client side you override the final TCP port number with the one associated with the tunnel entry, so that the traffic enters the encrypted tunnel. And you address the final TCP port on the server side when you start the tunnel. Basically there is nothing to configure on the server side; most of the setup is done on the client side.

Here is an example to set up the tunnel from Linux to IBM i. Prerequisite on the server side: the ssh server must be started.

https://linuxhint.com/setup-ssh-tunneling-linux/

Let's assume that you use 5000 as the local (on Linux) port. You can use any one you want which is not in use on the Linux device.

For DRDA access (listening on port 446), the Linux command to initiate the tunnel would be something like this:
ssh -L 5000:yourIBMi:446 IBMiUser@yourIBMi
TCP port 5000 and localhost must be set in the DRDA source definition in place of 446 and yourIBMi.

For the iACS Linux ODBC driver (database server listening on 8471), the Linux command to initiate the tunnel would be something like this:
ssh -L 5000:yourIBMi:8471 IBMiUser@yourIBMi
TCP port 5000 and localhost must be set in the ODBC source definition in place of 8471 and yourIBMi.

It might also be necessary (I am not sure of that) to create a tunnel for the signon server (listening on 8476) and for the server mapper (listening on 449), *at the same time*, so three tunnels, something like this:
ssh -L 5001:yourIBMi:8476 IBMiUser@yourIBMi
ssh -L 5002:yourIBMi:449 IBMiUser@yourIBMi

(for a full list of ports, check here: https://www.ibm.com/docs/en/i/7.5?topic=numbers-port-host-servers-server-mapper)

(example of a full set of ssh tunnels that you can create on Windows for all iACS services: https://www.ibm.com/support/pages/ssh-tunnel-configuration-use-ibm-i-access-client-solutions)

For ease of use, you can even set up password-less login using SSH keys.

Note that if you have to open some traffic in the firewalls, you only need ssh (TCP port 22 by default) from the Linux IP to the IBM i IP.

Thank you. Darryl.


On Fri, Dec 22, 2023 at 2:53 PM Marc Rauzier <marc.rauzier@xxxxxxxxx> wrote:

On 22/12/2023 at 20:10, a4g atl wrote:
The connection needs to be secure and use the DRDA and host servers only.
Be careful, DRDA and host servers (host servers database server
component for SQL access) are distinct animals.

To use DRDA, you will have to install some DB2 Connect-like tool, which
connects to the DDM/DRDA service on the IBM i (check out the CHGDDMTCPA
command). xODBC (i.e. jdbc/odbc) does indeed use the database server.
Both support SSL (TLS today) encryption. I guess (I did not check it)
that DB2 Connect supports TLS, but it looks like the ODBC driver provided
through the iACS Linux package does not provide such a feature.

Basically, the external parties will use SQL to pull data from out files.
Yes, you can still use DRDA or ODBC through an ssh tunnel, set up
between the Linux system and the target IBM i, which will be encrypted
(and therefore with an acceptable security level).
The external operating system is Linux.

Darryl.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.
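The three separate ssh commands above can be collapsed into one session carrying every forward the client needs. The script below is an added example, not code from the thread or from IBM: it builds that single ssh command line, binds each tunnel entry to 127.0.0.1 so nothing off the Linux box can reach it, fails loudly if a local port is already taken, and validates the port mappings. IBMiUser, yourIBMi and the local ports 5000-5003 are placeholders; the remote side of each forward is 127.0.0.1 as seen by sshd on the IBM i, which assumes the DRDA and host server listeners accept connections on the IBM i's own loopback (pass the public host name instead if they are bound only to it).

```shell
#!/bin/sh
# Added example: generate one ssh command that opens all the local forwards
# an IBM i client needs. Defaults shown are the IBM i service ports
# (446 DRDA, 8471 database host server, 8476 signon, 449 server mapper).
# IBMiUser, yourIBMi and the local ports are placeholders.

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: ibmi_tunnel_cmd USER HOST LOCAL:REMOTE [LOCAL:REMOTE ...]
# Prints the ssh command line; returns 1 on a malformed mapping.
ibmi_tunnel_cmd() {
    user=$1; host=$2; shift 2
    [ $# -ge 1 ] || { echo "no LOCAL:REMOTE mappings given" >&2; return 1; }
    # -N: forwarding only, no remote shell.
    # ExitOnForwardFailure: abort if a local port is already in use instead
    # of silently running with one tunnel missing.
    # ServerAliveInterval: notice a dead session so it can be restarted.
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    for map in "$@"; do
        lport=${map%%:*}; rport=${map##*:}
        # Require exactly one colon and two valid ports.
        if [ "$lport" = "$map" ] || [ "${map#*:}" != "$rport" ] \
           || ! valid_port "$lport" || ! valid_port "$rport"; then
            echo "bad mapping '$map' (want LOCAL:REMOTE)" >&2
            return 1
        fi
        # Explicit 127.0.0.1 bind on the Linux side: the tunnel entry is
        # unreachable from other hosts even if GatewayPorts is set in
        # ssh_config. Remote target 127.0.0.1 is the IBM i's own loopback,
        # resolved by sshd there (assumes the listeners accept it).
        cmd="$cmd -L 127.0.0.1:$lport:127.0.0.1:$rport"
    done
    printf '%s\n' "$cmd $user@$host"
}

# Demo: DRDA, database host server, signon and server mapper in one session.
ibmi_tunnel_cmd IBMiUser yourIBMi 5000:446 5001:8471 5002:8476 5003:449
```

Run the printed command in a terminal (or under a process supervisor) and point the DRDA or ODBC data source at 127.0.0.1 and the matching local port; with ExitOnForwardFailure set, a port collision on the Linux side shows up as an immediate ssh exit rather than as an application that connects to the wrong thing.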