Configuring InterSystems IRIS Telnet to Use TLS
InterSystems IRIS® data platform offers several options for using TLS-protected Telnet connections:
Configure the InterSystems IRIS Telnet Server to use TLS
You can configure InterSystems IRIS to accept TLS-protected connections from Telnet clients. To do this, configure the InterSystems IRIS Telnet server to use TLS:
If there is not already a %SuperServer TLS configuration associated with the InterSystems IRIS server, create one as described in Create or Edit a TLS Configuration.
From the Management Portal home page, go to the SSL/TLS Configurations page (System Administration > Security > SSL/TLS Configurations).
On the SSL/TLS Configurations page, select Create New Configuration, which displays the New SSL/TLS Configuration page.
On the New SSL/TLS Configuration page, create a TLS configuration with a configuration name of %TELNET/SSL.
Enable the Telnet service, %Service_Telnet:
On the Services page (System Administration > Security > Services), click %Service_Telnet to display the Edit Service page for the Telnet service.
On the Edit Service page, check Service Enabled if it is not already checked.
To require TLS connections, add the following line to the SYSTEM tag of the ^%ZSTART routine:
set sc = $SYSTEM.Security.Users.SetTelnetSSLSetting(2)
For more information about ^%ZSTART, see Customizing Start and Stop Behavior with ^%ZSTART and ^%ZSTOP Routines.
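The following added example (not InterSystems' own code) shows where that line sits in a ^%ZSTART routine and checks its result, so that a failure to enforce TLS is recorded in messages.log instead of passing unnoticed. It assumes that sc is a %Status value; the log message text and the empty stub entry points are illustrative.

```objectscript
%ZSTART ; Site startup routine; must be saved in the %SYS namespace
    ; Not meant to be invoked directly
    quit
SYSTEM ; Called once when the instance starts
    new sc,msg
    try {
        ; Line from the documentation above: the value 2 requires TLS for Telnet
        set sc = $SYSTEM.Security.Users.SetTelnetSSLSetting(2)
        ; Assumption: sc is a %Status value
        if $SYSTEM.Status.IsError(sc) {
            set msg = "%ZSTART: could not require TLS for Telnet: "
            set msg = msg_$SYSTEM.Status.GetErrorText(sc)
            ; Severity 2 marks the entry as a severe error in messages.log
            do ##class(%SYS.System).WriteToConsoleLog(msg, 0, 2)
        }
    } catch ex {
        ; A startup hook must not abort instance startup; log and continue
        set msg = "%ZSTART: unexpected error: "_ex.DisplayString()
        do ##class(%SYS.System).WriteToConsoleLog(msg, 0, 2)
    }
    quit
LOGIN ; Stub entry point, left empty in this example
    quit
JOB ; Stub entry point, left empty in this example
    quit
CALLIN ; Stub entry point, left empty in this example
    quit
```

After a restart, an absence of the error entry in messages.log together with a refused non-TLS Telnet connection confirms that the setting took effect.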
Configuring Telnet Clients to Use TLS
InterSystems IRIS accepts TLS connections from both the InterSystems Telnet client and third-party Telnet clients.
Configure the InterSystems Telnet Client to Use TLS
You can configure the InterSystems Telnet client to use a TLS connection. The process involves several steps:
On the instance that is the Telnet server, configure it according to the instructions in the previous section, which includes the option of requiring TLS.
On the instance that is the Telnet client, configure the settings file according to the instructions in “Connecting from a Windows Client Using a Settings File.”
Configure Third-Party Telnet Clients to Use TLS
You can configure third-party Telnet clients to connect to an InterSystems Telnet server. The required or recommended configuration actions depend on the software in use and the selected cipher suites. The following guidelines apply:
If the Telnet client requires server authentication, then the server must provide a certificate and the client must have access to the server’s certificate chain.
If the InterSystems IRIS Telnet server requires client authentication, then the client must provide a certificate and the server must have access to the client’s certificate chain.
If the InterSystems IRIS Telnet server requests client authentication, then the client has the option of providing a certificate and a certificate chain to its certificate authority (CA). If the client does not provide a certificate, then authentication succeeds; if it provides an invalid certificate or certificate chain, then authentication fails.
For information on how certificates and certificate chains are used for authentication, see Establishing the Required Certificate Chain.