Legacy Client Access and Trouble with Secured Connections

Nathan Williams, iTech Solutions

IBM i Access for Windows/Mac/Linux (a.k.a. “old Client Access”) has been around for a long time. It’s familiar, stable, and probably already installed on most of your end-user PCs. This massive installed base makes it difficult to fathom switching to IBM i Access Client Solutions, especially when the older software continues to work for the vast majority of users. Unfortunately, that may not be the case forever.

Many of our customers have made the move in recent years to secure the communication channels into and out of their systems, including IBM i. In most cases, this means encrypting all client connections using SSL/TLS. All flavors of IBM i Access support encrypted connections, so implementing security for 5250, file transfer, ODBC, and pretty much anything else is relatively straightforward. Most of these projects are driven by compliance concerns (PCI-DSS, HIPAA, etc.), but encrypting your client sessions vastly increases system security even when there is no policy reason to do so. For example, did you know that an unencrypted 5250 session is plain Telnet, and sends the user’s credentials down the wire in clear text along with everything else on the screen?

Regardless of the reason for implementation, the result is many environments where SSL/TLS versions and their encryption standards are now a concern not just for web pages but also for standard user access to things like the Green Screen. Of course, technology marches onward and IBM is continually updating the IBM i Operating System to include new, stronger encryption standards and deactivating older standards as they are proven to be insecure. This is a Good Thing, but there is a catch with old Client Access.

As an out-of-support product, legacy Client Access is not being updated to support newer security technologies and is quickly falling behind in the security arms race. Recent PTFs have altered the default list of TLS protocol versions and cipher suites for v7.3 and v7.4, and this can create a gap between what the operating system will allow as “secure” and what Client Access can actually use. We have now seen multiple instances where users suddenly have their connections fail following a PTF apply, and the common thread is IBM i Access for Windows. Client Solutions users have not had issues because ACS runs on a modern Java installation, which implements the current standards.

Fortunately, in all of these cases we have been able to assist our customers in re-enabling an older standard through a somewhat convoluted function in the LIC (the TLSCONFIG advanced analysis command in System Service Tools). This again allows their Client Access users to connect, but it does so at the cost of reducing the whole system’s security: the older protocol is re-enabled for every client that connects, not just the legacy ones that need it. Continuing to allow outdated security standards is like locking the front door while the back door is wide open – it is false security, which in my opinion can be worse than no security at all.
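One check worth running before and after a PTF apply or a TLSCONFIG change is to see which TLS versions the host actually accepts on the ports the client uses. The script below is an added example written for this article, not code from iTech or IBM. It assumes the default secure host-server ports (992 for Telnet/5250 over TLS and 9476 for the sign-on server; check WRKSRVTBLE if yours differ) and pins a client context to exactly one protocol version per attempt. It also handles the failure mode this article is about from the other side: a modern OpenSSL build on the probing machine may itself refuse to offer TLS 1.0 or 1.1, which the script reports as “client-unable” rather than mistaking it for a server rejection.

```python
"""Probe which TLS protocol versions an IBM i host accepts on a given port.

Added example for this article; not part of IBM i, ACS or Client Access.
Assumed defaults: telnet-ssl on 992, as-signon-s on 9476.
"""
import socket
import ssl
import sys

# Assumed default secure ports of the host servers most affected here.
DEFAULT_PORTS = {"telnet-ssl (5250)": 992, "as-signon-s": 9476}

VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
LEGACY = ("TLSv1", "TLSv1_1")
MODERN = ("TLSv1_2", "TLSv1_3")


def context_for(version):
    """Client context pinned to one protocol version.

    Certificate validation is disabled because only the handshake outcome
    matters here, not trust. Never reuse this context for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL will not even *offer* TLS 1.0/1.1 at its default
        # security level. Lower it so the probe can ask the server honestly;
        # if the build refuses, probe_version() reports "client-unable".
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'client-unable' or 'unreachable'."""
    ctx = context_for(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as exc:
        # 'no protocols available' means OUR stack could not offer this
        # version; every other TLS error is the server declining it.
        if "NO_PROTOCOLS_AVAILABLE" in (exc.reason or "").upper():
            return "client-unable"
        return "rejected"
    except OSError:
        # Refused, timed out, DNS failure: not a TLS answer at all.
        return "unreachable"


def probe_host(host, port, timeout=5.0):
    """Map each TLS version name to its probe result for host:port."""
    return {v.name: probe_version(host, port, v, timeout) for v in VERSIONS}


def assess(results):
    """Summarise probe results as the trade-off this article describes."""
    legacy = [n for n in LEGACY if results.get(n) == "accepted"]
    modern = [n for n in MODERN if results.get(n) == "accepted"]
    if not legacy and not modern:
        return "no TLS version accepted: check the port and the server's certificate assignment"
    if legacy:
        return ("legacy protocols still enabled (" + ", ".join(legacy) + "): old Client Access "
                "can connect, but so can any client negotiating them")
    return "only TLS 1.2+ accepted: legacy Client Access will fail to connect"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ibmi.example.internal"  # assumed hostname
    for label, port in DEFAULT_PORTS.items():
        res = probe_host(target, port)
        print(f"{target}:{port} ({label})")
        for name, outcome in res.items():
            print(f"  {name:<8} {outcome}")
        print("  =>", assess(res))
```

Run it as `python probe_tls.py myibmi` from a workstation. A result of “accepted” for TLSv1 or TLSv1_1 means the back door described above is open for every client, not just the legacy ones; “client-unable” on those rows means your own machine would not offer the old version either, which is the same symptom the failing Client Access users are hitting.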

If you have a need to encrypt client connections to your IBM i system, either due to corporate policy or regulatory requirements, then you should be aware of the limitations and risks of continuing to use Client Access. IBM has stated that they have no plans to intentionally block the legacy client or restrict it from working; however, it is important to remember that this is no guarantee that it will continue to work indefinitely. They have no real motivation to continue the non-interference policy, and for a dead product they certainly have no reason to go out of their way to keep it working.

If you’re not yet familiar with the IBM i Access Client Solutions product I encourage you to try it out as soon as you can. It is freely downloadable and uses the same licensing as Client Access. iTech has done a number of videos and webinars on Client Solutions and if you’re planning to roll it out to your users that’s a project we can help with as well. Don’t put off retiring an unsupported tool just because it is convenient; sooner or later it will make your life decidedly inconvenient!
