Connecting to an IBM i virtual machine (VM)
IBM Power Virtual Server in IBM data center
IBM Power Virtual Server Private Cloud in Client location
Learn how to connect to an IBM i VM after configuring your system. Make sure to review Configuring your IBM i virtual machine (VM) before connecting to an IBM i VM.
For a complete list of firewall ports that are available for IBM i VMs, see Network security. If you plan on ordering Direct Link Connect on Classic or already have it, port forwarding is not needed.
Installing and configuring IBM i Access Client Solutions (ACS)
Before you begin, see Install IBM i Access Client Solutions.
Using SSH tunneling to allow ACS to connect over the public IP
The public IP address blocks most ports. As a result, you need to use SSH tunneling or configure your certificates and use SSL to allow ACS to connect over public IP.
Before you use an SSH tunnel, you must create a user profile with USRCLS(*SECOFR) specified or enable the QSECOFR user profile. To enable the QSECOFR user profile, edit the /QOpenSys/QIBM/ProdData/SC1/OpenSSH/etc/sshd_config configuration file, and uncomment PermitRootLogin yes.
After the QSECOFR user profile is enabled, start the SSHD server on the VM:
endtcpsvr server(*SSHD) instance(*all)
strtcpsvr server(*SSHD)
On a Linux® or Mac system, you would run a command similar to the following example:
ssh -L 50000:localhost:23 -L 2001:localhost:2001 -L 449:localhost:449 -L 8470:localhost:8470 -L 8471:localhost:8471 -L 8472:localhost:8472 -L 2007:localhost:2007 -L 8473:localhost:8473 -L 8474:localhost:8474 -L 8475:localhost:8475 -L 8476:localhost:8476 -L 2003:localhost:2003 -L 2002:localhost:2002 -L 2006:localhost:2006 -L 2300:localhost:2300 -L 2323:localhost:2323 -L 3001:localhost:3001 -L 3002:localhost:3002 -L 2005:localhost:2005 -o ExitOnForwardFailure=yes -o ServerAliveInterval=15 -o ServerAliveCountMax=3 <myuser>@<myIPaddress>
You might have to type sudo in front of the ssh command if the system denies you permission; binding local ports below 1024, such as 449, requires root privileges on most systems.
For further information on ports and port mapping, see TCP/IP Ports Required for IBM i Access and Related Functions and also Port Assignments with Operations Console.
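The same tunnel built from a port list, as an added example that is not part of IBM's documentation. The remote ports and ssh options are the ones in the command above; the function names are hypothetical, and the explicit 127.0.0.1 bind address and the -N option (no remote shell) are additions to the page's command.

```shell
#!/bin/sh
# Added example (not IBM's script). Remote ports are taken from the ssh
# command on this page; function names are hypothetical.
ACS_PORTS="23 2001 449 8470 8471 8472 2007 8473 8474 8475 8476 2003 2002 2006 2300 2323 3001 3002 2005"

# Local port for a given remote port: Telnet (23) is remapped to 50000,
# every other port keeps its number, as in the page's command.
local_port_for() {
    if [ "$1" -eq 23 ]; then echo 50000; else echo "$1"; fi
}

# Print one forward spec per line, bound explicitly to the loopback address
# so the forwarded services are never offered to other hosts on the LAN.
build_forwards() {
    for p in $ACS_PORTS; do
        echo "127.0.0.1:$(local_port_for "$p"):localhost:$p"
    done
}

# Local ports below 1024 need root to bind on most systems; this is why
# the command may have to be run with sudo.
privileged_local_ports() {
    for p in $ACS_PORTS; do
        lp=$(local_port_for "$p")
        if [ "$lp" -lt 1024 ]; then echo "$lp"; fi
    done
}

# Open the tunnel without starting a remote shell (-N).
# Usage: open_tunnel <myuser> <myIPaddress>
open_tunnel() {
    set -- "$1@$2"
    for spec in $(build_forwards); do
        set -- -L "$spec" "$@"
    done
    ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=15 \
        -o ServerAliveCountMax=3 "$@"
}
```

Source the file and call open_tunnel with your own user profile and public IP address; privileged_local_ports shows which forwards require elevated privileges before you decide whether to run it with sudo.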
If you are on a Windows® system, continue with Setting up and configuring PuTTY on a Windows system, otherwise see Starting TCP servers.
Setting up and configuring PuTTY on a Windows system
Install PuTTY onto your system. PuTTY is used for the SSH tunnel on a Windows system.
- Open Session under Category.
- Enter your system's IP address and select SSH as the Connection type.
- Enter 22 as the port number.
- Under the Connection category, select Connection > SSH > Tunnels.
- Add your Source port number and Destination. For example, you can choose 50000 as the source port number.
  Do not change the source port numbers. When telnetting, avoid making the source port the same as the destination.
- Click Add to add your source port to the forwarded port list.
  You need to repeat step 3 to step 6 to add all of the following ports: 23, 449, 8470, 8471, 8472, 8473, 8474, 8475, 8476, 2003, 2002, 2006, 2300, 2323, 3001, 3002, and 2005.
- After you add all of the necessary port numbers, check your populated list.
- Click back on the Session category and give your session a name under Saved Sessions. Click Save.
- Your saved session appears under Saved Sessions after you click Save. Select your session and click Open to start a PuTTY session to your system.
- You are prompted to accept a key on first use, and then presented with a log-in prompt. Use your IBM i session profile and password.
- Configure your ACS client or IBM i Access for Windows Client to use the SSH tunnel. In both clients, you must select Configure from the Communications menu.
- Change the IP address to 127.0.0.1 on port 23.
- Press OK to save the changes. The client restarts and connects.
Starting the TCP servers
Start the required TCP servers on your IBM i operating system by completing the following tasks:
- To allow SSH connections, enter the following command:
  strtcpsvr server(*SSHD)
- To start the IBM Navigator for i (iNav) and Digital Certificate Manager (DCM) GUIs, enter the following command:
  strtcpsvr server(*HTTP) httpsvr(*ADMIN)
- To get a 5250 console from ACS, start Telnet:
  strtcpsvr server(*TELNET)
Starting a 5250 session on your IBM i VM from ACS
To get a 5250 session on your IBM i VM from ACS, either configure the virtual devices or enable autoconfig. To enable autoconfig, complete the following steps by using the IBM i VM:
For IBM i 7.5, it is required that you first use CHGSSTSECA to set SECSYSVAL *YES (to allow security system value changes).
- Enter the cfgtcp command.
- Select option 20 (Configure TCP/IP applications).
- Select option 11 (Configure TELNET).
- Select option 10 (Autoconfigure virtual devices).
- Select QAUTOVRT with option 2 (Change).
- Change the value from 0 to the number of auto-configured consoles that you want to be able to connect concurrently.
- Go to the IBM i VM and start the telnet server for the console:
  strtcpsvr server(*TELNET)
After you complete these steps, you can get to a console from ACS. Additionally, you can get to iNav/DM by pointing your browser to the following address:
https://127.0.0.1:2005/ibm/console/login.do?action=secure
To enable ICC to use an SSL connection to IBM Cloud Object Storage, which IBM Cloud Object Storage requires, see Configuring Cloud Storage Solutions file transfer encryption.
Configuring ACS
After starting ACS, create a system configuration (sysconfig).
- Configure a server for localhost. For example, port 50000 is forwarding to port 23. Go into the 5250 session configuration and change the port from 23 to 50000.
- Return to the IBM i terminal and enter your credentials, including System, User, and Password.