Configuring an IBM i host for SSL

About this task

These steps take you through configuring an IBM® i host to run Secure Sockets Layer (SSL) as a self-signed Certificate Authority (CA). The Digital Certificate Manager (DCM) and IBM HTTP Server for i allow you to manage digital certificates for your network and use SSL to enable secure communications.
Note: If not already installed, install the DCM (option 34 of the base operating system). For more information on DCM setup requirements, see the Information Center for your release at http://publib.boulder.ibm.com/eserver/ibmi.html.

Procedure

  1. These steps take you to the Web page for DCM:
    1. Open a browser on your PC and point it to URL:
       http://[your_isystem]:2001
      Note: You may need to start the HTTP admin server if it is not already started on the host using:
       STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
    2. Provide your host user ID and password to sign on to the Web page. You should now be at the Welcome to the IBM Systems Director Navigator for i page.
    3. Click the IBM i Tasks Page link on the Welcome page.
    4. Click the Digital Certificate Manager link.
    5. Enter your userid and password again.
    6. You should now be at a Web page for the Digital Certificate Manager.
      Note: You can also get to the DCM Web page by clicking the IBM i Management > Internet Configurations link on the left frame and then click on the Digital Certificate Manager link in the Internet Configurations page.
  2. Next, we create a Certificate Store of type *SYSTEM on the host, assuming it doesn't already have one. This is a file used to store and manage the certificates created in further steps. The Certificate Store file has its own associated password for controlling access to it:
    1. On the left frame, click the link Create New Certificate Store.
    2. Check *SYSTEM. If *SYSTEM is not shown, then there may already be a certificate store. In that case, go to the step on viewing and exporting the Certificate Authority certificate for the host.
    3. Click Continue.
    4. Check No - Do not create a certificate in the certificate store.
    5. Click Continue.
    6. Set Certificate store password: and Confirm password:.
    7. Click Continue.
    8. You should get the message: The certificate store has been created.
  3. Next, we create a CA certificate for the host:
    1. On the left frame, click the link Create a Certificate Authority (CA).
    2. Set Certificate store password: and Confirm password: to what you set up in the previous section when creating the Certificate Store.
    3. Set Certificate Authority (CA) name: to the lowercase value of your system.domain. For example:
      host001.dept2.corp123.com
    4. Set the required fields: Organization name, State or province, Country.
    5. Set the Validity period of Certificate Authority. This can be set to a maximum of "7300" days.
    6. You can now install the certificate in your browser by clicking on the Install certificate link. You may check all the boxes on "Trust this..." and then click OK.
    7. Click Continue to move to the Certificate Authority (CA) Policy Data page.
    8. Select No on Allow creation of user certificates:.
    9. Set Validity period of certificates that are issued by this Certificate Authority (CA) (1-2000): to a value between "1" and "2000" days.
    10. Click Continue.
    11. Select all the applications that should include this Certificate Authority (CA) in the application Certificate Authority (CA) trust list.
    12. You should get the message: The applications you selected will trust this Certificate Authority (CA).
    13. Click Continue, to finish creating the CA.
    14. The Web page now shows Create an Object Signing Certificate. Click Cancel since this is not needed at this time.
  4. Next, we view and export the CA certificate for the host:
    1. Click Select a Certificate Store button on the left frame.
    2. Select *SYSTEM
    3. Click Continue.
    4. Enter in the password for the certificate store.
    5. Click Manage Certificates > View Certificate link on the left frame.
    6. Select Certificate Authority (CA) - View a Certificate Authority (CA) certificate.
    7. Click Continue.
    8. Verify that you see LOCAL_CERTIFICATE_AUTHORITY_... listed. You can view it to verify what you have entered.
  5. Export the CA certificate to a file in the IFS:
    1. Click Manage Certificates > Export certificate links on the left frame.
    2. Select Certificate Authority (CA) - Export a Certificate Authority (CA) certificate to another certificate store or to a file for use on another system.
    3. Click Continue.
    4. Select LOCAL_CERTIFICATE_AUTHORITY_...
    5. Click Export button.
    6. Select File - Export to a file. You can then send the file to another system and import the certificate into an existing certificate store.
    7. Click Continue.
    8. Enter an IFS file name to export the certificate to, for example:
      /tmp/myhostCA.cer
      Be sure to enter an IFS directory path that exists, otherwise the export will fail.
    9. Click Continue.
    10. You should see a message that your file has been exported to the IFS location.
      Note: This certificate file will be required locally on the PC for registering the certificate with the Rational® Developer for Power client. The file should be transferred as a text file so that it is properly converted from EBCDIC to ASCII, and not transferred as a binary file. If you want to use the Remote Systems Explorer in Rational Developer for Power Systems Software to copy the file, you need to first set the File Transfer Mode for *.cer files to Text. To do this, select Window > Preferences, then select Remote Systems > Files and click Add... to add the file transfer mode for *.cer files.
  6. Create a certificate on the host for the server applications to use:
    1. Select Create certificate link on the left frame.
    2. Select Server or client certificate.
    3. Click Continue.
    4. Select Local Certificate Authority (CA).
    5. Click Continue.
    6. Set Key Size: to the encryption size that you want.
    7. Give the certificate a label of your choosing.
    8. Give the certificate a common name of your choosing.
    9. Set the required fields: Organization name, State or province, Country.
    10. Click Continue. You should get a message saying the certificate has been created.
    11. Select all the applications to use this certificate.
    12. Click Continue. Expect a confirmation message that the applications you selected will use the certificate.
    13. Click OK.
    14. You are done with the host setup, and should now be able to connect over SSL after you set up the Rational Developer for Power Systems Software client for secure connections.
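Once the CA certificate file exported in step 5 has been copied to the PC, it is worth confirming that the transfer really happened in text mode (and so was converted from EBCDIC to ASCII) before importing it into the client. The Python below is an added example, not part of the IBM documentation; it assumes the IFS file was CCSID 37 (cp037) EBCDIC and checks only the PEM framing and outer DER structure, not the certificate contents.

```python
# Check a CA certificate file (e.g. /tmp/myhostCA.cer) after export from the
# IBM i DCM and transfer to the PC.  The IFS file is EBCDIC text; a binary
# transfer skips EBCDIC-to-ASCII conversion.  Assumes CCSID 37 (cp037).
# Added example, not IBM's code and not part of the original page.
import base64
import binascii

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def detect_encoding(data: bytes) -> str:
    """'ascii' = text-mode transfer; 'ebcdic' = binary transfer, still cp037."""
    if PEM_HEADER.encode("ascii") in data:
        return "ascii"
    if PEM_HEADER.encode("cp037") in data:
        return "ebcdic"
    return "unknown"

def to_pem_text(data: bytes) -> str:
    """Recover the PEM text, undoing a missed EBCDIC-to-ASCII conversion."""
    enc = detect_encoding(data)
    if enc == "ascii":
        return data.decode("ascii")
    if enc == "ebcdic":
        # cp037 line ends may decode to LF or NEL (U+0085); normalise both.
        return data.decode("cp037").replace("\x85", "\n")
    raise ValueError("no PEM certificate header found in ASCII or EBCDIC")

def check_pem(pem: str) -> dict:
    """Check PEM framing and that the base64 body is DER starting with an ASN.1
    SEQUENCE (0x30), as every X.509 cert does.  Not a full certificate parse."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        return {"ok": False, "reason": "missing BEGIN/END CERTIFICATE lines"}
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return {"ok": False, "reason": "body is not valid base64"}
    if not der or der[0] != 0x30:
        return {"ok": False, "reason": "DER does not start with a SEQUENCE"}
    return {"ok": True, "der_len": len(der)}

# Constructed sample: PEM framing around a placeholder DER SEQUENCE
# (30 03 02 01 01), not a real certificate.
SAMPLE_PEM = f"{PEM_HEADER}\nMAMCAQE=\n{PEM_FOOTER}\n"
TEXT_MODE_FILE = SAMPLE_PEM.encode("ascii")    # transferred as text: fine
BINARY_MODE_FILE = SAMPLE_PEM.encode("cp037")  # transferred as binary: EBCDIC
```

Run `check_pem(to_pem_text(open(path, "rb").read()))` on the real file; a result of `"ebcdic"` from `detect_encoding` means the transfer mode for *.cer files was binary and the copy should be repeated in text mode.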
