These steps take you through configuring an IBM® i host
to run Secure Sockets Layer (SSL) as a self-signed Certificate Authority
(CA). The Digital Certificate Manager (DCM) and IBM HTTP Server for
i allow you to manage digital certificates for your network and use
SSL to enable secure communications.
Note: If not already installed,
install the DCM (option 34 of the base operating system). For more
information on DCM setup requirements, see the Information Center
for your release at http://publib.boulder.ibm.com/eserver/ibmi.html.
Procedure

These steps take you to the Web page for DCM:

1. Open a browser on your PC and point it to the URL:
   http://[your_isystem]:2001
   Note: You may need to start the HTTP admin server on the host if it is not already started, using:
   strtcpsvr server(*HTTP) httpsvr(*admin)
2. Provide your host userid and password to sign on to the Web page. You should now be at the Welcome to the IBM Systems Director Navigator for i page.
3. Click the IBM i Tasks Page link on the Welcome page.
4. Click the Digital Certificate Manager link.
5. Enter your userid and password again. You should now be at a Web page for the Digital Certificate Manager.
   Note: You can also get to the DCM Web page by clicking the IBM i Management > Internet Configurations link on the left frame and then clicking the Digital Certificate Manager link in the Internet Configurations page.
Next, we create a Certificate Store of type *SYSTEM on the host, assuming it doesn't already have one. This is a file used to store and manage the certificates created in further steps. The Certificate Store file has its own associated password for controlling access to it:

1. On the left frame, click the link Create New Certificate Store.
2. Check *SYSTEM. If *SYSTEM is not shown, then there may already be a certificate store. In that case, go to the step on viewing and exporting the Certificate Authority certificate for the host.
3. Click Continue.
4. Check No - Do not create a certificate in the certificate store.
5. Click Continue.
6. Set Certificate store password: and Confirm password:.
7. Click Continue.
8. You should get the message: The certificate store has been created.
Next, we create a CA certificate for the host:

1. On the left frame, click the link Create a Certificate Authority (CA).
2. Set Certificate store password: and Confirm password: to what you set up in the previous section when creating the Certificate Store.
3. Set Certificate Authority (CA) name: to the lowercase value of your system.domain. For example:
   host001.dept2.corp123.com
4. Set the required fields: Organization name, State or province, Country.
5. Set the Validity period of Certificate Authority. This can be set to a maximum of "7300" days.
6. You can now install the certificate in your browser by clicking the Install certificate link. You may check all the boxes on "Trust this..." and then click OK.
7. Click Continue to move to the Certificate Authority (CA) Policy Data page.
8. Select No on Allow creation of user certificates:.
9. Set Validity period of certificates that are issued by this Certificate Authority (CA) (1-2000): to a value between "1" and "2000" days.
10. Click Continue.
11. Select all the applications that should include this Certificate Authority (CA) in the application Certificate Authority (CA) trust list. You should get the message: The applications you selected will trust this Certificate Authority (CA).
12. Click Continue to finish creating the CA.
13. The Web page now shows Create an Object Signing Certificate. Click Cancel since this is not needed at this time.
Next, we view and export the CA certificate for the host:

1. Click the Select a Certificate Store button on the left frame.
2. Select *SYSTEM.
3. Click Continue.
4. Enter the password for the certificate store.
5. Click the Manage Certificates > View Certificate link on the left frame.
6. Verify that you see LOCAL_CERTIFICATE_AUTHORITY_... listed. You can view it to verify what you have entered.

Export the CA certificate to a file in the IFS:

1. Click the Manage Certificates > Export certificate link on the left frame.
2. Select Certificate Authority (CA) - Export a Certificate Authority (CA) certificate to another certificate store or to a file for use on another system.
3. Click Continue.
4. Select LOCAL_CERTIFICATE_AUTHORITY_...
5. Click the Export button.
6. Select File - Export to a file. You can then send the file to another system and import the certificate into an existing certificate store.
7. Click Continue.
8. Enter an IFS file name to export the certificate to, for example:
   /tmp/myhostCA.cer
   Be sure to enter an IFS directory path that exists, otherwise the export will fail.
9. Click Continue.
10. You should see a message that your file has been exported to the IFS location.

Note: This certificate file will be required locally on the PC for registering the certificate with the Rational® Developer for Power client. The file should be transferred as a text file so that it is properly converted from EBCDIC to ASCII, and not transferred as a binary file. If you want to use the Remote Systems Explorer in Rational Developer for Power Systems Software to copy the file, you need to first set the File Transfer Mode for *.cer files to Text. To do this, select Window > Preferences, then select Remote Systems > Files and click Add... to add the file transfer mode for *.cer files.
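The note above requires the exported .cer file to be copied in text mode so that it is converted from EBCDIC to ASCII. The following check is an added example, not code from the original page or from IBM, that lets you confirm on the PC that the copy is usable before registering it with the client: it reports whether the file is a readable Base64/PEM certificate, or whether the PEM markers only appear after EBCDIC (code page 037) decoding, which means the file was copied in binary mode and must be transferred again as text. It assumes that DCM writes the exported CA certificate in Base64/PEM form (the reason the text-mode transfer matters); the sample bytes are constructed here and stand in for a real exported certificate.

```python
import base64
import re
import sys

# One PEM certificate block; the Base64 body is captured lazily so any line
# ending (LF, CR LF, or the NEL that cp037 decoding can produce) is tolerated.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_body_is_der(body: str) -> bool:
    """True if the Base64 body decodes and begins with a DER SEQUENCE tag
    (0x30), which every X.509 certificate does."""
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(der) > 2 and der[0] == 0x30


def classify_cer_file(raw: bytes) -> str:
    """Classify the raw bytes of a transferred .cer file.

    'pem-ascii'  -> readable PEM; the file was transferred in text mode
    'pem-ebcdic' -> PEM markers appear only after EBCDIC (cp037) decoding;
                    the file was transferred in binary mode and must be
                    re-transferred as text
    'unknown'    -> neither; not a Base64 certificate export
    """
    for codec, label in (("ascii", "pem-ascii"), ("cp037", "pem-ebcdic")):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        match = PEM_BLOCK.search(text)
        if match and pem_body_is_der(match.group(1)):
            return label
    return "unknown"


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-in for an exported CA certificate: a DER SEQUENCE header
# followed by filler bytes, NOT a real X.509 certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = make_pem(SAMPLE_DER)
TEXT_TRANSFER = SAMPLE_PEM.encode("ascii")    # what a text-mode copy yields
BINARY_TRANSFER = SAMPLE_PEM.encode("cp037")  # raw EBCDIC bytes, as on the IFS


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real transferred file, e.g. your PC copy of /tmp/myhostCA.cer
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "->", classify_cer_file(fh.read()))
    else:
        print("text-mode copy   ->", classify_cer_file(TEXT_TRANSFER))
        print("binary-mode copy ->", classify_cer_file(BINARY_TRANSFER))
```

Run it with the path of the copied file as the only argument; with no argument it classifies the two constructed samples. Once a file classifies as pem-ascii, `openssl x509 -in myhostCA.cer -noout -text` on the PC will show the issuer name and validity period you entered when creating the CA, which is a quick way to confirm you exported the CA certificate rather than some other certificate from the store.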
Create a certificate on the host for the server applications to use:

1. Select the Create certificate link on the left frame.
2. Select Server or client certificate.
3. Click Continue.
4. Select Local Certificate Authority (CA).
5. Click Continue.
6. Set Key Size: to the key size that you want.
7. Give the certificate a label of your choosing.
8. Give the certificate a common name of your choosing.
9. Set the required fields: Organization name, State or province, Country.
10. Click Continue. You should get a message saying the certificate has been created.
11. Select all the applications to use this certificate.
12. Click Continue. Expect a confirmation message that the applications you selected will use the certificate.
13. Click OK.

You are done with the host setup, and should now be able to connect over SSL after you set up the Rational Developer for Power Systems Software client for secure connections.