IBM Power Systems

About This Blog

Warm wishes and welcome to all AS400 Administrators and Operators.



This is an exclusive blog for iSeries system administrators working anywhere in the world, and a place for guys and gals who want to share knowledge pertaining to iSeries. This blog has been designed for exchanging knowledge on AS400 or iSeries server administration and operations.



Tuesday, March 23, 2010

Digital Certificate Manager

This document provides steps for configuring Digital Certificate Manager (DCM) on the IBM System i system.

Step 1: To start the HTTP ADMIN instance (if it is not already active), do the following:
1 To determine if the ADMIN instance is active, run the following command:
WRKACTJOB SBS(QHTTPSVR) JOB(ADMIN)
2 If there are no active ADMIN jobs, run the following command:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
3 Run the WRKACTJOB SBS(QHTTPSVR) JOB(ADMIN) command again, and press F5 (Refresh) until at least 3 ADMIN jobs are in *SIGW status.

Step 2: To sign into Digital Certificate Manager, do the following:
1 Using a browser, access the following Web site:
Where is the IP address or host name of the System i™ system.
2 You are prompted to type a profile and password. Use a system administrator level profile.
3 The browser will display the i5/OS TASKS or iSeries TASKS page. Click the link for Digital Certificate Manager.

Step 3: To create a *SYSTEM store, do the following:
1 On the left panel, click Select a Certificate Store. If there is an option for *SYSTEM, you already have a *SYSTEM store.
2 If there is no option for *SYSTEM, on the left panel, click Create New Certificate Store. Click the bullet next to *SYSTEM, and then click Continue.
3 Click the bullet next to No - Do not create a certificate in the certificate store, and then click Continue.
4 Type a password for the *SYSTEM store (letters and numbers only, with no punctuation or spaces), and click Continue.
5 Click OK.
6 Click Cancel.

Step 4: To create a Local Certificate Authority, do the following:
1 On the left panel, click Select a Certificate Store. If there is an option for Local Certificate Authority (CA), you already have a Local CA.
2 If there is no option for Local Certificate Authority (CA), on the left panel, click Create a Certificate Authority (CA).
3 Type a password (letters and numbers only).
4 Provide a unique Certificate Authority (CA) name; for example, combine the name of your company, the name of your System i™ system, and the words Local CA: MyCompany i5 Local CA.
5 Complete the remaining fields as appropriate. Specifying the maximum value for the Validity Period is recommended (unless your Security Administrator requires further limitations). Then, click Continue.
6 The option to install the certificate will be available later. Click Continue.
7 Setting the Validity Period for Server Certificates to the maximum value is recommended (unless your Security Administrator requires further limitations). Then, click Continue.
8 At this time, you do not need to have any applications trust this CA. Continue clicking Continue until you are asked if you want to create the default signing store. At that point, click Cancel.

Step 5: To create a Local Server Certificate, do the following:
1 Click the button: Select a Certificate Store.
2 Click the bullet next to *SYSTEM, and click Continue.
3 Enter the password to the store, and click Continue.
4 On the left panel, click the triangle next to FastPath to expand the section.
5 Under FastPath, click Work with server and client certificates.
6 Click the button: Create.
7 Click the bullet next to Local Certificate Authority (CA), then click Continue.
8 Fill in the fields on the form. For the Certificate Label, use a unique name. For example: MyCompany i5 Local Server Cert. For the common name, use the same value as the label. However, if this certificate will be used for HTTP, use the host identifier that you will be using in the URL. For example: www.i5.mycompany.com. (It is not necessary to complete any of the fields under Subject Alternative Name.) Click Continue.
9 You do not need to assign the certificate to any applications at the moment. Click Continue. Click OK.

Step 6: To assign the Server Certificate to your applications, do the following:
1 Assuming that you are still signed into the *SYSTEM store, on the left panel under FastPath, click Work with server and client certificates.
2 If there are multiple certificates, click the bullet next to the one you want to work with.
3 Click Assign to Applications.
4 Check the box next to the application(s) you want to use the certificate, and click Continue. Click OK.
5 For server applications, end and start the server application for the newly assigned certificate to be in use. For client applications, sign on to a new character-based user interface (if necessary, sign off and on again) to pick up the changes in DCM.
6 The ADMIN instance is required only for configuration purposes and can now be ended. Run the following command:
ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
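As an added example (not from the original post), a Python check a practitioner can run after Step 6 to confirm that the restarted server presents the certificate from Step 5: issued by the Local CA created in Step 4 and naming the host used in the URL. The sample certificate dictionaries are constructed; the host, port and the path to a Local CA certificate exported from DCM are assumptions, and fetch_peer_cert only works against a real system.

```python
import socket
import ssl
import time

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a server
# certificate created as in Step 5 (illustrative values, not from a real system).
SAMPLE_CERT_CN_ONLY = {
    "subject": ((("commonName", "www.i5.mycompany.com"),),),
    "issuer": ((("commonName", "MyCompany i5 Local CA"),),),
    "notAfter": "Mar 23 00:00:00 2099 GMT",
}
# The same certificate with the DNS name also placed in subjectAltName.
SAMPLE_CERT_WITH_SAN = dict(SAMPLE_CERT_CN_ONLY,
                            subjectAltName=(("DNS", "www.i5.mycompany.com"),))

def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def hostname_matches(cert, host):
    """Prefer DNS subjectAltName entries; fall back to the CN the Step 5 form sets."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return host in sans if sans else rdn_value(cert.get("subject", ()), "commonName") == host

def check_assignment(cert, host, local_ca_name):
    """Return the problems found; an empty list means the presented cert is the expected one."""
    problems = []
    if not hostname_matches(cert, host):
        problems.append("host mismatch")
    if rdn_value(cert.get("issuer", ()), "commonName") != local_ca_name:
        problems.append("unexpected issuer")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < time.time():
        problems.append("expired")
    if not cert.get("subjectAltName"):
        # Chrome and other current browsers ignore the CN and require a DNS SAN.
        problems.append("no subjectAltName")
    return problems

def fetch_peer_cert(host, port, local_ca_pem):
    """Live check: connect to the restarted server trusting only the Local CA exported to local_ca_pem."""
    ctx = ssl.create_default_context(cafile=local_ca_pem)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Pass the dictionary returned by fetch_peer_cert to check_assignment; a "no subjectAltName" result is the caveat to the Step 5 note that the Subject Alternative Name fields can be left blank.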

2 comments:

  1. In step #3, what's the advantage to NOT creating a certificate in the *SYSTEM certificate store?

    Thanks!
    Mike E.

  2. It's a very confusing and long process. But I appreciate that you have provided each and every step. Thanks a lot for sparing time to write and share this detail.
    digital certificate
