Setting up system for digital certificates

You must complete these tasks before setting up your intranet to use digital certificates:

  1. Install one of the cryptographic provider products (5769AC1, 5769AC2, or 5769AC3).
  2. Install OS/400 option 34 - Digital Certificate Manager.
  3. Install the IBM HTTP Server for AS/400 (5769DG1), then configure the IBM HTTP Server. Most DCM tasks can use the *ADMIN Server with minimal setup. However, some steps in DCM require the Secure Sockets Layer (SSL), so it is best to configure the SSL portion of the IBM HTTP Server correctly. See HTTP web server for complete details and the latest information for setting up the IBM HTTP Server.
    Note: DCM uses the IBM HTTP Server to make changes that the server uses. You might need to end the IBM HTTP Server and then restart it to use the new information. This depends on the changes you make and the method you use.
  4. Start the *ADMIN Server so that you can use your web browser to access DCM from the AS/400 tasks page.
  5. After starting the *ADMIN Server, you must enable it to use SSL for secure requests. You will know that the system enabled the *ADMIN Server if both of the following are true when you start the instance:

    1. SSLMODE is ON. Either you or the IBM HTTP Server code must turn SSLMODE ON. DCM does not set this directive.
    2. You have properly registered the secure application.
      Note: You can do both of these by using the security configuration page of the HTTP Server.
  6. After you finish setting up the *ADMIN server, you need to associate a certificate with the *ADMIN server application in DCM before the server can use SSL successfully. You must decide what kind of certificates you will use and then use DCM to set up your certificates. Based on the way you decide to set up and use certificates, you must complete one of these sets of tasks:
    Note: During the process of setting up your certificates, you will be able to select the applications that should use the certificates for SSL and the applications that should trust the issuing CA. DCM assigns an application ID to each registered application. You assign a certificate to an application by way of its application ID. For the *ADMIN server, this application ID is QIBM_HTTP_SERVER_ADMIN.
  7. After you use DCM to associate a certificate with the *ADMIN server, you may need to stop and restart the server before it is able to recognize and use the certificate for SSL connections.
    Note: Do NOT stop and restart the server PRIOR to associating a certificate with its application ID. If you end and restart the *ADMIN instance of the web server prior to assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate. Also, the user will not be able to use DCM to assign a certificate.

Setting up the *ADMIN server to use SSL correctly ensures that user certificate tasks in DCM that require the use of SSL will work as expected. The topic "SSL and the *ADMIN server" provides additional considerations about using SSL with the *ADMIN server.

