Creating and exporting a CA to another system

You may already be using a local CA on an AS/400 in your network and want to extend its use to another AS/400 in your network. For example, you may want your current local CA to issue a system certificate for the other AS/400 so that you can use SSL for applications that run on it. To do this, you must perform a series of tasks on each AS/400. The system that hosts the local CA must not use a cryptographic access provider product (ACx) that provides more function than the target system.

Note: If you intend to use certificates with the HTTP Web Server for AS/400, you should create and configure your web server instance before starting DCM. When you configure a web server instance to use SSL, an application ID is generated for the server instance. Make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the server instance until you have used DCM to assign a certificate to it.
Note: If you end and restart the *ADMIN instance of the web server before assigning a certificate to it, the server will not start, and you will not be able to use DCM to assign a certificate.

Use DCM on the system that hosts your local CA, to perform these tasks:

  1. Start a DCM session.
  2. In the left-hand navigation frame, select Certificate Authority to display a list of available tasks.
  3. Select Create a system certificate for another AS/400 task. Selecting this task displays the first of several pages which allow you to create a system certificate and key pair from your local CA.
  4. Complete the pages that DCM provides for the task.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help.

    Note: If you are creating a certificate for a V4R3 or earlier target system, completing this task creates two key ring files. Each file has the name that you designated for the file with one of two extensions: .kyr and .sth.

    If you are creating a certificate for a V4R4 or later target system, completing the task creates three files. Each file has the name that you designated for the file with one of three extensions: .kdb, .rdb, and .sth. The .kdb file contains a copy of the local CA certificate as well as the system certificate that you created. When using the form to create the certificate for the target system, you can specify a unique key label for the certificate. The same directory (/qibm/userdata/icss/cert/server/*) can be used if a different file name is used, for example MyDefaultForXYZ.KDB, MyDefaultForXYZ.RDB, and MyDefaultForXYZ.STH. This makes it easy to recognize which file names the target system should use.

  5. Use binary FTP or another method to transfer the files that you created (three files for V4R4 or later, two files for V4R3 or earlier, as described in the Note above). You must transfer all the files that you created to the /QIBM/USERDATA/ICSS/CERT/SERVER directory on the target system.

Perform these tasks on the other (target) system:

  1. Make sure that the files you transferred from the local CA host system in the previous procedure (the key ring files .kyr and .sth, or the three files .kdb, .rdb, and .sth) are in the directory /QIBM/USERDATA/ICSS/CERT/SERVER.
  2. Rename the files as follows:
    Attention: If you already have default.* files, you should not rename them. You will need to make unique names for the new files instead. Overwriting the default files will cause major problems on your system.
  3. Start DCM and complete the tasks appropriate for the release of DCM you have on the target system.
  4. For V4R4 or later releases of DCM:
    1. Select System certificates in the left-hand navigation frame to display a list of available tasks. The Certificate Store and Password window displays.
    2. In the appropriate fields, enter the name of the certificate store that you want to access and supply the password for it. For this procedure, make sure that you enter *SYSTEM for the certificate store and the password that you used when you created the files on the other system.
    3. Select Work with secure applications from the task list to display a page that allows you to manage the certificates associated with specific applications.
    4. From this page you should perform these tasks:
      1. Select the applications that should use the certificate for SSL communications.
      2. Select the applications that should trust the CA that issued the certificate.

        Then you can use this CA to copy a certificate and export it to another AS/400 in your network. You will need to use DCM on the other system to receive a CA certificate to complete this task.

  5. Start a DCM session.
  6. In the left-hand navigation frame, select System certificates to display a list of available tasks. The Certificate Store and Password window is displayed. You must enter the name of the certificate store that you want to access and supply the password for it. For this procedure, make sure that you enter *SYSTEM for the certificate store and the password used when you created the files on the other system.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help.
  7. Select Work with secure applications to display the Work with Secure Applications page. This page allows you to manage the certificates associated with your secure applications. (This option is available for the *SYSTEM certificate store only.) From this page, you must complete two tasks for the certificates that you now have in your *SYSTEM certificate store.
  8. You must designate which applications should trust the local CA certificate.
  9. You must designate which applications should use the system certificate.
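The transfer step of the first procedure and the file check and rename guard of the second one, as an added POSIX shell example that is not part of the IBM page: it derives the file set DCM created for the target release, prints a binary-mode FTP command script for it, and verifies on the target that the set is complete and that no default.* files are about to be overwritten. The host name and base file name are placeholders, and FTP login is not scripted.

```shell
#!/bin/sh
# Added example, not from the IBM page. The directory and extensions are the
# ones the page names; the host and base name passed in are placeholders.
CERT_DIR=/QIBM/USERDATA/ICSS/CERT/SERVER

# cert_exts <release>: extensions DCM created for the target release
#   (three files for V4R4 or later, two key ring files for V4R3 or earlier).
cert_exts() {
  case "$1" in
    v4r4) echo "kdb rdb sth" ;;
    v4r3) echo "kyr sth" ;;
    *)    echo "unknown release: $1" >&2; return 2 ;;
  esac
}

# ftp_script <host> <basename> <release>: print the command script for a
#   non-interactive FTP transfer into CERT_DIR. Authentication is not
#   included; feed the script to ftp after logging in to <host>.
ftp_script() {
  host=$1; base=$2; exts=$(cert_exts "$3") || return 2
  printf 'binary\ncd %s\n' "$CERT_DIR"   # key files are binary: never ASCII mode
  for e in $exts; do printf 'put %s.%s\n' "$base" "$e"; done
  printf 'quit\n'
}

# check_cert_files <dir> <basename> <release>: 0 if every expected file is
#   present and non-empty in <dir>, 1 if any is missing (a truncated .sth
#   or .kdb is the usual sign of an ASCII-mode transfer).
check_cert_files() {
  dir=$1; base=$2; exts=$(cert_exts "$3") || return 2
  rc=0
  for e in $exts; do
    [ -s "$dir/$base.$e" ] || { echo "missing or empty: $dir/$base.$e" >&2; rc=1; }
  done
  return $rc
}

# default_files_present <dir>: 0 if a default.* file already exists there,
#   in which case the transferred files must keep unique names (see Attention).
default_files_present() {
  for f in "$1"/default.* "$1"/DEFAULT.*; do
    [ -e "$f" ] && return 0
  done
  return 1
}
```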

With these tasks complete, your applications can use the certificate issued by the local CA on another AS/400. However, before you can begin using SSL for these applications, you must secure the applications by configuring them to use SSL.

Before a user can access the selected applications through an SSL connection, the user must install a copy of the CA certificate. The CA certificate must be copied to a file on the user's PC or downloaded into the user's browser, depending on the requirements of the SSL-enabled application.

