Configuration Tasks

Configuration choices 2 and 3 in the previous diagram will result in the Secure Sockets Layer (SSL) to be used to encrypt the stream of data traveling between the application using Powertech Encryption for IBM i HTTP API’s and the Powertech Encryption for IBM i HTTP server instance.

There are configuration tasks that will need to be done on both IBM i systems in order for Secure HTTP to be enabled between Powertech Encryption for IBM i HTTP APIs on one IBM i (client) to the Powertech Encryption for IBM i HTTP Server instance on a second IBM i (server).  Discussing two IBM i systems as client and server can be confusing.  The following diagrams will help to clarify the tasks to be performed when configuring SSL for use with Powertech Encryption for IBM i.

The following diagram shows the Digital Certificate Manager tasks that need to be performed to begin using SSL. The HTTP  *ADMIN task are covered in the Powertech Encryption for IBM i HTTP Guide.

The following diagram shows more DCM tasks for requiring a client certificate.

The IBM i Administration web server instance must be running in order to work with the Digital Certificate Manager.

Use IBM Web Administration for i

The IBM Digital Certificate Manager (DCM) is a web-based application that is accessible from the Administration Server on System i. You can start the Administration Server from the server's function in iSeries Navigator or you can enter the following command:

STRTCPSVR SERVER(*HTTP)  HTTPSVR(*ADMIN)

Once the administration server is running, you open your browser and enter this URL:

http://yourSystemi:2001/  QIBM/ICSS/Cert/Admin/qycucm1.ndm/ main 0
NOTE: Replace ‘yourSystemi’ with the name or IP address of your system.

You will be prompted for a user profile and password.  The user profile used must have sufficient authority to use DCM.

WARNING: You will need to keep track of whether you are making changes to the server IBM i or the client IBM i *ADMIN server.

Regardless of whether you will be using option 2 or 3, it is necessary to create a digital certificate and associate it with the Powertech Encryption for IBM i HTTP Server in order to use SSL. This section provides details on how to do this.

  1. Upon signing into the server IBM i Administration server, the main screen is shown:
  1. Click Select a Certificate Store.
  1. Click on the *SYSTEM radio button, then click Continue.
  1. Enter the Certificate Store password and click Continue. If you do not know the password check with your system administrator.
  1. To add an application, click on the Manage Applications link in the list on the left side of the screen to expand the list.
  1. Click on the Add application radio button in the center area of the screen and click Continue.
  1. Click on the Server radio button, then click Continue.
  2. Enter the values shown on the following screen:
  1. Click Add to add the entry. You should see the following screen:
  1. Click OK. The application has been added.
  1. To create a server certificate, click on the Create Certificate link on the left side of the screen.
  1. Select the Server or client certificate radio button, then click Continue.
  1. Select the Local Certificate Authority (CA) radio button, then click Continue.
  1. Fill in values that are appropriate for your business as shown above, then click Continue.
  1. Once a certificate is created, the Digital Certificate Manager will display a list to allow you to select the applications to be associated with it.
  1. Scroll down through the list of applications until you find the application created earlier (i.e. CRYPTO).
  1. Click on the check box to the left of CRYPTO to select it, then click on.
  2. Now the Server Certificate has been created and associated with the application created earlier.
  3. If configuration option 2 will be used, then the configuration tasks are complete. You are now ready to use the Powertech Encryption for IBM i HTTP APIs from the client System i. Do not specify an application ID when using the APIs with a Basic SSL configuration.
  4. If configuration option 3 will be used, continue with the following section.
  1. Upon signing into the client IBM i Administration server, the main screen is shown:
  1. Click Select a Certificate Store.
  1. Select the *SYSTEM radio button, then click Continue.
  1. Enter the *SYSTEM Certificate Store password and click Continue. If you do not know the password check with your system administrator.
  1. To add an application, click on the Manage Applications link in the list on the left side of the screen to expand the list.
  1. Click on the Add application radio button in the center area of the screen and click Continue.
  1. Select the Client radio button, then click Continue.
  1. Enter a value for Application ID to be used on the Powertech Encryption for IBM i HTTP API calls. This value is how   the RPGLE program will make use of the DCM configuration.  Enter a description for the application.  This is only used within DCM. Click Add.
This completes adding to the client application definition to DCM. Next, we will create a client certificate.
  1. Select the Create Certificate link on the left side of the screen.
  1. Select the Server or client certificate radio button, the click Continue.
  1. Select the Local Certificate Authority (CA) radio button, then click Continue.
  1. Enter a label for the client certificate. We have used ‘crypto_dev54_client’ because it is descriptive. Enter values appropriate for your organization, then click Continue.
  1. When the certificate has been completed, Digital Certificate Manager provides an opportunity to select an application to associate the certificate to.
  1. Scroll down in the list and locate the client application that you created earlier, select it.
  2. Click Continue.

Next, we need to export the Local CA Certificate from the IBM i Client system and import it into the IBM i Server system.

  1. Upon signing into the client IBM i Administration server, the main screen is shown:
  1. Click Select a Certificate Store.
  1. Select the Local Certificate Authority (CA) radio button and click Continue.
  1. Enter the Certificate Store password and click Continue. If you do not know the password check with your system administrator.
  1. Click on the Manage Local CA link at the left side of the screen.
  1. Click on the Export radio button, then click Continue.
  1. Click on the File radio button, then click Continue.
  1. Enter an IFS path and filename for the exported certificate, then click Continue. In our example, we use ‘/home/dev53_local_ca’.
  1. Export of the client IBM i Local Certificate Authority (CA) successful!
The file will be a text representation of the certificate, so use IBM i FTP in ASCII mode to send the file from the client IBM i to the server System i.

The next task is to import client CA into server *SYSTEM store on the server System i. Upon signing into the server IBM i Administration server, the main screen is shown:

  1. Click Select a Certificate Store.

  1. Click on the *SYSTEM radio button, then click Continue.
  1. Enter the Certificate Store password and click Continue. If you do not know the password check with your system administrator.
  1. Click on the Manage Certificates link at the left side of the screen.
  1. Click on the Import Certificate link at the left side of the screen. Select the Certificate Authority (CA) radio button, then click Continue.
  1. Enter the IFS path and filename of the certificate to import that you FTP’d from the client System i, then click Continue. In our example, we use ‘/home/dev53_local_ca’  again.
  1. Enter the encryption password that was specified during the export, then click Continue. If you do not know the password check with your system administrator.
  1. Enter the name to be used to identify the imported client Local CA. We used ‘dev54_local_ca’ to identify the system that the certificate came from and to indicate that Default.PrintOnlyit was the Local Certificate Authority there. Click Continue.
You have successfully imported the certificate into the *SYSTEM store of the server IBM i.
This will allow the RPGLE and Java applications on the client IBM i to call the Powertech Encryption for IBM i HTTP APIs and to specify an Application ID when communicating over SSL to the server IBM i.
TIP: Remember to change the Powertech Encryption for IBM i HTTP server instance to “Require client certificate for connection” as shown below: