IBM Support

Digital Certificate Manager, Getting Started

Troubleshooting


Problem

This document describes how to configure Digital Certificate Manager (DCM) with a minimal configuration: a *SYSTEM store, a Local Certificate Authority, and a Server Certificate.

Resolving The Problem

This document provides steps for configuring Digital Certificate Manager (DCM) on the IBM System i system. It is written for system administrators who have little or no experience with DCM and need a minimal configuration to get started with SSL connectivity.

Step 1: To start the HTTP ADMIN instance (if it is not already active), do the following:

1. To determine if the ADMIN instance is active, run the following command:

WRKACTJOB SBS(QHTTPSVR) JOB(ADMIN)

2. If there are no active ADMIN jobs, run the following command:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

3. Run the WRKACTJOB SBS(QHTTPSVR) JOB(ADMIN) command again, and press F5 (Refresh) until at least three ADMIN jobs are in *SIGW status.

Step 2: To sign into Digital Certificate Manager, do the following:

1. Using a browser, access the following Web site:

http://<ipaddress or hostname of the i5 system>:2001

where <ipaddress or hostname of the i5 system> is the IP address or host name of the System i system.

2. You are prompted to type a profile and password. Use a system administrator level profile.
3. The browser will display the i5/OS TASKS or iSeries TASKS page. Click the link for Digital Certificate Manager.

Step 3: To create a *SYSTEM store, do the following:

1. On the left panel, click Select a Certificate Store. If there is an option for *SYSTEM, you already have a *SYSTEM store.
2. If there is no option for *SYSTEM, on the left panel, click Create New Certificate Store. Click the bullet next to *SYSTEM, and then click Continue.
3. Click the bullet next to No - Do not create a certificate in the certificate store, and then click Continue.
4. Type a password for the *SYSTEM store (must be letters and numbers only, with no punctuation or spaces), and click Continue.
5. Click OK.
6. Click Cancel.

Step 4: To create a Local Certificate Authority, do the following:

1. On the left panel, click Select a Certificate Store. If there is an option for Local Certificate Authority (CA), you already have a Local CA.
2. If there is no option for Local Certificate Authority (CA), on the left panel, click Create a Certificate Authority (CA).
3. Type a password (letters and numbers only).
4. Provide a unique Certificate Authority (CA) name; for example, a combination of the name of your company, the name of your System i™ system, and the words Local CA: MyCompany i5 Local CA.
5. Complete the remaining fields as appropriate. Specifying the maximum value for the Validity Period is recommended (unless your Security Administrator requires further limitations). Then, click Continue.
6. The option to install the certificate will be available later. Click Continue.
7. Setting the Validity Period for Server Certificates to the maximum value is recommended (unless your Security Administrator requires further limitations). Then, click Continue.
8. At this time, you do not need to have any applications trust this CA. Continue clicking Continue until you are asked if you want to create the default signing store. At that point, click Cancel.

Step 5: To create a Local Server Certificate, do the following:

1. Click the button: Select a Certificate Store.
2. Click the bullet next to *SYSTEM, and click Continue.
3. Enter the password to the store, and click Continue.
4. On the left panel, click the triangle next to FastPath to expand the section.
5. Under FastPath, click Work with server and client certificates.
6. Click the button: Create.
7. Click the bullet next to Local Certificate Authority (CA), then click Continue.
8. Fill in the fields on the form. For the Certificate Label, use a unique name. For example: MyCompany i5 Local Server Cert. For the common name, use the same value as the label. However, if this certificate will be used for HTTP, use the host identifier that you will be using in the URL. For example: www.i5.mycompany.com. (It is not necessary to complete any of the fields under Subject Alternative Name.) Click Continue.
9. You do not need to assign the certificate to any applications at the moment. Click Continue. Click OK.

Step 6: To assign the Server Certificate to your applications, do the following:

1. Assuming that you are still signed into the *SYSTEM store, on the left panel under FastPath, click Work with server and client certificates.
2. If there are multiple certificates, click the bullet next to the one you want to work with.
3. Click Assign to Applications.
4. Check the box next to the application(s) you want to use the certificate, and click Continue. Click OK.
5. For server applications, end and start the server application for the newly assigned certificate to be in use. For client applications, sign on to a new character-based user interface (if necessary, sign off and on again) to pick up the changes in DCM.
6. The ADMIN instance is required only for configuration purposes and can now be ended. Run the following command:

ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
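
The following added example, which is not part of the IBM document, audits a server certificate of the kind created in Step 5 against the host name used in the URL: whether the common name matches, whether a Subject Alternative Name matches (current browsers match on the Subject Alternative Name and ignore the common name), and how many days of validity remain. The dictionary is a constructed sample in the shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and the dates are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Names follow the page's examples; the dates are made up.
SAMPLE_CERT = {
    "subject": ((("organizationName", "MyCompany"),),
                (("commonName", "www.i5.mycompany.com"),)),
    "issuer": ((("commonName", "MyCompany i5 Local CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    # No "subjectAltName" key: the SAN fields were left empty in Step 5.
}


def _rdn(name, field):
    """Return all values of `field` from a getpeercert()-style name."""
    return [v for rdn in name for (k, v) in rdn if k == field]


def _matches(pattern, host):
    """Exact label-by-label match; a '*' is accepted only as the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def audit_server_cert(cert, url_host, now=None):
    """Check a server certificate against the host name used in the URL."""
    now = now or datetime.now(timezone.utc)
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = _rdn(cert["subject"], "commonName")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "issuer_cn": _rdn(cert["issuer"], "commonName"),
        "cn_match": any(_matches(cn, url_host) for cn in cns),
        "san_match": any(_matches(s, url_host) for s in sans),
        "days_left": (expires - now).days,  # negative once expired
    }


if __name__ == "__main__":
    report = audit_server_cert(SAMPLE_CERT, "www.i5.mycompany.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A result with cn_match true and san_match false describes a certificate that a client checking only the Subject Alternative Name will reject for that host name.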


Historical Number

416096345

Document Information

Modified date:
18 December 2019

UID

nas8N1014938