Question & Answer
Question
How to set up DDM /DRDA SSL connectivity between two IBM i systems
Answer
Client/server role definitions:
"Client" - The IBM i system that initiates the connection - usually the system where CRTDDMF is run. Commonly referred to as the DDM 'source' or the Application Requester (AR) using DRDA.
"Server" - Remote IBM i system the DDM file is referencing. Commonly referred to as a DDM 'target' or the Application Server (AS) using DRDA.
The IBM i Digital Certificate Manager needs to be accessed on both the Client and Server systems.
The direct URL for IBM i Digital Certificate Manager will be one of the following:
- http://<system_name or IP address>:2006/dcm
- https://<system_name or IP address>:2007/dcm
- http://<system_name or IP address>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
NOTE: These instructions assume no previous SSL connectivity is configured and established between the client and server (secure telnet, for example).
Configuration checklist:
Server-side (using DCM):
__ Ensure a CA Certificate exists on Server system. If not, create one.
__ Ensure a server certificate signed by the CA exists.
__ Assign the server certificate to the DRDA/DDM server.
__ Ensure the DRDA SSL daemon is listening on port 448 using NETSTAT *CNN, which might require a restart of the *DDM server.
__ Export the CA on the Server (usually as a ".cer" file) and copy it to the Client system. ASCII-mode conversion must be performed on the file when transferring it ("ascii" command in FTP).
Client-side steps:
1) On the Client system, import the CA into *SYSTEM certificate store by using DCM.
Note: Under "Fast Path" -> "Work with client applications" or "Manage Application Definitions", there must NOT be a certificate assigned to the "i5/OS DDM/DRDA Client - TCP/IP" application.
2) Create new RDB directory entry on Client pointing to Server, specifying port 448 and *ssl. For example:
===> ADDRDBDIRE RDB(RMTDBSSL) RMTLOCNAME(remoteDB.xyz.com *IP) PORT(448) SECCNN(*SSL)
The target (server) system must have an RDB entry (or alias) named "RMTDBSSL".
3) CRTDDMF on the Client, referencing remote location of *RDB and specifying the RDBDIRE created in previous step. For example:
===> CRTDDMF FILE(TESTSSL) RMTFILE(QIWS/QCUSTCDT) RMTLOCNAME(*RDB) RDB(RMTDBSSL)
To test, execute:
===> DSPPFM TESTSSL
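Added pre-flight check (not part of the IBM document): it inspects the CA file copied from the Server for a wrong FTP transfer mode, then performs a TLS handshake to the Server's port 448 trusting only that CA, which is the same trust decision the Client makes after the import in step 1. The host name and file path are arguments you supply; the assumption that an unconverted file arrives as EBCDIC (CCSID 037) is mine, not the document's.

```python
"""Pre-flight check for DDM/DRDA over SSL (assumed helper, not IBM code)."""
import socket
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
DRDA_SSL_PORT = 448  # the port NETSTAT *CNN should show the DRDA SSL daemon on


def classify_ca_file(raw: bytes) -> str:
    """Return 'pem', 'der', 'ebcdic' or 'unknown' for an exported CA file.

    'ebcdic' means the PEM text arrived without ASCII conversion
    (assumption: an unconverted IBM i text file is EBCDIC, CCSID 037).
    """
    if raw.lstrip().startswith(PEM_HEADER):
        return "pem"
    if raw[:2] == b"\x30\x82":  # DER-encoded certificate (SEQUENCE, 2-byte length)
        return "der"
    as_ebcdic = raw.decode("cp037", errors="replace").lstrip()
    if as_ebcdic.startswith(PEM_HEADER.decode("ascii")):
        return "ebcdic"
    return "unknown"


def probe_drda_ssl(host: str, ca_raw: bytes, port: int = DRDA_SSL_PORT,
                   timeout: float = 10.0) -> dict:
    """Handshake with the DRDA SSL daemon, trusting only the exported CA.

    Raises ssl.SSLCertVerificationError if the server certificate does not
    chain to that CA, the same failure DDM would hit after the CA import.
    """
    kind = classify_ca_file(ca_raw)
    if kind not in ("pem", "der"):
        raise ValueError(f"CA file is not usable as-is: {kind}")
    cadata = ca_raw.decode("ascii") if kind == "pem" else ca_raw
    ctx = ssl.create_default_context(cadata=cadata)  # trust anchor = exported CA only
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            }


if __name__ == "__main__":
    server, ca_path = sys.argv[1], sys.argv[2]
    with open(ca_path, "rb") as f:
        ca_bytes = f.read()
    kind = classify_ca_file(ca_bytes)
    if kind == "ebcdic":
        sys.exit("CA file was not converted during transfer; re-copy it in FTP 'ascii' mode")
    print(probe_drda_ssl(server, ca_bytes))
```

A verification error from the probe means the server certificate is not signed by the CA you exported, so check the server-side checklist before touching the Client's RDB directory.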
Special case: Connecting to the local system that uses SSL
Admittedly, this case does not make a lot of sense. When you connect to the local system, no data ever leaves the TCP/IP stack; nothing is ever transmitted onto the network. Thus, encryption is not necessary. However, if this setup is wanted, it must be done by making an alias for the local database. The local database directory entry is simply a name; you cannot define the type of connection to the local system using the *LOCAL location, so it must be done using an alias. For example:
===> ADDRDBDIRE RDB(LOCALRDBNAME LOCALSSL) RMTLOCNAME(*LOOPBACK) PORT(448) SECCNN(*SSL) TEXT('SSL CONNECTION TO LOCAL DB')
Document Information
Modified date:
19 February 2023
UID
nas8N1020710