IBM Support

DDM / DRDA SSL connectivity

Question/Answer


Question

How to set up DDM /DRDA SSL connectivity between two IBM i systems

Answer


Client/Server role definitions:
"Client" - The IBM i system that initiates the connection - usually the system where CRTDDMF is run. Commonly referred to as the DDM 'source' or the Application Requestor (AR) when using DRDA.

"Server" - Remote IBM i system the DDM file is referencing. Commonly referred to as a DDM 'target' or the Application Server (AS) when using DRDA.


The IBM i Digital Certificate Manager will need to be accessed on both the Client and Server systems.
This is the direct URL for the IBM i Digital Certificate Manager:
http://<IBM i Client_or_Server>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

NOTE: These instructions assume no previous SSL connectivity has been configured and established between the client and server (secure telnet, for example).

Configuration checklist:

Server-side (using DCM):

__ Ensure a CA Certificate exists on Server system. Create one if it does not.
__ Ensure a server certificate signed by the CA exists.
__ Assign the server certificate to the DRDA/DDM server.
__ Ensure the DRDA SSL daemon is listening on port 448 (check with NETSTAT *CNN). This may require a restart of the *DDM server.
__ Export the CA certificate on the Server (usually as a ".cer" file) and copy it to the Client system. The file must be transferred with ASCII-mode conversion (the "ascii" command in FTP).

Client-side steps:

1) On the Client system, import the CA into *SYSTEM certificate store using DCM.

Note: Under "Fast Path" -> "Work with client applications", there must NOT be a certificate assigned to the "i5/OS DDM/DRDA Client - TCP/IP" application.

2) Create a new RDB directory entry on the Client pointing to the Server, specifying port 448 and SECCNN(*SSL). For example:
===> ADDRDBDIRE RDB(RMTDBSSL) RMTLOCNAME(remoteDB.xyz.com *IP) PORT(448) SECCNN(*SSL)

3) Run CRTDDMF on the Client, referencing a remote location of *RDB and specifying the RDB directory entry created in the previous step. For example:
===> CRTDDMF FILE(TESTSSL) RMTFILE(QIWS/QCUSTCDT) RMTLOCNAME(*RDB) RDB(RMTDBSSL)

To test, execute:
===> DSPPFM TESTSSL
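The client-side steps and the test above as a repeatable CL program (an added example, not from the technote). It reuses the technote's sample names, assumes library QGPL for the DDM file, and replaces the interactive DSPPFM with a CPYF that raises an escape message on failure; importing the CA into the *SYSTEM store (step 1) is still done in DCM.

```cl
/* Added example (not part of the IBM technote): client-side steps 2 and 3    */
/* plus a batch-safe test. Sample names RMTDBSSL, remoteDB.xyz.com, TESTSSL   */
/* and QIWS/QCUSTCDT come from the technote; library QGPL is an assumption.    */
             PGM
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSG)   TYPE(*CHAR) LEN(80)

             /* Step 2: RDB directory entry pointing at the server's SSL port  */
             ADDRDBDIRE RDB(RMTDBSSL) RMTLOCNAME('remoteDB.xyz.com' *IP) +
                          PORT(448) SECCNN(*SSL) +
                          TEXT('DRDA over SSL to remote IBM i')
             /* Entry already exists: force port and connection type anyway  */
             MONMSG     MSGID(CPF0000) EXEC(CHGRDBDIRE RDB(RMTDBSSL) +
                          RMTLOCNAME('remoteDB.xyz.com' *IP) +
                          PORT(448) SECCNN(*SSL))

             /* Step 3: DDM file that resolves its target through the RDB entry */
             DLTF       FILE(QGPL/TESTSSL)
             MONMSG     MSGID(CPF2105)        /* not found: nothing to delete */
             CRTDDMF    FILE(QGPL/TESTSSL) RMTFILE(QIWS/QCUSTCDT) +
                          RMTLOCNAME(*RDB) RDB(RMTDBSSL) +
                          TEXT('DDM file over SSL')

             /* Test: read one record through the DDM file without a display. */
             /* Any failure (CA not trusted, port 448 not listening, ...) is   */
             /* re-raised as an escape message carrying the original message. */
             CPYF       FROMFILE(QGPL/TESTSSL) TOFILE(*PRINT) NBRRCDS(1)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                 RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID) MSG(&MSG)
                 SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                              MSGDTA('SSL DDM test failed' *BCAT &MSGID +
                              *BCAT &MSG) MSGTYPE(*ESCAPE)
             ENDDO

             /* Drop the DDM conversation so the next test opens a fresh      */
             /* SSL connection (confirm port 448 with NETSTAT *CNN on server). */
             RCLDDMCNV
             ENDPGM
```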


Special case: Connecting to the local system using SSL

Admittedly, this case does not make a lot of sense: when you connect to the local system, no data ever leaves the TCP/IP stack, that is, nothing is ever transmitted onto the network, so encryption isn't necessary. However, if this setup is desired, it must be done by making an alias for the local database. The local database directory entry is simply a name; you cannot define the type of connection to the local system using the *LOCAL location, so it must be done using an alias. For example:

===> ADDRDBDIRE RDB(LOCALRDBNAME LOCALSSL) RMTLOCNAME(*LOOPBACK) PORT(448) SECCNN(*SSL) TEXT('SSL CONNECTION TO LOCAL DB')


Related information

Digital Certificate Manager Getting Started
How to Export a Certificate From Digital Certificate Ma
Secure Sockets Layer/Transport Layer Security

Document information

More support for: IBM i

Component: Data Access

Software version: Version Independent

Operating system(s): IBM i

Reference #: N1020710

Modified date: 08 November 2018