ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalz_5.4.0.1/rzalzmgmtcntrldetails.htm

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario details: Use iSeries Navigator Management Central to sign objects" />
<meta name="abstract" content="Complete the following task steps to configure Management Central to sign objects as this scenario describes." />
<meta name="description" content="Complete the following task steps to configure Management Central to sign objects as this scenario describes." />
<meta name="DC.Relation" scheme="URI" content="rzalzmgmtcntlsc.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="mgmtcntrldetails" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario details: Use iSeries Navigator Management Central to sign objects</title>
</head>
<body id="mgmtcntrldetails"><a name="mgmtcntrldetails"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario details: Use iSeries Navigator Management Central to sign objects</h1>
<div><p>Complete the following task steps to configure Management Central
to sign objects as this scenario describes.</p>
<div class="section"><h4 class="sectionscenariobar">Step 1: Complete all prerequisite
steps</h4><p>You must complete all <a href="rzalzmgmtcntlsc.htm#mgmtcntlsc">prerequisite</a> tasks
to install and configure all needed iSeries™ products before you can perform
specific configuration tasks for implementing this scenario. </p>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 2: Create a Local Certificate
Authority to issue a private object signing certificate</h4><p>When you
use Digital Certificate Manager (DCM) to create a Local Certificate Authority
(CA), the process requires you to complete a series of forms. These forms
guide you through the process of creating a CA and completing other tasks
needed to begin using digital certificates for Secure Sockets Layer (SSL),
object signing, and signature verification. Although in this scenario you
do not need to configure certificates for SSL, you must complete all forms
in the task to configure the system to sign objects.</p>
<p>To use DCM to create
and operate a Local CA, follow these steps:</p>
<ol><li><a href="../rzahu/rzahurzahu66adcmstart.htm">Start</a> DCM.</li>
<li>In the navigation frame of DCM, select <span class="uicontrol">Create a Certificate
Authority (CA)</span> to display a series of forms. <div class="note"><span class="notetitle">Note:</span> If you have
questions about how to complete a specific form in this guided task, select
the question mark (<span class="uicontrol">?</span>) button at the top of the page
to access the online help. </div>
</li>
<li>Complete all the forms for this guided task. As you perform this task,
you must do the following: <ol type="a"><li>Provide identifying information for the Local CA. </li>
<li>Install the Local CA certificate in your browser so that your software
can recognize the Local CA and validate certificates that the Local CA issues. </li>
<li>Specify the policy data for your Local CA.</li>
<li>Use the new Local CA to issue a server or client certificate that your
applications can use for SSL connections. <div class="note"><span class="notetitle">Note:</span> Although this scenario does
not make use of this certificate, you must create it before you can use the
Local CA to issue the object signing certificate that you need. If you cancel
the task without creating this certificate, you must create your object signing
certificate and the *OBJECTSIGNING certificate store in which it is stored
separately.</div>
</li>
<li>Select the applications that can use the server or client certificate
for SSL connections. <div class="note"><span class="notetitle">Note:</span> For the purposes of this scenario, do not select
any applications and click <span class="uicontrol">Continue</span> to display the
next form.</div>
</li>
<li>Use the new Local CA to issue an object signing certificate that applications
can use to digitally sign objects. This subtask creates the *OBJECTSIGNING
certificate store. This is the certificate store that you use to manage object
signing certificates.</li>
<li>Select the applications that are to trust your Local CA. <div class="note"><span class="notetitle">Note:</span> For the
purposes of this scenario, do not select any applications and click <span class="uicontrol">Continue</span> to
finish the task.</div>
</li>
</ol>
</li>
</ol>
<p>Now that you have created a Local
CA and an object signing certificate, you must define an object signing application
to use the certificate before you can sign objects.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 3: Create an object
signing application definition</h4><p>After you create your object signing
certificate, you must use Digital Certificate Manager (DCM) to define an object
signing application that you can use to sign objects. The application definition
does not need to refer to an actual application; the application definition
that you create can describe the type or group of objects that you intend
to sign. You need the definition so that you can have an application ID to
associate with the certificate to enable the signing process.</p>
<p>To use
DCM to create an object signing application definition, follow these steps: </p>
<ol><li>In the navigation frame, click <span class="uicontrol">Select a Certificate Store</span> and
select <span class="uicontrol">*OBJECTSIGNING</span> as the certificate store to open. </li>
<li>When the Certificate Store and Password page displays, provide the password
that you specified for the certificate store when you created it and click <span class="uicontrol">Continue</span>.</li>
<li>In the navigation frame, select <span class="uicontrol">Manage Applications</span> to
display a list of tasks.</li>
<li>Select <span class="uicontrol">Add application</span> from the task list to display
a form for defining the application.</li>
<li>Complete the form and click <span class="uicontrol">Add</span>. </li>
</ol>
<p>Now you must assign your object signing certificate to the application
that you created.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 4: Assign a certificate
to the object signing application definition </h4><p>To assign the certificate
to your object signing application, follow these steps:</p>
<ol><li>In the DCM navigation frame, select <span class="uicontrol">Manage Certificates</span> to
display a list of tasks.</li>
<li>From the list of tasks, select <span class="uicontrol">Assign certificate</span> to
display a list of certificates for the current certificate store.</li>
<li>Select a certificate from the list and click <span class="uicontrol">Assign to Applications</span> to
display a list of application definitions for the current certificate store.</li>
<li>Select one or more applications from the list and click <span class="uicontrol">Continue</span>.
A message page displays to either confirm the certificate assignment or provide
error information if a problem occurred. </li>
</ol>
<p>When you complete this task, you are ready to <a href="#mgmtcntrldetails">sign
objects using Management Central</a> when you package and distribute them.
However, to ensure that you or others can verify the signatures, you must
export the necessary certificates to a file and transfer them to all the endpoint
systems. You must also complete all signature verification configuration tasks
on each endpoint system before you use Management Central to transfer the
signed application objects to them. Signature verification configuration must
be completed before you can successfully verify signatures as you restore
the signed objects on the endpoint systems.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 5: Export certificates
to enable signature verification on other systems</h4><p>Signing objects
to protect the integrity of the contents requires that you and others have
a means of verifying the authenticity of the signature. To verify object signatures
on the same system that signs the objects, you must use DCM to create the
*SIGNATUREVERIFICATION certificate store. This certificate store must contain
a copy of both the object signing certificate and a copy of the CA certificate
for the CA that issued the signing certificate.</p>
<p>To allow others to verify
the signature, you must provide them with a copy of the certificate that signed
the object. When you use a Local Certificate Authority (CA) to issue the certificate,
you must also provide them with a copy of the Local CA certificate. </p>
<p>To
use DCM so that you can verify signatures on the same system that signs the
objects (System A in this scenario), follow these steps:</p>
<ol><li>In the navigation frame, select <span class="uicontrol">Create New Certificate Store</span> and
select <span class="uicontrol">*SIGNATUREVERIFICATION</span> as the certificate store
to create. </li>
<li>Select <span class="uicontrol">Yes</span> to copy existing object signing certificates
into the new certificate store as signature verification certificates.</li>
<li>Specify a password for the new certificate store and click <span class="uicontrol">Continue</span> to
create the certificate store. Now you can use DCM to verify object signatures
on the same system that you use to sign objects. </li>
</ol>
<p>To use DCM to export a copy of the Local CA certificate and a copy
of the object signing certificate as a signature verification certificate
so that you can verify object signatures on other systems, follow these steps:</p>
<ol><li>In the navigation frame, select <span class="uicontrol">Manage Certificates</span>,
and then select the <span class="uicontrol">Export certificate</span> task.</li>
<li>Select <span class="uicontrol">Certificate Authority (CA)</span> and click <span class="uicontrol">Continue</span> to
display a list of CA certificates that you can export. </li>
<li>Select the Local CA certificate that you created earlier from the list
and click <span class="uicontrol">Export</span>. </li>
<li>Specify <span class="uicontrol">File</span> as your export destination and click <span class="uicontrol">Continue</span>.</li>
<li>Specify a fully qualified path and file name for the exported Local CA
certificate and click <span class="uicontrol">Continue</span> to export the certificate.</li>
<li>Click <span class="uicontrol">OK</span> to exit the Export confirmation page.
Now you can export a copy of the object signing certificate.</li>
<li>Reselect the <span class="uicontrol">Export certificate</span> task.</li>
<li>Select <span class="uicontrol">Object signing </span> to display a list of object
signing certificates that you can export. </li>
<li>Select the appropriate object signing certificate from the list and click <span class="uicontrol">Export</span>. </li>
<li>Select <span class="uicontrol">File, as a signature verification certificate</span> as
your destination and click <span class="uicontrol">Continue</span>.</li>
<li>Specify a fully qualified path and file name for the exported signature
verification certificate and click <span class="uicontrol">Continue</span> to export
the certificate.</li>
</ol>
<p>Now you can transfer these files to the endpoint systems on which
you intend to verify signatures that you created with the certificate.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 6: Transfer certificate
files to endpoint systems</h4><p>You must transfer the certificate files
that you created on System A to the endpoint systems in this scenario before
you can configure them to verify the objects that you sign. You can use several
different methods to transfer the certificate files. For example, you might
use File Transfer Protocol (FTP) or Management Central package distribution
to transfer the files. </p>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 7: Sign objects by using
Management Central</h4><p>The object signing process for Management Central
is part of the software packaging distribution process. You must complete
all <a href="#mgmtcntrldetails">signature verification configuration tasks</a> on
each endpoint system before you use Management Central to transfer the signed
application objects to them. Signature verification configuration must be
completed before you can successfully verify signatures as you restore the
signed objects on the endpoint systems.</p>
<p>To sign an application that
you distribute to endpoint systems as this scenario describes, follow these
steps:</p>
<ol><li>Use Management Central to <a href="../rzai4/rzai4swdistribute1.htm">package and distribute software products</a>.</li>
<li>When you get to the <span class="uicontrol">Identification</span> panel in the <span class="uicontrol">Product
Definition</span> wizard, click <span class="uicontrol">Advanced</span> to display
the <span class="uicontrol">Advanced Identification</span> panel.</li>
<li>In the <span class="uicontrol">Digital signing</span> field, enter the application
ID for the <a href="#mgmtcntrldetails">object signing application
that you created earlier</a> and click <span class="uicontrol">OK</span>. </li>
<li>Complete the wizard and continue the process to <a href="../rzai4/rzai4swdistribute1.htm">package and distribute software products</a> with Management
Central.</li>
</ol>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 8: Signature verification
tasks: Create *SIGNATUREVERIFICATION certificate store on endpoint systems</h4><p>To
verify object signatures on the endpoint systems in this scenario, each system
must have a copy of the corresponding signature verification certificate in
the *SIGNATUREVERIFICATION certificate store. If a private certificate signed
the objects, this certificate store must also contain a copy of the Local
CA certificate. </p>
<p>To create the *SIGNATUREVERIFICATION certificate store,
follow these steps:</p>
<ol><li><a href="../rzahu/rzahurzahu66adcmstart.htm">Start</a> DCM.</li>
<li>In the Digital Certificate Manager (DCM) navigation frame, select <span class="uicontrol">Create
New Certificate Store</span> and select <span class="uicontrol">*SIGNATUREVERIFICATION</span> as
the certificate store to create. <div class="note"><span class="notetitle">Note:</span> If you have questions about how to
complete a specific form in this guided task, select the question mark (<strong>?</strong>)
at the top of the page to access the online help. </div>
</li>
<li>Specify a password for the new certificate store and click <span class="uicontrol">Continue</span> to
create the certificate store. Now you can import certificates into the store
and use them to verify object signatures. </li>
</ol>
</div>
<div class="section"><h4 class="sectionscenariobar">Step 9: Signature verification
tasks: Import certificates</h4><p>To verify the signature on an object,
the *SIGNATUREVERIFICATION store must contain a copy of the signature verification
certificate. If the signing certificate is a private one, this certificate
store must also have a copy of the Local Certificate Authority (CA) certificate
that issued the signing certificate. In this scenario, both certificates were
exported to a file and that file was transferred to each endpoint system.</p>
<p>To
import these certificates into the *SIGNATUREVERIFICATION store, follow these
steps:</p>
<ol><li>In the DCM navigation frame, click <span class="uicontrol">Select a Certificate Store</span> and
select <span class="uicontrol">*SIGNATUREVERIFICATION</span> as the certificate store
to open. </li>
<li>When the Certificate Store and Password page displays, provide the password
that you specified for the certificate store when you created it and click <span class="uicontrol">Continue</span>. </li>
<li>After the navigation frame refreshes, select <span class="uicontrol">Manage Certificates</span> to
display a list of tasks. </li>
<li>From the task list, select <span class="uicontrol">Import certificate</span>. </li>
<li>Select <span class="uicontrol">Certificate Authority (CA)</span> as the certificate
type and click <span class="uicontrol">Continue</span>. <div class="note"><span class="notetitle">Note:</span> You must import the
Local CA certificate before you import a private signature verification certificate;
otherwise, the import process for the signature verification certificate will
fail.</div>
</li>
<li>Specify the fully qualified path and file name for the CA certificate
file and click <span class="uicontrol">Continue</span>. A message displays that either confirms that
the import process succeeded or provides error information if the process failed.</li>
<li>Reselect the <span class="uicontrol">Import certificate</span> task.</li>
<li>Select <span class="uicontrol">Signature verification</span> as the certificate type to import
and click <span class="uicontrol">Continue</span>.</li>
<li>Specify the fully qualified path and file name for the signature verification
certificate file and click <span class="uicontrol">Continue</span>. A message displays that either
confirms that the import process succeeded or provides error information if
the process failed.</li>
</ol>
<p>Your system can now verify signatures on objects that were created with
the corresponding signing certificate when you restore the signed objects.</p>
</div>
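<p>The trust relationship that Steps 2, 5 and 9 configure, shown as an added Go example that is not IBM's code and does not use DCM or Management Central: a self-signed Local CA issues an object signing certificate, the signing key signs the SHA-256 digest of an object, and an endpoint accepts the signature only when its trusted pool (standing in for the *SIGNATUREVERIFICATION store) holds the Local CA certificate. The function names Issue, SignObject and VerifyObject and the certificate names are the example's own.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue generates a P-256 key and a one-day certificate for it. With ca == nil the
// result is a self-signed Local CA (Step 2); otherwise ca/caKey issue an object signing certificate.
func Issue(serial int64, cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // constructed example names, not values from the scenario
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ca == nil { // self-signed Local CA: may sign certificates, no usage restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignObject signs the SHA-256 digest of an object with the object signing key.
func SignObject(key *ecdsa.PrivateKey, obj []byte) ([]byte, error) {
	h := sha256.Sum256(obj)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyObject is the endpoint check: the signing certificate must chain to a CA in
// trusted (the *SIGNATUREVERIFICATION store; why Step 9 imports the Local CA first).
func VerifyObject(trusted *x509.CertPool, signer *x509.Certificate, obj, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return err // without the Local CA in the pool: "certificate signed by unknown authority"
	}
	h := sha256.Sum256(obj)
	if !ecdsa.VerifyASN1(signer.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return errors.New("signature does not match object")
	}
	return nil
}
```

<p>Exporting the two certificates in Step 5 and importing them in Step 9 corresponds to populating the trusted pool; an endpoint that holds only the signing certificate and not the Local CA certificate fails the chain check.</p>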
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalzmgmtcntlsc.htm" title="This scenario describes a company that wants to sign objects that it packages and distributes to multiple systems. Based on the company's business needs and security goals, this scenario describes how to use iSeries Navigator's Management Central function to package and sign objects that they distribute to other systems.">Scenario: Use iSeries Navigator Management Central to sign objects</a></div>
</div>
</div>
</body>
</html>