Digital certificates

Digital certificates are digitally-signed statements used for secured transactions over the internet.

Digital certificates can be used on servers running i5/OS™ Version 4 Release 3 (V4R3) and later. To make a secure connection using the Secure Sockets Layer (SSL), a digital certificate is required.

Digital certificates comprise the following:

As an administrator of a secured server, you can add a certification authority's "trusted root key" to the server. This means that your server will trust anyone who is certified through that particular certification authority.

Digital certificates also offer encryption, ensuring a secure transfer of data through a private encryption key.

You can create digital certificates through the javakey tool. (For more information about javakey and Java™ security, see the Sun Microsystems, Inc., Java Security page.) The IBM® Toolbox for Java licensed program has classes that administer digital certificates on the iSeries™ server.

The AS400Certificate classes provide methods to manage X.509 ASN.1 encoded certificates. Classes are provided to do the following:

Using a certificate class causes the AS400 object to connect to the server. See managing connections for information about managing connections.

On the server, certificates belong to a validation list or to a user profile.

Using AS400CertificateUserProfileUtil and AS400CertificateVldlUtil requires that you install base operating system option 34 (Digital Certificate Manager). These two classes extend AS400CertificateUtil, an abstract base class that defines the methods common to both subclasses.

The AS400Certificate class provides methods to read and write certificate data. Data is accessed as an array of bytes. The java.security package in Java virtual machine 1.2 provides classes that can be used to get and set individual fields of the certificate.

Listing certificates

To get a list of certificates, the Java program must do the following:

  1. Create an AS400 object.
  2. Construct the correct certificate object. Different objects are used for listing certificates on a user profile (AS400CertificateUserProfileUtil) versus listing certificates in a validation list (AS400CertificateVldlUtil).
  3. Create selection criteria based on certificate attributes. The AS400CertificateAttribute class contains attributes used as selection criteria. One or more attribute objects define the criteria that must be met before a certificate is added to the list. For example, a list might contain only certificates for a certain user or organization.
  4. Create a user space on the server and put the certificate into the user space. Large amounts of data can be generated by a list operation. The data is put into a user space before it can be retrieved by the Java program. Use the listCertificates() method to put the certificates into the user space.
  5. Use the getCertificates() method to retrieve certificates from the user space.

Example: Listing digital certificates

The following example lists certificates in a validation list. It lists only those certificates belonging to a certain person.
     import com.ibm.as400.access.AS400;
     import com.ibm.as400.access.AS400Certificate;
     import com.ibm.as400.access.AS400CertificateAttribute;
     import com.ibm.as400.access.AS400CertificateVldlUtil;

     public class ListCertificates {
         public static void main(String[] args) throws Exception {
             // Create an AS400 object. The certificates are on this system.
             AS400 sys = new AS400("mySystem.myCompany.com");

             // Create the certificate object for the validation list.
             AS400CertificateVldlUtil certificateList =
                 new AS400CertificateVldlUtil(sys, "/QSYS.LIB/MYLIB.LIB/CERTLIST.VLDL");

             // Create the certificate attribute list. We only want certificates
             // for a single person, so the list consists of only one element.
             AS400CertificateAttribute[] attributeList = new AS400CertificateAttribute[1];
             attributeList[0] =
                 new AS400CertificateAttribute(AS400CertificateAttribute.SUBJECT_COMMON_NAME, "Jane Doe");

             // Retrieve the list that matches the criteria. User space "myspace"
             // in library "mylib" will be used for storage of the certificates.
             // The user space must exist before calling this API.
             int count = certificateList.listCertificates(attributeList, "/QSYS.LIB/MYLIB.LIB/MYSPACE.USRSPC");

             // Retrieve the certificates from the user space (starting at the
             // first certificate, with an 8 KB buffer). The method returns an
             // array of AS400Certificate, not AS400Certificates.
             AS400Certificate[] certificates =
                 certificateList.getCertificates("/QSYS.LIB/MYLIB.LIB/MYSPACE.USRSPC", 0, 8);

             // Process the certificates
         }
     }
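The page notes that the java.security package can read the individual fields of the bytes an AS400Certificate holds. The following added example (not part of the IBM documentation) decodes each certificate returned by getCertificates() with java.security.cert.CertificateFactory and reports which entries in the validation list are expired or not yet valid; the class name VldlCertificateAudit is assumed, and the system, validation list, user space and subject name are the ones used in the example above.

```java
// Added example: audit the validity period of certificates in a validation list.
// Assumes the same system, validation list and user space as the listing example.
import com.ibm.as400.access.AS400;
import com.ibm.as400.access.AS400Certificate;
import com.ibm.as400.access.AS400CertificateAttribute;
import com.ibm.as400.access.AS400CertificateVldlUtil;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

public class VldlCertificateAudit {
    public static void main(String[] args) throws Exception {
        AS400 sys = new AS400("mySystem.myCompany.com");
        AS400CertificateVldlUtil vldl =
            new AS400CertificateVldlUtil(sys, "/QSYS.LIB/MYLIB.LIB/CERTLIST.VLDL");

        // Selection criteria: only certificates whose subject CN is "Jane Doe".
        AS400CertificateAttribute[] criteria = {
            new AS400CertificateAttribute(AS400CertificateAttribute.SUBJECT_COMMON_NAME, "Jane Doe")
        };
        String userSpace = "/QSYS.LIB/MYLIB.LIB/MYSPACE.USRSPC";  // must already exist
        int count = vldl.listCertificates(criteria, userSpace);
        System.out.println(count + " certificate(s) matched the criteria");

        // Fetch the matching certificates (from the first one, 8 KB buffer)
        // and decode each one's DER bytes into an X509Certificate.
        AS400Certificate[] certs = vldl.getCertificates(userSpace, 0, 8);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (AS400Certificate c : certs) {
            X509Certificate x509 = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(c.getEncoded()));
            String status;
            try {
                x509.checkValidity();   // compares notBefore/notAfter with now
                status = "valid until " + x509.getNotAfter();
            } catch (CertificateExpiredException e) {
                status = "EXPIRED on " + x509.getNotAfter() + " (remove from list)";
            } catch (CertificateNotYetValidException e) {
                status = "NOT YET VALID until " + x509.getNotBefore();
            }
            System.out.println(x509.getSubjectX500Principal() + " issued by "
                + x509.getIssuerX500Principal() + ": " + status);
        }
        sys.disconnectAllServices();
    }
}
```

An expired certificate stays in the validation list until it is explicitly deleted, so a periodic run of this check is how an administrator notices entries that should no longer be trusted.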