Scenario details: Use iSeries Navigator Management Central to sign objects

Complete the following task steps to configure Management Central to sign objects as this scenario describes.

Step 1: Complete all prerequisite steps

You must complete all prerequisite tasks to install and configure all needed iSeries™ products before you can perform specific configuration tasks for implementing this scenario.

Step 2: Create a Local Certificate Authority to issue a private object signing certificate

When you use Digital Certificate Manager (DCM) to create a Local Certificate Authority (CA), the process requires you to complete a series of forms. These forms guide you through the process of creating a CA and completing other tasks needed to begin using digital certificates for Secure Sockets Layer (SSL), object signing, and signature verification. Although in this scenario you do not need to configure certificates for SSL, you must complete all forms in the task to configure the system to sign objects.

To use DCM to create and operate a Local CA, follow these steps:

  1. Start DCM.
  2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the online help.
  3. Complete all the forms for this guided task. As you perform this task, you must do the following:
    1. Provide identifying information for the Local CA.
    2. Install the Local CA certificate in your browser so that your software can recognize the Local CA and validate certificates that the Local CA issues.
    3. Specify the policy data for your Local CA.
    4. Use the new Local CA to issue a server or client certificate that your applications can use for SSL connections.
      Note: Although this scenario does not make use of this certificate, you must create it before you can use the Local CA to issue the object signing certificate that you need. If you cancel the task without creating this certificate, you must create your object signing certificate and the *OBJECTSIGNING certificate store in which it is stored separately.
    5. Select the applications that can use the server or client certificate for SSL connections.
      Note: For the purposes of this scenario, do not select any applications and click Continue to display the next form.
    6. Use the new Local CA to issue an object signing certificate that applications can use to digitally sign objects. This subtask creates the *OBJECTSIGNING certificate store. This is the certificate store that you use to manage object signing certificates.
    7. Select the applications that are to trust your Local CA.
      Note: For the purposes of this scenario, do not select any applications and click Continue to finish the task.

Now that you have created a Local CA and an object signing certificate, you must define an object signing application to use the certificate before you can sign objects.

Step 3: Create an object signing application definition

After you create your object signing certificate, you must use Digital Certificate Manager (DCM) to define an object signing application that you can use to sign objects. The application definition does not need to refer to an actual application; the application definition that you create can describe the type or group of objects that you intend to sign. You need the definition so that you can have an application ID to associate with the certificate to enable the signing process.

To use DCM to create an object signing application definition, follow these steps:

  1. In the navigation frame, click Select a Certificate Store and select *OBJECTSIGNING as the certificate store to open.
  2. When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.
  3. In the navigation frame, select Manage Applications to display a list of tasks.
  4. Select Add application from the task list to display a form for defining the application.
  5. Complete the form and click Add.

Now you must assign your object signing certificate to the application that you created.

Step 4: Assign a certificate to the object signing application definition

To assign the certificate to your object signing application, follow these steps:

  1. In the DCM navigation frame, select Manage Certificates to display a list of tasks.
  2. From the list of tasks, select Assign certificate to display a list of certificates for the current certificate store.
  3. Select a certificate from the list and click Assign to Applications to display a list of application definitions for the current certificate store.
  4. Select one or more applications from the list and click Continue. A message page displays to either confirm the certificate assignment or provide error information if a problem occurred.

When you complete this task, you are ready to sign objects using Management Central when you package and distribute them. However, to ensure that you or others can verify the signatures, you must export the necessary certificates to a file and transfer them to all the endpoint systems, and you must complete all signature verification configuration tasks on each endpoint system before you use Management Central to transfer the signed application objects to them. Unless that configuration is in place, signatures cannot be verified successfully when the signed objects are restored on the endpoint systems.

Step 5: Export certificates to enable signature verification on other systems

Signing objects to protect the integrity of the contents requires that you and others have a means of verifying the authenticity of the signature. To verify object signatures on the same system that signs the objects, you must use DCM to create the *SIGNATUREVERIFICATION certificate store. This certificate store must contain a copy of both the object signing certificate and a copy of the CA certificate for the CA that issued the signing certificate.

To allow others to verify the signature, you must provide them with a copy of the certificate that signed the object. When you use a Local Certificate Authority (CA) to issue the certificate, you must also provide them with a copy of the Local CA certificate.

To use DCM so that you can verify signatures on the same system that signs the objects (System A in this scenario), follow these steps:

  1. In the navigation frame, select Create New Certificate Store and select *SIGNATUREVERIFICATION as the certificate store to create.
  2. Select Yes to copy existing object signing certificates into the new certificate store as signature verification certificates.
  3. Specify a password for the new certificate store and click Continue to create the certificate store. Now you can use DCM to verify object signatures on the same system that you use to sign objects.

To use DCM to export a copy of the Local CA certificate and a copy of the object signing certificate as a signature verification certificate so that you can verify object signatures on other systems, follow these steps:

  1. In the navigation frame, select Manage Certificates, and then select the Export certificate task.
  2. Select Certificate Authority (CA) and click Continue to display a list of CA certificates that you can export.
  3. Select the Local CA certificate that you created earlier from the list and click Export.
  4. Specify File as your export destination and click Continue.
  5. Specify a fully qualified path and file name for the exported Local CA certificate and click Continue to export the certificate.
  6. Click OK to exit the Export confirmation page. Now you can export a copy of the object signing certificate.
  7. Reselect the Export certificate task.
  8. Select Object signing to display a list of object signing certificates that you can export.
  9. Select the appropriate object signing certificate from the list and click Export.
  10. Select File, as a signature verification certificate, as your export destination and click Continue.
  11. Specify a fully qualified path and file name for the exported signature verification certificate and click Continue to export the certificate.

Now you can transfer these files to the endpoint systems on which you intend to verify signatures that you created with the certificate.

Step 6: Transfer certificate files to endpoint systems

You must transfer the certificate files that you created on System A to the endpoint systems in this scenario before you can configure them to verify the objects that you sign. You can use several different methods to transfer the certificate files. For example, you might use File Transfer Protocol (FTP) or Management Central package distribution to transfer the files.

Step 7: Sign objects by using Management Central

The object signing process for Management Central is part of the software packaging distribution process. You must complete all signature verification configuration tasks on each endpoint system before you use Management Central to transfer the signed application objects to them. Signature verification configuration must be completed before you can successfully verify signatures as you restore the signed objects on the endpoint systems.

To sign an application that you distribute to endpoint systems as this scenario describes, follow these steps:

  1. Use Management Central to package and distribute software products.
  2. When you get to the Identification panel in the Product Definition wizard, click Advanced to display the Advanced Identification panel.
  3. In the Digital signing field, enter the application ID for the object signing application that you created earlier and click OK.
  4. Complete the wizard and continue the process to package and distribute software products with Management Central.

Step 8: Signature verification tasks: Create *SIGNATUREVERIFICATION certificate store on endpoint systems

To verify object signatures on the endpoint systems in this scenario, each system must have a copy of the corresponding signature verification certificate in the *SIGNATUREVERIFICATION certificate store. If a private certificate signed the objects, this certificate store must also contain a copy of the Local CA certificate.

To create the *SIGNATUREVERIFICATION certificate store, follow these steps:

  1. Start DCM.
  2. In the Digital Certificate Manager (DCM) navigation frame, select Create New Certificate Store and select *SIGNATUREVERIFICATION as the certificate store to create.
    Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.
  3. Specify a password for the new certificate store and click Continue to create the certificate store. Now you can import certificates into the store and use them to verify object signatures.

Step 9: Signature verification tasks: Import certificates

To verify the signature on an object, the *SIGNATUREVERIFICATION store must contain a copy of the signature verification certificate. If the signing certificate is a private one, this certificate store must also have a copy of the Local Certificate Authority (CA) certificate that issued the signing certificate. In this scenario, both certificates were exported to a file and that file was transferred to each endpoint system.

To import these certificates into the *SIGNATUREVERIFICATION store, follow these steps:

  1. In the DCM navigation frame, click Select a Certificate Store and select *SIGNATUREVERIFICATION as the certificate store to open.
  2. When the Certificate Store and Password page displays, provide the password that you specified for the certificate store when you created it and click Continue.
  3. After the navigation frame refreshes, select Manage Certificates to display a list of tasks.
  4. From the task list, select Import certificate.
  5. Select Certificate Authority (CA) as the certificate type and click Continue.
    Note: You must import the Local CA certificate before you import a private signature verification certificate; otherwise, the import process for the signature verification certificate will fail.
  6. Specify the fully qualified path and file name for the CA certificate file and click Continue. A message displays that either confirms that the import process succeeded or provides error information if the process failed.
  7. Reselect the Import certificate task.
  8. Select Signature verification as the certificate type to import and click Continue.
  9. Specify the fully qualified path and file name for the signature verification certificate file and click Continue. A message displays that either confirms that the import process succeeded or provides error information if the process failed.

Your system can now verify signatures on objects that were created with the corresponding signing certificate when you restore the signed objects.
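The trust relationship that Steps 5, 8 and 9 set up, modelled as an added Go example (not DCM code or IBM's): a constructed Local CA issues an object signing certificate, a sample object is signed with it, and verification succeeds only once the Local CA certificate is present in the verification store. The names `issue`, `VerifyObject` and `Scenario`, the certificate subjects and the sample object are assumptions of this example, not DCM names or data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl for pub with the issuer's key; passing tmpl itself as parent yields a self-signed Local CA.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyObject checks the signature against the object, then checks that the signing certificate chains to a CA in the store.
func VerifyObject(object, sig []byte, signer *x509.Certificate, store *x509.CertPool) error {
	digest := sha256.Sum256(object)
	if !ecdsa.VerifyASN1(signer.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return errors.New("signature does not match object")
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// Scenario builds a constructed Local CA and object signing certificate, signs a sample object, then verifies without and with the CA.
func Scenario() (withoutCA, withCA error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Local CA (example)"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	signTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Object signing (example)"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	signer := issue(signTmpl, ca, &signKey.PublicKey, caKey)
	object := []byte("constructed sample object contents") // stands in for a packaged product object
	digest := sha256.Sum256(object)
	sig, _ := ecdsa.SignASN1(rand.Reader, signKey, digest[:])
	withoutCA = VerifyObject(object, sig, signer, x509.NewCertPool()) // signer known, Local CA certificate not imported
	store := x509.NewCertPool()
	store.AddCert(ca) // import the Local CA certificate, as Step 9 requires before verification can succeed
	withCA = VerifyObject(object, sig, signer, store)
	return withoutCA, withCA
}
```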