
Create an SSL key and certificate for Pegasus

For Pegasus to run in Secure Sockets Layer (SSL) mode, a private key and certificate are required. Pegasus checks for its private key and certificate during startup. If those files do not exist, Pegasus creates its private key and a self-signed 365-day certificate. You can also create your own private key and certificate by following the information in this topic.

Before you can do this procedure, you must install OpenSSL on your system (LPO 5733-SC1).

The private key and certificate are stored in paths that are defined by the sslKeyFilePath and sslCertificateFilePath configuration properties of the cimconfig command. You can create your own certificate and private key in these paths. Otherwise, if either the certificate or private key does not exist in these paths, then the CIM Server will create its own certificate and private key. The CIM server creates its certificate with the following attributes for the subject name:

State or Province Name: Minnesota
Locality: Rochester
Organization Name: IBM
Organizational Unit: iSeries
Common Name: hostname of system
Email Address: 
Note:
  • The Common Name field is replaced by the hostname of this system.
  • The Email Address field is left blank.
  • This certificate is self-signed. The expiration date of the certificate is set to 365 days from its creation date.
After these files are created you must manage the renewal and recovery of the certificate. You need to create an SSL key and certificate whenever the certificate is not valid, expired, or its security has been compromised. You can recreate the certificate by deleting the certificate file, and restarting the CIM server. The CIM server creates a new certificate that expires in 365 days.
Note: Pegasus only supports private key files without a pass-phrase. For this reason it is important to keep the private key in a protected directory. By default, the Pegasus private key is put in a directory owned by QSYS, with PUBLIC *EXCLUDE, and no private authorities. If you change the sslKeyFilePath property, it is recommended that this directory be protected.

Pegasus allows the OpenSSL default for its initialization (seeding) of the pseudo random number generator (PRNG). Pegasus calls the SSL_library_init application programming interface (API), which calls the i5/OS™ Qc3GenPrns API (Generate Pseudorandom Numbers). Pegasus on i5/OS does not support seeding the PRNG from a file.

One method to create a certificate and private key for Pegasus is to use the Digital Certificate Manager (DCM) on i5/OS.

DCM allows you to create a Pegasus server certificate that is issued by a local Certificate Authority (CA) on the i5/OS system, or by an external Certificate Authority.

Note that Pegasus is not integrated with DCM. You must export all certificates that are created in DCM to Pegasus. Pegasus only supports the PEM format for certificates.

To create a private key and certificate, do the following steps:
  1. Create an Application definition in DCM of type server for Pegasus. Because Pegasus is not integrated with DCM, the details of the Application definition are not important. However, the recommended Application ID is QIBM_CIMOM.
  2. Create a certificate for the Pegasus application that is issued by a CA. Make note of the subject name that you enter for Pegasus in the certificate.
  3. Export the certificate from DCM to Pegasus by doing the following steps:
    1. In the navigation frame, select Manage Certificates and Export Certificates.
    2. Select Server or client as the type of certificate.
    3. Select the certificate that you created for Pegasus and click Export.
    4. Choose File as the export destination.
    5. For the export file name, use the directory defined by the Pegasus sslCertificateFilePath property, and name the file pegasuscert.p12. This file will be in PKCS12 format.
      Note: Make sure to remember the password that you enter here. This will be used to decrypt the exported certificate later.
  4. Run the OpenSSL commands to convert the certificate from PKCS12 format to Privacy Enhanced Mail (PEM) format by doing the following steps:
    1. At an i5/OS command line, start the PASE environment by typing CALL QP2TERM.
    2. Change directory to the location of the exported certificate.
    3. Extract the certificate from the PKCS12 file and convert it to PEM format by using the following OpenSSL command:
      openssl pkcs12 -in pegasuscert.p12 -out pegasuscert.pem -nokeys -clcerts
      This command prompts for the password that you entered on the DCM Export page.

      The PEM file that is created might contain more than one certificate. It might contain both the Pegasus certificate and the certificate of the CA that issued the Pegasus certificate. Because Pegasus does not support this type of PEM file, the CA certificate must be removed.

    4. Remove the CA certificate by editing the PEM file; delete all of the lines except the ones for the Pegasus certificate. The Pegasus certificate has the Pegasus subject name that you used when you created the certificate in DCM. Keep the lines of the Pegasus certificate, starting with Bag Attributes and ending with END CERTIFICATE.
    5. Extract the private key from the PKCS12 file and convert it to PEM format by using the following OpenSSL command:
      openssl pkcs12 -in pegasuscert.p12 -out pegasuskey.pem -nocerts -nodes
      This command prompts for the password that you entered on the DCM Export page.

      The certificate and private key are now converted to PEM format.

    6. Make the certificate available to Pegasus by placing it in the path that is defined by the sslCertificateFilePath property.
    7. Make the private key available to Pegasus by placing it in the path that is defined by the sslKeyFilePath property.
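The following Python script is an added example (not IBM's or Pegasus's own code) for steps 4 and 5 above: it keeps only the block of a PEM bundle whose subject CN is the Pegasus host name, dropping any CA certificate that openssl pkcs12 exported alongside it, and checks that the extracted key carries no pass-phrase, which is the only kind Pegasus accepts. The host name myhost.example.com and the PEM bodies are constructed sample data.

```python
"""Added example (not IBM code): keep only the Pegasus server certificate from
the PEM bundle that 'openssl pkcs12 -nokeys -clcerts' wrote (procedure step 4)
and confirm the extracted key has no pass-phrase. Sample data is constructed."""
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed openssl pkcs12 output: Pegasus certificate plus the issuing CA.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: QIBM_CIMOM
subject=/C=US/ST=Minnesota/L=Rochester/O=IBM/OU=iSeries/CN=myhost.example.com
-----BEGIN CERTIFICATE-----
MIIBconstructedPegasusCertificateBodyNotARealCertificate==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/O=IBM/CN=Local CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLocalCaCertificateBodyNotARealCertificate==
-----END CERTIFICATE-----
"""

def split_bundle(text):
    """Blocks run from 'Bag Attributes' (or BEGIN) through END CERTIFICATE."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.startswith("Bag Attributes") or (line == BEGIN and not current):
            current = [line]
        elif current:
            current.append(line)
            if line == END:
                blocks.append("\n".join(current) + "\n")
                current = []
    return blocks

def subject_cn(block):
    """CN from the 'subject=' line; accepts '/CN=x' and 'CN = x' layouts."""
    m = re.search(r"^subject=.*?CN\s*=\s*([^,/\n]+)", block, re.M)
    return m.group(1).strip() if m else None

def pegasus_certificate(bundle, common_name):
    """The one block whose subject CN is the Pegasus host name (CA removed),
    or None if zero or several blocks match."""
    hits = [b for b in split_bundle(bundle) if subject_cn(b) == common_name]
    return hits[0] if len(hits) == 1 else None

def key_usable_by_pegasus(key_pem):
    """Pegasus needs an unencrypted PEM key: reject PKCS#8 'ENCRYPTED' and
    legacy 'Proc-Type: 4,ENCRYPTED' keys ('openssl pkcs12 -nodes' avoids both)."""
    if "BEGIN ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem:
        return False
    return re.search(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----", key_pem) is not None
```

Write the returned block to the file in sslCertificateFilePath and run key_usable_by_pegasus on pegasuskey.pem before restarting the CIM server.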