VPN planning advisor

Authentication method

To establish a VPN, the two connection endpoints of the VPN need to authenticate each other. OS/400® VPN uses either RSA signature mode or preshared keys to do this.

A preshared key is a nontrivial string up to 128 characters long. Both ends of a connection must agree upon the preshared key. The advantage of using preshared keys is their simplicity. The disadvantage is that a shared secret must be distributed out-of-band, for example over the phone or through registered mail, prior to IKE negotiations. You should treat your preshared key as you would a password.

RSA signature authentication provides more security than preshared keys because this mode uses digital certificates to provide authentication. You must configure your digital certificates by using Digital Certificate Manager (5722-SS1 Option 34).

How do you plan to authenticate the key servers?