Complete the following task steps to configure and use Digital
Certificate Manager to sign objects as this scenario describes.
Step 1: Complete all prerequisite steps
You must complete all prerequisite tasks
to install and configure all needed iSeries™ products before you can perform
specific configuration tasks for implementing this scenario.
Step 2: Create a Local Certificate Authority to issue a private object signing certificate
When you
use Digital Certificate Manager (DCM) to create a Local Certificate Authority
(CA), the process requires you to complete a series of forms. These forms
guide you through the process of creating a CA and completing other tasks
needed to begin using digital certificates for Secure Sockets Layer (SSL),
object signing, and signature verification. Although in this scenario you
do not need to configure certificates for SSL, you must complete all forms
in the task to configure the system to sign objects.
To use DCM to create and operate a Local CA, follow these steps:
- Start DCM.
- In the navigation frame of DCM, select Create a Certificate Authority (CA)
to display a series of forms.
Note: If you have questions about how to complete a specific form in this
guided task, select the question mark (?) button at the top of the page
to access the online help.
- Complete all the forms for this guided task. As you perform this task,
you must do the following:
  - Provide identifying information for the Local CA.
  - Install the Local CA certificate in your browser so that your software
  can recognize the Local CA and validate certificates that the Local CA issues.
  - Specify the policy data for your Local CA.
  - Use the new Local CA to issue a server or client certificate that your
  applications can use for SSL connections.
  Note: Although this scenario does not make use of this certificate, you
  must create it before you can use the Local CA to issue the object signing
  certificate that you need. If you cancel the task without creating this
  certificate, you must create your object signing certificate and the
  *OBJECTSIGNING certificate store in which it is stored separately.
  - Select the applications that can use the server or client certificate
  for SSL connections.
  Note: For the purposes of this scenario, do not select any applications
  and click Continue to display the next form.
  - Use the new Local CA to issue an object signing certificate that
  applications can use to digitally sign objects. This subtask creates the
  *OBJECTSIGNING certificate store. This is the certificate store that you
  use to manage object signing certificates.
  - Select the applications that are to trust your Local CA.
  Note: For the purposes of this scenario, do not select any applications
  and click Continue to finish the task.
Now that you have created a Local CA and an object signing certificate, you
must define an object signing application to use the certificate before you
can sign objects.
Step 3: Create an object signing application definition
After you create your object signing
certificate, you must use Digital Certificate Manager (DCM) to define an object
signing application that you can use to sign objects. The application definition
does not need to refer to an actual application; the application definition
that you create can describe the type or group of objects that you intend
to sign. You need the definition so that you can have an application ID to
associate with the certificate to enable the signing process.
To use
DCM to create an object signing application definition, follow these steps:
- In the navigation frame, click Select a Certificate Store and
select *OBJECTSIGNING as the certificate store to open.
- When the Certificate Store and Password page displays, provide the password
that you specified for the certificate store when you created it and click Continue.
- In the navigation frame, select Manage Applications to
display a list of tasks.
- Select Add application from the task list to display
a form for defining the application.
- Complete the form and click Add.
Now you must assign your object signing certificate to the application
that you created.
Step 4: Assign a certificate to the object signing application definition
To assign the certificate
to your object signing application, follow these steps:
- In the DCM navigation frame, select Manage Certificates to
display a list of tasks.
- From the list of tasks, select Assign certificate to
display a list of certificates for the current certificate store.
- Select a certificate from the list and click Assign to Applications to
display a list of application definitions for the current certificate store.
- Select one or more applications from the list and click Continue.
A message page displays to either confirm the certificate assignment or provide
error information if a problem occurred.
When you complete this task, you are ready to use DCM to sign the
program objects that the company's public Web server (System B) will use.
Step 5: Sign program objects
To
use DCM to sign the program objects for use on the company's public Web server
(System B), follow these steps:
- In the navigation frame, click Select a Certificate Store and
select *OBJECTSIGNING as the certificate store to open.
- Enter the password for the *OBJECTSIGNING certificate store and click Continue.
- After the navigation frame refreshes, select Manage Signable
Objects to display a list of tasks.
- From the list of tasks, select Sign an object to
display a list of application definitions that you can use for signing objects.
- Select the application that you defined in the previous step and click Sign
an Object. A form displays that allows you to specify the location
of the objects that you want to sign.
- In the field provided, enter the fully qualified path and file name of
the object or directory of objects that you want to sign and click Continue.
Or, enter a directory location and click Browse to
view the contents of the directory to select objects for signing.
Note: You
must start the object name with a leading slash or you may encounter an error.
You can also use certain wildcard characters to describe the part of the directory
that you want to sign. These wildcard characters are the asterisk (*),
which specifies any number of characters, and the question mark (?),
which specifies any single character. For example, to sign all the
objects in a specific directory, you might enter /mydirectory/*;
to sign all the programs in a specific library, you might enter /QSYS.LIB/QGPL.LIB/*.PGM.
You can use these wildcards only in the last part of the path name; for example, /mydirectory*/filename results
in an error message. If you want to use the Browse function
to see a list of library or directory contents, you must enter the wildcard
as part of the path name before clicking Browse.
- Select the processing options that you want to use for signing the selected
object or objects and click Continue.
Note: If you
choose to wait for job results, the results file displays directly in your
browser. Results for the current job are appended to the end of the results
file. Consequently, the file may contain results from any previous jobs, in
addition to those of the current job. You can use the date field in the file
to determine which lines in the file apply to the current job. The date field
is in YYYYMMDD format. The first field in the file can be either the message
ID (if an error occurred during processing the object) or the date field (indicating
the date on which the job processed).
- Specify the fully qualified path and file name to use for storing job
results for the object signing operation and click Continue.
Or, enter a directory location and click Browse to
view the contents of the directory to select a file for storing the job results.
A message displays to indicate that the job was submitted to sign objects.
To view the job results, see job QOBJSGNBAT in the
job log.
To ensure that you or others can verify the signatures, you must export
the necessary certificates to a file and transfer the certificate file to
System B. You must also complete all signature verification configuration
tasks on System B before you transfer the signed program objects to System
B. Signature verification configuration must be completed before you can successfully
verify signatures as you restore the signed objects on System B.
Step 6: Export certificates to enable signature verification on System B
Signing objects to
protect the integrity of the contents requires that you and others have a
means of verifying the authenticity of the signature. To verify object signatures
on the same system that signs the objects (System A), you must use DCM to
create the *SIGNATUREVERIFICATION certificate store. This certificate store
must contain a copy of both the object signing certificate and a copy of the
CA certificate for the CA that issued the signing certificate.
To allow
others to verify the signature, you must provide them with a copy of the certificate
that signed the object. When you use a Local Certificate Authority (CA) to
issue the certificate, you must also provide them with a copy of the Local
CA certificate.
To use DCM so that you can verify signatures on the
same system that signs the objects (System A in this scenario), follow these
steps:
- In the navigation frame, select Create New Certificate Store and
select *SIGNATUREVERIFICATION as the certificate store
to create.
- Select Yes to copy existing object signing certificates
into the new certificate store as signature verification certificates.
- Specify a password for the new certificate store and click Continue to
create the certificate store. Now you can use DCM to verify object signatures
on the same system that you use to sign objects.
To use DCM to export a copy of the Local CA certificate and a copy
of the object signing certificate as a signature verification certificate
so that you can verify object signatures on other systems (System B), follow
these steps:
- In the navigation frame, select Manage Certificates,
and then select the Export certificate task.
- Select Certificate Authority (CA) and click Continue to
display a list of CA certificates that you can export.
- Select the Local CA certificate that you created earlier from the list
and click Export.
- Specify File as your export destination and click Continue.
- Specify a fully qualified path and file name for the exported Local CA
certificate and click Continue to export the certificate.
- Click OK to exit the Export confirmation page.
Now you can export a copy of the object signing certificate.
- Re-select the Export certificate task.
- Select Object signing to display a list of object
signing certificates that you can export.
- Select the appropriate object signing certificate from the list and click Export.
- Select File, as a signature verification certificate as
your destination and click Continue.
- Specify a fully qualified path and file name for the exported signature
verification certificate and click Continue to export
the certificate.
Now you can transfer these files to the endpoint systems on which
you intend to verify signatures that you created with the certificate.
Step 7: Transfer certificate files to the company public server, System B
You must transfer the certificate files that you created on System A to
System B, the company's public Web server in this scenario, before you can
configure them to verify the objects that you sign. You can use several
different methods to transfer the certificate files. For example, you might
use File Transfer Protocol (FTP) or Management Central package distribution
to transfer the files.
Step 8: Signature verification tasks: Create *SIGNATUREVERIFICATION certificate store
To verify
object signatures on System B (the company's public Web server), System B
must have a copy of the corresponding signature verification certificate in
the *SIGNATUREVERIFICATION certificate store. Because you used a certificate
issued by a Local CA to sign the objects, this certificate store must also
contain a copy of the Local CA certificate.
To create the *SIGNATUREVERIFICATION
certificate store, follow these steps:
- Start DCM.
- In the Digital Certificate Manager (DCM) navigation frame, select Create
New Certificate Store and select *SIGNATUREVERIFICATION as
the certificate store to create.
Note: If you have questions about how to
complete a specific form while using DCM, select the question mark (?)
at the top of the page to access the online help.
- Specify a password for the new certificate store and click Continue to
create the certificate store. Now you can import certificates into the store
and use them to verify object signatures.
Step 9: Signature verification tasks: Import certificates
To verify the signature on an object,
the *SIGNATUREVERIFICATION store must contain a copy of the signature verification
certificate. If the signing certificate is a private one, this certificate
store must also have a copy of the Local Certificate Authority (CA) certificate
that issued the signing certificate. In this scenario, both certificates were
exported to a file and that file was transferred to each endpoint system.
To import these certificates into the *SIGNATUREVERIFICATION store, follow
these steps:
- In the DCM navigation frame, click Select a Certificate Store and
select *SIGNATUREVERIFICATION as the certificate store to open.
- When the Certificate Store and Password page displays, provide the password
that you specified for the certificate store when you created it and click Continue.
- After the navigation frame refreshes, select Manage Certificates to
display a list of tasks.
- From the task list, select Import certificate.
- Select Certificate Authority (CA) as the certificate type and click Continue.
Note: You must import the Local CA certificate before you import a private
signature verification certificate; otherwise, the import process for the
signature verification certificate will fail.
- Specify the fully qualified path and file name for the CA certificate
file and click Continue. A message displays that either confirms that the
import process succeeded or provides error information if the process failed.
- Re-select the Import certificate task.
- Select Signature verification as the certificate type to import and
click Continue.
- Specify the fully qualified path and file name for the signature verification
certificate file and click Continue. A message displays that either confirms
that the import process succeeded or provides error information if the
process failed.
You can now use DCM on System B to verify signatures on objects that you
created with the corresponding signing certificate on System A.
Step 10: Signature verification tasks: Verify signature on program objects
To use DCM to verify
the signatures on the transferred program objects, follow these steps:
- In the navigation frame, click Select a Certificate Store and
select *SIGNATUREVERIFICATION as the certificate store
to open.
- Enter the password for the *SIGNATUREVERIFICATION certificate store and
click Continue.
- After the navigation frame refreshes, select Manage Signable
Objects to display a list of tasks.
- From the list of tasks, select Verify object signature to
specify the location of the objects for which you want to verify signatures.
- In the field provided, enter the fully qualified path and file name of
the object or directory of objects for which you want to verify signatures
and click Continue. Or, enter a directory location
and click Browse to view the contents of the directory
to select objects for signature verification.
Note: You can also use certain
wildcard characters to describe the part of the directory that you want to
verify. These wildcard characters are the asterisk (*), which specifies any
number of characters, and the question mark (?), which specifies any
single character. For example, to verify all the objects in a specific directory,
you might enter /mydirectory/*; to verify all the programs
in a specific library, you might enter /QSYS.LIB/QGPL.LIB/*.PGM.
You can use these wildcards only in the last part of the path name; for example, /mydirectory*/filename results
in an error message. If you want to use the Browse function to see a list
of library or directory contents, you must enter the wildcard as part of the
path name before clicking Browse.
- Select the processing options that you want to use for verifying the signature
on the selected object or objects and click Continue.
Note: If
you choose to wait for job results, the results file displays directly in
your browser. Results for the current job are appended to the end of the results
file. Consequently, the file may contain results from any previous jobs, in
addition to those of the current job. You can use the date field in the file
to determine which lines in the file apply to the current job. The date field
is in YYYYMMDD format. The first field in the file can be either the message
ID (if an error occurred during processing the object) or the date field (indicating
the date on which the job processed).
- Specify the fully qualified path and file name to use for storing job
results for the signature verification operation and click Continue.
Or, enter a directory location and click Browse to
view the contents of the directory to select a file for storing the job results.
A message displays to indicate that the job was submitted to verify object
signatures. To view the job results, see job QOBJSGNBAT in
the job log.
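The notes in Step 5 and Step 10 state two rules that are easy to get wrong at the DCM object field and in the appended results file: the path rules (leading slash, wildcards only in the last part) and the results layout (first field is a date or a message ID). The following added example, which is not DCM code and not from the original page, checks a path against those rules, expands it over a constructed listing, and filters an appended results file down to the current job; it assumes whitespace-separated fields and that an error line carries its date as the second field, neither of which the page states, and uses the placeholder message ID MSG0001.

```python
import re

# Wildcard rules from Steps 5 and 10: a leading slash is required, "*" matches
# any run of characters, "?" matches one character, and wildcards may appear
# only in the last part of the path name.
def check_object_path(path):
    """Return (ok, reason) for a path typed into the DCM object field."""
    if not path.startswith("/"):
        return False, "object name must start with a leading slash"
    head, _, last = path.rpartition("/")
    if "*" in head or "?" in head:
        return False, "wildcards are allowed only in the last part of the path"
    if not last:
        return False, "path ends in a slash; name an object or a pattern"
    return True, "ok"

def select_objects(path, listing):
    """Expand a DCM path against a constructed listing {directory: [names]}
    and return the full paths that the pattern would select."""
    ok, reason = check_object_path(path)
    if not ok:
        raise ValueError(reason)
    head, _, last = path.rpartition("/")
    # Escape the literal text, then map the two DCM wildcards onto regex.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in last)
    names = listing.get(head or "/", [])
    return [f"{head}/{n}" for n in names if re.fullmatch(rx, n)]

# Results-file layout from the notes in Steps 5 and 10: lines are appended per
# job; the first field is either a YYYYMMDD date (normal line) or a message ID
# (error line). Assumption, not stated on the page: an error line carries the
# date as its second field. The sample content below is constructed.
SAMPLE_RESULTS = """\
20240109 /mydirectory/app1.pgm signed
20240110 /QSYS.LIB/QGPL.LIB/PAYROLL.PGM signed
MSG0001 20240110 /QSYS.LIB/QGPL.LIB/BROKEN.PGM not signed
"""
DATE_RE = re.compile(r"\d{8}")

def current_job_lines(results_text, job_date):
    """Return (lines, error_ids) for the job that ran on job_date, skipping
    results appended by earlier jobs and any line with an unrecognised layout."""
    lines, error_ids = [], []
    for line in results_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if DATE_RE.fullmatch(fields[0]):
            line_date, msg_id = fields[0], None
        elif len(fields) > 1 and DATE_RE.fullmatch(fields[1]):
            line_date, msg_id = fields[1], fields[0]
        else:
            continue
        if line_date == job_date:
            lines.append(line)
            if msg_id:
                error_ids.append(msg_id)
    return lines, error_ids
```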