<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Manage user certificates" />
<meta name="abstract" content="You can use Digital Certificate Manager (DCM) to obtain certificates with SSL or associate existing certificates with their iSeries user profiles." />
<meta name="description" content="You can use Digital Certificate Manager (DCM) to obtain certificates with SSL or associate existing certificates with their iSeries user profiles." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4anactingownca.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurequestuser.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuregisteruser.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahumanageuserexpire.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4anactingownca.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu461installcacert.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahu404-selecting_user_ca_tasks" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Manage user certificates</title>
</head>
<body id="rzahu404-selecting_user_ca_tasks"><a name="rzahu404-selecting_user_ca_tasks"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Manage user certificates</h1>
<div><p>Your users can use Digital Certificate Manager (DCM) to obtain certificates
with SSL or to associate existing certificates with their <span class="keyword">iSeries™</span> user
profiles.</p>
<p>If users access your public or internal servers through an
SSL connection, they must have a copy of the Certificate Authority (CA) certificate
that issued the server's certificate. They must have the CA certificate so
that their client software can validate the authenticity of the server certificate
to establish the connection. If your server uses a certificate from a public
CA, your users' software might already possess a copy of the CA certificate.
Consequently, neither you as a DCM administrator, nor your users, need take
any action before they can participate in an SSL session. However, if your
server uses a certificate from a private Local CA, your users must obtain
a copy of the Local CA certificate before they can establish an SSL session
with the server. </p>
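<p>The trust relationship described above, as an added example that is not part of the IBM documentation: the script uses the openssl command-line tool (not DCM) to create a throwaway Local CA and a server certificate, then checks that a client rejects the server certificate until it is given the Local CA certificate. The names Example Local CA and server.example.test and all file names are constructed for the example.</p>

```shell
#!/bin/sh
# Added example: every name and file below is constructed for illustration.

# Create a throwaway Local CA and a server certificate issued by it in dir $1.
make_local_ca_and_server() {
    dir=$1
    # Minimal openssl config so the CA certificate is marked as a CA.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/ca.cnf"
    # Self-signed Local CA certificate: the file users must obtain.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -subj "/CN=Example Local CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2> /dev/null || return 1
    # Server key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=server.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2> /dev/null || return 1
    # The Local CA issues the server certificate.
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2> /dev/null || return 1
}

# Succeed if a client would accept server certificate $1.
# With $2 set, the client also trusts that CA certificate file;
# without it, only the platform's default (public CA) trust store is used.
trusts_server() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" > /dev/null 2> /dev/null
    else
        openssl verify "$1" > /dev/null 2> /dev/null
    fi
}

work=$(mktemp -d) || exit 1
make_local_ca_and_server "$work" || exit 1
if trusts_server "$work/server.pem"; then
    echo "without Local CA certificate: accepted"
else
    echo "without Local CA certificate: rejected"
fi
if trusts_server "$work/server.pem" "$work/ca.pem"; then
    echo "with Local CA certificate: accepted"
else
    echo "with Local CA certificate: rejected"
fi
rm -rf "$work"
```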
<p>Additionally, if the server application supports and requires client authentication
through certificates, users must present an acceptable user certificate to
access resources that the server provides. Depending on your security needs,
users can present a certificate from a public Internet CA or one that they
obtain from a Local CA that you operate. If your server application provides
access to resources for internal users who currently have <span class="keyword">iSeries</span> user
profiles, you can use DCM to add their certificates to their user profiles.
This association ensures that users have the same access and restrictions
to resources when presenting certificates as their user profile grants or
denies.</p>
<p>Digital Certificate Manager (DCM) allows you to manage certificates that
are assigned to an <span class="keyword">iSeries</span> user
profile. If you have a user profile with *SECADM and *ALLOBJ special authorities,
you can manage user profile certificate assignments for yourself or for other
users. When no certificate store is open, or when the Local Certificate Authority
(CA) certificate store is open, you can select <span class="uicontrol">Manage User Certificates</span> in
the navigation frame to access the appropriate tasks. If a different certificate
store is open, user certificate tasks are integrated into the tasks under <span class="uicontrol">Manage
Certificates</span>.</p>
<p>Users without *SECADM and *ALLOBJ user profile special authorities can
manage their own certificate assignments only. They can select <span class="uicontrol">Manage
User Certificates</span> to access tasks that allow them to view the
certificates associated with their user profiles, remove a certificate from
their user profiles, or assign a certificate from a different CA to their
user profiles. Users, regardless of the special authorities for their user
profiles, can obtain a user certificate from the Local CA by selecting the <span class="uicontrol">Create
Certificate</span> task in the main navigation frame.</p>
<p>To learn more about how to use DCM to manage and create user certificates,
review these topics:</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzahurequestuser.htm">Create a user certificate</a></strong><br />
Review this information to learn how your users can use the Local CA to issue a certificate for client authentication.</li>
<li class="ulchildlink"><strong><a href="rzahuregisteruser.htm">Assign a user certificate</a></strong><br />
You can assign a user certificate that you own to your <span class="keyword">i5/OS™</span> user profile or other user
identity. The certificate may be from a private Local CA on another system
or from a well-known Internet CA. Before you can assign a certificate to a
user identity, the issuing CA must be trusted by the server, and the certificate
must not already be associated with a user profile or other user identity
on the system.</li>
<li class="ulchildlink"><strong><a href="rzahumanageuserexpire.htm">Manage user certificates by expiration</a></strong><br />
Digital Certificate Manager (DCM) provides certificate expiration
management support to allow administrators to check the expiration dates of
user certificates on the local <span class="keyword">iSeries</span> system.
DCM user certificate expiration management support can be used in conjunction
with Enterprise Identity Mapping (EIM) so that administrators can use DCM
to check user certificate expiration at the enterprise level.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4anactingownca.htm" title="This information explains how to create and operate a Local Certificate Authority (CA) to issue private certificates for your applications.">Create and operate a Local CA</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahurzahu4anactingownca.htm" title="This information explains how to create and operate a Local Certificate Authority (CA) to issue private certificates for your applications.">Create and operate a Local CA</a></div>
<div><a href="rzahurzahu461installcacert.htm" title="Review this information to learn how to obtain a copy of the private CA certificate and install it on your PC so that you can authenticate any server certificates that the CA issues.">Obtain a copy of the private CA certificate</a></div>
</div>
</div>
</body>
</html>