ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahuobjsigncertv5r1target.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Use a private certificate for signing objects on a target system" />
<meta name="abstract" content="You manage the certificates that you use for signing objects from the *OBJECTSIGNING certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage object signing certificates, then this certificate store will not exist on the target system." />
<meta name="description" content="You manage the certificates that you use for signing objects from the *OBJECTSIGNING certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage object signing certificates, then this certificate store will not exist on the target system." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4apcaanotherdcm.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="obj_sign_cert_v5r1_target" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Use a private certificate for signing objects on a target system</title>
</head>
<body id="obj_sign_cert_v5r1_target"><a name="obj_sign_cert_v5r1_target"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Use a private certificate for signing objects on a target system</h1>
<div><p>You manage the certificates that you use for signing objects from
the *OBJECTSIGNING certificate store in Digital Certificate Manager (DCM).
If you have never used DCM on the target system to manage object signing certificates,
then this certificate store will not exist on the target system. </p>
<div class="section"> <p>The tasks that you must perform to use the transferred certificate
store files that you created on the Local CA host system vary based on whether
the *OBJECTSIGNING certificate store exists. If the *OBJECTSIGNING certificate
store <a href="#objectsigningcertificatestoredoesnotexist">does not exist,</a> you
can use the transferred certificate files as a means of creating the *OBJECTSIGNING
certificate store. If the *OBJECTSIGNING certificate <a href="#objectsigningcertificatestoreexists">exists
on the target system</a>, you must import the transferred certificates
into it.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4apcaanotherdcm.htm" title="Review this information to learn how to use a private Local CA on one system to issue certificates for use on other iSeries systems.">Use a Local CA to issue certificates for other iSeries systems</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="objectsigningcertificatestoredoesnotexist"><a name="objectsigningcertificatestoredoesnotexist"><!-- --></a><h2 class="sectionscenariobar">*OBJECTSIGNING certificate store does
not exist</h2>
<div><div class="section"><p>The tasks that you perform to use the certificate store files
that you created on the Local CA host system vary based on whether you have
ever used DCM on the target system to manage object signing certificates.</p>
<p>If the *OBJECTSIGNING certificate store does not exist on the target system,
follow these steps to create it from the transferred certificate store files:</p>
</div>
<ol><li class="stepexpand"><span>Make sure that the certificate store files (two files: one with
a <samp class="codeph">.KDB</samp> extension and one with a <samp class="codeph">.RDB</samp> extension)
that you created on the system that hosts the Local CA are in the <samp class="codeph">/QIBM/USERDATA/ICSS/CERT/SIGNING</samp> directory.</span></li>
<li class="stepexpand"><span>Once the transferred certificate files are in the <samp class="codeph">/QIBM/USERDATA/ICSS/CERT/SIGNING</samp> directory,
rename the certificate files to <samp class="codeph">SGNOBJ.KDB</samp> and <samp class="codeph">SGNOBJ.RDB</samp>,
if necessary.</span> By renaming these files, you create the components
that comprise the *OBJECTSIGNING certificate store for the target system.
The certificate store files already contain copies of certificates for many
public Internet CAs. DCM added these, as well as a copy of the Local CA certificate,
to the certificate store files when you created them. <div class="note"><span class="notetitle">Attention:</span> If your target system already has a <samp class="codeph">SGNOBJ.KDB</samp> and
a <samp class="codeph">SGNOBJ.RDB</samp> file in the <samp class="codeph">/QIBM/USERDATA/ICSS/CERT/SIGNING</samp> directory,
the *OBJECTSIGNING certificate store currently exists on this target system.
Consequently, you must not rename the transferred files as suggested. Overwriting
the default object signing files will create problems for using DCM, the transferred
certificate store, and its contents. When <a href="#objectsigningcertificatestoreexists">the
*OBJECTSIGNING certificate store already exists</a>, you must use a different
process to get the certificates into the existing certificate store. </div>
</li>
<li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a>. </span> You must now change the password for the *OBJECTSIGNING
certificate store. Changing the password allows DCM to store the new password
so that you can use all DCM certificate management functions on the certificate
store.</li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and select <span class="uicontrol">*OBJECTSIGNING</span> as the
certificate store to open. </span></li>
<li class="stepexpand"><span>When the password page displays, provide the password that you
specified for the certificate store when you created it on the host system
and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificate Store</span> and
select <span class="uicontrol">Change password</span> from the list of tasks. </span> Complete the form to change the password for the certificate store.
After you change the password, you must re-open the certificate store before
you can work with the certificates in it. Next you can create an application
definition for using the certificate to sign objects. </li>
<li class="stepexpand"><span>After you re-open the certificate store, select <span class="uicontrol">Manage
Applications</span> in the navigation frame to display a list of tasks.</span></li>
<li class="stepexpand"><span>From the task list, select <span class="uicontrol">Add application</span> to
begin the process of creating an object signing application definition to
use a certificate to sign objects. </span></li>
<li class="stepexpand"><span>Complete the form to define your object signing application and
click <span class="uicontrol">Add</span>. </span> This application definition
does not describe an actual application, but rather describes the type of
objects that you plan to sign with a specific certificate. Use the online
help to determine how to complete the form. </li>
<li class="stepexpand"><span>Click <span class="uicontrol">OK</span> to acknowledge the application
definition confirmation message and display the <span class="uicontrol">Manage Applications</span> task
list.</span></li>
<li class="stepexpand"><span>From the task list, select <span class="uicontrol">Update certificate assignment</span> to
display a list of object signing application IDs for which you can assign
a certificate.</span></li>
<li class="stepexpand"><span>Select your application ID from the list and click <span class="uicontrol">Update
Certificate Assignment</span>. </span></li>
<li class="stepexpand"><span>Select the certificate that the Local CA on the host system created
and click <span class="uicontrol">Assign New Certificate</span>. </span></li>
</ol>
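<p>The decision behind steps 1 and 2 and the Attention note, as an added example that is not IBM's code: it renames a transferred pair only when the *OBJECTSIGNING store files are absent and both transferred files are present. It assumes a POSIX shell on the target system (for example QShell); the <samp class="codeph">SIGNING_DIR</samp> variable, the function names and the transferred base name <samp class="codeph">MYSIGN</samp> are this example's own.</p>

```shell
#!/bin/sh
# Added example (not IBM's code): guard the rename in steps 1 and 2 so that an
# existing *OBJECTSIGNING store is never overwritten (see the Attention note).
# SIGNING_DIR may be overridden to rehearse in a scratch directory.
SIGNING_DIR="${SIGNING_DIR:-/QIBM/USERDATA/ICSS/CERT/SIGNING}"

# Returns 0 when the *OBJECTSIGNING store is present, even partially: a lone
# SGNOBJ.KDB or SGNOBJ.RDB still means "do not overwrite".
objsign_store_exists() {
    [ -f "$SIGNING_DIR/SGNOBJ.KDB" ] || [ -f "$SIGNING_DIR/SGNOBJ.RDB" ]
}

# install_transferred_store BASE
# Renames the transferred pair BASE.KDB / BASE.RDB to SGNOBJ.KDB / SGNOBJ.RDB.
# Returns 1 without renaming anything if the store already exists (use the
# "certificate store exists" procedure instead) or if the pair is incomplete.
install_transferred_store() {
    base="$1"
    kdb="$SIGNING_DIR/$base.KDB"
    rdb="$SIGNING_DIR/$base.RDB"

    if objsign_store_exists; then
        echo "refusing: *OBJECTSIGNING store already exists in $SIGNING_DIR" >&2
        return 1
    fi
    if [ ! -f "$kdb" ] || [ ! -f "$rdb" ]; then
        echo "refusing: need both $base.KDB and $base.RDB in $SIGNING_DIR" >&2
        return 1
    fi

    # Rename the .RDB first; if the second mv fails, the original .KDB is
    # still in place under its transferred name for inspection.
    mv "$rdb" "$SIGNING_DIR/SGNOBJ.RDB" || return 1
    mv "$kdb" "$SIGNING_DIR/SGNOBJ.KDB" || return 1
    echo "created *OBJECTSIGNING store files from $base in $SIGNING_DIR"
}

# Command-line use: sh install_objsign.sh BASE (no argument: define functions only)
if [ "$#" -gt 0 ]; then
    install_transferred_store "$1"
fi
```

<p>After the rename, continue with step 3 (start DCM and change the store password) as described above.</p>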
<div class="section"><p>When you finish these tasks, you have everything that you need
to begin <a href="rzahusigningobjects.htm#signing_objects">signing objects</a> to
ensure their integrity. </p>
<p>When you distribute signed objects, those who
receive the objects must use DCM to <a href="rzahuverifyingsignatures.htm#verifying_signatures">verify
the signature</a> on the objects to ensure that the data is unchanged and
to verify the identity of the sender. To validate the signature, the receiver
must have a copy of the signature verification certificate. You must provide
a copy of this certificate as part of the package of signed objects. </p>
<p>The
receiver also must have a copy of the CA certificate for the CA that issued
the certificate that you used to sign the objects. If you signed the objects
with a certificate from a well-known Internet CA, the receiver's version of
DCM will already have a copy of the necessary CA certificate. Otherwise, you
must provide a copy of the CA certificate in a separate package along with
the signed objects. For example, you must provide a copy of the Local CA
certificate if you signed the objects with a certificate from a Local CA.
For security reasons, you must provide the CA certificate in a separate
package from the signed objects, or make the CA certificate publicly
available at the request of those who need it.</p>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="objectsigningcertificatestoreexists"><a name="objectsigningcertificatestoreexists"><!-- --></a><h2 class="sectionscenariobar">*OBJECTSIGNING certificate store exists</h2>
<div><div class="section"><p>You can use the certificates in the transferred certificate store
files in an existing *OBJECTSIGNING certificate store on a system. To do so,
you must import the certificates from the certificate store files into the
existing *OBJECTSIGNING certificate store. However, you cannot import the
certificates directly from the <samp class="codeph">.KDB</samp> and <samp class="codeph">.RDB</samp> files
because they are not in a format that the DCM import function can recognize
and use. You can add the certificates into the existing *OBJECTSIGNING certificate
store by opening the transferred files as an Other System Certificate Store
on the target system. You can then export the certificates directly into the
*OBJECTSIGNING certificate store. You must export a copy of both the object
signing certificate itself and the Local CA certificate from the transferred
files. </p>
<p>To export the certificates from the certificate store files
directly into the *OBJECTSIGNING certificate store, complete these steps on
the target system: </p>
</div>
<ol><li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a>.</span></li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and specify <span class="uicontrol">Other System Certificate Store</span> as
the certificate store to open.</span></li>
<li class="stepexpand"><span>When the Certificate Store and Password page displays, provide
the fully qualified path and file name for the certificate store files. Also
provide the password that you used when you created them on the host system
and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificate Store</span> and
select <span class="uicontrol">Change password</span> from the list of tasks. </span> Complete the form to change the password for the certificate store. <div class="note"><span class="notetitle">Note:</span> Be
sure to select the <span class="uicontrol">Automatic login</span> option when you
change the password for the certificate store. Using this option ensures that
DCM stores the new password so that you can use all DCM certificate management
functions on the new store. If you do not change the password and select the
Automatic login option, you may encounter errors when exporting the certificates
from this store into the *OBJECTSIGNING certificate store.</div>
<p>After
you change the password, you must re-open the certificate store before you
can work with the certificates in it.</p>
</li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and select <span class="uicontrol">Other System Certificate Store</span> as
the certificate store to open. </span></li>
<li class="stepexpand"><span>When the Certificate Store and Password page displays, provide
the fully qualified path and file name of the certificate store file, provide
the new password, and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>After the navigation frame refreshes, select <span class="uicontrol">Manage
Certificates</span> in the navigation frame to display a list of tasks
and select <span class="uicontrol">Export certificate</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Certificate Authority (CA)</span> as the
type of certificate to export and click <span class="uicontrol">Continue</span>. </span> <div class="note"><span class="notetitle">Note:</span> The wording for this task assumes that when you work with an Other
System Certificate Store, you are working with server or client certificates.
This is because this type of certificate store is designed for use as a secondary
certificate store to the *SYSTEM certificate store. However, using the export
task in this certificate store is the easiest way to add the certificates
from the transferred files into the existing *OBJECTSIGNING certificate store. </div>
</li>
<li class="stepexpand"><span>Select the Local CA certificate to export and click <span class="uicontrol">Export</span>. </span> <div class="note"><span class="notetitle">Note:</span> You must export the Local CA certificate into the certificate
store before you export the object signing certificate into the certificate
store. If you export the object signing certificate first, you may encounter
an error because the Local CA certificate does not exist in the certificate
store.</div>
</li>
<li class="stepexpand"><span>Select <span class="uicontrol">Certificate store</span> as the destination
for the exported certificate and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>Enter <samp class="codeph">*OBJECTSIGNING</samp> as the target certificate
store, enter the password for the *OBJECTSIGNING certificate store, and click <span class="uicontrol">Continue</span>. </span></li>
<li class="stepexpand"><span>Now you can export the object signing certificate into the *OBJECTSIGNING
certificate store. Re-select the <span class="uicontrol">Export certificate</span> task.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Server or client</span> as the type of certificate
to export and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>Select the appropriate certificate to export and click <span class="uicontrol">Export</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Certificate store</span> as the destination
for the exported certificate and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>Enter <samp class="codeph">*OBJECTSIGNING</samp> as the target certificate
store, enter the password for the *OBJECTSIGNING certificate store, and click <span class="uicontrol">Continue</span>.
A message displays to indicate that the certificate exported successfully
or to provide error information if the export process failed. </span> <div class="note"><span class="notetitle">Note:</span> To
use this certificate to sign objects, you must now <a href="rzahuassigncert.htm#assigncert">assign
the certificate</a> to an object signing application.</div>
</li>
</ol>
</div>
</div>
</body>
</html>