ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahurzahu4apcaanotherdcm.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Use a Local CA to issue certificates for other iSeries systems" />
<meta name="abstract" content="Review this information to learn how to use a private Local CA on one system to issue certificates for use on other iSeries systems." />
<meta name="description" content="Review this information to learn how to use a private Local CA on one system to issue certificates for use on other iSeries systems." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahumanagedcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahutargetv5r2ssl.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahuobjsigncertv5r1target.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahudcmbackuprecover.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4afinternetvsprivcert.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4anactingownca.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahu4ap-_ca_another_dcm" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Use a Local CA to issue certificates for other iSeries systems </title>
</head>
<body id="rzahu4ap-_ca_another_dcm"><a name="rzahu4ap-_ca_another_dcm"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Use a Local CA to issue certificates for other iSeries systems </h1>
<div><p>Review this information to learn how to use a private
Local CA on one system to issue certificates for use on other iSeries™ systems.</p>
<div class="section"> <p>You may already be using a private Local Certificate Authority
(CA) on a system in your network. Now, you want to extend the use of this
Local CA to another system in your network. For example, you want your current
Local CA to issue a server or client certificate for an application on another
system to use for SSL communications sessions. Or, you want to use certificates
from your Local CA on one system to sign objects that you store on another
server.</p>
<div class="p">You can accomplish this goal by using Digital Certificate Manager
(DCM). You perform some of the tasks on the system on which you operate the Local
CA and perform others on the secondary system that hosts the applications
for which you want to issue certificates. This secondary system is called
the target system. The tasks that you must perform on the target system depend
on that system's release level. <div class="note"><span class="notetitle">Note:</span> You can encounter a problem if the
system on which you operate the Local CA uses a cryptographic access provider
product that provides stronger encryption than the target system. For <span class="keyword">OS/400<sup>®</sup></span> V5R2 and <span class="keyword">OS/400</span> V5R3,
the only cryptographic access provider available is 5722AC3, which is the
strongest product available. However, in earlier releases, you were able to
install other, weaker cryptographic access provider products (5722AC1 or
5722AC2) that provided lower levels of cryptographic function. When you export
the certificate (with its private key), the system encrypts the file to protect
its contents. If the system uses a stronger cryptographic product than the
target system, the target system cannot decrypt the file during the import
process. Consequently, the import may fail or the certificate may not be usable
for establishing SSL sessions. This is true even if you use a key size for
the new certificate that is appropriate for use with the cryptographic product
on the target system. </div>
</div>
<p>You can use your Local CA to issue certificates
to other systems, which you can then use for signing objects or have applications
use for establishing SSL sessions. When you use the Local CA to create a certificate
for use on another system, the files that DCM creates contain a copy of the
Local CA certificate, as well as copies of certificates for many public Internet
CAs. </p>
<p>The tasks that you must perform in DCM vary slightly depending
on which type of certificate that your Local CA issues and the release level
and conditions on the target system. </p>
<p><strong>Issue private certificates
for use on another <span class="keyword">iSeries</span> system</strong></p>
<p>To
use your Local CA to issue certificates for use on another system, perform
these steps on the system that hosts the Local CA: </p>
</div>
<ol><li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a></span></li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Create Certificate</span> to
display a list of certificate types that you can use your Local CA to create.</span> <div class="note"><span class="notetitle">Note:</span> You do not need to open a certificate store to complete this task.
These instructions assume either that you are not working within a specific
certificate store or that you are working within the Local Certificate Authority
(CA) certificate store. A Local CA must exist on this system before you can
perform these tasks. If you have questions about how to complete a specific
form in this guided task, select the question mark (<span class="uicontrol">?</span>)
at the top of the page to access the online help. </div>
</li>
<li class="stepexpand"><span>Select the type of certificate that you want the Local CA to issue,
and click <span class="uicontrol">Continue</span> to start the guided task and complete
a series of forms. </span></li>
<li class="stepexpand"><span>Select either to create a <strong>server or client certificate for another <span class="keyword">iSeries</span></strong> (for SSL sessions), or
an <strong>object signing certificate for another iSeries</strong> (for use on another system).</span> <div class="note"><span class="notetitle">Note:</span> If you are creating an object signing certificate for another
system to use, that system must be running <span class="keyword">OS/400</span> V5R1
or later to use the certificate. Because the target system must be
at <span class="keyword">OS/400</span> V5R1 or later,
DCM on the local host system does not prompt you to select a target release
format for the new object signing certificate. </div>
</li>
<li class="stepexpand"><span>Complete the form and click <span class="uicontrol">Continue</span> to
display a confirmation page. </span> <div class="note"><span class="notetitle">Note:</span> If there is an existing *OBJECTSIGNING
or *SYSTEM certificate store on the target system, be sure to specify a unique
certificate label and unique file name for the certificate. Specifying a unique
certificate label and file name ensures that you can easily import the certificate
into the existing certificate store on the target system. This confirmation
page displays the names of the files that DCM created for you to transfer
to the target system. DCM creates these files based on the release level of
the target system that you specified. DCM automatically puts a copy of the
Local CA certificate into these files. <p>DCM creates the new certificate
in its own certificate store and generates two files for you to transfer:
a certificate store file (<samp class="codeph">.KDB</samp> extension) and a request file
(<samp class="codeph">.RDB</samp> extension).</p>
</div>
</li>
<li class="stepexpand"><span>Use binary File Transfer Protocol (FTP) or another method to transfer
the files to the target system. </span></li>
</ol>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzahutargetv5r2ssl.htm">Use a private certificate for SSL</a></strong><br />
You manage the certificates that your applications use for SSL sessions from the *SYSTEM certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage certificates for SSL, then this certificate store will not exist on the target system.</li>
<li class="ulchildlink"><strong><a href="rzahuobjsigncertv5r1target.htm">Use a private certificate for signing objects on a target system</a></strong><br />
You manage the certificates that you use for signing objects from the *OBJECTSIGNING certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage object signing certificates, then this certificate store will not exist on the target system.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahumanagedcm.htm" title="Use this information to learn how to use DCM to manage your certificates and the applications that use them. Also, you can learn about how to digitally sign objects and how to create and operate your own Certificate Authority.">Manage DCM</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahudcmbackuprecover.htm" title="Use this information to learn how to ensure that important DCM data is added to your backup and recovery plan for your system.">Backup and recovery considerations for DCM data</a></div>
<div><a href="rzahurzahu4afinternetvsprivcert.htm" title="Review this information to learn how to determine which type of certificate (public or private) best suits your business needs.">Public certificates versus private certificates</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahurzahu4anactingownca.htm" title="This information explains how to create and operate a Local Certificate Authority (CA) to issue private certificates for your applications.">Create and operate a Local CA</a></div>
</div>
</div>
</body>
</html>