<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Use a private certificate for SSL" />
<meta name="abstract" content="You manage the certificates that your applications use for SSL sessions from the *SYSTEM certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage certificates for SSL, then this certificate store will not exist on the target system." />
<meta name="description" content="You manage the certificates that your applications use for SSL sessions from the *SYSTEM certificate store in Digital Certificate Manager (DCM). If you have never used DCM on the target system to manage certificates for SSL, then this certificate store will not exist on the target system." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4apcaanotherdcm.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="target_v5r2_ssl" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Use a private certificate for SSL </title>
</head>
<body id="target_v5r2_ssl"><a name="target_v5r2_ssl"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Use a private certificate for SSL </h1>
<div><p>You manage the certificates that your applications
use for SSL sessions from the *SYSTEM certificate store in Digital Certificate
Manager (DCM). If you have never used DCM on the target system to manage certificates
for SSL, then this certificate store will not exist on the target system.</p>
<div class="section"> <p>The tasks for using the transferred certificate store files that
you created on the Local Certificate Authority (CA) host system vary based
on whether the *SYSTEM certificate store exists. If the *SYSTEM certificate
store <a href="#systemcertificatestoredoesnotexist">does not exist</a>,
you can use the transferred certificate files as a means of creating the *SYSTEM
certificate store. If the *SYSTEM certificate store does exist on the target
system, you can either <a href="#systemcertificatestoreexistsusingthefilesasanothersystemcertificate">use
the transferred files as an Other System Certificate Store</a> or <a href="#systemcertificatestoreexistsusingthecertificatesintheexisting">import
the transferred files into the existing *SYSTEM certificate store</a>.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4apcaanotherdcm.htm" title="Review this information to learn how to use a private Local CA on one system to issue certificates for use on other iSeries systems.">Use a Local CA to issue certificates for other iSeries systems</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="systemcertificatestoredoesnotexist"><a name="systemcertificatestoredoesnotexist"><!-- --></a><h2 class="sectionscenariobar">*SYSTEM certificate store does not
exist</h2>
<div><div class="section">If the *SYSTEM certificate store does not exist on the system on
which you want to use the transferred certificate store files, you can use
the transferred certificate files as the *SYSTEM certificate store. To create
the *SYSTEM certificate store and use the certificate files on your target
system, follow these steps:</div>
<ol><li class="stepexpand"><span>Make sure that the certificate store files (two files: one with
a <samp class="codeph">.KDB</samp> extension and one with a <samp class="codeph">.RDB</samp> extension)
that you created on the system that hosts the Local CA are in the <samp class="codeph">/QIBM/USERDATA/ICSS/CERT/SERVER</samp> directory.</span></li>
<li class="stepexpand"><span>Once the transferred certificate files are in the <samp class="codeph">/QIBM/USERDATA/ICSS/CERT/SERVER</samp> directory,
rename these files to <samp class="codeph">DEFAULT.KDB</samp>, and <samp class="codeph">DEFAULT.RDB</samp>. </span> By renaming these files in the appropriate directory, you create the
components that comprise the *SYSTEM certificate store for the target system.
The certificate store files already contain copies of certificates for many
public Internet CAs. DCM added these, as well as a copy of the Local CA certificate,
to the certificate store files when you created them.<div class="note"><span class="notetitle">Attention:</span> If your target system already has a <samp class="codeph">DEFAULT.KDB</samp> and
a <samp class="codeph">DEFAULT.RDB</samp> file in the <samp class="codeph">/QIBM/USERDATA/ICSS/CERT/SERVER</samp> directory,
the *SYSTEM certificate store currently exists on this target system. Consequently,
you must not rename the transferred files as suggested. Overwriting the default
files will create problems when using DCM, the transferred certificate store,
and its contents. Instead, you must ensure that they have unique names and
must use the transferred certificate store as an <span class="uicontrol">Other System Certificate
Store</span>. If you use the files as an Other System Certificate Store,
you cannot use DCM to specify which applications will use the certificate.</div>
</li>
<li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a>. You must now change the password for the *SYSTEM certificate store
that you created by renaming the transferred files. Changing the password
allows DCM to store the new password so that you can use all DCM certificate
management functions on the certificate store.</span></li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and select <span class="uicontrol">*SYSTEM</span> as the certificate
store to open. </span></li>
<li class="stepexpand"><span>When the Certificate Store and Password page displays, provide
the password that you specified on the <em>host</em> system for the certificate
store when you created the certificate for the target system and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificate Store</span> and
select <span class="uicontrol">Change password</span> from the list of tasks. Complete
the form to change the password for the certificate store. After you change
the password, you must re-open the certificate store before you can work with
the certificates in it. Next you can specify which applications will use the
certificate for SSL sessions. </span></li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and select <span class="uicontrol">*SYSTEM</span> as the certificate
store to open. </span></li>
<li class="stepexpand"><span>When the <span class="uicontrol">Certificate Store and Password</span> page
displays, provide the new password and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>After the navigation frame refreshes, select <span class="uicontrol">Manage
Certificates</span> in the navigation frame to display a list of tasks.</span></li>
<li class="stepexpand"><span>From the task list, select <span class="uicontrol">Assign certificate</span> to
display a list of certificates in the current certificate store. </span></li>
<li class="stepexpand"><span>Select the certificate that you created on the <em>host</em> system
and click <span class="uicontrol">Assign to Applications</span> to display a list
of SSL-enabled applications to which you can assign the certificate. </span></li>
<li class="stepexpand"><span>Select the applications that will use the certificate for SSL sessions
and click <span class="uicontrol">Continue</span>.</span> DCM displays a message
to confirm your certificate selection for the applications. <div class="note"><span class="notetitle">Note:</span> Some SSL-enabled
applications support client authentication based on certificates. An application
with this support must be able to authenticate certificates before providing
access to resources. Consequently, you must <a href="rzahumngcaapptrust.htm#mng_ca_app_trust">define
a CA trust list</a> for the application. This ensures that the application
can validate only those certificates from CAs that you specify as trusted.
If users or a client application present a certificate from a CA that is not
specified as trusted in the CA trust list, the application will not accept
it as a basis for valid authentication.</div>
</li>
</ol>
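<p>The Attention note in step 2 turns on one condition: whether <samp class="codeph">DEFAULT.KDB</samp> or <samp class="codeph">DEFAULT.RDB</samp> already exists in the server directory. The following POSIX shell function is an added example, not code from this IBM topic. It takes the certificate directory as a parameter (on the target system that is the <samp class="codeph">/QIBM/USERDATA/ICSS/CERT/SERVER</samp> directory named above; it is a parameter so the function can be exercised elsewhere) and the base name of the transferred files (<samp class="codeph">TARGET01</samp> is a constructed sample name). It renames the pair to <samp class="codeph">DEFAULT.KDB</samp> and <samp class="codeph">DEFAULT.RDB</samp> only when neither default file exists and both transferred files are present; in every other case it leaves the transferred files untouched so that they can be opened as an Other System Certificate Store instead.</p>

```shell
#!/bin/sh
# Added example (not IBM's code): decide whether transferred certificate store
# files may become the *SYSTEM store (DEFAULT.KDB/DEFAULT.RDB) or must keep
# their unique names for use as an Other System Certificate Store.
#
# Usage: install_system_store <cert_dir> <transferred_base_name>
#   cert_dir  - /QIBM/USERDATA/ICSS/CERT/SERVER on the target system (from the
#               topic); passed as a parameter so the check can run anywhere.
#   base_name - transferred file name without extension, e.g. TARGET01
#               (constructed sample name, not from the topic).
# Return codes:
#   0 - files renamed to DEFAULT.KDB / DEFAULT.RDB (new *SYSTEM store created)
#   2 - *SYSTEM store already exists; transferred files left untouched
#   3 - transferred .KDB/.RDB pair is incomplete; nothing done
install_system_store() {
    dir=$1
    base=$2
    kdb="$dir/$base.KDB"
    rdb="$dir/$base.RDB"

    # Both halves of the store must be present before anything is renamed;
    # a lone .KDB or .RDB would produce a store that DCM cannot open.
    if [ ! -f "$kdb" ] || [ ! -f "$rdb" ]; then
        echo "missing $base.KDB or $base.RDB in $dir; nothing renamed" >&2
        return 3
    fi

    # The Attention note: an existing DEFAULT.KDB or DEFAULT.RDB means the
    # *SYSTEM store already exists on this system and must not be overwritten.
    if [ -e "$dir/DEFAULT.KDB" ] || [ -e "$dir/DEFAULT.RDB" ]; then
        echo "*SYSTEM store exists in $dir; open $base.KDB as an Other System Certificate Store" >&2
        return 2
    fi

    # Safe to create the *SYSTEM store from the transferred pair.
    mv "$kdb" "$dir/DEFAULT.KDB" && mv "$rdb" "$dir/DEFAULT.RDB"
}
```

<p>The function is meant to be run from a QShell or PASE shell session on the target system (an assumption; the topic describes the rename only as a manual step). A return code of 2 is the signal to follow the Other System Certificate Store procedure below rather than to retry with different options.</p>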
<div class="section"><p>With these tasks complete, applications on the target system can
use the certificate issued by the Local CA on another system. However, before
you can begin using SSL for these applications, you must <a href="../rzain/rzainoverview.htm">configure the applications
to use SSL</a>. </p>
<p>Before a user can access the selected applications
through an SSL connection, the user must use DCM to <a href="rzahurzahu461installcacert.htm#rzahu461-install_ca_cert">obtain
a copy of the Local CA certificate</a> from the host system. The Local
CA certificate must be copied to a file on the user's PC or downloaded into
the user's browser, depending on the requirements of the SSL-enabled application.</p>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="systemcertificatestoreexistsusingthefilesasanothersystemcertificate"><a name="systemcertificatestoreexistsusingthefilesasanothersystemcertificate"><!-- --></a><h2 class="sectionscenariobar">*SYSTEM certificate store exists —
using the files as an Other System Certificate</h2>
<div><div class="section"><p>If the target system already has a *SYSTEM certificate store,
you must decide how to work with the certificate files that you transferred
to the target system. You can choose to use the transferred certificate files
as an <span class="uicontrol">Other System Certificate Store</span>. Or, you can choose
to <a href="#systemcertificatestoreexistsusingthecertificatesintheexisting">import
the private certificate and its corresponding Local CA</a> certificate
into the existing *SYSTEM certificate store.</p>
<p>Other System Certificate
Stores are user-defined secondary certificate stores for SSL certificates.
You can create and use them to provide certificates for user-written SSL-enabled
applications that do not use DCM APIs to register an application ID with the
DCM feature. The Other System Certificate Store option allows you to manage
certificates for applications that you or others write that use the SSL_Init
API to programmatically access and use a certificate to establish an SSL session.
This API allows an application to use the default certificate for a certificate
store rather than a certificate that you specifically identify. </p>
<p>IBM<sup>®</sup> <span class="keyword">iSeries™</span> applications (and many other
software developers' applications) are written to use certificates in the
*SYSTEM certificate store only. If you choose to use the transferred files
as an Other System Certificate Store, you cannot use DCM to specify which
applications will use the certificate for SSL sessions. Consequently, you
cannot configure standard <span class="keyword">iSeries</span> SSL-enabled
applications to use this certificate. If you want to use the certificate for <span class="keyword">iSeries</span> applications, you must import
the certificate from your transferred certificate store files into the *SYSTEM
certificate store.</p>
<p> To access and work with the transferred certificate
files as an Other System Certificate Store, follow these steps:</p>
</div>
<ol><li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a>. </span></li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and select <span class="uicontrol">Other System Certificate Store</span> as
the certificate store to open.</span></li>
<li class="stepexpand"><span>When the Certificate Store and Password page displays, provide
the fully qualified path and file name of the certificate store file (the
one with the <samp class="codeph">.KDB</samp> extension) that you transferred from the
host system. </span> Also provide the password that you specified on the <em>host</em> system
for the certificate store when you created the certificate for the target
system and click <span class="uicontrol">Continue</span>.</li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificate Store</span> and
select <span class="uicontrol">Change password</span> from the list of tasks.</span> Complete the form to change the password for the certificate store. <div class="note"><span class="notetitle">Note:</span> Be
sure to select the <span class="uicontrol">Automatic login</span> option when you
change the password for the certificate store. Using this option ensures that
DCM stores the new password so that you can use all DCM certificate management
functions on the new store.</div>
After you change the password, you must
re-open the certificate store before you can work with the certificates in
it. Next you can specify that the certificate in this store be used as the
default certificate.</li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and select <span class="uicontrol">Other System Certificate Store</span> as
the certificate store to open. </span></li>
<li class="stepexpand"><span>When the <span class="uicontrol">Certificate Store and Password</span> page
displays, provide the fully qualified path and file name of the certificate
store file, provide the new password, and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>After the navigation frame refreshes, select <span class="uicontrol">Manage
Certificate Store</span> and select <span class="uicontrol">Set default certificate</span> from
the list of tasks.</span></li>
</ol>
<div class="section"><p>Now that you have created and configured the Other System Certificate
store, any applications that use the SSL_Init API can use the certificate
in it to establish SSL sessions.</p>
</div>
</div>
<div class="nested2" xml:lang="en-us" id="systemcertificatestoreexistsusingthecertificatesintheexisting"><a name="systemcertificatestoreexistsusingthecertificatesintheexisting"><!-- --></a><h3 class="sectionscenariobar">*SYSTEM certificate store exists —
using the certificates in the existing *SYSTEM certificate store</h3>
<div><div class="section"><p>You can use the certificates in the transferred certificate store
files in an existing *SYSTEM certificate store on a system. To do so, you
must import the certificates from the certificate store files into the existing
*SYSTEM certificate store. However, you cannot import the certificates directly
from the <samp class="codeph">.KDB</samp> and <samp class="codeph">.RDB</samp> files because they
are not in a format that the DCM import function can recognize and use. To
use the transferred certificates in an existing *SYSTEM certificate store,
you must open the files as an Other System Certificate Store and export them
into the *SYSTEM certificate store. </p>
<p>To export the certificates from
the certificate store files into the *SYSTEM certificate store, complete these
steps on the target system: </p>
</div>
<ol><li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a>.</span></li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and specify <span class="uicontrol">Other System Certificate Store</span> as
the certificate store to open.</span></li>
<li class="stepexpand"><span>When the Certificate Store and Password page displays, provide
the fully qualified path and file name of the certificate store file (the
one with the <samp class="codeph">.KDB</samp> extension) that you transferred from the
host system.</span> Also provide the password that you specified on the <em>host</em> system
for the certificate store when you created the certificate for the target
system and click <span class="uicontrol">Continue</span>.</li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificate Store</span> and
select <span class="uicontrol">Change password</span> from the list of tasks.</span> Complete the form to change the password for the certificate store.
After you change the password, you must re-open the certificate store before
you can work with the certificates in it.<div class="note"><span class="notetitle">Note:</span> Be sure to select the <span class="uicontrol">Automatic
login</span> option when you change the password for the certificate
store. Using this option ensures that DCM stores the new password so that
you can use all DCM certificate management functions on the new store. If
you do not change the password and select the Automatic login option, you
may encounter errors when exporting the certificates from this store into
the *SYSTEM certificate store.</div>
</li>
<li class="stepexpand"><span>In the navigation frame, click <span class="uicontrol">Select a Certificate
Store</span> and select <span class="uicontrol">Other System Certificate Store</span> as
the certificate store to open. </span></li>
<li class="stepexpand"><span>When the <span class="uicontrol">Certificate Store and Password</span> page
displays, provide the fully qualified path and file name of the certificate
store file, provide the new password, and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>After the navigation frame refreshes, select <span class="uicontrol">Manage
Certificates</span> in the navigation frame to display a list of tasks
and select <span class="uicontrol">Export certificate</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Certificate Authority (CA)</span> as the
type of certificate to export and click <span class="uicontrol">Continue</span>. </span> <div class="note"><span class="notetitle">Note:</span> You must export the Local CA certificate into the certificate
store before you export the server or client certificate into the certificate
store. If you export the server or client certificate first, you may encounter
an error because the Local CA certificate does not exist in the certificate
store.</div>
</li>
<li class="stepexpand"><span>Select the Local CA certificate to export and click <span class="uicontrol">Export</span>. </span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Certificate store </span> as the destination
for the exported certificate and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>Enter <samp class="codeph">*SYSTEM</samp> as the target certificate store,
enter the password for the *SYSTEM certificate store, and click <span class="uicontrol">Continue</span>.</span> A message displays to indicate that the certificate exported successfully
or to provide error information if the export process failed.</li>
<li class="stepexpand"><span>Now you can export the server or client certificate into the *SYSTEM
certificate store. Re-select the <span class="uicontrol">Export certificate</span> task.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Server or client</span> as the type of certificate
to export and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>Select the appropriate server or client certificate to export and
click <span class="uicontrol">Export</span>.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Certificate store </span> as the destination
for the exported certificate and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>Enter <samp class="codeph">*SYSTEM</samp> as the target certificate store,
enter the password for the *SYSTEM certificate store, and click <span class="uicontrol">Continue</span>. </span> A message displays to indicate that the certificate exported successfully
or to provide error information if the export process failed.</li>
<li class="stepexpand"><span>Now you can assign the certificate to applications to use for SSL.
Click <span class="uicontrol">Select a Certificate Store</span> in the navigation
frame and select <span class="uicontrol">*SYSTEM</span> as the certificate store to
open. </span></li>
<li class="stepexpand"><span>When the Certificate Store and Password page displays, provide
the password for the *SYSTEM certificate store and click <span class="uicontrol">Continue</span>.</span></li>
<li class="stepexpand"><span>After the navigation frame refreshes, select <span class="uicontrol">Manage
Certificates</span> to display a list of tasks.</span></li>
<li class="stepexpand"><span>From the task list, select <span class="uicontrol">Assign certificate</span> to
display a list of certificates in the current certificate store. </span></li>
<li class="stepexpand"><span>Select the certificate that you created on the <em>host</em> system
and click <span class="uicontrol">Assign to Applications</span> to display a list
of SSL-enabled applications to which you can assign the certificate. </span></li>
<li class="stepexpand"><span>Select the applications that will use the certificate for SSL sessions
and click <span class="uicontrol">Continue</span>. DCM displays a message to confirm
your certificate selection for the applications. </span> <div class="note"><span class="notetitle">Note:</span> Some SSL-enabled
applications support client authentication based on certificates. An application
with this support must be able to authenticate certificates before providing
access to resources. Consequently, you must <a href="rzahumngcaapptrust.htm#mng_ca_app_trust">define
a CA trust list</a> for the application. This ensures that the application
can validate only those certificates from CAs that you specify as trusted.
If users or a client application present a certificate from a CA that is not
specified as trusted in the CA trust list, the application will not accept
it as a basis for valid authentication.</div>
</li>
</ol>
<div class="section"> <p>With these tasks complete, applications on the target system can
use the certificate issued by the Local CA on another system. However, before
you can begin using SSL for these applications, you must <a href="../rzain/rzainoverview.htm">configure the applications
to use SSL</a>. </p>
<p>Before a user can access the selected applications
through an SSL connection, the user must use DCM to <a href="rzahurzahu461installcacert.htm#rzahu461-install_ca_cert">obtain
a copy of the Local CA certificate</a> from the host system. The Local
CA certificate must be copied to a file on the user's PC or downloaded into
the user's browser, depending on the requirements of the SSL-enabled application.</p>
</div>
</div>
</div>
</div>
</body>
</html>