<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create a local Certificate Authority" />
<meta name="abstract" content="You can use the IBM Digital Certificate Manager (DCM) to create and operate a local Certificate Authority (CA) on your iSeries server. A local CA enables you to issue private certificates for applications that run on your iSeries server." />
<meta name="description" content="You can use the IBM Digital Certificate Manager (DCM) to create and operate a local Certificate Authority (CA) on your iSeries server. A local CA enables you to issue private certificates for applications that run on your iSeries server." />
<meta name="DC.Relation" scheme="URI" content="rzaiqsslparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiqsslassoccert.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu66adcmstart.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu404selectingusercatasks.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahuissuepublicusercerts.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu461installcacert.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiqsslcertauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create a local Certificate Authority</title>
</head>
<body id="rzaiqsslcertauth"><a name="rzaiqsslcertauth"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create a local Certificate Authority</h1>
<div><p>You can use the IBM<sup>®</sup> Digital Certificate Manager (DCM) to create and operate
a local Certificate Authority (CA) on your iSeries™ server. A local CA enables you
to issue private certificates for applications that run on your iSeries server.</p>
<div class="section">To use DCM to create and operate a local CA on the iSeries server,
follow these steps:</div>
<ol><li><span>Start DCM.</span></li>
<li><span>In the navigation frame of DCM, select <span class="uicontrol">Create a Certificate
Authority (CA)</span> to display a series of forms. These forms guide
you through the process of creating a local CA and completing other tasks
needed to begin using digital certificates for SSL, object signing, and signature
verification.</span></li>
<li><span>Complete each form that DCM displays. There is a form for each of
the tasks that you need to perform to create and operate a local CA on the iSeries server.
Completing these forms allows you to:</span><ol type="a"><li class="substepexpand"><span>Choose how to store the private key for the local CA certificate.
This step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor
installed on your iSeries server. If your system does not have a cryptographic
coprocessor, DCM automatically stores the certificate and its private key
in the local CA certificate store.</span></li>
<li class="substepexpand"><span>Provide identifying information for the local CA.</span></li>
<li class="substepexpand"><span>Install the local CA certificate on your PC or in your browser.
This enables software to recognize the local CA and validate certificates
that the CA issues.</span></li>
<li class="substepexpand"><span>Choose the policy data for your local CA.</span></li>
<li class="substepexpand"><span>Use the new local CA to issue a server or client certificate
that applications can use for SSL connections. If you have an IBM 4758-023 PCI
Cryptographic Coprocessor installed in the iSeries server, this step allows you
to select how to store the private key for the server or client certificate.
If your system does not have a coprocessor, DCM automatically places the certificate
and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM
certificate store as part of this task.</span></li>
<li class="substepexpand"><span>Select the applications that can use the server
or client certificate for SSL connections.</span> <div class="note"><span class="notetitle">Note:</span> Be sure to select
the application ID for the i5/OS™ FTP Server (QIBM_QTMF_FTP_SERVER).</div>
</li>
<li class="substepexpand"><span>Use the new local CA to issue an object signing certificate
that applications can use to digitally sign objects. This creates the *OBJECTSIGNING
certificate store, which you use to manage object signing certificates.</span> <div class="note"><span class="notetitle">Note:</span> Although this scenario does not use object signing certificates,
be sure to complete this step. If you cancel at this point in the task, the
task ends and you must perform separate tasks to complete your SSL certificate
configuration.</div>
</li>
<li class="substepexpand"><span>Select the applications that you want to trust
the local CA.</span> <div class="note"><span class="notetitle">Note:</span> Be sure to select the
application ID for the i5/OS FTP Server (QIBM_QTMF_FTP_SERVER).</div>
</li>
</ol>
</li>
</ol>
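<p>The following Python check is an added example, not part of the original IBM topic and not IBM code. Run from a client PC, it confirms that the FTP server presents a certificate that chains to the local CA by trusting only the local CA certificate installed in the step above. The host name, the PEM file path, and the use of explicit AUTH TLS on the default control port 21 are assumptions.</p>

```python
import ftplib
import ssl


def flatten_name(rdns):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def check_ftp_server_cert(host, ca_pem_path, port=21, timeout=10):
    """Negotiate TLS on the FTP control connection, trusting only the local CA.

    ca_pem_path is the local CA certificate saved as PEM (assumed file).
    No login is attempted; only the server certificate is examined.
    """
    result = {"trusted": False, "subject": None, "issuer": None, "error": None}
    try:
        # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and host name checking.
        # No system CA bundle is loaded, so the local CA is the only anchor.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_pem_path)
        ftps = ftplib.FTP_TLS(context=ctx, timeout=timeout)
        try:
            ftps.connect(host, port)
            ftps.auth()  # sends AUTH TLS and performs the handshake
            cert = ftps.sock.getpeercert()
        finally:
            ftps.close()
    except ssl.SSLCertVerificationError as exc:
        # Chain does not end at the local CA, or the name does not match.
        result["error"] = "verification failed: " + exc.verify_message
        return result
    except ftplib.all_errors as exc:
        # Missing CA file, refused connection, or server without AUTH TLS.
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
        return result
    result.update(trusted=True,
                  subject=flatten_name(cert["subject"]),
                  issuer=flatten_name(cert["issuer"]))
    return result


if __name__ == "__main__":
    import sys
    # Usage: python check_ftp_cert.py HOST LOCAL_CA_PEM
    print(check_ftp_server_cert(sys.argv[1], sys.argv[2]))
```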
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiqsslparent.htm" title="With Secure Sockets Layer (SSL) you can eliminate the exposure of transmitting passwords and data in the clear when using the i5/OS File Transfer Protocol (FTP) server with an FTP client that also uses SSL.">Use Secure Sockets Layer to secure the File Transfer Protocol server</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzaiqsslassoccert.htm" title="Perform this task if you did not assign a certificate to the File Transfer Protocol (FTP) server application during the creation of the local Certificate Authority (CA), or if you have configured your system to request a certificate from a public CA.">Associate a certificate with the File Transfer Protocol server</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzahu/rzahurzahu66adcmstart.htm">Start DCM</a></div>
<div><a href="../rzahu/rzahurzahu404selectingusercatasks.htm">Manage user certificates</a></div>
<div><a href="../rzahu/rzahuissuepublicusercerts.htm">Use APIs to programmatically issue certificates to non-iSeries users</a></div>
<div><a href="../rzahu/rzahurzahu461installcacert.htm">Obtain a copy of the private CA certificate</a></div>
</div>
</div>
</body>
</html>