98 lines
7.3 KiB
HTML
98 lines
7.3 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="task" />
|
|
<meta name="DC.Title" content="Create a local Certificate Authority" />
|
|
<meta name="abstract" content="You can use the IBM Digital Certificate Manager (DCM) to create and operate a local Certificate Authority (CA) on your iSeries server. A local CA enables you to issue private certificates for applications that run on your iSeries server." />
|
|
<meta name="description" content="You can use the IBM Digital Certificate Manager (DCM) to create and operate a local Certificate Authority (CA) on your iSeries server. A local CA enables you to issue private certificates for applications that run on your iSeries server." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzaiqsslparent.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzaiqsslassoccert.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu66adcmstart.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu404selectingusercatasks.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahuissuepublicusercerts.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu461installcacert.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzaiqsslcertauth" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Create a local Certificate Authority</title>
|
|
</head>
|
|
<body id="rzaiqsslcertauth"><a name="rzaiqsslcertauth"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Create a local Certificate Authority</h1>
|
|
<div><p>You can use the IBM<sup>®</sup> Digital Certificate Manager (DCM) to create and operate
|
|
a local Certificate Authority (CA) on your iSeries™ server. A local CA enables you
|
|
to issue private certificates for applications that run on your iSeries server.</p>
|
|
<div class="section">To use DCM to create and operate a local CA on the iSeries server,
|
|
follow these steps:</div>
|
|
<ol><li><span>Start DCM.</span></li>
|
|
<li><span>In the navigation frame of DCM, select <span class="uicontrol">Create a Certificate
|
|
Authority (CA)</span> to display a series of forms. These forms guide
|
|
you through the process of creating a local CA and completing other tasks
|
|
needed to begin using digital certificates for SSL, object signing, and signature
|
|
verification.</span></li>
|
|
<li><span>Complete all the forms that display. There is a form for each of
|
|
the tasks that you need to perform to create and operate a local CA on the iSeries server.
|
|
Completing these forms allows you to:</span><ol type="a"><li class="substepexpand"><span>Choose how to store the private key for the local CA certificate.
|
|
This step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor
|
|
installed on your iSeries. If your system does not have a cryptographic
|
|
coprocessor, DCM automatically stores the certificate and its private key
|
|
in the local CA certificate store.</span></li>
|
|
<li class="substepexpand"><span>Provide identifying information for the local CA.</span></li>
|
|
<li class="substepexpand"><span>Install the local CA certificate on your PC or in your browser.
|
|
This enables software to recognize the local CA and validate certificates
|
|
that the CA issues.</span></li>
|
|
<li class="substepexpand"><span>Choose the policy data for your local CA.</span></li>
|
|
<li class="substepexpand"><span>Use the new local CA to issue a server or client certificate
|
|
that applications can use for SSL connections. If you have an IBM 4758-023 PCI
|
|
Cryptographic Coprocessor installed in the iSeries server, this step allows you
|
|
to select how to store the private key for the server or client certificate.
|
|
If your system does not have a coprocessor, DCM automatically places the certificate
|
|
and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM
|
|
certificate store as part of this task.</span></li>
|
|
<li class="substepexpand"><span>Select the applications that can use the server
|
|
or client certificate for SSL connections.</span> <div class="note"><span class="notetitle">Note:</span> Be sure to select
|
|
the application ID for the i5/OS™ FTP Server (QIBM_QTMF_FTP_SERVER).</div>
|
|
</li>
|
|
<li class="substepexpand"><span>Use the new local CA to issue an object signing certificate
|
|
that applications can use to digitally sign objects. This creates the *OBJECTSIGNING
|
|
certificate store, which you use to manage object signing certificates.</span> <div class="note"><span class="notetitle">Note:</span> Although this scenario does not use object signing certificates,
|
|
be sure to complete this step. If you cancel at this point in the task, the
|
|
task ends and you must perform separate tasks to complete your SSL certificate
|
|
configuration.</div>
|
|
</li>
|
|
<li class="substepexpand"><span>Select the applications that you want to trust
|
|
the local CA.</span> <div class="note"><span class="notetitle">Note:</span> Be sure to select the
|
|
application ID for the i5/OS FTP Server (QIBM_QTMF_FTP_SERVER).</div>
|
|
</li>
|
|
</ol>
|
|
</li>
|
|
</ol>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiqsslparent.htm" title="With Secure Sockets Layer (SSL) you can eliminate the exposure of transmitting passwords and data in the clear when using the i5/OS File Transfer Protocol (FTP) server with an FTP client that also uses SSL.">Use Secure Sockets Layer to secure the File Transfer Protocol server</a></div>
|
|
<div class="nextlink"><strong>Next topic:</strong> <a href="rzaiqsslassoccert.htm" title="Perform this task if you did not assign a certificate to the File Transfer Protocol (FTP) server application during the creation of the local Certificate Authority (CA), or if you have configured your system to request a certificate from a public CA.">Associate a certificate with the File Transfer Protocol server</a></div>
|
|
</div>
|
|
<div class="reltasks"><strong>Related tasks</strong><br />
|
|
<div><a href="../rzahu/rzahurzahu66adcmstart.htm">Start DCM</a></div>
|
|
<div><a href="../rzahu/rzahurzahu404selectingusercatasks.htm">Manage user certificates</a></div>
|
|
<div><a href="../rzahu/rzahuissuepublicusercerts.htm">Use APIs to programmatically issue certificates to non-iSeries users</a></div>
|
|
<div><a href="../rzahu/rzahurzahu461installcacert.htm">Obtain a copy of the private CA certificate</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |