Each link in the navigational frame on the left represents a different task that you can perform in Digital Certificate Manager. Once you start DCM, there are three categories of tasks:
• Certificate Authority (CA)
• System certificates
• User certificates
If the category has more than one task that you can perform, an arrow appears to the left of it. The arrow indicates that when you select the category link, an expanded list of tasks displays so that you may choose which task to perform.
When you select a task link, a page for performing that task displays in the frame on the right. The category and number of links you see in the left-hand frame vary depending on the authorizations that your AS/400 user profile has. Some links and their associated tasks are available only to AS/400 security officers or administrators. The security officer or administrator must have *SECADM and *ALLOBJ special authorities to view and use these tasks. Users without these special authorities have access to user certificate functions only.
Selecting the AS/400 Tasks link returns you to the AS/400 Tasks page.
Note: Selecting the ? help will provide you with help for that screen. Because all help topics are in a single file, you can scroll among topics within the file for easier access to related information.
Use the links below to obtain more detailed information about digital certificates and network security:
• VeriSign: information page http://digitalid.verisign.com/server/help/hlpIntroID.htm provides more details about using digital certificates on the Internet.
For more information review these pages in the Information Center.
Starting Digital Certificate Manager.
Migrating from a V4R3 version of DCM to a V4R5 version.
Certificate administration.
Certificate Authority (CA) Tasks.
System certificate tasks.
User certificate tasks.
Starting Digital Certificate Manager
Before you can use any of its functions, you need to start DCM. Follow these instructions to do so.
1. Install 5769 SS1 Option 34.
Install 5769 DG1.
Install either 5769 AC1, 5769 AC2, or 5769 AC3. These are cryptography products.
2. Start your Web browser.
3. Start the HTTP Server *ADMIN instance.
4. Using your browser, go to the AS/400 Tasks page on your system at http://your_system_name:2001.
5. Click Digital Certificate Manager.
If you are migrating from an earlier version of DCM this page will give you the details you need to upgrade your system.
Migrating from a V4R3 version of DCM to V4R5 version
When you migrate from a V4R3 or earlier version of Digital Certificate Manager (DCM) to V4R5, DCM automatically upgrades your local Certificate Authority (CA) and system certificate store. DCM upgrades these files, which are located in default.kyr, into the corresponding certificate store files, which are located in default.kdb. The Hypertext Transfer Protocol (HTTP) and LDAP servers also migrate all of their valid certificates in associated key rings into default.kdb, which is the *SYSTEM certificate store.
Note: If you are migrating from V4R4, nothing needs to be done to migrate to V4R5.
If you use a .kyr file that DCM did not upgrade, DCM converts it to a .kyr.kdb file.
This occurs the first time you work with it. The first time you specify secure.kyr through DCM, for example, DCM converts it into secure.kyr.kdb.
Note: Key rings are different from certificate stores, so you must convert files in this manner. Manually changing the file extensions results in errors when you try to work with them.
If you attempt to delete secure.kyr, DCM actually archives it and deletes secure.kyr.kdb instead.
Key ring to certificate store migration.
During installation, the system migrates the following key rings:
• DCM’s default key rings.
• Key rings that the HTTP Server configuration files use.
• Key rings that the LDAP Server configuration files use.
Default certificate store password.
If the file /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR exists, the system migrates this key ring file and any other eligible key ring files into the *SYSTEM certificate store. The original password associated with the DEFAULT.KYR file is used as the password for the *SYSTEM certificate store.
If the DEFAULT.KYR file does not exist but there are other key ring files eligible for migration, the system creates the *SYSTEM certificate store with a password of DEFAULT (all uppercase letters) and completes the migration.
For information on errors and how to resolve them read the page on Migrating errors and recovery solutions.
Certificate administration
The AS/400 security officer can use Digital Certificate Manager (DCM) to create an intranet Certificate Authority (CA) and to issue certificates to systems or users. The security officer can also use DCM to designate an Internet Certificate Authority as a trusted root. This person can also register certificates that the Internet CA issues as valid for system authentication.
The security officer must have *SECADM and *ALLOBJ special authorities to perform the following tasks:
• Create a Certificate Authority
• Display a Certificate Authority certificate
• Renew a Certificate Authority
• Change a certificate store password
• Delete a Certificate Authority
• Delete a system certificate store
• Change Certificate Authority policy data
• Receive a system certificate
• Change the Certificate Authority certificate store password
• Receive a Certificate Authority certificate
• Copy a Certificate Authority certificate for another AS/400
• Work with Certificate Authorities
• Create a system certificate for another AS/400
• Work with secure applications
• Create new system certificate store
• Manage user certificates for other users
• Renew a system certificate store
Note: Users without these special authorities have access to user certificate functions only.
Certificate Authority (CA) tasks
Digital Certificate Manager (DCM) allows you to set up your system to use digital certificates in one of two ways. You can receive an Internet Certificate Authority (CA) certificate and designate it as a trusted root on your system. Or, you can create your own intranet Certificate Authority to issue digital certificates to your systems and users. By having your own Certificate Authority, you can control which systems and users can receive certificates from the CA. This allows you to more securely control access to servers and Web sites.
Regardless of which method you choose for establishing a CA, your system must have a certificate. This is so that applications on the system can use the Secure Sockets Layer (SSL) for secure communications. Additionally, your users must install a copy of the CA certificate in their browsers. Consequently, when you create your own intranet CA, DCM takes you through the steps that are necessary to perform these tasks.
If you choose to use an Internet CA, you must ensure that your system and users have certificates from that CA.
You must have *SECADM and *ALLOBJ special authorities to select the Certificate Authority (CA) link. You can then select one of these tasks to perform:
• Create a Certificate Authority. Selecting this task displays the first of several forms which allow you to create an intranet CA. This is the only task link available in this category until you perform it. If you create a CA, the task list changes so that the other CA tasks are available. This task, however, is no longer in the list.
• Renew. Selecting this link displays the first of several forms which allow you to renew your intranet CA. When you complete this process, DCM replaces the existing CA certificate in the default CA certificate store with a new CA certificate.
Note: Any certificates issued by this CA will no longer be valid.
• Display. Selecting this task allows you to display information pertaining to the intranet CA certificate in the default CA certificate store.
• Delete. Selecting this task displays a page which allows you to delete your intranet CA certificate and the corresponding default CA certificate store.
• Change policy data. Selecting this task displays a page which allows you to change the policy that your intranet CA uses to issue certificates.
• Change password. Selecting this task allows you to change the password for the intranet CA certificate store and select the password expiration policy.
• Install CA certificate on your PC. Selecting this task displays the Install CA Certificate page. From this page you can install the CA certificate from the local or intranet CA certificate store in your browser. Or, you can copy the CA certificate into a file on your PC.
• Copy CA certificate for another AS/400. Selecting this task displays the Export Certificate page. From this page you can copy your intranet CA certificate to a file so that you can use it on other AS/400s and receive the CA certificate. You can then use DCM on another system to receive the CA certificate so that applications on the system recognize it as a trusted root.
• Select a target release. You must select a target release for the certificate before you can access the Create a system certificate function.
• Create a system certificate for another AS/400. This task displays several pages which allow you to complete the Create a System Certificate form and obtain a system certificate and key pair for another AS/400 from your intranet CA. You can then transfer the file to another AS/400 for other applications to use for SSL.
Completing the Create a Certificate Authority form
You must provide the following information to complete the Create a Certificate Authority form:
1. Select a key size. A smaller key size is faster but less secure, while a larger key size is more secure but slower.
2. Provide information for these required fields:
• In the Certificate store password field, type a password to restrict access to the local (or intranet) Certificate Authority certificate store file. Use standard AS/400 password rules.
• In the Confirm password field, type the password that you entered in the password field for verification.
Note: You must be sure that you remember the password that you set, or that you write it down and store it in a secure place. If you forget the password, you cannot reset it or recover it and you will lose access to your CA certificate store.
• In the Certificate Authority name field, type a name to describe the Certificate Authority.
• In the Organization name field, type the name of your company or organizational section.
• In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
• In the Country field, type a two-letter designation for your country.
• In the Validity period for Certificate Authority (in days) field, type the number of days for which the Certificate Authority certificate is valid. The default is 1095 days (3 years).
3. Select OK. After DCM processes the form, it stores the official CA certificate in the local Certificate Authority certificate store. It also stores a copy of the CA certificate in the *SYSTEM certificate store if that certificate store exists. The CA Certificate Created Successfully page displays so that you can install a copy of the CA certificate in your browser.
After you install the certificate in your browser, click the OK button. The Certificate Authority Policy Data page displays to allow you to select the CA policy data.
Selecting a key size for System certificates and Certificate Authority
The key sizes available in the selection box vary according to the country in which your system is located. Some countries, such as France, restrict the import of certain key sizes. The United States also has export restrictions on certain larger key sizes. The key sizes in the selection box represent those that you can legally use in your country.
Because larger keys provide more secure encryption, choose the largest key size available to you.
Installing the intranet Certificate Authority certificate in your browser when you create a Certificate Authority
After you use Digital Certificate Manager to create a Certificate Authority (CA) certificate, you must install the certificate in your browser.
Installing the certificate establishes the Certificate Authority as a trusted root in your browser. The browser can then recognize and authenticate all other certificates that the Certificate Authority issues. The browser must be able to authenticate system or server certificates before it can use the Secure Sockets Layer to negotiate a secure Web session.
To install the CA certificate in your browser, follow these steps:
1. Select Receive Certificate and follow the instructions that your browser provides.
2. Click OK. The Certificate Authority Policy Data page displays to allow you to select the CA policy data.
Setting the policy data when you create an intranet Certificate Authority
When you create a local (or intranet) Certificate Authority (CA) in Digital Certificate Manager (DCM), you must set the policy data for the CA. You perform this task after you complete the Create a Certificate Authority form and install the CA certificate in your browser. The Certificate Authority Policy Data page displays when you click the OK button on the CA Certificate Created Successfully page.
To set the policy data for an intranet CA follow these steps:
1. Select whether the CA can issue and sign user certificates.
2. Indicate the length of time for which the system certificates and user certificates that the CA issues are valid. The validity period for certificates must be equal to or less than the validity period of the CA.
3. Click OK to display a page that confirms your policy data selection. The title of the page varies slightly depending on whether you accept the policy data that is provided or make changes to the policy data.
From this page you can select the applications that should trust the new CA, if applications are registered with DCM.
If no registered applications are available, the page displays a policy data confirmation message only. To complete the process of creating your intranet Certificate Authority, you must create a system certificate. Click the OK button to display the Create a System Certificate form.
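The field rules of the Create a Certificate Authority form and the policy data rule in step 2 above can be checked before either form is submitted. The following Python is an added example, not DCM code: the function names and the list of available key sizes are assumptions, and the final check goes beyond the page's rule, since the policy bounds a certificate's validity period but not when it is issued relative to the CA's own expiry.

```python
from datetime import date, timedelta

DEFAULT_CA_VALIDITY_DAYS = 1095  # form default: 3 years


def validate_ca_form(key_sizes_available, key_size, password, confirm,
                     ca_name, org, state, country,
                     validity_days=DEFAULT_CA_VALIDITY_DAYS):
    """Return the problems found in a Create a Certificate Authority form.

    key_sizes_available is the (assumed) list of sizes DCM offers for the
    country; AS/400 password rules are enforced by the system, not here.
    """
    problems = []
    if key_size not in key_sizes_available:
        problems.append("key size not available in this country")
    elif key_size != max(key_sizes_available):
        problems.append("a larger key size is available; choose the largest")
    if not password:
        problems.append("certificate store password is required")
    if password != confirm:
        problems.append("password and confirmation do not match")
    if not ca_name or not org:
        problems.append("CA name and organization name are required")
    if len(state) < 3:
        problems.append("state or province must be at least three characters")
    if len(country) != 2 or not country.isalpha():
        problems.append("country must be a two-letter designation")
    if validity_days <= 0:
        problems.append("validity period must be a positive number of days")
    return problems


def validate_policy(ca_validity_days, system_cert_days, user_cert_days,
                    issues_user_certs):
    """Policy data rule: issued-certificate validity <= CA validity."""
    problems = []
    if system_cert_days > ca_validity_days:
        problems.append("system certificate validity exceeds CA validity")
    if issues_user_certs and user_cert_days > ca_validity_days:
        problems.append("user certificate validity exceeds CA validity")
    return problems


def cert_outlives_ca(ca_created, ca_validity_days, issued_on, cert_days):
    """Added check (an assumption, not a DCM rule): the policy bounds the
    validity period, but a certificate issued late in the CA's life with
    the full period would expire after the CA certificate itself."""
    ca_expires = ca_created + timedelta(days=ca_validity_days)
    return issued_on + timedelta(days=cert_days) > ca_expires


if __name__ == "__main__":
    # constructed sample input
    print(validate_ca_form([512, 1024], 512, "pw", "pw", "LabCA", "Org", "Texas", "US"))
    print(validate_policy(DEFAULT_CA_VALIDITY_DAYS, 365, 365, True))
    print(cert_outlives_ca(date(2000, 1, 1), DEFAULT_CA_VALIDITY_DAYS, date(2002, 6, 1), 365))
```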
Selecting applications to trust a Certificate Authority when you create it
If applications have been registered with Digital Certificate Manager, you can select the applications that should trust your intranet Certificate Authority (CA) when you create it. You perform this task after you set the policy data for your CA.
To specify the applications that should trust certificates that your intranet CA issues, follow these steps:
1. Select which applications from the list that you want to trust the CA.
2. Click the OK button. The Secure Applications Status page displays to confirm that the applications that you selected now trust the CA. To complete the process of creating your intranet Certificate Authority, you must create a system certificate.
3. Click the OK button to display the Create a System Certificate form.
Completing the Create a System Certificate form when you create an intranet Certificate Authority
To finish the process of creating an intranet Certificate Authority (CA), you must use the new CA to create a system certificate. The Create a System Certificate form displays after you select the applications that trust the new CA. If no registered applications are available, the Create a System Certificate page displays after you set the policy data for your CA.
To complete the Create a System Certificate form, follow these steps:
1. Select a key size to use for the public and private keys for the certificate. The bigger the key, the more secure the encryption it provides.
2. Provide information for these required fields:
• In the Certificate store password field, type a password to restrict access to the certificate store that you specified. Use standard AS/400 password rules.
• In the Confirm password field, type the password that you entered in the certificate store password field for verification.
Attention: You must be sure that you remember the password that you set, or that you write it down and store it in a secure place. If you forget the password you cannot reset it or recover it, and you will lose access to your certificate store files.
• In the Server name field, type a name to describe the server. Although you can give the server any name, you should use the TCP/IP host name for the server whenever possible.
• In the Organization name field, type the name of your company or organizational section.
• In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
• In the Country field, type a two-letter designation for your country.
3. Click the OK button.
The System Certificate Created Successfully page displays. This page allows you to select which applications should use this certificate for secure communications, if applications have been registered with Digital Certificate Manager (DCM).
4. Select which applications in the list should use the new certificate for SSL communications, and click the OK button. The Secure Applications Status page displays to confirm that the selected applications are set to use the new certificate.
Troubleshooting tip:
When a system certificate is first assigned to the IBM HTTP Server, you need to stop the server and restart it. This ensures that the system performs SSL initialization at the IBM HTTP Server startup.
Completing the Renew a Certificate Authority form
Use the Renew a Certificate Authority form to renew your current Certificate Authority (CA) certificate. When you access the form, the fields contain any previous information that you associated with the certificate. You can change any of this information as part of renewing your CA certificate.
Follow these steps to complete the Renew a Certificate Authority form:
1. Select a key size.
2. Accept or change the information for these required fields:
• In the Certificate Authority name field, type a name to describe the Certificate Authority.
• In the Organization name field, type in the name of your company or organizational section.
• In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
• In the Country field, type a two-letter designation for your country.
• In the Validity period for Certificate Authority field, type the number of days for which the Certificate Authority certificate is valid. The default value is 1095 days (3 years).
3. Click the OK button. After DCM processes the form, it deletes the previous CA certificate in the default CA certificate store and replaces it with the new CA certificate. The CA Certificate Renewed Successfully page displays so that you can install a copy of the new CA certificate in your browser.
After you install the certificate in your browser, click the OK button. A page displays so that you can select which applications should trust the Certificate Authority, if applications have been registered with DCM.
Note: If you want to view or change the policy data for your Certificate Authority, you must do so after you complete the renewal process.
Installing the intranet Certificate Authority certificate in your browser when you renew the certificate
After you use Digital Certificate Manager to renew a Certificate Authority (CA) certificate, you must install the certificate in your browser.
Installing the certificate establishes the Certificate Authority as a trusted root in your browser. The browser can then recognize and authenticate all other