Setting up iSeries servers to use SSL
To set up your iSeries servers to use SSL with IBM Toolbox for
Java, complete the following steps:
- Install the following to your iSeries servers:
  - IBM Cryptographic Access Provider 128-bit for iSeries, 5722-AC3, which
    provides server-side encryption.
  - iSeries Client Encryption (128-bit), 5722-CE3, which provides the Java
    classes and utilities used by the IBM Toolbox for Java classes on the
    client side.
  Note: Toolbox for Java is also compatible with the V5R1
  version of Cryptographic Access Provider 56-bit for iSeries, 5722-AC2, and
  the V5R1 version of Client Encryption (56-bit), 5722-CE2.
- Change the authority of the directory that contains the client
  encryption files.
- Get and configure the server certificate.
- Apply the certificate to the following iSeries servers that are used by
  IBM Toolbox for Java:
  - QIBM_OS400_QZBS_SVR_CENTRAL
  - QIBM_OS400_QZBS_SVR_DATABASE
  - QIBM_OS400_QZBS_SVR_DTAQ
  - QIBM_OS400_QZBS_SVR_NETPRT
  - QIBM_OS400_QZBS_SVR_RMTCMD
  - QIBM_OS400_QZBS_SVR_SIGNON
  - QIBM_OS400_QZBS_SVR_FILE
  - QIBM_OS400_QRW_SVR_DDM_DRDA
Changing the authority of the directory that contains the client encryption files
To help you meet the SSL legal
responsibilities required when using cryptography algorithms,
the directory that contains the files is shipped with public
authority *EXCLUDE. You must change the authority of the directory
to allow access by only those users authorized to use encryption
algorithms.
Use OS/400 object security to control access to the client
encryption files by completing the following steps:
- On your server, enter the following command:
wrklnk '/QIBM/ProdData/HTTP/Public/jt400/*'
- Select option 9 in the SSL56 or SSL128 directory.
- Ensure that *PUBLIC has *EXCLUDE authority.
- Give *RX authority on the directory to the individual users or groups
of users who need access to the SSL files.
Note: You cannot deny access to the SSL files
to users who have *ALLOBJ special authority.
Getting and configuring server certificates
Before you get and configure your server certificate, you need
to install the following products:
The process you follow to get and configure your server
certificate depends on the kind of certificate you use:
- If you get a certificate from a trusted authority (such as VeriSign, Inc.,
  or RSA Data Security, Inc.), install the certificate on the iSeries server,
  then apply it to the host servers.
- If you choose not to use a certificate from a trusted authority, you can
  build your own certificate to be used on the iSeries server. Build the
  certificate by using Digital Certificate Manager:
  - Create the certificate authority on the iSeries server. See the
    Information Center topic, Acting as your own CA.
  - Create a system certificate from the certificate authority that you
    created.
  - Assign the host servers that will use the system certificate that you
    created.