Setting up SSL on the proxy server

To enable SSL, the proxy server must have a server certificate. Use the IKeyman graphical user interface (GUI) to create the server certificate that the proxy server will use. IKeyman is a GUI tool, so you must run it on a client machine. Once you have created the certificate, you can copy it to the iSeries if your proxy server runs on iSeries.

To set up the proxy server to handle encrypted data, perform the following tasks:

  1. Set up your client to run the IKeyman GUI.
  2. Create a server certificate for the proxy server.
  3. Start the proxy server using the certificate you just created.

Setting up your client to run the IKeyman GUI

The IKeyman GUI is a Java program based on Java Swing 1.1 interfaces. To use IKeyman, your client must be running the Java 1.1.8 JVM (and the Swing 1.1 plug-in) or the Java 2 JVM.

The IKeyman GUI is part of the IBM iSeries Client Encryption licensed program (5722-CE2 or 5722-CE3) in ssltools.jar. The procedure you use to set up your client to use SSL (and to run IKeyman) depends on which version of the licensed program you are running.

Set up your client to use SSL by completing the following steps:

  1. Select the directory on your workstation where you want to put the necessary jar and zip files.
  2. Copy the necessary files to the selected directory:
  3. Add the jar file and the zip files to your CLASSPATH statement. Do not add the .sec file to your CLASSPATH.

    Note: cfwk.zip must be the first item in your classpath.

Creating a server certificate

You use the IKeyman GUI to create a self-signed certificate.

Note: If the IKeyman GUI stops running, check that cfwk.zip is the first item in your CLASSPATH and that cfwk.sec is in the same directory as cfwk.zip.

Create a server certificate for the proxy server by completing the following steps:

  1. Start the IKeyman GUI by using the following command:
         java -Dkeyman.javaOnly=true com.ibm.gsk.ikeyman.Ikeyman
    
  2. From the IKeyman Key Database File menu, select New.
  3. In the New dialog, do not alter the Key Database Type, which should be SSLight key database class.
  4. Type a File Name (ProxyServerKeyring.class, for example) or click Browse to locate the class file you want to use for the keyring.

    Note: Remember the keyring file name, because you need it to start the secure proxy server.

  5. Type a Location (path) or accept the default location, which is the current working directory, then click OK.
  6. In the Password Prompt dialog, type a Password and Confirm Password, then click OK. (The Set expiration time option is optional; you do not need to select it.)

    Note: Remember your password, which you need to start the secure proxy server. The key icons in this dialog represent the relative strength of your password. A strong password requires a mix of uppercase and lowercase alphanumeric characters.

  7. From the IKeyman Create file menu, select New Self-Signed Certificate.
  8. In the Create New Self-Signed Certificate dialog, type a Key Label (for example, MyCertificate) and Organization.
  9. Click the Country list to select a country, type a Validity Period or accept the default value, then click OK.
  10. From the IKeyman Key Database File menu, select Close, then (from the same menu) click Exit.

You should now be able to see the keyring that you just created in your current directory.

Starting the proxy server using the new certificate

Before starting the proxy server, make sure that the CLASSPATH for the proxy server contains jt400.jar, sslightx.zip, and the location of the proxy server keyring.

Start the proxy server using the certificate you just created. Use the -keyringName and -keyringPassword parameters to pass the keyring name (the keyring file name without the .class extension) and its password to the proxy server. For example:

     java com.ibm.as400.access.ProxyServer -keyringName ProxyServerKeyring -keyringPassword pxypswrd
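
The two CLASSPATH requirements on this page (cfwk.zip first and no .sec file when running IKeyman; jt400.jar, sslightx.zip and the keyring directory when starting the proxy server) are easy to get wrong and fail with unhelpful errors. The following preflight script is an added example and not part of the IBM documentation or the Toolbox for Java itself. The file names, the IKeyman class and the ProxyServer options are taken from the page; the directory layout is whatever you use, and the "dry-run" mode is an assumption added only so the checks can be exercised without a JVM.

```shell
#!/bin/sh
# Added example (not IBM's code): preflight checks for the CLASSPATH rules on this
# page, before launching IKeyman on the workstation and before starting the secure
# proxy server. The "dry-run" mode is our own addition for testing without a JVM.

# Print one CLASSPATH entry per line (':' separated, as on UNIX-style systems).
split_classpath() {
    printf '%s\n' "$1" | tr ':' '\n'
}

# Same, reduced to file names so entries can be matched regardless of directory.
classpath_basenames() {
    split_classpath "$1" | sed 's#.*/##'
}

# IKeyman rules from the page: cfwk.zip must be the first entry, the .sec file must
# NOT be on the CLASSPATH, cfwk.sec must sit beside cfwk.zip, and ssltools.jar
# (which contains IKeyman) must be present. Returns 0 when all of them hold.
check_ikeyman_classpath() {
    ik_cp="$1"
    ik_first=$(split_classpath "$ik_cp" | head -n 1)
    if [ "$(basename "$ik_first")" != "cfwk.zip" ]; then
        echo "cfwk.zip must be the first CLASSPATH entry (first is '$ik_first')" >&2
        return 1
    fi
    if classpath_basenames "$ik_cp" | grep -q '\.sec$'; then
        echo "remove the .sec file from CLASSPATH" >&2
        return 1
    fi
    if [ ! -f "$(dirname "$ik_first")/cfwk.sec" ]; then
        echo "cfwk.sec must be in the same directory as cfwk.zip" >&2
        return 1
    fi
    if ! classpath_basenames "$ik_cp" | grep -Fxq ssltools.jar; then
        echo "ssltools.jar (IKeyman) is not on CLASSPATH" >&2
        return 1
    fi
    return 0
}

# Proxy server rules from the page: jt400.jar, sslightx.zip and the directory that
# holds the keyring class must be on CLASSPATH. Also confirms that the keyring class
# file created with IKeyman exists. Returns 0 when all of them hold.
check_proxy_classpath() {
    px_cp="$1"; px_dir="${2%/}"; px_name="$3"
    for px_need in jt400.jar sslightx.zip; do
        if ! classpath_basenames "$px_cp" | grep -Fxq "$px_need"; then
            echo "$px_need is not on CLASSPATH" >&2
            return 1
        fi
    done
    if ! split_classpath "$px_cp" | sed 's#/*$##' | grep -Fxq "$px_dir"; then
        echo "keyring directory '$px_dir' is not on CLASSPATH" >&2
        return 1
    fi
    if [ ! -f "$px_dir/$px_name.class" ]; then
        echo "keyring file '$px_dir/$px_name.class' not found" >&2
        return 1
    fi
    return 0
}

# Check, then start IKeyman with the page's command. "dry-run" prints the command.
run_ikeyman() {
    check_ikeyman_classpath "$1" || return 1
    if [ "${2:-run}" = "dry-run" ]; then
        printf '%s\n' "java -Dkeyman.javaOnly=true com.ibm.gsk.ikeyman.Ikeyman"
        return 0
    fi
    CLASSPATH="$1" exec java -Dkeyman.javaOnly=true com.ibm.gsk.ikeyman.Ikeyman
}

# Check, then start the secure proxy server with the page's command line. The keyring
# name is the class name without ".class". "dry-run" prints the command instead.
start_secure_proxy() {
    sp_cp="$1"; sp_dir="$2"; sp_name="$3"; sp_pw="$4"
    check_proxy_classpath "$sp_cp" "$sp_dir" "$sp_name" || return 1
    if [ "${5:-run}" = "dry-run" ]; then
        printf 'java com.ibm.as400.access.ProxyServer -keyringName %s -keyringPassword %s\n' \
            "$sp_name" "$sp_pw"
        return 0
    fi
    CLASSPATH="$sp_cp" exec java com.ibm.as400.access.ProxyServer \
        -keyringName "$sp_name" -keyringPassword "$sp_pw"
}

# Script usage: sh preflight.sh KEYRING_DIR KEYRING_NAME PASSWORD   (uses $CLASSPATH)
if [ $# -eq 3 ]; then
    start_secure_proxy "${CLASSPATH:-}" "$1" "$2" "$3"
fi
```

The checks only report the first problem they find and write it to standard error, so the return code alone tells a wrapper or startup script whether it is safe to launch the JVM; the keyring directory is compared after stripping trailing slashes, because a CLASSPATH entry written as keys/ otherwise fails to match the directory you pass in.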