AS/400e. Digital Certificate Management



Contents

Part 1. Digital Certificate Management

Chapter 1. Print this topic

Chapter 2. Getting Started with IBM Digital Certificate Manager
  Deciding whether to use digital certificates
  Digital certificates for SSL secure communications
  Digital certificates for user authentication
  Using Internet certificates versus creating your own
  Examples for using public versus private digital certificates
  Acting as your own CA
  Using an Internet CA to issue certificates
  Creating and exporting a CA to another system
  Setting up system for digital certificates

Chapter 3. Understanding digital certificates
  Cryptography
  Private key
  Public key
  Digital signatures
  Certificate Authority
  Trusted root
  Secure Sockets Layer (SSL)
  System certificates
  User certificates
  Certificate stores

Chapter 4. Using Digital Certificate Manager
  Starting Digital Certificate Manager
  Migrating from a V4R3 version of DCM to V4R5 version
  Certificate administration
  Certificate Authority (CA) tasks
  Completing the Create a Certificate Authority form
  Completing the Renew a Certificate Authority form
  Deleting a CA
  Changing the policy data for an intranet CA
  Changing the default Certificate Authority certificate store password
  Installing a CA certificate on a PC
  Copying a CA certificate for another AS/400
  Selecting the target release for a certificate
  Completing the Create a System Certificate form for another AS/400
  System certificate tasks
  Working with system certificates
  Changing a system certificate store password
  Creating a new system certificate store
  Deleting a system certificate store
  Receiving a system certificate
  Working with CA certificates
  Receiving a CA certificate
  Working with secure applications
  User certificate tasks
  Requesting a user certificate
  Managing registered certificates
  Registering an existing user certificate

Chapter 5. Troubleshooting DCM
  Migrating errors and recovery solutions
  Troubleshooting for registering an existing user certificate

Copyright IBM Corp. 1999, 2000


Part 1. Digital Certificate Management

This topic provides you with information for using digital certificates to enhance your network and system security. For example, you can use digital certificates to secure applications with SSL. This provides one of the best solutions for sending sensitive data over the Internet to a remote system. Additionally, you can find information about Digital Certificate Manager (DCM), a feature for OS/400 that allows you to manage digital certificates for your network. You also can learn how to create and manage your own Certificate Authority (CA) to issue certificates to users and exert tighter access control over internal systems.

Requirements

Digital Certificate Manager is option 34 of OS/400. You must install this option to use DCM. You must also install the IBM HTTP Server for AS/400 (5769 DG1) and use the *ADMIN instance to access DCM. Additionally, you must install a cryptographic access provider licensed program (5769 AC1, 5769 AC2, or 5769 AC3) to create certificates. These cryptographic products determine the maximum key length that is permitted for cryptographic algorithms based on your export and import regulations. You must install one of these products before you can create certificates.

Note: You will not be able to create certificates unless you install all the required products. If a required product is not installed, you will receive an error message instructing you to install the missing component before you can successfully install DCM.

In V4R5, the stash (.sth) password files are no longer used. Beginning in V4R5 the certificate store passwords are stored internally on the system as .kdb files.

Topic Roadmap

To learn more about using digital certificates and Digital Certificate Manager, refer to these pages:

Getting Started with IBM Digital Certificate Manager
  Will digital certificates provide you with the security that you need? This page helps you understand how you can use digital certificates for better system and network security. Review scenarios and learn about using Digital Certificate Manager to create and manage certificates.

Understanding digital certificates
  This page covers some basic concepts that you should understand about digital certificates and when they are useful as a part of your security policy.

Using Digital Certificate Manager
  After you decide how you want to use and deploy certificates, you are ready to use Digital Certificate Manager. This page provides information and procedures for the certificate tasks that you will complete by using DCM.

Troubleshooting DCM
  Despite your well-laid plans, have you encountered a problem or error? This page describes some of the more typical problems that you may encounter, as well as some possible solutions for resolving them.

Chapter 1. Print this topic

You can view or download a PDF version of this document for viewing or printing. You must have Adobe Acrobat Reader installed to view PDF files. You can download a copy from the Adobe home page.

To view or download the PDF version, select Getting Started with Digital Certificate Manager (file size 451 kb or about 55 pages).

To save a PDF on your workstation for viewing or printing:

1. Open the PDF in your browser (click the link above).
2. In the menu of your browser, click File.
3. Click Save As.
4. Navigate to the directory in which you would like to save the PDF.
5. Click Save.


Chapter 2. Getting Started with IBM Digital Certificate Manager

AS/400 security features are among the best in the world. However, even AS/400 needs additional security to protect the resources it provides when it delivers services to, or uses services from, the Internet. You can use Digital Certificate Manager (DCM) to augment AS/400 security by configuring your system to use digital certificates. Digital certificates allow you to use Secure Sockets Layer (SSL) for secure browser access to Web sites and other Internet services.

DCM allows you to create your own local (intranet) Certificate Authority (CA). You can then use the CA to dynamically issue digital certificates to systems and users on your intranet. When DCM creates a certificate for a CA or for a system, it automatically generates the public key and private key for the certificate. You can also use DCM to register and use digital certificates from VeriSign or other commercial Certificate Authorities on your intranet or the Internet.

Digital Certificate Manager automatically associates a user certificate that was created by the local CA with the owner's AS/400 user profile. Consequently, the certificate has the same authorizations and permissions as the associated profile.

You can further augment system security by using digital certificates (instead of user names and passwords) to authenticate and authorize sessions between the server and users. You can also use the keys associated with the certificates to sign and to encrypt data, such as messages and documents, sent between users and servers. Such digital signatures ensure the reliability of an item's origin and protect the integrity of the item.

If you want to get started with certificate tasks immediately, go directly to these pages:

- Deciding whether to use digital certificates provides more information on using digital certificates as a part of your security plan.
- Setting up your system to use digital certificates provides the information that you need to prepare your AS/400 system for using DCM.
- Starting Digital Certificate Manager provides information to allow you to start using DCM.

If you want to begin the tasks now, go directly to the following pages:

- Using Internet certificates versus creating your own
- Examples for using public versus private digital certificates
- Acting as your own CA
- Using an Internet CA to issue certificates
- Creating and exporting a local CA to another system

If you want to use DCM in V4R5 to manage certificates from a prior release of DCM, you need to perform some special tasks. Migrating from a previous version of DCM to version V4R5 provides you with the information that you need to successfully upgrade from your previous version of DCM.

Deciding whether to use digital certificates

Using digital certificates allows you to enhance security for your systems and network. You can use certificates in two primary ways:

- As a means of configuring SSL for secure communications for various applications.
- As a means of more strongly authenticating users who access resources (currently limited to Web serving through HTTP).

Passwords provide user authentication, but unlike certificates, passwords do not address such issues as privacy and data integrity. The following are additional ways in which certificates are superior to passwords:

- Different users can share the same password, jeopardizing the security of your network. Since certificates contain information about a particular individual, they are less likely to be shared. Sharing is also logistically more difficult because certificates and their associated private keys are typically stored on a hard drive or smart card.
- A certificate also contains a private key that is never sent with the certificate for identification. Instead, the system uses this key during the encryption and the decryption processes.
- Many systems require passwords that are 8 characters or shorter in length. The cryptographic keys that are associated with certificates are hundreds of characters long. This length, along with their random nature, makes cryptographic keys much harder to guess than passwords.
- There is always the possibility that an individual might forget his or her password.

Digital certificate keys are based upon cryptographic techniques. This allows for the following potential uses that passwords cannot provide:

- Assuring data integrity by detecting changes to data.
- Proving that a particular action was indeed performed. This is called non-repudiation.
- Securing communications by using the Secure Sockets Layer to encrypt communication sessions. This allows you to send data privately to others over a public network.

If you decide to start using certificates, you must decide what type of Certificate Authority you want to use to issue your certificates. You can use Internet certificates or create your own Certificate Authority to issue certificates, or use a combination of the two types. Once you decide to use certificates, you will need to decide whether to use Internet certificates versus creating your own.

Digital certificates for SSL secure communications

You can use digital certificates to secure applications with the SSL protocol. Under SSL, your server always provides a copy of its certificate to the client when the session is initially established. This accomplishes the following:

- It assures the client or end-user that your site is authentic.
- It provides the option of encrypting your session using SSL.

The server and client browser work together as follows to ensure your data is secure:

1. The server presents the certificate to the client (user) browser or application as proof of server identity.
2. The browser or application verifies the identity against the Certificate Authority certificate.
3. The server and the browser or application agree on a symmetric key and the session is encrypted.

Note: If the browser or application supports using certificates for user authentication and is configured to require it, there are additional steps prior to session encryption. First, the browser or application submits a user certificate to the server to verify the user's identity. Second, the server verifies the identity of the user.

The end-user's browser then makes his or her certificate available at the request of your server, if the application supports client authentication by means of certificates. After your server verifies the user's certificate to establish identity, the server grants appropriate access to your data and services.

Note: SSL 2.0 supports authentication for servers only, while SSL 3.0 supports authentication for clients and servers alike.

SSL uses asymmetric key (public key) algorithms during the SSL handshake processing to negotiate a symmetric key that is subsequently used for encrypting and decrypting the application's data for that particular SSL session. This means that your server and the client use different session keys, which automatically expire after a set amount of time, for each connection. In the unlikely event that someone intercepts and decrypts a particular session key, he or she is unable to use it to deduce any future keys.

Digital certificates for user authentication

A digital certificate acts as an electronic credential. It verifies that the person presenting it is truly who he or she claims to be. In this respect, a certificate is similar to a passport. Both establish an individual's identity, and both contain a unique number for identification purposes. In the case of a certificate, a Certificate Authority (CA) functions as the trusted third party that verifies the credential and seals it with its digital signature.

You can create a protection setup for the IBM HTTP Server to perform user authentication. Eventually, other applications will support user authentication as well.

To authenticate a user, certificates make use of a public key and a related private key. These keys are bound to your user name, along with additional information that systems use for identification. You can make your public key available to anyone who wants to communicate with you. This allows people to use your public key to:

- Verify a message that you signed with your private key.
- Encrypt a message that only you can decrypt with your private key.

Because your private key is instrumental to the authentication process, it is important that you keep it secure.

Using Internet certificates versus creating your own

Once you decide to use certificates, you should choose the type of certificate implementation that best suits your security needs. Your choices include:

- Selecting an Internet Certificate Authority (CA) to issue certificates.
- Creating your own CA to issue private certificates for your intranet.
- Using a combination of Internet CAs and your own CA.

Internet CAs

Internet CAs issue certificates to anyone who pays the necessary fee. However, an Internet CA still requires proof of identity before it issues a certificate. This level of proof varies, though, depending on the CA. You should consider the identification policy of the CA before deciding to trust the certificates that it issues. You must also consider the cost associated with using an Internet CA to issue certificates. This is particularly important if there are many users who expect your company to reimburse them for the fees. Still another disadvantage is the difficulty of setting up your systems to limit access to a subset of users with a certificate from a large CA.

An advantage of using an Internet CA to issue certificates is that it saves time and resources by using an existing, well-known CA. Further, other companies tend to recognize and trust certificates that are created by an Internet CA more than those that you create privately.

Using private (local) certificates

If you create your own CA, you can issue certificates to systems and users within a more limited scope, such as within your company or organization. Creating and maintaining your own CA allows you to issue certificates only to those users who are trusted members of your group. This provides better security because you can control who has certificates, and therefore who has access to your resources, more stringently. A potential disadvantage of maintaining your own CA is the amount of time and resources that you must invest. However, Digital Certificate Manager makes this process easier for you.

Note: No matter which CA is used, the system administrator controls which issuing CA should be trusted on his system. If a copy of a certificate for a well-known CA can be found in your browser, your browser can be set to trust server certificates that were issued by that CA. However, if that CA certificate is not in your *SYSTEM certificate store, your server will not trust user certificates that were issued by that CA. To trust user certificates that are issued by a CA, you need to get a copy of the CA certificate from the CA. It must be in the correct file format and you must receive that certificate into your certificate store.

You may find it helpful to review some examples before you decide how you want to use certificates. Based on how you decide to use certificates, you can use Digital Certificate Manager to put your plan into action:

- Acting as your own CA describes the tasks you must perform should you choose to issue your own certificates.
- Using an Internet CA to issue certificates describes the tasks you must perform to use certificates from a well-known CA.
- Creating and exporting a CA to another system describes the tasks you must perform if you want to use a DCM local CA on more than one system.

Examples for using public versus private digital certificates

The decision to use an Internet Certificate Authority (CA) or to create a private CA depends on several factors. These factors include whom you want to have access to your intranet and how secure you want to keep your data. The following scenarios depict different approaches to regulating access to your company's intranet.

Scenario 1: Using public digital certificates for public access to internal resources

Public certificates are certificates that are issued by a well-known Internet CA. Using public digital certificates to allow access to your corporate intranet is a practical choice under the following conditions:

- Your data and applications require varying degrees of security.
- There is a high rate of turnover among your trusted users.
- You do not want to operate your own Certificate Authority (CA).

If you work for an insurance company, for example, you might be responsible for maintaining different applications on your company's Intranet site. One particular application for which you are responsible is a rate-calculating application that allows agents to generate quotes for their clients. Although this application is not highly sensitive, you want to make sure that only registered agents can use it. Further, you do not trust the security that passwords provide because different agents can share them with each other.

To deal with this situation, you can require the agents to obtain a certificate from a known and trusted CA. Once he or she obtains a certificate, an approved agent can visit your company's Intranet site and request access to your rate-calculating application. Your server can then approve or reject the request. If your server approves the request, the agent is given access to the application.

Scenario 2: Using private digital certificates on an intranet

Using private (local) digital certificates is a practical choice for your corporate intranet under the following conditions:

- You require a high degree of security.
- You trust the individuals to whom you issue certificates.
- You want to operate your own Certificate Authority (CA).

If you work for a large corporation, your human resources department is probably concerned with such issues as legal matters and privacy of records. Further, you realize that passwords are an inadequate method of protecting such sensitive data. After all, people can share, forget, and even steal them. Therefore, you decide to set up a private CA and issue certificates to all employees. This allows for the authentication of users, the signing of information, and the encryption of . Ultimately, by issuing certificates yourself, you have increased the probability that your data remains secure.

16 The security that certificates proide is not limited to protecting your data from outside threats. You can also use certificates to restrict the access of certain employees to specific data as well. For example, you can use certificates to preent software deelopers within your company from accessing the human resource records in the prior scenario. They can also preent technical writers from using high-leel, management applications. You can effectiely use certificates to restrict or facilitate access across your entire network. Acting as your own CA After careful reiew of your security needs and policies you hae decided to be your own Certificate Authority (CA). You can now start Digital Certificate Manager (DCM) so that you can create and operate your own CA. DCM proides you with a guided task path that takes you through this process. The task path takes you through creating the CA itself, as well as to seeral additional tasks. This ensures that you hae eerything set up to start to use digital certificates for SSL security Note: If you intend to use certificates with the HTTP Web Serer for AS/400, you should create and configure your web serer instance. This should be done prior to starting DCM. When you configure a web serer instance to use SSL, an application ID is generated for the serer instance. You must make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the serer instance until you use DCM to assign a certificate to the serer instance. Note: If you end and restart the *ADMIN instance of the web serer prior to assigning a certificate to it, the serer will not start and you will not be able to use DCM to assign a certificate. Also, the user will not be able to use DCM to assign a certificate. To use DCM to create and operate a local CA, complete these tasks: 1. Start a DCM session. 2. 
In the left-hand naigation frame of DCM, select Certificate Authority (CA) task. 3. Select the Create a Certificate Authority task. This displays the first of a series of forms. These will guide you through the process of creating a CA and completing other tasks needed to begin to use digital certificates and SSL. Note: f you hae questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help. 4. Complete all the forms for this guided task. These forms coer all the tasks you need to perform to set up a working CA, including: a. Creating a Certificate Authority. b. Installing the Certificate Authority Certificate on your PC or browser. c. Choosing the policy data for your Certificate Authority. d. Selecting which applications should trust your Certificate Authority. e. Creating a system certificate signed by your Certificate Authority. f. Selecting which applications should use the system certificate for SSL With these tasks complete, your local CA is up and running and the secured applications that you selected can begin using SSL. Users that will access these applications through an SSL connection must hae a copy of the CA certificate on 10 AS/400e: Digital Certificate Management

17 their PC or in their browser. This is so that they can authenticate the serer s identity as part of the SSL negotiation process. Before a user can access the selected applications through an SSL connection, the user must install a copy of the CA certificate. The CA certificate must be copied to a file on the user s PC or downloaded into the user s browser, depending on the requirements of the SSL-enabled application. You can also use this CA to copy a certificate and export it to another AS/400 in your network. You will need to use DCM on the other system to receie a CA certificate to complete this task. Using an Internet CA to issue certificates After careful reiew of your security needs and policies you hae decided that you want to use certificates from a public Internet Ceritificate Authority such as VeriSign. For example, you operate a publicly aailable web site and want to use SSL to ensure the priacy of certain information transactions. You can now use Digital Certificate Manager to centrally manage these certificates and to configure your system to use them. Note: If you intend to use certificates with the HTTP Web Serer for AS/400, you should create and configure your web serer instance. This should be done prior to starting DCM. When you configure a web serer instance to use SSL, an application ID is generated for the serer instance. You must make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the serer instance until you use DCM to assign a certificate to the serer instance. Note: If you end and restart the *ADMIN instance of the web serer prior to assigning a certificate to it, the serer will not start and you will not be able to use DCM to assign a certificate. Also, the user will not be able to use DCM to assign a certificate. To use DCM to manage and use public Internet certificates, complete these tasks: 1. Start a DCM session. 2. 
In the left-hand naigation frame of DCM, select System certificates to display a list of aailable tasks. A window will open requesting your password, click on cancel. When you hae created your certificate store you will also assign a password for future use. Note: f you hae questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help. 3. Select Create a new certificate store from the task list.. This displays a page which allows you to designate the type of Certificate Authority that you want to use. (You create a system certificate as part of creating the new certificate store.) 4. Choose the option for using a well-known CA to issue the certificate and select OK. A form for creating a system certificate displays. 5. Complete the form. Note: To be able to use DCM to work with your certificates you must designate *SYSTEM for the certificate store in the Certificate store path Chapter 2. Getting Started with IBM Digital Certificate Manager 11

18 and file name field. In the Certificate store path and file name field, the default is *SYSTEM. 6. Click OK. DCM displays a page which contains a text string. This text string is an encrypted copy of the public key for your system certificate. (DCM stores the priate key in the new certificate store.) You use this text string in the certificate application form required by most Internet CAs. 7. Copy the entire text string into your certificate application, including the start of file and end of file text.. Note: Be careful when you do the copy and paste. This is the only copy of the certificate request data. If you exit this page of your browser, you lose the certificate request data. You must perform the Create a system certificate task again to create a new certificate request. If you wish to sae a copy of the request data, copy and paste the data into a file. 8. Send the application to the CA that you selected. Note: You must wait for the CA to return the erified completed certificate before you can finish this procedure. 9. After the CA returns your erified certificate, you restart DCM. 10. Select receie the certificate from the System Certificates list in the left-hand naigation frame. This displays a form that allows you to load the completed certificate into the *SYSTEM certificate store. 11. Complete the form. 12. Select Work with secure applications from the System Certificates list. This displays a page that allows you to manage the certificates associated with specific applications. From this page you should perform these tasks: a. Select the applications that should use the new certificate for SSL communications. b. Ensure that these applications trust the CA that issued the certificate. With these tasks complete, you hae successfully managed the certificates for your applications. Howeer, before you can begin using SSL for these applications, you must secure the applications by configuring them to use SSL. for each application. 
Before a user can access the selected applications through an SSL connection, the user must obtain a copy of the CA certificate. The CA certificate must be copied to a file on the user s PC or downloaded into the user s browser, depending on the requirements of the SSL-enabled application. Users must access the public website for the Internet CA and follow the directions proided for obtaining a copy of the CA certificate. Creating and exporting a CA to another system You may already be using a local CA on an AS/400 in your network. Howeer, you want to extend the use of this CA to another AS/400 in your network. For example, you want your current local CA to issue a system certificate for the another AS/400. This is so that you can use SSL for applications that run on it. You must perform a series of tasks on each AS/400 to do this. The system that hosts the local CA must not use a cryptographic access proider product (ACx) that proides function than the target system. Note: If you intend to use certificates with the HTTP Web Serer for AS/400, you should create and configure your web serer instance. This should be done 12 AS/400e: Digital Certificate Management

19 prior to starting DCM. When you configure a web serer instance to use SSL, an application ID is generated for the serer instance. You must make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the serer instance until you use DCM to assign a certificate to the serer instance. Note: If you end and restart the *ADMIN instance of the web serer prior to assigning a certificate to it, the serer will not start and you will not be able to use DCM to assign a certificate. Also, the user will not be able to use DCM to assign a certificate. Use DCM on the system that hosts your local CA, to perform these tasks: 1. Start a DCM session. 2. In the left-hand naigation frame, select Certificate Authority to display a list of aailable tasks. 3. Select Create a system certificate for another AS/400 task. Selecting this task displays the first of seeral pages which allow you to create a system certificate and key pair from your local CA. 4. Complete the pages that DCM proides for the task. Note: f you hae questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help. Note: This task creates three files if you are creating a certificate for V4R4 or later (kdb extension). Each file has the name that you designated for the file with extensions of.kdb,.rdb and.sth. The.kdb file contains a copy of the local CA certificate as well as the system certificate that you created. When creating the key label, you can make the certificate label unique for the target system. Note: If you are creating a certificate for a V4R3 or earlier target system, completing this task creates two key ring files. Each file has the name that you designated for the file with one of two extensions:.kyr and.sth. If you are creating a certificate for a V4R4 or later target system, completing the task creates three files. 
   Each file has the name that you designated for the file with one of three extensions: .kdb, .rdb, and .sth. When using the form to create the certificate for the target system, you can specify a unique key label for the certificate. The same directory ( /qibm/userdata/icss/cert/server/* ) can be used if a different file name is used - for example, MyDefaultForXYZ.KDB, MyDefaultForXYZ.RDB, and MyDefaultForXYZ.STH. This makes it easy to recognize what the target system should use for file names.
5. Use binary FTP or another method to transfer the files that you created. (3 files for V4R4 or later, 2 files for V4R3 or earlier as described in the Note above.) You must transfer all the files that you created to the /QIBM/USERDATA/ICSS/CERT/SERVER directory.

Perform these tasks on the other (target) system:

1. Make sure that the files you transferred from the local CA host system in the previous procedure (key ring files: kyr and sth, or the three KDB files: kdb, rdb, and sth) are in the directory /QIBM/USERDATA/ICSS/CERT/SERVER.
2. Rename the files as follows:
   For V4R4 and later files, rename the files to default.kdb, default.rdb, and default.sth. By renaming these files, you essentially create the components that comprise the *SYSTEM certificate store for the target system.
   For V4R3 or earlier files, rename the files to default.kyr and default.sth. When saved in the certificate store DCM will also create a copy of the existing CA.

   Attention: If you already have default.* files you should not rename them. You will need to make unique names for them instead. Overwriting the default files will cause major problems on your system.
3. Start DCM and complete the tasks appropriate for the release of DCM you have on the target system. For V4R3 or earlier releases of DCM: Complete the Receiving a Certificate Authority certificate task. This will put the CA certificate into a server key ring file and designate the CA as a trusted root. If you used DCM to create the server certificate from an Internet CA, you must receive it into the key ring file that you specified at that time.
4. For V4R4 or later releases of DCM:
   a. Select System certificates in the left-hand navigation frame to display a list of available tasks. The Certificate Store and Password window displays.
   b. In the appropriate fields, enter the name of the certificate store that you want to access and supply the password for it. For this procedure, make sure that you enter *SYSTEM for the certificate store and the password that you used when you created the files on the other system.
   c. Select Work with secure applications from the task list to display a page that allows you to manage the certificates associated with specific applications.
   d. From this page you should perform these tasks:
      1) Select the applications that should use the certificate for SSL communications.
      2) Select the applications that should trust the CA that issued the certificate.
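
The rename in step 2 of the target-system procedure is the point where an existing *SYSTEM store can be damaged. The following is an added example, not part of the IBM documentation: a pre-flight check that renames the transferred set to default.* only when every file for the release is present and no default.* file already exists. The function name, the release labels and the sample files are assumptions made for this illustration.

```python
import tempfile
from pathlib import Path

# File sets this page names for each target release (labels are hypothetical).
REQUIRED_EXTENSIONS = {
    "V4R4_or_later": (".kdb", ".rdb", ".sth"),
    "V4R3_or_earlier": (".kyr", ".sth"),
}


def stage_system_store(directory, base_name, release):
    """Rename <base_name><ext> to default<ext>: all files or none.

    Raises FileNotFoundError if the transferred set is incomplete and
    FileExistsError if any default.* file is already in the directory.
    Returns the new file names on success.
    """
    extensions = REQUIRED_EXTENSIONS[release]
    folder = Path(directory)
    # Compare names without regard to case: the page shows both
    # MyDefaultForXYZ.KDB and default.kdb.
    present = {p.name.lower(): p for p in folder.iterdir() if p.is_file()}

    wanted = [(base_name + ext).lower() for ext in extensions]
    missing = [name for name in wanted if name not in present]
    if missing:
        raise FileNotFoundError("transfer incomplete, missing: " + ", ".join(missing))

    existing = sorted(name for name in present if name.startswith("default."))
    if existing:
        raise FileExistsError("refusing to overwrite: " + ", ".join(existing))

    # Both checks passed, so the renames cannot clobber an existing store.
    renamed = []
    for name, ext in zip(wanted, extensions):
        target = folder / ("default" + ext)
        present[name].rename(target)
        renamed.append(target.name)
    return renamed


if __name__ == "__main__":
    # Constructed sample: an empty scratch directory stands in for
    # /QIBM/USERDATA/ICSS/CERT/SERVER on the target system.
    with tempfile.TemporaryDirectory() as scratch:
        for ext in (".KDB", ".RDB", ".STH"):
            (Path(scratch) / ("MyDefaultForXYZ" + ext)).write_bytes(b"constructed")
        print(stage_system_store(scratch, "MyDefaultForXYZ", "V4R4_or_later"))
        try:
            # A second staging attempt finds default.* in place and stops.
            (Path(scratch) / "Other.kyr").write_bytes(b"constructed")
            (Path(scratch) / "Other.sth").write_bytes(b"constructed")
            stage_system_store(scratch, "Other", "V4R3_or_earlier")
        except FileExistsError as err:
            print(err)
```
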
Then you can use this CA to copy a certificate and export it to another AS/400 in your network. You will need to use DCM on the other system to receive a CA certificate to complete this task.

5. Start a DCM session.
6. In the left-hand navigation frame, select System certificates to display a list of available tasks. The Certificate Store and Password window is displayed. You must enter the name of the certificate store that you want to access and supply the password for it. For this procedure, make sure that you enter *SYSTEM for the certificate store and the password used when you created the files on the other system.

   Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help.
7. Select Work with secure applications to display the Work with Secure Applications page. This page allows you to manage the certificates associated with your secure applications. (This option is available for the *SYSTEM certificate store only.) From this page, you must complete two tasks for the certificates that you now have in your *SYSTEM certificate store.
8. You must designate which applications should trust the local CA certificate.
9. You must designate which applications should use the system certificate.

With these tasks complete, your applications can use the certificate issued by the local CA on another AS/400. However, before you can begin using SSL for these applications, you must secure the applications by configuring them to use SSL.

Before a user can access the selected applications through an SSL connection, the user must install a copy of the CA certificate. The CA certificate must be copied to a file on the user's PC or downloaded into the user's browser, depending on the requirements of the SSL-enabled application.

Setting up system for digital certificates

You must complete these tasks before setting up your intranet to use digital certificates:

1. Install one of the cryptographic provider products (5769AC1, 5769AC2, or 5769AC3).
2. Install OS/400 option 34 - Digital Certificate Manager.
3. Install the IBM HTTP Server for AS/400 (5769DG1), then configure the IBM HTTP Server. Most of the DCM part tasks can use the *ADMIN Server with minimal setup. However, some steps in DCM require the Secure Sockets Layer (SSL), so it is best to configure the SSL portion of the IBM HTTP Server correctly. See HTTP web server for complete details and the latest information for setting up the IBM HTTP Server.

   Note: DCM uses the IBM HTTP Server to make changes that the server uses. You might need to end the IBM HTTP Server and then restart it to use the new information. This depends on the changes you make and the method you use.
4. Start the *ADMIN Server so that you can use your web browser to access DCM from the AS/400 tasks page.
5. After starting the *ADMIN Server, you must enable it to use SSL for secure requests.
   You will know that the system enabled the *ADMIN Server if both of the following are true when you start the instance:
   a. SSLMODE is ON. Either you or the IBM HTTP Server code must turn SSLMODE ON. DCM does not set this directive.
   b. You have properly registered the secure application.

   Note: You can do both of these by using the security configuration page of the HTTP Server.
6. After you finish setting up the *ADMIN server, you need to associate a certificate with the *ADMIN server application in DCM before the server can use SSL successfully. You must decide what kind of certificates you will use and then use DCM to set up your certificates. Based on the way you decide to set up and use certificates, you must complete one of these sets of tasks:
   Act as your own CA.
   Use an Internet CA.
   Create and export a certificate from another system.

   Note: During the process of setting up your certificates, you will be able to select the applications that should use the certificates for SSL and the applications that should trust the issuing CA. DCM assigns an application ID to each registered application. You assign a certificate to an application by way of its application ID. For the *ADMIN server, this application ID is QIBM_HTTP_SERVER_ADMIN.
7. After you use DCM to associate a certificate with the *ADMIN server, you may need to stop and restart the server before it is able to recognize and use the certificate for SSL connections.

   Note: Do NOT stop and restart the server PRIOR to associating a certificate with its application ID. If you end and restart the *ADMIN instance of the web server prior to assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate. Also, the user will not be able to use DCM to assign a certificate.

Setting up the *ADMIN server to use SSL correctly ensures that user certificate tasks in DCM that require the use of SSL will work as expected. The topic SSL and the *ADMIN server provides additional considerations about using SSL with the *ADMIN server.

Chapter 3. Understanding digital certificates

Before you start using digital certificates to protect your communications, you should understand what they are and what security benefits they provide.

A digital certificate is a digital document that validates the identity of the certificate's owner, much as a passport does. A trusted party, called a Certificate Authority (CA), issues digital certificates to users and servers. The trust in the CA is the foundation of trust in the certificate as a valid credential.

Each CA has a policy to determine what identifying information the CA requires in order to issue a certificate. Some Internet Certificate Authorities may require very little information, such as a distinguished name and address. A private key and a public key are generated for each certificate. The certificate contains the public key, while the browser or a secure file stores the private key. The owner of a certificate can use these keys to sign and encrypt data (using cryptography), such as messages and documents, sent between users and servers. Such digital signatures ensure the reliability of an item's origin and protect the integrity of the item.

Using digital certificates and SSL-enabled browsers (such as Netscape Navigator and Microsoft Internet Explorer), your server and clients can communicate securely using the Secure Sockets Layer (SSL). Your browser can also use certificates instead of user names and passwords for more secure authentication and authorization within your intranet.

There are three types of digital certificates: Certificate Authority, System Certificates, and User Certificates. They are stored in a Certificate store. Digital Certificate Manager (DCM) registers user certificates that you create. You can also use the DCM to register user certificates that other Certificate Authorities issue. DCM automatically associates the registered certificate with the certificate owner's AS/400 user profile.

Distinguished name

A distinguished name (DN) is the name of the person or server to whom a Certificate Authority (CA) issues a digital certificate. The certificate provides this name to indicate certificate ownership. Depending on the policy of the CA that issues a certificate, the DN can include other information. When you use Digital Certificate Manager to create your own intranet CA, the DN includes this information:
   certificate owner's common name
   organization
   organizational unit
   city
   state
   country

Cryptography

Cryptography is the science of keeping data secure. Cryptography allows you to store information or to communicate with other parties while preventing non-involved parties from understanding the stored information or understanding the communication. Encryption transforms understandable text into an unintelligible piece of data (ciphertext). Decrypting restores the understandable text from the unintelligible data. Both processes involve a mathematical formula or algorithm and a secret sequence of data (the key).

There are two types of cryptography:
   In shared or secret key (symmetric) cryptography, one key is a shared secret between two communicating parties. Encryption and decryption both use the same key.
   In public key (asymmetric) cryptography, encryption and decryption each use different keys. A party has two keys: a public key and a private key. The two keys are mathematically related, but it is virtually impossible to derive the private key from the public key. A message that is encrypted with someone's public key can be decrypted only with the associated private key. Alternately, a server or user can use a private key to sign a document and use a public key to decrypt the digital signatures. This verifies the document's source.

Private key

A private key is one of an asymmetric key pair and consists of a data string and an algorithmic pattern. A user or server can use a private key to decrypt messages that were encrypted with the corresponding public key. A user or server can also use a private key to encrypt messages that only the corresponding public key can decrypt. A public key is usually bound to the owner's digital certificate and is available for anyone to use. A private key, however, is protected by and available only to the owner of the key. This limited access ensures that communications that use the key are kept secure.

Public key

A public key is one of an asymmetric key pair and is usually bound to the owner's digital certificate.
Consequently, a public key is available for anyone to use. A public key consists of a data string and an algorithmic pattern. A user or server can use a public key to decrypt messages that were encrypted with the corresponding private key. A user or server can also use a public key to encrypt messages that only the corresponding private key can decrypt.

Digital signatures

A digital signature on an electronic document is equivalent to a personal signature on a written document. A digital signature provides proof of the document's origin. The certificate owner signs a document by using the private key that is associated with the certificate. The recipient of the document uses the corresponding public key to decrypt the signature, which verifies the sender as the source.

Certificate Authority

A Certificate Authority signs certificates that it issues. This signature consists of a data string that is encrypted with the Certificate Authority's private key. Any user can then verify the signature on the certificate by using the Certificate Authority's public key to decrypt the signature.

Before you start using digital certificates to protect your communications, you should understand what they are and what security benefits they provide.
   Digital certificates
   Secure Sockets Layer (SSL)
   Cryptography
   Certificate Authority (CA)

A Certificate Authority (CA) is a trusted party that creates and issues digital certificates to users and systems. The trust in the CA is the foundation of trust in the certificate as a valid credential. A CA uses its private key to create a digital signature on a certificate that it issues to validate the certificate's origin.

Several businesses provide commercial Certificate Authority services for Internet users. However, organizations can use Digital Certificate Manager to create their own Certificate Authority to issue digital certificates to systems and users within an intranet.

Certificate Authority usage

A Certificate Authority (CA) is a central administrative entity that can issue digital certificates to users and servers. The Certificate Authority signs certificates with its private key to validate their authenticity. A CA can be either a publicly available entity, such as VeriSign, or it can be a privately created entity, such as a private intranet CA. Digital Certificate Manager (DCM) allows you to use both types of CA.

When you use DCM to create an intranet CA for your organization, you can use the CA to issue certificates. This can be to both servers and users on your system. When the Certificate Authority issues a user certificate, DCM automatically associates the certificate with the appropriate AS/400 user profile.
This ensures that the access and authorization privileges for the certificate are the same as those for the owner's user profile.

Certificate Authority policy data

When you create a Certificate Authority (CA) with Digital Certificate Manager, you can specify the policy data for the CA. The policy data for a CA describes the signing privileges that it has. The policy data determines:
   Whether the CA can issue and sign user certificates.
   How long certificates that the CA issues are valid.

You can set or change policy data only for a CA that you create in Digital Certificate Manager.

Certificate Authority certificates

A Certificate Authority certificate is a digital document that validates the identity of the Certificate Authority (CA) that owns the certificate. A Certificate Authority certificate can be signed by another CA, such as VeriSign, or self-signed if it is an independent entity. A CA that you create in Digital Certificate Manager is an independent entity. The Certificate Authority's certificate contains identifying information about the Certificate Authority, as well as its public key.

When you download a Certificate Authority's certificate into your browser, the browser marks it as a trusted root. Your system must also recognize a CA as a trusted root before it can authenticate certificates that the CA issues. You can use Digital Certificate Manager to designate any Certificate Authority certificate as a trusted root for your system.

Trusted root

The term trusted root refers to a special designation that is given to a Certificate Authority certificate. This trusted root designation allows the browser or system to validate and accept certificates that the Certificate Authority (CA) issues.

When you use Digital Certificate Manager (DCM) to create or renew a system certificate, DCM allows you to designate the issuing Certificate Authority as a trusted root. You can also use Digital Certificate Manager to designate other Certificate Authorities as trusted roots. Users designate a CA as a trusted root when the users download the Certificate Authority certificate into their browsers.

Secure Sockets Layer (SSL)

The Secure Sockets Layer (SSL), originally created by Netscape, is the industry standard for session encryption between clients and servers. SSL uses asymmetric, or public key, encryption to encrypt the session between a server and client (user). The client and server negotiate this session key during an exchange of digital certificates. The key expires automatically after 24 hours, and it creates a different key for each server connection and each client. Consequently, even if unauthorized users intercept and decrypt a session key (which is unlikely), they cannot use it to eavesdrop on later sessions.

System certificates

A system certificate is a digital document that identifies the system or server that owns the certificate. System certificates are issued by a Certificate Authority and contain identifying information about the system or server, such as the system's distinguished name. The certificate also contains the system's public key. A server must have a digital certificate to use the Secure Sockets Layer (SSL) for secure communications.

Browsers that support digital certificates can examine a server's certificate to verify the identity of the server when the client accesses the server. The browser can then use the authentication of the certificate as the basis for initiating an SSL-encrypted session between the client and the server.

User certificates

A user certificate is a digital document that validates the identity of the client or user that owns the certificate. User certificates are issued by a Certificate Authority and contain information that identifies the client or user, such as the user's distinguished name (DN). The certificate also contains the user's public key.

Servers can use the certificate to authenticate the identity of the client (or user) when initiating a Secure Sockets Layer (SSL) communications session. Other users may be able to determine the identity of the user by examining the user's certificate, but can only authenticate the user during SSL.
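
The chapter's model of a CA signature and a trusted root can be traced in a few lines. The following is an added example, not IBM code: a CA "encrypts" a digest of the certificate contents with its private key, and a verifier accepts the certificate only if the issuer is a designated trusted root and the signature "decrypts" to the same digest with that root's public key. It uses textbook RSA with no padding and small constructed keys that are not secure; the distinguished names, key values and function names are assumptions made for this illustration.

```python
import hashlib
from typing import NamedTuple

E = 65537  # public exponent shared by every toy key below


def make_key(p, q):
    """Return (public modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest(data, n):
    """SHA-256 of the data, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, n, d):
    """'Encrypt' the digest with the private key, as the chapter puts it."""
    return pow(digest(data, n), d, n)


def verify(data, signature, n):
    """'Decrypt' the signature with the public key and compare digests."""
    return pow(signature, E, n) == digest(data, n)


class Certificate(NamedTuple):
    subject_dn: str   # distinguished name of the owner
    issuer_dn: str    # distinguished name of the CA that signed it
    public_n: int     # the owner's public key
    signature: int = 0

    def signed_part(self):
        return f"{self.subject_dn}|{self.issuer_dn}|{self.public_n}".encode()


def issue(subject_dn, subject_n, issuer_dn, issuer_n, issuer_d):
    cert = Certificate(subject_dn, issuer_dn, subject_n)
    return cert._replace(signature=sign(cert.signed_part(), issuer_n, issuer_d))


def validate(cert, trusted_roots):
    """trusted_roots maps a CA's DN to its certificate (the trusted root)."""
    root = trusted_roots.get(cert.issuer_dn)
    if root is None:
        return "rejected: issuer is not a trusted root"
    if not verify(cert.signed_part(), cert.signature, root.public_n):
        return "rejected: signature does not verify with the issuer's public key"
    return "accepted"


# Constructed sample data. The primes are small Mersenne primes chosen for
# readability only; keys like these give no security.
LOCAL_CA_DN = "CN=Local CA,O=Example Org,C=US"
SYSTEM_DN = "CN=as400b.example.com,O=Example Org,C=US"
CA_N, CA_D = make_key(2**61 - 1, 2**89 - 1)
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**127 - 1)
SYSTEM_N, _ = make_key(2**89 - 1, 2**107 - 1)

# The local CA is an independent entity, so its certificate is self-signed.
LOCAL_CA = issue(LOCAL_CA_DN, CA_N, LOCAL_CA_DN, CA_N, CA_D)
SYSTEM_CERT = issue(SYSTEM_DN, SYSTEM_N, LOCAL_CA_DN, CA_N, CA_D)


def demo():
    roots = {LOCAL_CA_DN: LOCAL_CA}
    altered = SYSTEM_CERT._replace(subject_dn="CN=elsewhere.example.com,C=US")
    # Names the local CA as issuer but was signed with a different key.
    wrong_key = issue(SYSTEM_DN, SYSTEM_N, LOCAL_CA_DN, OTHER_N, OTHER_D)
    return {
        "self-signed CA": validate(LOCAL_CA, roots),
        "system certificate": validate(SYSTEM_CERT, roots),
        "no trusted root designated": validate(SYSTEM_CERT, {}),
        "contents altered after signing": validate(altered, roots),
        "signed with another key": validate(wrong_key, roots),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
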


More information

IBM InfoSphere Master Data Management Standard and Advanced Editions Version 11 Release 3. Installation Guide GI13-2658-01

IBM InfoSphere Master Data Management Standard and Advanced Editions Version 11 Release 3. Installation Guide GI13-2658-01 IBM InfoSphere Master Data Management Standard and Adanced Editions Version 11 Release 3 Installation Guide GI13-2658-01 IBM InfoSphere Master Data Management Standard and Adanced Editions Version 11

More information

Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.

More information

BusinessLink Software Support

BusinessLink Software Support BusinessLink Software Support V2R5 Upgrade Instructions Existing SSL Installations SSL Certificate Conversion Pre-Upgrade Table of Contents Overview... 1 Requirements For Certificate Conversion... 1 OS/400

More information

IBM Unica Marketing Operations and Campaign Version 8 Release 6 May 25, 2012. Integration Guide

IBM Unica Marketing Operations and Campaign Version 8 Release 6 May 25, 2012. Integration Guide IBM Unica Marketing Operations and Campaign Version 8 Release 6 May 25, 2012 Integration Guide Note Before using this information and the product it supports, read the information in Notices on page 51.

More information

Lotus. Notes Version 8.5.2. Lotus Notes Traveler

Lotus. Notes Version 8.5.2. Lotus Notes Traveler Lotus Notes Version 8.5.2 Lotus Notes Traeler Lotus Notes Version 8.5.2 Lotus Notes Traeler Note Before using this information and the product it supports, read the information in the Notices section.

More information

IBM Marketing Operations Version 9 Release 1 October 25, 2013. User's Guide

IBM Marketing Operations Version 9 Release 1 October 25, 2013. User's Guide IBM Marketing Operations Version 9 Release 1 October 25, 2013 User's Guide Note Before using this information and the product it supports, read the information in Notices on page 207. This edition applies

More information

IBM InfoSphere MDM Web Reports User's Guide

IBM InfoSphere MDM Web Reports User's Guide IBM InfoSphere Master Data Management IBM InfoSphere MDM Web Reports User's Guide Version 11 Release 3 GI13-2652-01 IBM InfoSphere Master Data Management IBM InfoSphere MDM Web Reports User's Guide Version

More information

IBM Marketing Operations OnDemand November 17, 2014. Project Manager's Guide

IBM Marketing Operations OnDemand November 17, 2014. Project Manager's Guide IBM Marketing Operations OnDemand Noember 17, 2014 Project Manager's Guide Note Before using this information and the product it supports, read the information in Notices on page 63. IBM Marketing Operations

More information

Steps to import MCS SSL certificates on a Sametime Server. Securing LDAP connections to and from Sametime server using SSL

Steps to import MCS SSL certificates on a Sametime Server. Securing LDAP connections to and from Sametime server using SSL Steps to import MCS SSL certificates on a Sametime Server Securing LDAP connections to and from Sametime server using SSL Author: Madhu S Dutta / Manoj Palaniswamy, IT Specialist 1 P a g e Configuring

More information

ERserver. iseries. Remote Access Services: PPP connections

ERserver. iseries. Remote Access Services: PPP connections ERserer iseries Remote Access Serices: PPP connections ERserer iseries Remote Access Serices: PPP connections Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment

More information

Business Intelligence Guide

Business Intelligence Guide Sterling Call Center and Sterling Store Business Intelligence Guide Release 9.1.0.10 Sterling Call Center and Sterling Store Business Intelligence Guide Release 9.1.0.10 Note Before using this information

More information

Tivoli Identity Manager Server

Tivoli Identity Manager Server Tioli Identity Manager Serer Version 5.1 Installation and Configuration Guide SC27-2410-01 Tioli Identity Manager Serer Version 5.1 Installation and Configuration Guide SC27-2410-01 Note: Before using

More information

IBM Storage Management Pack for Microsoft System Center Operations Manager (SCOM) Version 2.4.0. User Guide GC27-3909-11

IBM Storage Management Pack for Microsoft System Center Operations Manager (SCOM) Version 2.4.0. User Guide GC27-3909-11 IBM Storage Management Pack for Microsoft System Center Operations Manager (SCOM) Version 2.4.0 User Guide GC27-3909-11 Note Before using this document and the product it supports, read the information

More information

Installation and Configuration Guide

Installation and Configuration Guide IBM Tioli Storage Productiity Center Version 5.2 Installation and Configuration Guide SC27-4058-01 IBM Tioli Storage Productiity Center Version 5.2 Installation and Configuration Guide SC27-4058-01 Note:

More information

IBM Unica Leads Version 8 Release 5 December 2, 2011. Installation Guide

IBM Unica Leads Version 8 Release 5 December 2, 2011. Installation Guide IBM Unica Leads Version 8 Release 5 December 2, 2011 Installation Guide Note Before using this information and the product it supports, read the information in Notices on page 61. This edition applies

More information

iseries Getting started with iseries

iseries Getting started with iseries iseries Getting started with iseries iseries Getting started with iseries Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment Users Restricted Rights Use,

More information

Tivoli Endpoint Manager for Patch Management - Windows - User's Guide

Tivoli Endpoint Manager for Patch Management - Windows - User's Guide Tioli Endpoint Manager for Patch Management - Windows - User's Guide ii Tioli Endpoint Manager for Patch Management - Windows - User's Guide Contents Patch Management for Windows User's Guide................

More information

Renewing default certificates for Tivoli Workload Scheduler

Renewing default certificates for Tivoli Workload Scheduler IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload Scheduler Version 8.3.0 8.4.0 8.5.0 8.5.1 8.6.0 IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload

More information

Digital Certificate Manager Setup

Digital Certificate Manager Setup Digital Certificate Manager Setup Contents Pre-configuration 3 Sample control scripts 3 Server Requirements 3 Prerequisites 3 Technical documents available online at 3 Firewall Considerations 4 Introduction

More information

IBM Security Access Manager for Enterprise Single Sign-On Version 8.2. Help Desk Guide SC23-9953-03

IBM Security Access Manager for Enterprise Single Sign-On Version 8.2. Help Desk Guide SC23-9953-03 IBM Security Access Manager for Enterprise Single Sign-On Version 8.2 Help Desk Guide SC23-9953-03 IBM Security Access Manager for Enterprise Single Sign-On Version 8.2 Help Desk Guide SC23-9953-03 Note

More information

Security Secure Sockets Layer (SSL)

Security Secure Sockets Layer (SSL) System i Security Secure Sockets Layer (SSL) Version 5 Release 4 System i Security Secure Sockets Layer (SSL) Version 5 Release 4 Note Before using this information and the product it supports, read the

More information

Digital Signatures on iqmis User Access Request Form

Digital Signatures on iqmis User Access Request Form Digital Signatures on iqmis User Access Request Form When a user clicks in the User Signature block on the iqmis Access Form, the following window appears: Click Save a Copy and rename it with your name,

More information

ERserver. iseries. Windows server on iseries

ERserver. iseries. Windows server on iseries ERserer iseries Windows serer on iseries ERserer iseries Windows serer on iseries Copyright International Business Machines Corporation 1998, 2002. All rights resered. US Goernment Users Restricted Rights

More information

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10. Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate A STEP-BY-STEP GUIDE to test, install and use a thawte Digital Certificate on your MS IIS Web

More information

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES contents UNDERSTANDING SSL CERTIFICATES...1 What Is SSL and What Are SSL Certificates?...1 Features of SSL...1 Encryption...1

More information

Rational Build Forge. AutoExpurge System. Version7.1.2andlater

Rational Build Forge. AutoExpurge System. Version7.1.2andlater Rational Build Forge AutoExpurge System Version7.1.2andlater Note Before using this information and the product it supports, read the information in Notices, on page 11. This edition applies to ersion

More information

IBM Tivoli Storage Manager for Linux. Quick Start. Version 5 Release 1 GC23-4692-00

IBM Tivoli Storage Manager for Linux. Quick Start. Version 5 Release 1 GC23-4692-00 IBM Tioli Storage Manager for Linux Quick Start Version 5 Release 1 GC23-4692-00 IBM Tioli Storage Manager for Linux Quick Start Version 5 Release 1 GC23-4692-00 Note! Before using this information and

More information

Tivoli Security Compliance Manager

Tivoli Security Compliance Manager Tioli Security Compliance Manager Version 5.1 Tioli Risk Manager Adapter Guide Tioli Security Compliance Manager Version 5.1 Tioli Risk Manager Adapter Guide Note Before using this information and the

More information

Tivoli Integrated Portal Administration and configuration guide. Version 1.0 Tivoli Integrated Portal 2.2

Tivoli Integrated Portal Administration and configuration guide. Version 1.0 Tivoli Integrated Portal 2.2 Tioli Integrated Portal Administration and configuration guide Version 1.0 Tioli Integrated Portal 2.2 Tioli Integrated Portal Administration and configuration guide Version 1.0 Tioli Integrated Portal

More information

Generating and Installing SSL Certificates on the Cisco ISA500

Generating and Installing SSL Certificates on the Cisco ISA500 Application Note Generating and Installing SSL Certificates on the Cisco ISA500 This application note describes how to generate and install SSL certificates on the Cisco ISA500 security appliance. It includes

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C Cunsheng Ding, HKUST Lecture 06: Public-Key Infrastructure Main Topics of this Lecture 1. Digital certificate 2. Certificate authority (CA) 3. Public key infrastructure (PKI) Page 1 Part I: Digital Certificates

More information

GT 6.0 GSI C Security: Key Concepts

GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts Overview GSI uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality. Many of the

More information

Networking File Transfer Protocol

Networking File Transfer Protocol System i Networking File Transfer Protocol Version 5 Release 4 System i Networking File Transfer Protocol Version 5 Release 4 Note Before using this information and the product it supports, read the information

More information

IBM Tivoli Monitoring Version 6.3 Fix Pack 2. Windows OS Agent Reference

IBM Tivoli Monitoring Version 6.3 Fix Pack 2. Windows OS Agent Reference IBM Tioli Monitoring Version 6.3 Fix Pack 2 Windows OS Agent Reference IBM Tioli Monitoring Version 6.3 Fix Pack 2 Windows OS Agent Reference Note Before using this information and the product it supports,

More information

Readme File for IBM Tivoli Service Automation Manager Extension for Workload Automation. Version 8.6

Readme File for IBM Tivoli Service Automation Manager Extension for Workload Automation. Version 8.6 Readme File for IBM Tioli Serice Automation Manager Extension for Workload Automation Version 8.6 ii Readme File for IBM Tioli Serice Automation Manager Extension for Workload Automation Contents Chapter

More information

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES Understanding SSL Certificates 2 Secure Socket Layer (SSL) certificates are widely used to help secure and authenticate

More information

Tivoli Endpoint Manager for Patch Management - Windows - User's Guide

Tivoli Endpoint Manager for Patch Management - Windows - User's Guide Tioli Endpoint Manager for Patch Management - Windows - User's Guide ii Tioli Endpoint Manager for Patch Management - Windows - User's Guide Contents Patch Management for Windows User's Guide................

More information

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Understanding Digital Certificates and Secure Sockets Layer (SSL) Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?

More information

SECURE EMAIL USER GUIDE OUTLOOK 2000

SECURE EMAIL USER GUIDE OUTLOOK 2000 WELLS FARGO AUTHENTICATION SERVICES DATED: MAY 2003 TABLE OF CONTENTS GENERAL INFORMATION... 1 INSTALLING THE WELLS FARGO ROOT CERTIFICATE CHAIN.. 2 INSTALLING THE CERTIFICATES INTO IE... 3 SETTING UP

More information

IBM Maximo Asset Management Version 7 Release 5. Workflow Implementation Guide

IBM Maximo Asset Management Version 7 Release 5. Workflow Implementation Guide IBM Maximo Asset Management Version 7 Release 5 Workflow Implementation Guide Note Before using this information and the product it supports, read the information in Notices on page 47. This edition applies

More information

X.509 Certificate Generator User Manual

X.509 Certificate Generator User Manual X.509 Certificate Generator User Manual Introduction X.509 Certificate Generator is a tool that allows you to generate digital certificates in PFX format, on Microsoft Certificate Store or directly on

More information

Implementing Secure Sockets Layer (SSL) on i

Implementing Secure Sockets Layer (SSL) on i Implementing Secure Sockets Layer (SSL) on i Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts History of SSL Digital Certificate Manager Local Certificate Authority Server

More information

Remote Supervisor Adapter II. Installation Instructions for Linux Users

Remote Supervisor Adapter II. Installation Instructions for Linux Users Remote Superisor Adapter II Installation Instructions for Linux Users Remote Superisor Adapter II Installation Instructions for Linux Users Third Edition (October 2003) Copyright International Business

More information

BEGINNERS GUIDE BEGINNERS GUIDE TO SSL CERTIFICATES: MAKING THE BEST CHOICE WHEN CONSIDERING YOUR ONLINE SECURITY OPTIONS

BEGINNERS GUIDE BEGINNERS GUIDE TO SSL CERTIFICATES: MAKING THE BEST CHOICE WHEN CONSIDERING YOUR ONLINE SECURITY OPTIONS BEGINNERS GUIDE TO SSL CERTIFICATES: MAKING THE BEST CHOICE WHEN CONSIDERING YOUR ONLINE SECURITY OPTIONS BEGINNERS GUIDE TO SSL CERTIFICATES INTRODUCTION Whether you are an individual or a company, you

More information

Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US Government Users Restricted Rights Use, duplication or

Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US Government Users Restricted Rights Use, duplication or iseries E mail iseries E mail Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA

More information

IBM Spectrum Control Base Edition Version 2.1.1. Release Notes

IBM Spectrum Control Base Edition Version 2.1.1. Release Notes Version 2.1.1 Release Notes First (June 2015) This edition applies to ersion 2.1.1 of the software package. Newer document editions may be issued for the same product ersion in order to add missing information

More information

An Overview of the Secure Sockets Layer (SSL)

An Overview of the Secure Sockets Layer (SSL) Chapter 9: SSL and Certificate Services Page 1 of 9 Chapter 9: SSL and Certificate Services The most widespread concern with the Internet is not the limited amount of bandwidth or the occasional objectionable

More information

Active Directory Adapter with 64-bit Support User Guide

Active Directory Adapter with 64-bit Support User Guide IBM Security Identity Manager Version 6.0 Actie Directory Adapter with 64-bit Support User Guide SC27-4385-02 IBM Security Identity Manager Version 6.0 Actie Directory Adapter with 64-bit Support User

More information

Data Protection for Microsoft Exchange Server Installation and User's Guide

Data Protection for Microsoft Exchange Server Installation and User's Guide IBM Tioli Storage Manager for Mail Version 6.4 Data Protection for Microsoft Exchange Serer Installation and User's Guide GC27-4009-01 IBM Tioli Storage Manager for Mail Version 6.4 Data Protection for

More information

IBM Client Security Solutions. Client Security User's Guide

IBM Client Security Solutions. Client Security User's Guide IBM Client Security Solutions Client Security User's Guide December 1999 1 Before using this information and the product it supports, be sure to read Appendix B - Notices and Trademarks, on page 22. First

More information

Load Balancer Administration Guide

Load Balancer Administration Guide Load Balancer Administration Guide ii Load Balancer Administration Guide Contents Chapter 3. Product oeriew...... 9 What is new in this release......... 10 Components of Load Balancer that are aailable

More information

System i. Security. Version 5 Release 4

System i. Security. Version 5 Release 4 System i Security Intrusion Version 5 Release 4 detection System i Security Intrusion Version 5 Release 4 detection Note Before using this information and the product it supports, read the information

More information

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background Xerox Multifunction Devices Customer Tips June 5, 2007 This document applies to these Xerox products: X WC Pro 232/238/245/ 255/265/275 for the user Xerox Network Scanning HTTP/HTTPS Configuration using

More information

BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options

BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options BEGINNERS GUIDE TO SSL CERTIFICATES Introduction Whether you are an individual or a company, you

More information

Planning an Installation

Planning an Installation IBM Tioli Composite Application Manager for Application Diagnostics Version 7.1.0.2 Planning an Installation GC27-2827-00 IBM Tioli Composite Application Manager for Application Diagnostics Version 7.1.0.2

More information