AS/400e Digital Certificate Management

Contents

Part 1. Digital Certificate Management
Chapter 1. Print this topic
Chapter 2. Getting Started with IBM Digital Certificate Manager
  Deciding whether to use digital certificates
    Digital certificates for SSL secure communications
    Digital certificates for user authentication
  Using Internet certificates versus creating your own
  Examples for using public versus private digital certificates
  Acting as your own CA
  Using an Internet CA to issue certificates
  Creating and exporting a CA to another system
  Setting up system for digital certificates
Chapter 3. Understanding digital certificates
  Cryptography
  Private key
  Public key
  Digital signatures
  Certificate Authority
  Trusted root
  Secure Sockets Layer (SSL)
  System certificates
  User certificates
  Certificate stores
Chapter 4. Using Digital Certificate Manager
  Starting Digital Certificate Manager
  Migrating from a V4R3 version of DCM to V4R5 version
  Certificate administration
  Certificate Authority (CA) tasks
    Completing the Create a Certificate Authority form
    Completing the Renew a Certificate Authority form
    Deleting a CA
    Changing the policy data for an intranet CA
    Changing the default Certificate Authority certificate store password
    Installing a CA certificate on a PC
    Copying a CA certificate for another AS/400
    Selecting the target release for a certificate
    Completing the Create a System Certificate form for another AS/400
  System certificate tasks
    Working with system certificates
    Changing a system certificate store password
    Creating a new system certificate store
    Deleting a system certificate store
    Receiving a system certificate
    Working with CA certificates
    Receiving a CA certificate
    Working with secure applications
  User certificate tasks
    Requesting a user certificate
    Managing registered certificates
    Registering an existing user certificate
Chapter 5. Troubleshooting DCM
  Migrating errors and recovery solutions
  Troubleshooting for registering an existing user certificate

Copyright IBM Corp. 1999, 2000
Part 1. Digital Certificate Management

This topic provides you with information for using digital certificates to enhance your network and system security. For example, you can use digital certificates to secure applications with SSL. This provides one of the best solutions for sending sensitive data over the Internet to a remote system. Additionally, you can find information about Digital Certificate Manager (DCM), a feature for OS/400 that allows you to manage digital certificates for your network. You can also learn how to create and manage your own Certificate Authority (CA) to issue certificates to users and exert tighter access control over internal systems.

Requirements

Digital Certificate Manager is option 34 of OS/400. You must install this option to use DCM. You must also install the IBM HTTP Server for AS/400 (5769 DG1) and use the *ADMIN instance to access DCM. Additionally, you must install a cryptographic access provider licensed program (5769 AC1, 5769 AC2, or 5769 AC3) to create certificates. These cryptographic products determine the maximum key length that is permitted for cryptographic algorithms based on your export and import regulations. You must install one of these products before you can create certificates.

Note: You will not be able to create certificates unless you install all the required products. If a required product is not installed, you will receive an error message instructing you to install the missing component before you can successfully install DCM.

In V4R5, the stash (.sth) password files are no longer used. Beginning in V4R5, the certificate store passwords are stored internally on the system as .kdb files.

Topic Roadmap

To learn more about using digital certificates and Digital Certificate Manager, refer to these pages:

- Getting Started with IBM Digital Certificate Manager. Will digital certificates provide you with the security that you need? This page helps you understand how you can use digital certificates for better system and network security. Review scenarios and learn about using Digital Certificate Manager to create and manage certificates.
- Understanding digital certificates. This page covers some basic concepts that you should understand about digital certificates and when they are useful as a part of your security policy.
- Using Digital Certificate Manager. After you decide how you want to use and deploy certificates, you are ready to use Digital Certificate Manager. This page provides information and procedures for the certificate tasks that you will complete by using DCM.
- Troubleshooting DCM. Despite your well-laid plans, have you encountered a problem or error? This page describes some of the more typical problems that you may encounter, as well as some possible solutions for resolving them.

Chapter 1. Print this topic

You can view or download a PDF version of this document for viewing or printing. You must have Adobe Acrobat Reader installed to view PDF files. You can download a copy from the Adobe home page.

To view or download the PDF version, select Getting Started with Digital Certificate Manager (file size 451 kb or about 55 pages).

To save a PDF on your workstation for viewing or printing:
1. Open the PDF in your browser (click the link above).
2. In the menu of your browser, click File.
3. Click Save As.
4. Navigate to the directory in which you would like to save the PDF.
5. Click Save.
Chapter 2. Getting Started with IBM Digital Certificate Manager

AS/400 security features are among the best in the world. However, even AS/400 needs additional security to protect the resources it provides when it delivers services to, or uses services from, the Internet. You can use Digital Certificate Manager (DCM) to augment AS/400 security by configuring your system to use digital certificates. Digital certificates allow you to use Secure Sockets Layer (SSL) for secure browser access to Web sites and other Internet services.

DCM allows you to create your own local (intranet) Certificate Authority (CA). You can then use the CA to dynamically issue digital certificates to systems and users on your intranet. When DCM creates a certificate for a CA or for a system, it automatically generates the public key and private key for the certificate. You can also use DCM to register and use digital certificates from VeriSign or other commercial Certificate Authorities on your intranet or the Internet.

Digital Certificate Manager automatically associates a user certificate that was created by the local CA with the owner's AS/400 user profile. Consequently, the certificate has the same authorizations and permissions as the associated profile. You can further augment system security by using digital certificates (instead of user names and passwords) to authenticate and authorize sessions between the server and users. You can also use the keys associated with the certificates to sign and to encrypt data, such as messages and documents, sent between users and servers. Such digital signatures ensure the reliability of an item's origin and protect the integrity of the item.

If you want to get started with certificate tasks immediately, go directly to these pages:

- Deciding whether to use digital certificates provides more information on using digital certificates as a part of your security plan.
- Setting up your system to use digital certificates provides the information that you need to prepare your AS/400 system for using DCM.
- Starting Digital Certificate Manager provides information to allow you to start using DCM.

If you want to begin the tasks now, go directly to the following pages:

- Using Internet certificates versus creating your own
- Examples for using public versus private digital certificates
- Acting as your own CA
- Using an Internet CA to issue certificates
- Creating and exporting a local CA to another system

If you want to use DCM in V4R5 to manage certificates from a prior release of DCM, you need to perform some special tasks. Migrating from a previous version of DCM to version V4R5 provides you with the information that you need to successfully upgrade from your previous version of DCM.

Deciding whether to use digital certificates

Using digital certificates allows you to enhance security for your systems and network. You can use certificates in two primary ways:

- As a means of configuring SSL for secure communications for various applications.
- As a means of more strongly authenticating users who access resources (currently limited to Web serving through HTTP).

Passwords provide user authentication, but unlike certificates, passwords do not address such issues as privacy and data integrity. The following are additional ways in which certificates are superior to passwords:

- Different users can share the same password, jeopardizing the security of your network. Since certificates contain information about a particular individual, they are less likely to be shared. Sharing is also logistically more difficult because certificates and their associated private keys are typically stored on a hard drive or smart card.
- A certificate also has an associated private key that is never sent with the certificate for identification. Instead, the system uses this key during the encryption and the decryption processes.
- Many systems require passwords that are 8 characters or shorter in length. The cryptographic keys that are associated with certificates are hundreds of characters long. This length, along with their random nature, makes cryptographic keys much harder to guess than passwords.
- There is always the possibility that an individual might forget his or her password.

Digital certificate keys are based upon cryptographic techniques. This allows for the following potential uses that passwords cannot provide:

- Assuring data integrity by detecting changes to data.
- Proving that a particular action was indeed performed. This is called non-repudiation.
- Securing communications by using the Secure Sockets Layer to encrypt communication sessions. This allows you to send data privately to others over a public network.

If you decide to start using certificates, you must decide what type of Certificate Authority you want to use to issue your certificates. You can use Internet certificates, create your own Certificate Authority to issue certificates, or use a combination of the two types. Once you decide to use certificates, you will need to decide between using Internet certificates versus creating your own.

Digital certificates for SSL secure communications

You can use digital certificates to secure applications with the SSL protocol (see Securing applications with SSL). Under SSL, your server always provides a copy of its certificate to the client when the session is initially established. This accomplishes the following:

- It assures the client or end user that your site is authentic.
- It provides the option of encrypting your session using SSL.

The server and client browser work together as follows to ensure your data is secure.
1. The server presents the certificate to the client (user) browser or application as proof of server identity.
2. The browser or application verifies the identity against the Certificate Authority certificate.
3. The server and browser or application agree on a symmetric key, and the session is encrypted.

Note: If the browser or application supports using certificates for user authentication and is configured to require it, there are additional steps prior to session encryption. First, the browser or application submits a user certificate to the server to verify the user's identity. Second, the server verifies the identity of the user.

The end user's browser then makes his or her certificate available at the request of your server, if the application supports client authentication by means of certificates. After your server verifies the user's certificate to establish identity, the server grants appropriate access to your data and services.

Note: SSL 2.0 supports authentication for servers only, while SSL 3.0 supports authentication for clients and servers alike.

SSL uses asymmetric key (public key) algorithms during the SSL handshake processing to negotiate a symmetric key that is subsequently used for encrypting and decrypting the application's data for that particular SSL session. This means that your server and the client use different session keys, which automatically expire after a set amount of time, for each connection. In the unlikely event that someone intercepts and decrypts a particular session key, he or she is unable to use it to deduce any future keys.

Digital certificates for user authentication

A digital certificate acts as an electronic credential. It verifies that the person presenting it is truly who he or she claims to be. In this respect, a certificate is similar to a passport. Both establish an individual's identity, and both contain a unique number for identification purposes. In the case of a certificate, a Certificate Authority (CA) functions as the trusted third party that verifies the credential and seals it with its digital signature.

You can create a protection setup for the IBM HTTP Server to perform user authentication. Eventually, other applications will support user authentication as well.

To authenticate a user, certificates make use of a public key and a related private key. These keys are bound to your user name, along with additional information that systems use for identification. You can make your public key available to anyone who wants to communicate with you. This allows people to use your public key to:

- Verify a message that you signed with your private key.
- Encrypt a message that only you can decrypt with your private key.

Because your private key is instrumental to the authentication process, it is important that you keep it secure.
Using Internet certificates versus creating your own

Once you decide to use certificates, you should choose the type of certificate implementation that best suits your security needs. Your choices include:

- Selecting an Internet Certificate Authority (CA) to issue certificates.
- Creating your own CA to issue private certificates for your intranet.
- Using a combination of Internet CAs and your own CA.

Internet CAs

Internet CAs issue certificates to anyone who pays the necessary fee. However, an Internet CA still requires proof of identity before it issues a certificate. This level of proof varies, though, depending on the CA. You should consider the identification policy of the CA before deciding to trust the certificates that it issues.

You must also consider the cost associated with using an Internet CA to issue certificates. This is particularly important if there are many users who expect your company to reimburse them for the fees. Still another disadvantage is the difficulty of setting up your systems to limit access to a subset of users with a certificate from a large CA.

The advantage of using an Internet CA to issue certificates is that it saves time and resources by using an existing, well-known CA. Further, other companies tend to recognize and trust certificates that are created by an Internet CA more than those that you create privately.

Using private (local) certificates

If you create your own CA, you can issue certificates to systems and users within a more limited scope, such as within your company or organization. Creating and maintaining your own CA allows you to issue certificates only to those users who are trusted members of your group. This provides better security because you can control more stringently who has certificates, and therefore who has access to your resources. A potential disadvantage of maintaining your own CA is the amount of time and resources that you must invest. However, Digital Certificate Manager makes this process easier for you.

Note: No matter which CA is used, the system administrator controls which issuing CA should be trusted on his system. If a copy of a certificate for a well-known CA can be found in your browser, your browser can be set to trust server certificates that were issued by that CA. However, if that CA certificate is not in your *SYSTEM certificate store, your server will not trust user certificates that were issued by that CA. To trust user certificates that are issued by a CA, you need to get a copy of the CA certificate from the CA. It must be in the correct file format, and you must receive that certificate into your certificate store.

You may find it helpful to review some examples before you decide how you want to use certificates. Based on how you decide to use certificates, you can use Digital Certificate Manager to put your plan into action:

- Acting as your own CA describes the tasks you must perform should you choose to issue your own certificates.
- Using an Internet CA to issue certificates describes the tasks you must perform to use certificates from a well-known CA.
- Creating and exporting a CA to another system describes the tasks you must perform if you want to use a DCM local CA on more than one system.

Examples for using public versus private digital certificates

The decision to use an Internet Certificate Authority (CA) or to create a private CA depends on several factors. These factors include whom you want to have access to your intranet and how secure you want to keep your data. The following scenarios depict different approaches to regulating access to your company's intranet.

Scenario 1: Using public digital certificates for public access to internal resources

Public certificates are certificates that are issued by a well-known Internet CA. Using public digital certificates to allow access to your corporate intranet is a practical choice under the following conditions:

- Your data and applications require varying degrees of security.
- There is a high rate of turnover among your trusted users.
- You do not want to operate your own Certificate Authority (CA).

If you work for an insurance company, for example, you might be responsible for maintaining different applications on your company's Intranet site. One particular application for which you are responsible is a rate-calculating application that allows agents to generate quotes for their clients. Although this application is not highly sensitive, you want to make sure that only registered agents can use it. Further, you do not trust the security that passwords provide because different agents can share them with each other. To deal with this situation, you can require the agents to obtain a certificate from a known and trusted CA. Once he or she obtains a certificate, an approved agent can visit your company's Intranet site and request access to your rate-calculating application. Your server can then approve or reject the request. If your server approves the request, the agent is given access to the application.

Scenario 2: Using private digital certificates on an intranet

Using private (local) digital certificates on your intranet is a practical choice for your corporate intranet under the following conditions:

- You require a high degree of security.
- You trust the individuals to whom you issue certificates.
- You want to operate your own Certificate Authority (CA).

If you work for a large corporation, your human resources department is probably concerned with such issues as legal matters and privacy of records. Further, you realize that passwords are an inadequate method of protecting such sensitive data. After all, people can share, forget, and even steal them. Therefore, you decide to set up a private CA and issue certificates to all employees. This allows for the authentication of users, the signing of information, and the encryption of . Ultimately, by issuing certificates yourself, you have increased the probability that your data remains secure.
The security that certificates provide is not limited to protecting your data from outside threats. You can also use certificates to restrict the access of certain employees to specific data as well. For example, you can use certificates to prevent software developers within your company from accessing the human resource records in the prior scenario. They can also prevent technical writers from using high-level management applications. You can effectively use certificates to restrict or facilitate access across your entire network.

Acting as your own CA

After careful review of your security needs and policies, you have decided to be your own Certificate Authority (CA). You can now start Digital Certificate Manager (DCM) so that you can create and operate your own CA. DCM provides you with a guided task path that takes you through this process. The task path takes you through creating the CA itself, as well as several additional tasks. This ensures that you have everything set up to start to use digital certificates for SSL security.

Note: If you intend to use certificates with the HTTP Web Server for AS/400, you should create and configure your web server instance. This should be done prior to starting DCM. When you configure a web server instance to use SSL, an application ID is generated for the server instance. You must make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the server instance until you use DCM to assign a certificate to the server instance.

Note: If you end and restart the *ADMIN instance of the web server prior to assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate.

To use DCM to create and operate a local CA, complete these tasks:

1. Start a DCM session.
2. In the left-hand navigation frame of DCM, select Certificate Authority (CA) tasks.
3. Select the Create a Certificate Authority task. This displays the first of a series of forms. These will guide you through the process of creating a CA and completing other tasks needed to begin to use digital certificates and SSL.
   Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help.
4. Complete all the forms for this guided task. These forms cover all the tasks you need to perform to set up a working CA, including:
   a. Creating a Certificate Authority.
   b. Installing the Certificate Authority certificate on your PC or browser.
   c. Choosing the policy data for your Certificate Authority.
   d. Selecting which applications should trust your Certificate Authority.
   e. Creating a system certificate signed by your Certificate Authority.
   f. Selecting which applications should use the system certificate for SSL.

With these tasks complete, your local CA is up and running and the secured applications that you selected can begin using SSL. Users that will access these applications through an SSL connection must have a copy of the CA certificate on their PC or in their browser. This is so that they can authenticate the server's identity as part of the SSL negotiation process. Before a user can access the selected applications through an SSL connection, the user must install a copy of the CA certificate. The CA certificate must be copied to a file on the user's PC or downloaded into the user's browser, depending on the requirements of the SSL-enabled application.

You can also use this CA to copy a certificate and export it to another AS/400 in your network. You will need to use DCM on the other system to receive a CA certificate to complete this task.

Using an Internet CA to issue certificates

After careful review of your security needs and policies, you have decided that you want to use certificates from a public Internet Certificate Authority such as VeriSign. For example, you operate a publicly available web site and want to use SSL to ensure the privacy of certain information transactions. You can now use Digital Certificate Manager to centrally manage these certificates and to configure your system to use them.

Note: If you intend to use certificates with the HTTP Web Server for AS/400, you should create and configure your web server instance. This should be done prior to starting DCM. When you configure a web server instance to use SSL, an application ID is generated for the server instance. You must make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the server instance until you use DCM to assign a certificate to the server instance.

Note: If you end and restart the *ADMIN instance of the web server prior to assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate.

To use DCM to manage and use public Internet certificates, complete these tasks:

1. Start a DCM session.
2. In the left-hand navigation frame of DCM, select System certificates to display a list of available tasks. A window will open requesting your password; click Cancel. When you have created your certificate store, you will also assign a password for future use.
   Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help.
3. Select Create a new certificate store from the task list. This displays a page which allows you to designate the type of Certificate Authority that you want to use. (You create a system certificate as part of creating the new certificate store.)
4. Choose the option for using a well-known CA to issue the certificate and select OK. A form for creating a system certificate displays.
5. Complete the form.
   Note: To be able to use DCM to work with your certificates, you must designate *SYSTEM for the certificate store in the Certificate store path and file name field. In the Certificate store path and file name field, the default is *SYSTEM.
6. Click OK. DCM displays a page which contains a text string. This text string is an encrypted copy of the public key for your system certificate. (DCM stores the private key in the new certificate store.) You use this text string in the certificate application form required by most Internet CAs.
7. Copy the entire text string into your certificate application, including the start of file and end of file text.
   Note: Be careful when you do the copy and paste. This is the only copy of the certificate request data. If you exit this page of your browser, you lose the certificate request data. You must perform the Create a system certificate task again to create a new certificate request. If you wish to save a copy of the request data, copy and paste the data into a file.
8. Send the application to the CA that you selected.
   Note: You must wait for the CA to return the verified, completed certificate before you can finish this procedure.
9. After the CA returns your verified certificate, restart DCM.
10. Select Receive the certificate from the System Certificates list in the left-hand navigation frame. This displays a form that allows you to load the completed certificate into the *SYSTEM certificate store.
11. Complete the form.
12. Select Work with secure applications from the System Certificates list. This displays a page that allows you to manage the certificates associated with specific applications. From this page you should perform these tasks:
    a. Select the applications that should use the new certificate for SSL communications.
    b. Ensure that these applications trust the CA that issued the certificate.

With these tasks complete, you have successfully managed the certificates for your applications. However, before you can begin using SSL for these applications, you must secure the applications by configuring them to use SSL, for each application.
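A check for the copied request text from steps 6 and 7, as an added example that is not part of the IBM document: it confirms that the pasted block still carries its start-of-file and end-of-file lines and that the base64 body decodes to one complete DER structure, so a paste that lost its tail fails the length check before the request is sent to the CA. The PEM-style "-----BEGIN ...-----" armor lines and the sample request are assumptions constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample in PEM-style armor (an assumption about what DCM shows as the
# "start of file" and "end of file" text). The body is a minimal DER SEQUENCE
# (SEQUENCE { INTEGER 5 }), not a real certificate request.
SAMPLE_REQUEST = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    "MAMCAQU=\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)

_ARMOR = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")


def der_sequence_length(der: bytes):
    """Return (content_length, header_length) of a leading DER SEQUENCE, or (None, 0)."""
    if len(der) < 2 or der[0] != 0x30:            # 0x30 is the SEQUENCE tag
        return None, 0
    first = der[1]
    if first < 0x80:                               # short-form length byte
        return first, 2
    n = first & 0x7F                               # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None, 0
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_pem_request(text: str) -> dict:
    """Report whether a pasted request block is intact.

    Returns {"ok": bool, "label": str or None, "problems": [str, ...]}.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    if not lines:
        return {"ok": False, "label": None, "problems": ["no text was pasted"]}

    begin = _ARMOR.fullmatch(lines[0])
    end = _ARMOR.fullmatch(lines[-1])
    if not (begin and begin.group(1) == "BEGIN"):
        begin = None
        problems.append("missing BEGIN line (start of file text)")
    if not (end and end.group(1) == "END"):
        end = None
        problems.append("missing END line (end of file text)")
    if begin and end and begin.group(2) != end.group(2):
        problems.append("BEGIN and END labels differ")

    # Everything between the armor lines is the base64 body.
    body = "".join(lines[1 if begin else 0:-1 if end else len(lines)])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        der = b""
        problems.append("body is not valid base64 (truncated or altered)")

    if der:
        content_len, header_len = der_sequence_length(der)
        if content_len is None:
            problems.append("body does not start with a DER SEQUENCE")
        elif header_len + content_len != len(der):
            # A clipped paste decodes to fewer bytes than the DER header promises.
            problems.append(
                f"DER length {header_len + content_len} != decoded {len(der)} bytes"
            )

    return {"ok": not problems,
            "label": begin.group(2) if begin else None,
            "problems": problems}


if __name__ == "__main__":
    print(check_pem_request(SAMPLE_REQUEST))
```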
Before a user can access the selected applications through an SSL connection, the user must obtain a copy of the CA certificate. The CA certificate must be copied to a file on the user's PC or downloaded into the user's browser, depending on the requirements of the SSL-enabled application. Users must access the public web site for the Internet CA and follow the directions provided for obtaining a copy of the CA certificate.

Creating and exporting a CA to another system

You may already be using a local CA on an AS/400 in your network. However, you want to extend the use of this CA to another AS/400 in your network. For example, you want your current local CA to issue a system certificate for the other AS/400, so that you can use SSL for applications that run on it. You must perform a series of tasks on each AS/400 to do this. The system that hosts the local CA must not use a cryptographic access provider product (ACx) that provides more function than the target system.

Note: If you intend to use certificates with the HTTP Web Server for AS/400, you should create and configure your web server instance. This should be done prior to starting DCM. When you configure a web server instance to use SSL, an application ID is generated for the server instance. You must make a note of this application ID so that you can use DCM to specify which certificate this application should use for SSL. Do not end and restart the server instance until you use DCM to assign a certificate to the server instance.

Note: If you end and restart the *ADMIN instance of the web server prior to assigning a certificate to it, the server will not start and you will not be able to use DCM to assign a certificate.

Use DCM on the system that hosts your local CA to perform these tasks:

1. Start a DCM session.
2. In the left-hand navigation frame, select Certificate Authority to display a list of available tasks.
3. Select the Create a system certificate for another AS/400 task. Selecting this task displays the first of several pages which allow you to create a system certificate and key pair from your local CA.
4. Complete the pages that DCM provides for the task.
   Note: If you have questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help.
   Note: This task creates three files if you are creating a certificate for V4R4 or later (kdb extension). Each file has the name that you designated for the file, with extensions of .kdb, .rdb and .sth. The .kdb file contains a copy of the local CA certificate as well as the system certificate that you created. When creating the key label, you can make the certificate label unique for the target system.
   Note: If you are creating a certificate for a V4R3 or earlier target system, completing this task creates two key ring files. Each file has the name that you designated for the file with one of two extensions: .kyr and .sth. If you are creating a certificate for a V4R4 or later target system, completing the task creates three files. Each file has the name that you designated for the file with one of three extensions: .kdb, .rdb, and .sth. When using the form to create the certificate for the target system, you can specify a unique key label for the certificate. The same directory (/qibm/userdata/icss/cert/server/*) can be used if a different file name is used, for example MyDefaultForXYZ.KDB, MyDefaultForXYZ.RDB, and MyDefaultForXYZ.STH. This makes it easy to recognize what the target system should use for file names.
5. Use binary FTP or another method to transfer the files that you created (3 files for V4R4 or later, 2 files for V4R3 or earlier, as described in the Note above). You must transfer all the files that you created to the /QIBM/USERDATA/ICSS/CERT/SERVER directory.

Perform these tasks on the other (target) system:

1. Make sure that the files you transferred from the local CA host system in the previous procedure (the key ring files .kyr and .sth, or the three KDB files .kdb, .rdb, and .sth) are in the directory /QIBM/USERDATA/ICSS/CERT/SERVER.
2. Rename the files as follows:
   - For V4R4 and later files, rename the files to default.kdb, default.rdb, and default.sth. By renaming these files, you essentially create the components that comprise the *SYSTEM certificate store for the target system.
   - For V4R3 or earlier files, rename the files to default.kyr and default.sth. When saved in the certificate store, DCM will also create a copy of the existing CA.
   Attention: If you already have default.* files, you should not rename them. You will need to make unique names for them instead. Overwriting the default files will cause major problems on your system.
3. Start DCM and complete the tasks appropriate for the release of DCM you have on the target system. For V4R3 or earlier releases of DCM: complete the Receiving a Certificate Authority certificate task. This will put the CA certificate into a server key ring file and designate the CA as a trusted root. If you used DCM to create the server certificate from an Internet CA, you must receive it into the key ring file that you specified at that time.
4. For V4R4 or later releases of DCM:
   a. Select System certificates in the left-hand navigation frame to display a list of available tasks. The Certificate Store and Password window displays.
   b. In the appropriate fields, enter the name of the certificate store that you want to access and supply the password for it. For this procedure, make sure that you enter *SYSTEM for the certificate store and the password that you used when you created the files on the other system.
   c. Select Work with secure applications from the task list to display a page that allows you to manage the certificates associated with specific applications.
   d. From this page you should perform these tasks:
      1) Select the applications that should use the certificate for SSL communications.
      2) Select the applications that should trust the CA that issued the certificate.
Then you can use this CA to copy a certificate and export it to another AS/400 in your network. You will need to use DCM on the other system to receie a CA certificate to complete this task. 5. Start a DCM session. 6. In the left-hand naigation frame, select System certificates to display a list of aailable tasks. The Certificate Store and Password window is displayed. You must enter the name of the certificate store that you want to access and supply the password for it. For this procedure, make sure that you enter *SYSTEM for the certificate store and the password used when you created the files on the other system Note: f you hae questions about how to complete a specific form in this guided task, select the question mark (?) button at the top of the page to access the on-line help. 7. Select Work with secure applications to display the Work with Secure Applications page. This page allows you to manage the certificates associated with your secure applications. (This option is aailable for the *SYSTEM 14 AS/400e: Digital Certificate Management
21 certificate store only.) From this page, you must complete two tasks for the certificates that you now hae in your *SYSTEM certificate store. 8. You must designate which applications should trust the local CA certificate. 9. You must designate which applications should use the system certificate. With these tasks complete, your applications can use the certificate issued by the local CA on another AS/400. Howeer, before you can begin using SSL for these applications, you mustsecure the applicationsby configuring them to use SSL. Before a user can access the selected applications through an SSL connection, the user must install a copy of the CA certificate. The CA certificate must be copied to a file on the user s PC or downloaded into the user s browser, depending on the requirements of the SSL-enabled application. Setting up system for digital certificates You must complete these tasks before setting up your intranet to use digital certificates: 1. Install one of the cryptographic proider products (5769AC1, 5769AC2, or 5769AC3). 2. Install OS/400 option 34 - Digital Certificate Manager. 3. Install the IBM HTTP Serer for AS/400 (5769DG1), then configure the IBM HTTP Serer. Most of the DCM part tasks can use the *ADMIN Serer with minimal setup. Howeer, some steps in DCM require the Secure Sockets Layer (SSL), so it is best to configure the SSL portion of the IBM HTTP Serer correctly. See HTTP web serer for complete details and the latest information for setting up the IBM HTTP Serer. Note: DCM uses the IBM HTTP Serer to make changes that the serer uses. You might need to end the IBM HTTP Serer and then restart it to use the new information. This depends on the changes you make and the method you use. 4. Start the *ADMIN Serer so you use your web browser to access DCM from the AS/400 tasks page. 5. After starting the *ADMIN Serer, you must enable it to use SSL for secure requests. 
You will know that the system enabled the *ADMIN Serer if both of the following are true when you start the instance: a. SSLMODE is ON. Either you or the IBM HTTP Serer code must turn SSLMODE ON. DCM does not set this directie. b. You hae properly registered the secure application. Note: You can do both of these by using the security configuration page of the HTTP Serer. 6. After you finish setting up the *ADMIN serer, you need to associate a certificate with the *ADMIN serer application in DCM before the serer can use SSL successfully. You must decide what kind of certificates you will use and then use DCM to set up your certificates. Based on the way you decide to set up and use certificates, you must complete one of these sets of tasks: Act as your own CA. Use an Internet CA. Create and export a certificate from another system. Chapter 2. Getting Started with IBM Digital Certificate Manager 15
22 Note: During the process of setting up your certificates, you will be able to select the applications that should use the certificates for SSL and the applications that should trust the issuing CA. DCM assigns an application ID to each registered application. You assign a certificate to an application by way of its application ID. For the *ADMIN serer, this application ID is QIBM_HTTP_SERVER_ADMIN. 7. After you use DCM to associate a certificate with the *ADMIN serer, you may need to stop and restart the serer before it is able to recognize and use the certificate for SSL connections. Note: Do NOTstop and restart the serer PRIORto associating a certificate with its application ID. If you end and restart the *ADMIN instance of the web serer prior to assigning a certificate to it, the serer will not start and you will not be able to use DCM to assign a certificate. Also, the user will not be able to use DCM to assign a certificate. Setting up the *ADMIN serer to use SSL correctly ensures that user certificate tasks in DCM that require the use of SSL will work as expected. The topic, SSL and the *ADMIN serer proides additional considerations about using SSL with the *ADMIN serer. 16 AS/400e: Digital Certificate Management
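The rename step of the target-system procedure above (default.kdb, default.rdb and default.sth for V4R4 and later, default.kyr and default.sth for V4R3 and earlier) together with its Attention note, as an added Python illustration that is not part of IBM's documentation and not DCM code. It assumes the transferred files are already in the directory you pass in, matches file names case-insensitively as the IFS root file system does, and uses a scratch directory with constructed empty files in demo(); the function names are the example's own.

```python
import re
import tempfile
from pathlib import Path

STORE_NAME = "default"  # the file name DCM expects for the *SYSTEM store components


def release_tuple(release):
    """Parse an OS/400 release label such as V4R3 or V4R5 into a comparable tuple."""
    match = re.fullmatch(r"V(\d+)R(\d+)", release.upper())
    if not match:
        raise ValueError(f"unrecognized release label: {release}")
    return int(match.group(1)), int(match.group(2))


def store_extensions(target_release):
    """Key ring files before V4R4, key database files from V4R4 on,
    as the procedure above describes."""
    return ("kyr", "sth") if release_tuple(target_release) < (4, 4) else ("kdb", "rdb", "sth")


def find_file(directory, filename):
    """Look a file up ignoring case: the IFS root file system treats
    MyDefaultForXYZ.KDB and mydefaultforxyz.kdb as the same file."""
    for entry in Path(directory).iterdir():
        if entry.name.lower() == filename.lower():
            return entry
    return None


def stage_system_store(directory, base_name, target_release):
    """Rename the transferred <base_name>.<ext> files to default.<ext>.

    Touches nothing if a component is missing (a partial store is useless) or
    if any default.* file already exists, because overwriting an existing
    *SYSTEM store is exactly what the Attention note warns against.
    Returns the paths of the renamed files."""
    directory = Path(directory)
    sources = {}
    for ext in store_extensions(target_release):
        found = find_file(directory, f"{base_name}.{ext}")
        if found is None:
            raise FileNotFoundError(f"{base_name}.{ext} is not in {directory}; transfer all files first")
        sources[ext] = found
    existing = [p.name for p in directory.iterdir() if p.name.lower().startswith(STORE_NAME + ".")]
    if existing:
        raise FileExistsError(f"{directory} already holds a certificate store ({', '.join(existing)}); "
                              "keep those files and use unique names for the new ones instead")
    renamed = []
    for ext, source in sources.items():
        target = directory / f"{STORE_NAME}.{ext}"
        source.rename(target)
        renamed.append(target)
    return renamed


def demo():
    """Exercise the staging step on constructed empty files in a scratch
    directory; returns what was renamed and whether the overwrite guard fired."""
    scratch = Path(tempfile.mkdtemp())
    for name in ("MyDefaultForXYZ.KDB", "MyDefaultForXYZ.RDB", "MyDefaultForXYZ.STH"):
        (scratch / name).touch()  # stand-ins for files created on the CA host and transferred here
    renamed = sorted(p.name for p in stage_system_store(scratch, "MyDefaultForXYZ", "V4R5"))
    # A later transfer must not clobber the store that now exists.
    for name in ("Second.kdb", "Second.rdb", "Second.sth"):
        (scratch / name).touch()
    try:
        stage_system_store(scratch, "Second", "V4R5")
        guarded = False
    except FileExistsError:
        guarded = True
    return {"renamed": renamed, "guarded": guarded}
```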
Chapter 3. Understanding digital certificates

Before you start using digital certificates to protect your communications, you should understand what they are and what security benefits they provide.

A digital certificate is a digital document that validates the identity of the certificate's owner, much as a passport does. A trusted party, called a Certificate Authority (CA), issues digital certificates to users and servers. The trust in the CA is the foundation of trust in the certificate as a valid credential. Each CA has a policy to determine what identifying information the CA requires in order to issue a certificate. Some Internet Certificate Authorities may require very little information, such as a distinguished name and address.

A private key and a public key are generated for each certificate. The certificate contains the public key, while the browser or a secure file stores the private key. The owner of a certificate can use these keys to sign and encrypt data (using cryptography), such as messages and documents, sent between users and servers. Such digital signatures ensure the reliability of an item's origin and protect the integrity of the item.

Using digital certificates and SSL-enabled browsers (such as Netscape Navigator and Microsoft Internet Explorer), your server and clients can communicate securely using the Secure Sockets Layer (SSL). Your browser can also use certificates instead of user names and passwords for more secure authentication and authorization within your intranet.

There are three types of digital certificates: Certificate Authority, System Certificates, and User Certificates. They are stored in a certificate store. Digital Certificate Manager (DCM) registers user certificates that you create. You can also use DCM to register user certificates that other Certificate Authorities issue. DCM automatically associates the registered certificate with the certificate owner's AS/400 user profile.

Distinguished name

A distinguished name (DN) is the name of the person or server to whom a Certificate Authority (CA) issues a digital certificate. The certificate provides this name to indicate certificate ownership. Depending on the policy of the CA that issues a certificate, the DN can include other information. When you use Digital Certificate Manager to create your own intranet CA, the DN includes this information:
- certificate owner's common name
- organization
- organizational unit
- city
- state
- country

Cryptography

Cryptography is the science of keeping data secure. Cryptography allows you to store information or to communicate with other parties while preventing non-involved parties from understanding the stored information or understanding the communication. Encryption transforms understandable text into an unintelligible piece of data (ciphertext). Decryption restores the understandable text from the unintelligible data. Both processes involve a mathematical formula or algorithm and a secret sequence of data (the key). There are two types of cryptography:
- In shared or secret key (symmetric) cryptography, one key is a shared secret between two communicating parties. Encryption and decryption both use the same key.
- In public key (asymmetric) cryptography, encryption and decryption each use different keys. A party has two keys: a public key and a private key. The two keys are mathematically related, but it is virtually impossible to derive the private key from the public key. A message that is encrypted with someone's public key can be decrypted only with the associated private key. Alternately, a server or user can use a private key to sign a document, and anyone can use the public key to decrypt the digital signature. This verifies the document's source.

Private key

A private key is one of an asymmetric key pair and consists of a data string and an algorithmic pattern. A user or server can use a private key to decrypt messages that were encrypted with the corresponding public key. A user or server can also use a private key to encrypt messages that only the corresponding public key can decrypt. A public key is usually bound to the owner's digital certificate and is available for anyone to use. A private key, however, is protected by and available only to the owner of the key. This limited access ensures that communications that use the key are kept secure.

Public key

A public key is one of an asymmetric key pair and is usually bound to the owner's digital certificate. Consequently, a public key is available for anyone to use. A public key consists of a data string and an algorithmic pattern. A user or server can use a public key to decrypt messages that were encrypted with the corresponding private key. A user or server can also use a public key to encrypt messages that only the corresponding private key can decrypt.

Digital signatures

A digital signature on an electronic document is equivalent to a personal signature on a written document. A digital signature provides proof of the document's origin. The certificate owner signs a document by using the private key that is associated with the certificate. The recipient of the document uses the corresponding public key to decrypt the signature, which verifies the sender as the source.

Certificate Authority

A Certificate Authority signs certificates that it issues. This signature consists of a data string that is encrypted with the Certificate Authority's private key. Any user can then verify the signature on the certificate by using the Certificate Authority's public key to decrypt the signature.

Certificate Authority (CA)

A Certificate Authority (CA) is a trusted party that creates and issues digital certificates to users and systems. The trust in the CA is the foundation of trust in the certificate as a valid credential. A CA uses its private key to create a digital signature on a certificate that it issues to validate the certificate's origin. Several businesses provide commercial Certificate Authority services for Internet users. However, organizations can use Digital Certificate Manager to create their own Certificate Authority to issue digital certificates to systems and users within an intranet.

Certificate Authority usage

A Certificate Authority (CA) is a central administrative entity that can issue digital certificates to users and servers. The Certificate Authority signs certificates with its private key to validate their authenticity. A CA can be either a publicly available entity, such as VeriSign, or a privately created entity, such as a private intranet CA. Digital Certificate Manager (DCM) allows you to use both types of CA. When you use DCM to create an intranet CA for your organization, you can use the CA to issue certificates to both servers and users on your system. When the Certificate Authority issues a user certificate, DCM automatically associates the certificate with the appropriate AS/400 user profile. This ensures that the access and authorization privileges for the certificate are the same as those for the owner's user profile.

Certificate Authority policy data

When you create a Certificate Authority (CA) with Digital Certificate Manager, you can specify the policy data for the CA. The policy data for a CA describes the signing privileges that it has. The policy data determines:
- Whether the CA can issue and sign user certificates.
- How long certificates that the CA issues are valid.
You can set or change policy data only for a CA that you create in Digital Certificate Manager.

Certificate Authority certificates

A Certificate Authority certificate is a digital document that validates the identity of the Certificate Authority (CA) that owns the certificate. A Certificate Authority certificate can be signed by another CA, such as VeriSign, or self-signed if it is an independent entity. A CA that you create in Digital Certificate Manager is an independent entity. The Certificate Authority's certificate contains identifying information about the Certificate Authority, as well as its public key. When you download a Certificate Authority's certificate into your browser, the browser marks it as a trusted root. Your system must also recognize a CA as a trusted root before it can authenticate certificates that the CA issues. You can use Digital Certificate Manager to designate any Certificate Authority certificate as a trusted root for your system.

Trusted root

The term trusted root refers to a special designation that is given to a Certificate Authority certificate. This trusted root designation allows the browser or system to validate and accept certificates that the Certificate Authority (CA) issues. When you use Digital Certificate Manager (DCM) to create or renew a system certificate, DCM allows you to designate the issuing Certificate Authority as a trusted root. You can also use Digital Certificate Manager to designate other Certificate Authorities as trusted roots. Users designate a CA as a trusted root when they download the Certificate Authority certificate into their browsers.

Secure Sockets Layer (SSL)

The Secure Sockets Layer (SSL), originally created by Netscape, is the industry standard for session encryption between clients and servers. SSL uses asymmetric, or public key, encryption to encrypt the session between a server and client (user). The client and server negotiate this session key during an exchange of digital certificates. The key expires automatically after 24 hours, and a different key is created for each server connection and each client. Consequently, even if unauthorized users intercept and decrypt a session key (which is unlikely), they cannot use it to eavesdrop on later sessions.
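The relationships this chapter describes, a CA signing with its private key, anyone verifying with the CA public key, and acceptance depending on the issuer being a designated trusted root, together with the two policy data checks from the Certificate Authority policy data section, as an added Python illustration that is not IBM code and does not show how DCM itself stores or signs anything. It assumes textbook RSA over a SHA-256 digest with freshly generated 512-bit toy keys (far too small for real use) and a constructed distinguished name; CertificateAuthority, verify_certificate and run_scenario are names of the example's own.

```python
import hashlib
import json
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; adequate for a demonstration."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd number of exactly 'bits' bits, retried until probably prime."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_key_pair(bits=512):
    """Return ((n, e), (n, d)): a toy RSA pair, far too small for real use."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))


def _digest(cert):
    """SHA-256 over every certificate field except the signature, as an integer."""
    body = json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True)
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")


class CertificateAuthority:
    """Intranet CA carrying the policy data the chapter describes: whether it
    may issue user certificates and how long the certificates it issues last."""

    def __init__(self, name, validity_days, issues_user_certs=True):
        self.name, self.validity_days, self.issues_user_certs = name, validity_days, issues_user_certs
        self.public_key, self._private_key = generate_key_pair()
        # A CA created in DCM is an independent entity: its certificate is self-signed.
        self.certificate = self.issue({"common_name": name}, self.public_key, "ca", validity_days)

    def permits(self, kind, validity_days):
        """Policy check: user certificates only if allowed, validity never beyond the CA's."""
        return (kind != "user" or self.issues_user_certs) and validity_days <= self.validity_days

    def issue(self, subject_dn, subject_public_key, kind, validity_days):
        """Build a certificate for subject_dn and sign it with the CA private key."""
        if not self.permits(kind, validity_days):
            raise ValueError(f"{self.name}: request violates CA policy data")
        cert = {"subject": subject_dn, "kind": kind, "public_key": list(subject_public_key),
                "issuer": self.name, "validity_days": validity_days}
        n, d = self._private_key
        cert["signature"] = pow(_digest(cert) % n, d, n)
        return cert


def verify_certificate(cert, trusted_roots):
    """Accept only if the issuer is a trusted root and the signature, decrypted
    with that root's public key, matches the certificate digest."""
    root = trusted_roots.get(cert.get("issuer"))
    if root is None:
        return False
    n, e = root
    return pow(cert["signature"], e, n) == _digest(cert) % n


def run_scenario():
    """Issue a system certificate from an intranet CA and check it as a browser
    or DCM would; returns the outcome of each check by name."""
    ca = CertificateAuthority("Intranet CA", validity_days=1095)  # DCM's 3-year default
    server_public, _server_private = generate_key_pair()
    dn = {"common_name": "as400.example.com", "organization": "Example Co",  # constructed DN
          "organizational_unit": "IT", "city": "Rochester", "state": "Minnesota", "country": "US"}
    server_cert = ca.issue(dn, server_public, "system", 365)
    trusted = {ca.name: ca.public_key}  # the CA certificate installed as a trusted root
    altered = dict(server_cert, subject=dict(dn, common_name="other.example.com"))
    other_ca = CertificateAuthority("Some Other CA", validity_days=365)
    other_cert = other_ca.issue(dn, server_public, "system", 30)
    return {
        "genuine": verify_certificate(server_cert, trusted),
        "altered_after_signing": verify_certificate(altered, trusted),
        "issuer_not_a_trusted_root": verify_certificate(other_cert, trusted),
        "policy_rejects_overlong_validity": not ca.permits("system", 2000),
    }
```

Only the genuine certificate passes: the altered copy fails the signature check even though the trusted root is unchanged, and the other CA's certificate is rejected despite a valid signature because its issuer was never designated a trusted root.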
System certificates

A system certificate is a digital document that identifies the system or server that owns the certificate. System certificates are issued by a Certificate Authority and contain identifying information about the system or server, such as the system's distinguished name. The certificate also contains the system's public key. A server must have a digital certificate to use the Secure Sockets Layer (SSL) for secure communications. Browsers that support digital certificates can examine a server's certificate to verify the identity of the server when the client accesses the server. The browser can then use the authentication of the certificate as the basis for initiating an SSL-encrypted session between the client and the server.

User certificates

A user certificate is a digital document that validates the identity of the client or user that owns the certificate. User certificates are issued by a Certificate Authority and contain information that identifies the client or user, such as the user's distinguished name (DN). The certificate also contains the user's public key. Servers can use the certificate to authenticate the identity of the client (or user) when initiating a Secure Sockets Layer (SSL) communications session. Other users may be able to determine the identity of the user by examining the user's certificate, but can only authenticate the user during SSL.

Certificate stores

As of V4R4, Digital Certificate Manager (DCM) stores digital certificates in key database files instead of the key ring files that were used in V4R3. DCM refers to both the old key ring files and the new key database files as certificate stores. A certificate store can also contain the certificate's private key, but in general the private key is kept only in the original certificate store in which the key pair was created. So, for example, the copies of CA certificates that are in a system certificate store do not include the private key, but the actual CA certificate store has both the CA certificate's private and public keys. There are two types of certificate stores: system certificate stores, used with public CAs, and Certificate Authority default certificate stores, used when the system has a local CA on it. DCM controls access to certificate stores through passwords in addition to access control of the IFS directory and the IFS files that constitute the certificate store.
Chapter 4. Using Digital Certificate Manager

Each link in the navigational frame on the left represents a different task that you can perform in Digital Certificate Manager. Once you start DCM, there are three categories of tasks:
- Certificate Authority (CA)
- System certificates
- User certificates

If the category has more than one task that you can perform, an arrow appears to the left of it. The arrow indicates that when you select the category link, an expanded list of tasks displays so that you may choose which task to perform. When you select a task link, a page for performing that task displays in the frame on the right.

The category and number of links you see in the left-hand frame vary depending on the authorizations that your AS/400 user profile has. Some links and their associated tasks are available only to AS/400 security officers or administrators. The security officer or administrator must have *SECADM and *ALLOBJ special authorities to view and use these tasks. Users without these special authorities have access to user certificate functions only.

Selecting the AS/400 Tasks link returns you to the AS/400 Tasks page.

Note: Selecting the ? help provides you with help for that screen. Because all help topics are in a single file, you can scroll among topics within the file for easier access to related information.

Use the links below to obtain more detailed information about digital certificates and network security:
- VeriSign: this information page provides more details about using digital certificates on the Internet.

For more information, review these pages in the Information Center:
- Starting Digital Certificate Manager.
- Migrating from a V4R3 version of DCM to a V4R5 version.
- Certificate administration.
- Certificate Authority (CA) tasks.
- System certificate tasks.
- User certificate tasks.

Starting Digital Certificate Manager

Before you can use any of its functions, you need to start DCM. Follow these instructions to do so.

1. Install 5769 SS1 Option 34. Install 5769 DG1. Install either 5769 AC1, 5769 AC2, or 5769 AC3. These are cryptography products.
2. Start your Web browser.
3. Start the HTTP Server *ADMIN instance.
4. Using your browser, go to the AS/400 Tasks page on your system at
5. Click Digital Certificate Manager. If you are migrating from an earlier version of DCM, this page will give you the details you need to upgrade your system.

Migrating from a V4R3 version of DCM to V4R5 version

When you migrate from a V4R3 or earlier version of Digital Certificate Manager (DCM) to V4R5, DCM automatically upgrades your local Certificate Authority (CA) and system certificate store. DCM upgrades these files, which are located in default.kyr, into the corresponding certificate store files, which are located in default.kdb. The Hypertext Transfer Protocol (HTTP) and LDAP servers also migrate all of their valid certificates in associated key rings into default.kdb, which is the *SYSTEM certificate store.

Note: If you are migrating from V4R4, nothing needs to be done to migrate to V4R5.

If you use a .kyr file that DCM did not upgrade, DCM converts it to a .kyr.kdb file. This occurs the first time you work with it. The first time you specify secure.kyr through DCM, for example, DCM converts it into secure.kyr.kdb.

Note: Key rings are different from certificate stores, so you must convert files in this manner. Manually changing the file extensions results in errors when you try to work with them. If you attempt to delete secure.kyr, DCM actually archives it and deletes secure.kyr.kdb instead.

Key ring to certificate store migration. During installation, the system migrates the following key rings:
- DCM's default key rings.
- Key rings that the HTTP Server configuration files use.
- Key rings that the LDAP Server configuration files use.

Default certificate store password. If the file /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR exists, the system migrates this key ring file and any other eligible key ring files into the *SYSTEM certificate store. The original password associated with the DEFAULT.KYR file is used as the password for the *SYSTEM certificate store. If the DEFAULT.KYR file does not exist but there are other key ring files eligible for migration, the system creates the *SYSTEM certificate store with a password of DEFAULT (all uppercase letters) and completes the migration.

For information on errors and how to resolve them, read the page on Migrating errors and recovery solutions.
31 Certificate administration The AS/400 security officer can use Digital Certificate Manager (DCM) to create an intranet Certificate Authority (CA) and to issue certificates to systems or users. The security officer can also use DCM to designate an Internet Certificate Authority as a trusted root. This person can also register certificates that the Internet CA issues as alid for system authentication. The security officer must hae *SECADM and *ALLOBJ special authorities to perform the following tasks: Create a Certificate Authority. Renew a Certificate Authority Delete a Certificate Authority Change Certificate Authority policy data Change the Certificate Authority certificate store password Copy a Certificate Authority certificate for another AS/400 Create a system certificate for another AS/400 Create new system certificate store Renew a system certificate store Display a Certificate Authority certificate. Change a certificate store password Delete a system certificate store Receie a system certificate Receie a Certificate Authority certificate Work with Certificate Authorities Work with secure applications Manage user certificates for other users Note: Users without these special authorities hae access to user certificate functions only. Certificate Authority (CA) tasks Digital Certificate Manager (DCM) allows you to set up your system to use digital certificates in one of two ways. You can receie an Internet Certificate Authority (CA) certificate and designate it as a trusted root on your system. Or, you can create your own intranet Certificate Authority to issue digital certificates to your systems and users. By haing your own Certificate Authority, you can control which systems and users can receie certificates from the CA. This allows you to more securely control access to serers and Web sites. Regardless of which method you choose for establishing a CA, your system must hae a certificate. 
This is so that applications on the system can use the Secure Sockets Layer (SSL) for secure communications. Additionally, your users must install a copy of the CA certificate in their browsers. Consequently, when you create your own intranet CA, DCM takes you through the steps that are necessary to perform these tasks. If you choose to use an Internet CA, you must ensure that your system and users hae certificates from that CA. You must hae *SECADM, and *ALLOBJ special authorities to select the Certificate Authority (CA) link.you can then select one of these tasks to perform: Create a Certificate Authority. Selecting this task displays the first of seeral forms which allow you to create an intranet CA. This is the only task link Chapter 4. Using Digital Certificate Manager 25
32 aailable in this category until you perform it. If you create a CA, the task list changes so that the other CA tasks are aailable. This task, howeer, is no longer in the list. Renew. Selecting this link displays the first of seeral forms which allow you to renew your intranet CA. When you complete this process, DCM replaces the existing CA certificate in the default CA certificate store with a new CA certificate. Note: Any certificates issued by this CA will no longer be alid. Display. Selecting this task allows you to display information pertaining to the intranet CA certificate in the default CA certificate store. Delete. Selecting this task displays a page which allows you to delete your intranet CA certificate and the corresponding default CA certificate store. Change policy data. Selecting this task displays a page which allows you to change the policy that your intranet CA uses to issue certificates. Change password. Selecting this task allows you to change the password for the intranet CA certificate store and select the password expiration policy. Install CA certificate on your PC. Selecting this task displays the Install CA Certificate page. From this page you can install the CA certificate from the local or intranet CA certificate store in your browser. Or, you can copy the CA certificate into a file on your PC. Copy CA certificate for another AS/400. Selecting this task displays the Export Certificate page. From this page you can copy your intranet CA certificate to a file so that you can use it on other AS/400s and receie the CA certificate. You can then use DCM on another system to receie the CA certificate so that applications on the system recognize it as a trusted root. Selecting a target release for a certificate must be done before you can access the function, create a system certificate. Create a system certificate for another AS/400. 
This task displays several pages which allow you to complete the Create a System Certificate form for another AS/400, creating a certificate and key pair from your intranet CA. You can then transfer the file to another AS/400 for other applications to use for SSL.

Completing the Create a Certificate Authority form

You must provide the following information to complete the Create a Certificate Authority form:

1. Select a key size. A smaller key size is faster but less secure, while a larger key size is more secure but slower.
2. Provide information for these required fields:
- In the Certificate store password field, type a password to restrict access to the local (or intranet) Certificate Authority certificate store file. Use standard AS/400 password rules.
- In the Confirm password field, type the password that you entered in the password field for verification.
Note: You must be sure that you remember the password that you set, or that you write it down and store it in a secure place. If you forget the password, you cannot reset it or recover it, and you will lose access to your CA certificate store.
- In the Certificate Authority name field, type a name to describe the Certificate Authority.
- In the Organization name field, type the name of your company or organizational section.
- In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
- In the Country field, type a two-letter designation for your country.
- In the Validity period for Certificate Authority (in days) field, type the number of days for which the Certificate Authority certificate is valid. The default is 1095 days (3 years).
3. Select OK.

After DCM processes the form, it stores the official CA certificate in the local Certificate Authority certificate store. It also stores a copy of the CA certificate in the *SYSTEM certificate store if that certificate store exists. The CA Certificate Created Successfully page displays so that you can install a copy of the CA certificate in your browser. After you install the certificate in your browser, click the OK button. The Certificate Authority Policy Data page displays to allow you to select the CA policy data.

Selecting a key size for System certificates and Certificate Authority

The key sizes available in the selection box vary according to the country in which your system is located. Some countries, such as France, restrict the import of certain key sizes. The United States also has export restrictions on certain larger key sizes. The key sizes in the selection box represent those that you can legally use in your country. Because larger keys provide more secure encryption, choose the largest key size available to you.

Installing the intranet Certificate Authority certificate in your browser when you create a Certificate Authority

After you use Digital Certificate Manager to create a Certificate Authority (CA) certificate, you must install the certificate in your browser. Installing the certificate establishes the Certificate Authority as a trusted root in your browser. The browser can then recognize and authenticate all other certificates that the Certificate Authority issues. The browser must be able to authenticate system or server certificates before it can use the Secure Sockets Layer to negotiate a secure Web session.

To install the CA certificate in your browser, follow these steps:

1. Select Receive Certificate and follow the instructions that your browser provides.
2. Click OK. The Certificate Authority Policy Data page displays to allow you to select the CA policy data.

Setting the policy data when you create an intranet Certificate Authority

When you create a local (or intranet) Certificate Authority (CA) in Digital Certificate Manager (DCM), you must set the policy data for the CA. You perform this task after you complete the Create a Certificate Authority form and install the CA certificate in your browser. The Certificate Authority Policy Data page displays when you click the OK button on the CA Certificate Created Successfully page.

To set the policy data for an intranet CA, follow these steps:

1. Select whether the CA can issue and sign user certificates.
2. Indicate the length of time for which system certificates and user certificates that the CA issues are valid. The validity period for certificates must be equal to or less than the validity period of the CA.
3. Click OK to display a page that confirms your policy data selection. The title of the page varies slightly depending on whether you accept the policy data that is provided or make changes to the policy data. From this page you can select the applications that should trust the new CA, if applications are registered with DCM. If no registered applications are available, the page displays a policy data confirmation message only.

To complete the process of creating your intranet Certificate Authority, you must create a system certificate. Click the OK button to display the Create a System Certificate form.

Selecting applications to trust a Certificate Authority when you create it

If applications have been registered with Digital Certificate Manager, you can select the applications that should trust your intranet Certificate Authority (CA) when you create it. You perform this task after you set the policy data for your CA.

To specify the applications that should trust certificates that your intranet CA issues, follow these steps:

1. Select which applications from the list you want to trust the CA.
2. Click the OK button. The Secure Applications Status page displays to confirm that the applications that you selected now trust the CA. To complete the process of creating your intranet Certificate Authority, you must create a system certificate.
3. Click the OK button to display the Create a System Certificate form.

Completing the Create a System Certificate form when you create an intranet Certificate Authority

To finish the process of creating an intranet Certificate Authority (CA), you must use the new CA to create a system certificate. The Create a System Certificate form displays after you select the applications that trust the new CA. If no registered applications are available, the Create a System Certificate page displays after you set the policy data for your CA.

To complete the Create a System Certificate form, follow these steps:

1. Select a key size to use for the public and private keys for the certificate. The bigger the key, the more secure the encryption it provides.
2. Provide information for these required fields:
- In the Certificate store password field, type a password to restrict access to the certificate store that you specified. Use standard AS/400 password rules.
- In the Confirm password field, type the password that you entered in the certificate store password field for verification.
Attention: You must be sure that you remember the password that you set, or that you write it down and store it in a secure place. If you forget the password, you cannot reset it or recover it, and you will lose access to your certificate store files.
- In the Server name field, type a name to describe the server. Although you can give the server any name, you should use the TCP/IP host name for the server whenever possible.
- In the Organization name field, type the name of your company or organizational section.
- In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
- In the Country field, type a two-letter designation for your country.
3. Click the OK button.
The System Certificate Created Successfully page displays. This page allows you to select which applications should use this certificate for secure communications, if applications have been registered with Digital Certificate Manager (DCM).
4. Select which applications in the list should use the new certificate for SSL communications, and click the OK button. The Secure Applications Status page displays to confirm that the selected applications are set to use the new certificate.

Troubleshooting tip: When a system certificate is first assigned to the IBM HTTP Server, you need to stop the server and restart it. This ensures that the system performs SSL initialization at the IBM HTTP Server startup.

Completing the Renew a Certificate Authority form

Use the Renew a Certificate Authority form to renew your current Certificate Authority (CA) certificate. When you access the form, the fields contain any previous information that you associated with the certificate. You can change any of this information as part of renewing your CA certificate.

Follow these steps to complete the Renew a Certificate Authority form:

1. Select a key size.
2. Accept or change the information for these required fields:
- In the Certificate Authority name field, type a name to describe the Certificate Authority.
- In the Organization name field, type the name of your company or organizational section.
- In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
- In the Country field, type a two-letter designation for your country.
- In the Validity period for Certificate Authority field, type the number of days for which the Certificate Authority certificate is valid. The default value is 1095 days (3 years).
3. Click the OK button.

After DCM processes the form, it deletes the previous CA certificate in the default CA certificate store and replaces it with the new CA certificate. The CA Certificate Renewed Successfully page displays so that you can install a copy of the new CA certificate in your browser. After you install the certificate in your browser, click the OK button. A page displays so that you can select which applications should trust the Certificate Authority, if applications have been registered with DCM.

Note: If you want to view or change the policy data for your Certificate Authority, you must do so after you complete the renewal process.

Installing the intranet Certificate Authority certificate in your browser when you renew the certificate

After you use Digital Certificate Manager to renew a Certificate Authority (CA) certificate, you must install the certificate in your browser. Installing the certificate establishes the Certificate Authority as a trusted root in your browser. The browser can then recognize and authenticate all other certificates that the Certificate Authority issues. The browser must be able to authenticate system or server certificates before it can use the Secure Sockets Layer to negotiate a secure Web session.
To install the CA certificate in your browser, follow these steps:

1. Select Receive Certificate and follow the instructions that your browser provides.
2. Click OK. A page displays to allow you to select which applications should trust the new CA certificate, if applications have been registered with DCM.

Selecting applications that trust your intranet Certificate Authority

From the Select Applications that Trust This Certificate Authority page, you can select which applications should trust certificates that the Certificate Authority (CA) issues. To do this, follow these steps:

1. Select which applications from the list you want to trust the CA.
2. Click the OK button. A message displays to confirm that the applications that you selected now trust the CA.

Deleting a CA

From the Delete Certificate Authority page you can delete your intranet Certificate Authority (CA). When you access the page, it displays the certificate so that you can review it before you delete it. If there are secure applications which trust the CA, you can view the list of applications by using the View applications button.

When you delete a CA, Digital Certificate Manager does not delete the copy of the certificate that is in the *SYSTEM certificate store. Consequently, deleting the CA does not affect any applications that trusted the certificate. If you delete the copy of the CA certificate in the *SYSTEM certificate store, however, these applications cannot authenticate certificates issued by the deleted CA. Consequently, the affected applications cannot establish secure communications with systems that present certificates that the deleted CA issued.

To confirm that you want to delete the CA, select the Delete button.

Attention: Deleting a Certificate Authority is a permanent action; there is no way to undo the deletion.
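As an added example that is not part of the IBM manual, the following shell script uses openssl (assumed to be installed; every name, subject and validity period in it is constructed) to model what the forms above do: a local CA with the default 1095-day validity, a system certificate whose validity the policy data caps at the CA's, the exported CA certificate that another system receives as a trusted root, and the failure an application sees when the CA certificate it needs is absent from its store.

```shell
#!/bin/sh
# Added example, not from the IBM manual: model with openssl what DCM does behind
# the Create a Certificate Authority and Create a System Certificate forms, then
# show why a store that lacks the CA certificate cannot authenticate a certificate
# the CA issued. Assumes openssl is on PATH; all names and periods are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_DAYS=1095                                    # DCM default CA validity (3 years)
SUBJ_BASE="/C=US/ST=Minnesota/O=Example Corp"   # constructed organization data

# Policy data check: a certificate the CA issues must not be valid longer than
# the CA itself. Returns 0 when the requested period is allowed, 1 otherwise.
policy_allows_days() {
  [ "$1" -gt 0 ] && [ "$1" -le "$CA_DAYS" ]
}

# Local (intranet) CA: a self-signed certificate plus its private key, the
# equivalent of the contents of DCM's default Certificate Authority store.
create_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "$SUBJ_BASE/CN=Example Intranet CA" >/dev/null 2>&1
}

# An unrelated CA, standing in for a store whose copy of our CA was deleted.
create_unrelated_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" \
    -subj "$SUBJ_BASE/CN=Unrelated CA" >/dev/null 2>&1
}

# System certificate named after the server's TCP/IP host name, signed by the
# local CA for the validity period the policy data permits.
create_system_cert() {
  host=$1; days=$2
  policy_allows_days "$days" || return 1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "$SUBJ_BASE/CN=$host" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$days" \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Export the CA certificate (public part only, PEM) for transfer to another
# system, where it is received into that system's store as a trusted root.
export_ca_cert() {
  openssl x509 -in "$WORK/ca.crt" -out "$1"
}

# What a receiving application does: authenticate the presented system
# certificate against the CA certificates it trusts. Returns 0 on success.
verify_system_cert() {
  host=$1; trusted=$2
  openssl verify -CAfile "$trusted" "$WORK/$host.crt" >/dev/null 2>&1
}

main() {
  create_ca
  create_unrelated_ca
  create_system_cert myas400.example.com 365
  export_ca_cert "$WORK/exported-ca.pem"

  if verify_system_cert myas400.example.com "$WORK/exported-ca.pem"; then
    echo "trusted root present: system certificate authenticated"
  fi
  if ! verify_system_cert myas400.example.com "$WORK/other.crt"; then
    echo "trusted root missing: system certificate rejected"
  fi
  if ! create_system_cert too-long.example.com 2000; then
    echo "policy data rejected a 2000-day certificate (CA valid $CA_DAYS days)"
  fi
}

main
```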
Changing the policy data for an intranet CA

You can change the policy data only for an intranet Certificate Authority (CA) that you create or renew by using Digital Certificate Manager. To change the policy data for an intranet CA, follow these steps:

1. Select whether the CA can issue and sign user certificates.
2. Indicate the length of time for which system and user certificates that the CA issues are valid. The validity period for certificates must be equal to or less than the validity period of the CA.
3. Click OK to display the Policy Data Changed page, which displays a message to confirm your changes.
4. Click Done to return to the Digital Certificate Manager entrance page.

Changing the default Certificate Authority certificate store password

To change the password for the default Certificate Authority certificate store, follow these steps:

1. In the Old password field, type the current password for the certificate store.
2. In the New password field, type the new password that you want to use for the certificate store. Use standard AS/400 password rules to create your new password.
3. In the Confirm password field, type the new password for verification.
Note: You must remember the password that you set, or write it down and store it in a secure place. If you forget the password, you cannot reset it or recover it, and you will lose access to your certificate store.
4. To have the password expire after a specific length of time, select the Password expires option. Then type the number of days for which the new password is valid.
5. Click OK to display a page with a message confirming the change to your password.
6. Click Done to return to the Digital Certificate Manager entrance page.

Installing a CA certificate on a PC

From the Install CA Certificate page you can install the intranet (local) Certificate Authority certificate in your browser. You can also copy and paste the certificate into a file on your PC.

You should install the certificate in your browser before you request a user certificate. This establishes the Certificate Authority as a trusted root in your browser. The browser can then recognize and authenticate all other certificates that the Certificate Authority issues. The browser must be able to authenticate system certificates before it can negotiate a secure Web session by using the Secure Sockets Layer.

To install the certificate in your browser, follow these steps:

1. Select the Receive Certificate link and follow the instructions that your browser provides.
2. Click Done to return to the Digital Certificate Manager entrance page.

If you need the certificate for a non-browser application such as Client Access Express or IBM Personal Communications, you can copy and paste the certificate into a file on your PC. To copy and paste the certificate to a file on your PC, follow these steps:

1. Select the Copy and paste certificate link to display the Copy and Paste CA Certificate page.
2. Copy the text object shown on the page into your clipboard. You must later paste this information into a file. This file is used by a PC utility program (such as MKKF or IKEYMAN) to store certificates for use by client programs on the PC.
3. Click Done to return to the Digital Certificate Manager entrance page.

Copying a CA certificate for another AS/400

Digital Certificate Manager (DCM) allows you to create an intranet Certificate Authority (CA) and use it to issue digital certificates to systems. However, DCM writes the certificate and key pair to the AS/400 on which you access DCM to create the CA. If you want another AS/400 to use the intranet CA, you must transfer a copy of the CA certificate to the other system.
From the Export Certificate page, you can copy your intranet CA certificate information into a file of your choice. Transfer this file manually to another system and use DCM to receive the CA certificate so that applications on the system recognize it as a trusted root.

To export your CA certificate, follow these steps:

1. In the Export file name field, type the path and file name of the file to which you want to export the certificate.
Note: Do not use the extension .kdb for your file name.
2. Click OK to display the Export Successful page.
Note: If you specify a path and file name for an existing file, you will get an error message because DCM does not allow you to overwrite existing files.

Selecting the target release for a certificate

When you use Digital Certificate Manager (DCM) to create a system certificate for another AS/400, you must specify the target release for the certificate. The target release that you select must be compatible with the version of DCM on the other system. You can select one of these target release values:

- V4R5M0. Select this format if DCM on the other system is at V4R5 or a subsequent release.
- V4R4M0. Select this format if DCM on the other system is at V4R4.
- V4R3M0. Select this format if DCM on the other system is at V4R3.
- V4R2M0. Select this format if DCM on the other system is at V4R2.

Click OK to set your target release selection and display the Create a System Certificate page. This page allows you to provide information for the new certificate. The field names vary based on the target release that you selected for the certificate. However, the information that you must provide is essentially the same.

Completing the Create a System Certificate form for another AS/400

The field names for the Create a System Certificate form vary based on the target release that you selected for the certificate. However, the information that you must provide is essentially the same.

Note: After DCM creates the certificate, you must transfer the files that were created for the certificate to the AS/400 that will use this system certificate (see below). After you have transferred the files to the target system, you must use DCM on the target system to change the password for the certificate store or key ring file that you transferred. If the target system is using V4R4 or an earlier release of DCM, changing the password will create a stash (.STH) file for the certificate store or key ring file. If the target system is using the V4R5 release of DCM, changing the password will cause DCM to store the password internally on the system. When changing the password for the certificate store or key ring file on the target system, be sure to select the Automatic Login checkbox, if it is shown on the screen. You must know the current password for the certificate store or key ring file so you can change the password after you transfer the files to the target system.
If you selected either V4R4M0 or V4R5M0 as the target release, you must provide the following information to complete the form:

1. Select a key size to use for the public and private keys for the certificate. The bigger the key, the more secure the encryption it provides.
2. Provide information for these required fields:
- In the Current system certificate key label field, accept the default key label or type a name to identify the system certificate private key.
- In the Certificate store path and file name field, type the fully-qualified path and file name that you want to use for the new certificate. For example: /mydirectory/myfile.kdb
- In the Certificate store password field, type a password to restrict access to the certificate store that you specified. Use standard AS/400 password rules.
- In the Confirm password field, type the password that you entered in the certificate store password field for verification.
Note: You must be sure that you remember the password that you set, or that you write it down and store it in a secure place. If you forget the password, you cannot reset it or recover it, and you will lose access to your certificate store files.
- In the Server name field, type a name to describe the system that will use the certificate. Although you can give the system any name, usually you should use the TCP/IP host name for the system.
- In the Organization name field, type the name of your company or organizational section.
- In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
- In the Country field, type a two-letter designation for your country.
3. Click OK. The System Certificate Created Successfully page displays.

After DCM creates the certificate, you must transfer the certificate store (.KDB) and the request file (.RDB) to the AS/400 that will use this system certificate. You can use this new certificate store directly. Or, you can use DCM on that system to export the system certificate from this certificate store into a file. Then you can import the certificate into the *SYSTEM or another system certificate store.

If you selected a target release prior to V4R4M0, you must provide the following information to complete the form:

1. Select a key size to use for the public and private keys for the certificate. The bigger the key, the more secure the encryption it provides.
2. Provide information for these required fields:
- In the Key label field, accept the default key label or type a name to identify the server certificate private key.
- In the Key ring path and file name field, type the fully-qualified path and file name that you want to use for the new certificate. For example: /mydirectory/myfile.kyr
Note: You should use the .kyr extension for this file.
- In the Key ring password field, type a password to restrict access to the key ring file that you specified. Use standard AS/400 password rules.
- In the Confirm password field, type the password that you entered in the Key ring password field for verification.
Note: You must be sure that you remember the password that you set, or that you write it down and store it in a secure place. If you forget the password, you cannot reset it or recover it, and you will lose access to your key ring files.
- In the Server name field, type a name to describe the server that will use the certificate. Although you can give the server any name, usually you should use the TCP/IP host name for the system.
- In the Organization name field, type the name of your company or organizational section.
- In the State or province field, type a designation for your state or province. This designation must be a minimum of three characters in length.
- In the Country field, type a two-letter designation for your country.
3. Click OK. The System Certificate Created Successfully page displays.
4. After DCM creates the certificate, you must transfer the key ring file (.KYR) to the AS/400 that will use this system certificate. You can manually change the HTTP server directives to use this key ring. Or, you can use DCM on that system to import the certificate.

System certificate tasks

When you select the System Certificates link, the Certificate Store and Password window displays. You must enter the name of the certificate store that you want to access and supply the password for it. DCM creates the *SYSTEM certificate store when you create a system certificate as part of creating an intranet Certificate Authority. If you want to use DCM solely to manage certificates that an Internet Certificate Authority issues, you must create the *SYSTEM certificate store first.

Digital Certificate Manager (DCM) allows you to create your own system certificate stores. However, you can access the tasks for secure applications from the *SYSTEM certificate store only.

When you select the System Certificates link (you must have *SECADM and *ALLOBJ special authorities to see the system certificate links), you can choose one of these tasks:

- Work with certificates: displays the Work with Certificates page. This page allows you to work with your system certificates in the current certificate store. You can view, delete, renew, export, or set a certificate as a default. You can also import or create a certificate to add to the current certificate store.
- Change password: allows you to change the password for the current system certificate store.
- Create new certificate store: displays the first of several pages which allow you to create a new system certificate to populate a new system certificate store. The first page allows you to choose whether your local intranet CA or an Internet CA issues the certificate. If you do not have an intranet CA, then this page allows you to select an Internet CA only. You must use this task to create the *SYSTEM certificate store if you want to use local certificates.
- Delete certificate store: allows you to delete the current system certificate store. If you delete a certificate store, you cannot undo the deletion. If you delete the *SYSTEM certificate store, your system will not be able to use SSL for secure communications.
- Receive a system certificate: allows you to add a new system certificate into the current certificate store. Use this task when you want to add a system certificate that an Internet CA issues. You can receive an Internet certificate only if you used DCM to create the certificate.
- Work with Certificate Authorities: displays the Work with Certificate Authorities page. This page allows you to manage the CA certificates in the current system certificate store. You can designate a CA as a trusted root, remove a CA's trusted root status, view information for a CA certificate, or delete a CA certificate. In V4R5 you can also import or export a CA certificate.
Even though this function may show a CA as trusted in the certificate store, a secure application by default trusts only the CA that signed the system certificate that the application uses for secure connections. Therefore, you must use the Work with secure applications task to mark other CAs as trusted by the secure application if desired.
- Receive a CA certificate: allows you to add a new CA certificate into the current certificate store and designate the CA as a trusted root. This can be either an Internet CA certificate or an intranet CA certificate that you create in DCM on another AS/400.
- Work with secure applications: displays the Work with Secure Applications page. This page allows you to manage the certificates associated with your secure applications. (This option is available for the *SYSTEM certificate store only.) For each secure application, you can view certificate information, work with system certificates that the application uses, or work with CA certificates that the application trusts. When a system certificate is associated with an application, DCM automatically marks the signers of the certificate as trusted by the application.

Working with system certificates

From the Work with Certificates page, you can manage many aspects of your system certificates. From this page, you can perform these actions for system certificates in the specified system certificate store:

- View information for a system certificate.
- Delete a system certificate.
- Renew a system certificate.
- Export a system certificate and keys to a file which you can transfer to another AS/400.
- Set a certificate as the default certificate for the current system certificate store.
- Import a system certificate from another AS/400 to the current system certificate store.
- Create a new system certificate.

Viewing a system certificate

To view information for a system certificate, follow these steps:

1. From the list, select the certificate that you want to view.
2. Click the View button to display the Certificate and Key Information page for the selected certificate.
3. When you finish viewing the information for the certificate, click the OK button to return to the Work with Certificates page.

To delete a system certificate, follow these steps:

1. From the list, select the certificate that you want to delete.
2. Click the Delete button to display the Delete Certificate and Associated Key page for the selected certificate. This page allows you to review the information for a certificate to confirm that this is the certificate that you want to delete. If applications use a certificate that you delete, the applications may not be able to use SSL for secure communications.
3. After you review the certificate information, click the Delete button to return to the Work with Certificates page. At the top of the page, a message displays to indicate that the certificate and keys were deleted.

Renewing a system certificate

To renew a system certificate, follow these steps:

1. From the list, select the certificate that you want to renew.
2. Click the Renew button to display the Select a Certificate Authority page. This page allows you to select the type of Certificate Authority to renew the system certificate. After you select a Certificate Authority, you must complete the Renew a System Certificate form. When you complete the form, other pages in the task flow allow you to complete the process of renewing the certificate.

Exporting a system certificate

To export a system certificate and its keys to a file that you can transfer to another AS/400, follow these steps:

1. From the list, select the certificate that you want to export to a file. Generally, you would export a system certificate from an intranet Certificate Authority (CA) that you created in Digital Certificate Manager (DCM).
2. Click the Export button to display the Export Certificate page.
3. Complete the Export Certificate form and click the OK button. A message that the certificate was exported to the file that you specified displays at the top of the page. You can manually transfer the file to another AS/400 so that applications on that system can use it.

Setting a certificate as a system default certificate

To set a certificate as the default system certificate for the current certificate store, follow these steps:

1. From the list, select the certificate that you want to be the default.
2. Click the Set default button to display the Set Default Key page, which confirms your selection of the default certificate and keys for the current certificate store.
3. Click the Done button to return to the Work with Certificates page.

Importing a system certificate from another AS/400

To import a system certificate from another AS/400 into the current certificate store, follow these steps:

1. Click the Import button to display the Import Certificate page. Generally, you would import a system certificate from an intranet Certificate Authority (CA) that you created in Digital Certificate Manager (DCM) on another AS/400.
2. Complete the Import Certificate form and click the OK button to return to the Work with Certificates page.
A message that the certificate has been added to the current certificate store displays at the top of the page. The certificate that you imported should appear in the list of certificates as well. Use the Work with secure applications task if you want to specify that secure applications use this certificate.

Creating a new system certificate

To create a new system certificate for this certificate store, follow these steps:

1. Click the Create button to display the Select a Certificate Authority page. This page allows you to select the type of Certificate Authority that you want to sign the certificate. After you select a Certificate Authority, you must complete the Create a System Certificate form. When you complete the form, other pages in the task flow allow you to complete the process of creating the certificate.

Note: References to actions that affect secure applications are meaningful for the *SYSTEM certificate store only. Functions for secure applications are not available for other system certificate stores.

Deleting a system certificate

From the Delete Certificate and Associated Key page, you can view the information for a system certificate before you confirm the deletion. If there are secure applications which use the system certificate, you can view the list of applications by using the View applications button.

If you delete a certificate that a secure application uses to make SSL connections, you must select a different certificate for that application to use. If you do not select a new certificate for the application, the application cannot use SSL for secure communications. Use the Work with secure applications task to specify the certificate that an application should use for SSL.

After you review the information for the certificate, click the Delete button to confirm the deletion and return to the Work with Certificates page. A message that DCM deleted the certificate and keys displays at the top of the page. The deleted certificate no longer appears in the list of certificates for the certificate store.

Deleting a system certificate is a permanent action; there is no way to undo the deletion.

Selecting a Certificate Authority to sign a system certificate

From the Select a Certificate Authority page, you can select the type of Certificate Authority (CA) that signs your system certificate. You must select the type of Certificate Authority whether you are creating a new system certificate or renewing an existing one. If you are renewing an existing certificate, you should select the same type of CA that you used to sign the original certificate. You can select one of two types of Certificate Authorities:

- Local Certificate Authority
- VeriSign or other Internet Certificate Authority

Note: A Local Certificate Authority is one that you create in Digital Certificate Manager (DCM). To use a Local Certificate Authority, you must first use DCM to create one.

If you use an Internet Certificate Authority, DCM creates the keys and other information that an Internet CA requires. You must copy and paste this information into the form that the Internet CA provides and send it to the CA for signing. After you receive the signed certificate file, you can use the Receive a system certificate task to add the new certificate to your system certificate store.

Select the type of Certificate Authority that you want to sign your system certificate, then click the OK button.
If you are creating a system certificate, the Create a System Certificate form displays. If you are renewing a system certificate, the Renew a System Certificate form displays. Completing the Renew a System Certificate form After you select the type of Certificate Authority that will sign the system certificate, the Renew a System Certificate form displays. When you access the form, the fields contain any preious information that you associated with the certificate. You can change any of this information as part of renewing your system certificate. Follow these steps to complete the Renew a System Certificate form: 1. In the New associated key label field, type a label name for the system certificate. This label name must be different from any other labels in the current certificate store, including the label of the certificate that you are renewing. 2. Select a key size. 3. Accept or change the information for these required fields: In the Serer name field, type a name to describe the system that will use the certificate. Although you can gie the system any name, usually you should use the TCP/IP host name for the system. Chapter 4. Using Digital Certificate Manager 37
   - In the Organization name field, type the name of your company or organizational unit.
   - In the State or province field, type a designation for your state or province. This designation must be at least three characters long.
   - In the Country field, type the two-letter designation for your country.
4. Select OK.

The System Certificate Renewed Successfully page displays. This page provides the information that you need to complete the certificate renewal process.

Completing the process for renewing a system certificate

The System Certificate Renewed Successfully page allows you to complete the process for renewing your system certificate. The contents of this page vary based on the type of Certificate Authority (CA) that you chose to renew your system certificate.

Local Certificate Authority signs certificate
When you use a local CA to renew a system certificate in the *SYSTEM certificate store, this page displays a list of applications. The list indicates which applications used the original certificate. Select the applications that should use the new certificate for SSL communications, and click the OK button. The Secure Applications Status page displays to confirm that the selected applications are set to use the new certificate.

Note: If you do not select an application that used the original certificate, the application remains associated with the original certificate. If the original certificate is no longer valid (for instance, it expires), the application that uses it may not be able to use SSL. To correct this problem, use the Work with secure applications task to select a valid certificate for the application to use.

Internet Certificate Authority signs certificate
When you use an Internet CA to renew a system certificate, DCM stores the new private key in the system certificate store that you specified. The System Certificate Renewed Successfully page displays the certificate request data that your Internet CA needs. This data is a text-encoded certificate request that carries the new public key; it is signed with the new private key, not encrypted, and the private key itself never leaves the certificate store. Copy and paste this data into the request form that your Internet CA requires. Then send the form to the CA to receive your signed system certificate.

Warning: Be careful when you copy and paste, because this is the only copy of the certificate request data. If you leave this page in your browser, the certificate request data is lost, and you must perform the Renew a system certificate task again to create a new request.

After the Internet CA returns the signed certificate, use the Receive a system certificate task to add the certificate to the system certificate store that you specified when you renewed the certificate. You can then use the Work with secure applications task to set which applications should use the certificate for SSL communications.

If the certificate that you renew is in a certificate store other than the *SYSTEM store, this page displays a confirmation of the renewal only. You cannot select applications to use a certificate in certificate stores other than *SYSTEM.
Exporting a copy of a certificate

From the Export Certificate page, you can copy a certificate and its associated keys to a file that you specify. You can then transfer the file to another AS/400 and use Digital Certificate Manager on that system to import the certificate. You can export either a system certificate or a Certificate Authority certificate.

To export the selected certificate, provide the following information on the Export Certificate page:
1. In the Export to file name field, type the full path and file name of the file into which you want to copy the selected certificate.
2. In the Password field, type a password to encrypt the export file. Use standard AS/400 password rules. If you export a system certificate, the file contains its private key; protect the file and the password as carefully as the certificate store itself, and do not send them to the other system together.
3. In the Confirm password field, type the password again for verification.
4. Select a Target Release. Choose the release of DCM on the system to which you are exporting the certificate. You can select one of these target releases:
   - V4R5M0. Select this format if DCM on the other system is at V4R5 or a later release.
   - V4R4M0. Select this format if DCM on the other system is at V4R4.
   - V4R3M0. Select this format if DCM on the other system is at V4R3.
   - V4R2M0. Select this format if DCM on the other system is at V4R2.
5. Click OK.

A message displays that DCM successfully copied the certificate to the file that you specified. You can manually transfer the file to another AS/400 so that applications on that system can use it.

Note: If you specify the path and file name of an existing file, an error message displays, because DCM does not overwrite existing files.

If you export a system certificate for an AS/400 at V4R4 or later, use the Work with certificates task on the system that has the exported copy to import the certificate into a system certificate store. If you import the certificate into the *SYSTEM certificate store, you can then use the Work with secure applications task to specify which applications should use the certificate for SSL communications.

If you export a CA certificate for an AS/400 at V4R4, use the Work with certificates task on the system that holds the exported copy to import the certificate into a system certificate store. You can then view the imported CA certificate by using the Work with Certificate Authorities task.

If you export a CA certificate for an AS/400 at V4R5, use the Work with Certificate Authorities task on the other system to import the certificate into a system certificate store, where it establishes the trust that the secure server needs for SSL.

If the other AS/400 is at V4R3, use its import task to import the certificate into a server key ring file. This is true for either a system certificate or a CA certificate.
Importing a copy of a certificate

From the Import Certificate page, you can import a copy of a certificate into the current system certificate store. Generally, you import a copy of a certificate that you exported from Digital Certificate Manager (DCM) on another AS/400.

Note: To add a new system certificate that you requested from an Internet CA and that the CA has just issued, use the Receive a system certificate task instead.

You must provide the following information to import the certificate:
1. In the Import file field, type the full path and file name of the file that contains the certificate that you want to import.
2. In the Password field, type the password for the file. Use the password that you set when you used DCM on the other system to export the certificate.
3. Select a Release level of certificate being imported. Choose the release level that matches the target release that you used to export the certificate from the other system. Normally, this is the same as the release level of DCM that you are using on this system. You can select one of these values:
   - V4R5M0. Select this value if you selected V4R5M0 as the target release when you exported the certificate on the other system.
   - V4R4M0. Select this value if you selected V4R4M0 as the target release when you exported the certificate on the other system.
   - V4R3M0. Select this value if you selected V4R3M0 as the target release when you exported the certificate on the other system.
   - V4R2M0. Select this value if you selected V4R2M0 as the target release when you exported the certificate on the other system.
4. Click OK.

A message displays that DCM successfully imported the certificate, and the imported certificate appears in the list of certificates. If you imported the certificate into the *SYSTEM certificate store, you can use the Work with secure applications task to specify which applications should use the imported certificate for SSL communications.

Note: You cannot select applications to use a certificate in a certificate store other than *SYSTEM.

Completing the Create a System Certificate form

After you select the type of Certificate Authority that will sign the system certificate, the Create a System Certificate form displays. To complete the form, follow these steps:
1. Select a key size to use for the public and private keys for the certificate. A larger key is harder to attack, but key generation and SSL handshakes take longer.
2. Provide information for these required fields:
   - In the Key label field, type a name for the new system certificate private key. You cannot use a key label that already exists in the current certificate store.
   - In the Server name field, type a name to describe the server. Although you can give the server any name, use the fully qualified TCP/IP host name that clients use to reach the server whenever possible, because SSL clients compare this name with the host name that they connected to.
   - In the Organization name field, type the name of your company or organizational unit.
   - In the State or province field, type a designation for your state or province. This designation must be at least three characters long.
   - In the Country field, type the two-letter designation for your country.
3. Click the OK button.
The System Certificate Created Successfully page displays so that you can complete the process of creating your system certificate.

Completing the process for creating a system certificate

The System Certificate Created Successfully page allows you to complete the process for creating your system certificate. The contents of this page vary based on the type of Certificate Authority (CA) that you chose to create your system certificate.

Local Certificate Authority signs certificate
When you use a local CA to create a system certificate in the *SYSTEM certificate store, this page displays a list of applications. Select which applications should use the new certificate for SSL communications, and click the OK button. The Secure Applications Status page displays to confirm that the selected applications are set up to use the new certificate.

Internet Certificate Authority signs certificate
When you use an Internet CA to create a system certificate, DCM stores the new private key in the specified system certificate store. The System Certificate Created Successfully page displays the certificate request data that your Internet CA needs. This data is a text-encoded certificate request that carries the new public key; it is signed with the new private key, not encrypted, and the private key never leaves the certificate store. Copy and paste this data into the request form that your Internet CA requires, then send the form to the CA to receive your signed system certificate.

Warning: Be careful when you copy and paste, because this is the only copy of the certificate request data. If you leave this page in your browser, the certificate request data is lost, and you must perform the Create a system certificate task again to create a new request.

After the Internet CA returns the signed certificate, use the Receive a system certificate task to add the certificate to the system certificate store that you specified when you created the certificate. You can then use the Work with secure applications task to set which applications should use the certificate for SSL communications.

If the certificate that you create is in a certificate store other than the *SYSTEM store, this page displays a confirmation of the creation only. You cannot select applications to use a certificate in a certificate store other than *SYSTEM.

Changing a system certificate store password

From the Change Certificate Store Password page, you can change the password for the current system certificate store. From this page you can also set the password expiration policy for the certificate store.

To change the password for the current system certificate store, follow these steps:
1. In the New password field, type the new password that you want to use for the certificate store. Use standard AS/400 password rules to create the new password.
2. In the Confirm password field, type the new password again for verification.
   Note: Be sure that you can remember the password that you set, or write it down and store it in a secure place. If you forget the password, you cannot reset or recover it, and you lose access to your certificate store.
3. If you want the password to expire after a specific length of time, select the Password expires option. Then type the number of days for which the new password is valid.
4. Select OK. A page confirming the password change displays.

Note: After you change the password for the current certificate store, you can no longer access system certificate tasks until you re-enter the store. Click the System Certificates task link in the frame on the left to exit the current certificate store and close the task list. When you select the System Certificates task link again, the Certificate Store and Password window displays. After you supply the new password for the certificate store, you can access the tasks.

Creating a new system certificate store

In Digital Certificate Manager, you cannot create an empty system certificate store. You must create a system certificate to populate the new system certificate store. After you select the type of Certificate Authority that will sign your certificate, complete the Create a System Certificate form. You must provide the following information:
1. Select a key size to use for the public and private keys for the certificate. A larger key is harder to attack, but key generation and SSL handshakes take longer.
2. Provide information for these required fields:
   - In the Key label field, type a name for the new system certificate private key.
   - In the Certificate store path and file name field, type the path and file name that you want to use for the new system certificate store. The file name must end with the extension .kdb, unless you are creating the *SYSTEM certificate store. (DCM automatically handles *SYSTEM as a .kdb file.) An example of a file name is /mydirectory/myfile.kdb.
   - In the Certificate store password field, type the password that you want to use to protect access to the new certificate store. Use standard AS/400 password rules to formulate the password.
   - In the Confirm password field, type the password again for validation.
   Note: Be sure that you can remember the password that you set, or write it down and store it in a secure place. If you forget the password, you cannot reset or recover it, and you lose access to your certificate store.
   - In the Server name field, type a name to describe the server. Although you can give the server any name, use the TCP/IP host name of the server whenever possible.
   - In the Organization name field, type the name of your company or organizational unit.
   - In the State or province field, type a designation for your state or province. This designation must be at least three characters long.
   - In the Country field, type the two-letter designation for your country.
3. After you complete the form, click the OK button.
The System Certificate Created Successfully page displays with a message that DCM created and stored the new certificate in the certificate store that you specified.

When you use a local CA to create a system certificate, DCM stores the new certificate and private key in the current system certificate store. When you use an Internet CA to create a system certificate, DCM stores the new private key and creates certificate request data instead of a certificate. This data is a text-encoded certificate request that carries the new public key (it is signed with the new private key, not encrypted). You must copy and paste this data into the request form that your Internet CA requires, and send the form to the CA to receive your signed system certificate. After the Internet CA returns the signed certificate, use the Receive a system certificate task to add the certificate to the system certificate store that you specified when you created the certificate.

Deleting a system certificate store

From the Delete Certificate Store page, you can view the keys that the current certificate store contains before you confirm the deletion. If secure applications use a certificate in the current store, you can view the list of those applications by using the View applications button.

When you delete a certificate store, you delete all certificates in that store. If any secure application used a certificate from the deleted store to make Secure Sockets Layer (SSL) connections, that application can no longer use SSL for secure communications.

After you review the contents of the certificate store, click the Delete button to confirm the deletion. A message displays that the store was deleted.

Attention: Once you delete a certificate store, you cannot undo the deletion. If you delete a certificate store, you must use other Digital Certificate Manager (DCM) functions to recreate any customizations that were made in the old certificate store.

Receiving a system certificate

From the Receive a System Certificate page, you can add an existing system certificate to the current system certificate store. Usually, this is a system certificate that an Internet Certificate Authority signed in response to request data that DCM created. Receive the certificate into the same store in which you created the request, because that store holds the private key that belongs to the certificate.

To receive a system certificate into the current certificate store, follow these steps:
1. In the field that is provided, type the fully qualified path and file name of the system certificate that you want to receive.
2. Click OK. The Certificate Successfully Received page displays.

If you received the certificate into the *SYSTEM certificate store, you can use the Work with secure applications task to specify which applications should use the certificate for SSL communications.

Note: You cannot select applications to use a certificate in a certificate store other than *SYSTEM.
Working with CA certificates

From the Work with Certificate Authorities page, you can manage the Certificate Authority (CA) certificates in the current system certificate store. You can perform these actions for CA certificates in the specified system certificate store:
- Specify a CA certificate as a trusted root.
- Remove the trusted root designation from a CA certificate.
- View information for a CA certificate.
- Delete a CA certificate.
- Import a CA certificate from another AS/400 into the current system certificate store.
- Export a CA certificate to a file that you can transfer to another system.

To specify a CA certificate as a trusted root, follow these steps:
1. Select the certificate that you want to designate as a trusted root.
2. Click the Trust button. A new page displays with a message at the top of the page to confirm the new trusted status for the certificate. If you are in the *SYSTEM certificate store, you can select from this page which applications should trust the CA.

To remove the trusted root status from a CA certificate, follow these steps:
1. Select the certificate from which you want to remove the trusted root status.
2. Click the Do not trust button. If you are in the *SYSTEM certificate store and there are applications that trust the selected CA, a new page displays with a list of these applications. If you confirm the do not trust action, these applications can no longer authenticate certificates that this CA issued. Consequently, the affected applications cannot establish secure communications with systems that present certificates from this CA. You must select another CA as a trusted root for these applications to trust.
3. Click the Do not trust button to confirm that you want to remove the trusted root status of the specified CA certificate.

To view information for a CA certificate, follow these steps:
1. Select the certificate that you want to view.
2. Click the View button to display the Certificate and Key Information page for the selected certificate.
3. When you finish viewing the information for the certificate, click the OK button to return to the Work with Certificate Authorities page.

To delete a CA certificate, follow these steps:
1. Select the certificate that you want to delete.
2. Click the Delete button to display the Delete Certificate and Associated Key page for the selected certificate. This page allows you to review the information for the certificate to confirm that it is the certificate that you want to delete.
3. If you are in the *SYSTEM certificate store and there are secure applications that trust the CA, you can view the list of applications by using the View applications button.
4. When you finish reviewing the information for the certificate, click the Delete button to return to the Work with Certificate Authorities page. At the top of the page, a message confirms that the certificate and keys were deleted.

To export a CA certificate and its public key to a file that you can transfer to another AS/400, follow these steps:
1. From the list, select the certificate that you want to export to a file.
2. Click the Export button to display the Export Certificate page. Complete the Export Certificate form and click the OK button. A message that the certificate was exported to the file that you specified displays at the top of the page. You can manually transfer the file to another AS/400 so that applications on that system can use it.

To import a certificate from another AS/400 into the current certificate store, follow these steps:
1. Click the Import button to display the Import Certificate page. Complete the Import Certificate form and click the OK button. A message that the certificate was added to the current certificate store displays at the top of the page. The certificate that you imported also appears in the list of certificates. Use the Work with secure applications task if you want secure applications to use this certificate.

Note: References to actions that affect secure applications are meaningful for the *SYSTEM certificate store only. Functions for secure applications are not available for other system certificate stores.

Deleting a Certificate Authority certificate

From the Delete Certificate and Associated Key page, you can delete the selected Certificate Authority (CA) certificate. When you access the page, it displays the certificate so that you can review it before you delete it. If secure applications trust the CA, you can view the list of applications by using the View applications button.

Note: References to actions that affect secure applications are meaningful for the *SYSTEM certificate store only. Functions for secure applications are not available for other system certificate stores.

If you delete the CA certificate, these applications can no longer authenticate certificates that the deleted CA issued. Consequently, the affected applications cannot establish secure communications with systems that present certificates from the deleted CA. You must specify another CA as a trusted root for these applications so that they can continue to use SSL.

To confirm that you want to delete the CA certificate, click the Delete button.

Note: Deleting a Certificate Authority certificate is a permanent action; there is no way to undo the deletion.

Receiving a CA certificate

From the Receive Certificate Authority Certificate page, you can add a Certificate Authority (CA) certificate to the current system certificate store. This can be either an Internet CA certificate or an intranet CA certificate that you created in Digital Certificate Manager (DCM) on another AS/400. When you receive a CA certificate into a system certificate store, DCM automatically designates it as a trusted root. Because every certificate that this CA issues will then be accepted by the applications that you set to trust it, verify the origin of the CA certificate file before you receive it, for example by comparing its fingerprint with the value that the CA publishes.

To receive a CA certificate into the current certificate store, follow these steps:
1. In the CA certificate label field, type a label for the certificate. You cannot use a label that already exists in the current certificate store.
2. In the CA certificate file name field, type the fully qualified path and file name of the file that contains the CA certificate that you want to receive.
3. Click OK. The Receive Certificate Successful page displays, which allows you to complete the process for receiving a CA certificate.
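The Internet CA flow described under Completing the process for creating a system certificate and Receiving a system certificate, and the trusted-root handling described under Working with CA certificates and Receiving a CA certificate, can be modelled end to end with a few X.509 calls. The following Go program is an added example and is not DCM or IBM code: a constructed stand-in CA signs a request, the receiving side accepts the returned certificate only if it belongs to the private key already in its store, a received CA certificate is refused as a trusted root unless it really is a CA certificate, and a "secure application" authenticates the server certificate only while the issuing CA is among its trusted roots. The host name as400.example.com and the CA name are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Added example, not DCM code: the Internet CA request/receive flow and the
// trusted-root check in Go's standard library. The CA is a constructed
// stand-in for an Internet or local CA; the host name is illustrative.

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA certificate, the authority that signs requests.
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internet CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// createRequest is the Create a System Certificate step for an Internet CA: the key
// stays in the store; the PEM text is the "request data" pasted into the CA's form,
// a PKCS #10 request signed by the new private key (it is not ciphertext).
func createRequest(host string) (*rsa.PrivateKey, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	must(err)
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// signRequest is the CA's side: verify the request's own signature, then issue
// the DER certificate that is sent back for the public key the request carries.
func signRequest(csrPEM []byte, ca *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("request data is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, fmt.Errorf("bad certificate request: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// receiveCertificate is the Receive a System Certificate step: accept the
// returned certificate only if it was issued for the private key in this store.
func receiveCertificate(certDER []byte, key *rsa.PrivateKey) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("certificate does not match the private key in this store")
	}
	return cert, nil
}

// trustedRoot is the Receive a CA Certificate step. Verify accepts any certificate
// placed in Roots, so insist on a real CA certificate before trusting it as one.
func trustedRoot(ca *x509.Certificate) (*x509.CertPool, error) {
	if !ca.BasicConstraintsValid || !ca.IsCA {
		return nil, fmt.Errorf("%q is not a CA certificate", ca.Subject.CommonName)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, nil
}

// authenticates is what a secure application does with a peer's certificate:
// it succeeds only if the issuing CA is among the roots the application trusts.
func authenticates(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := newCA()
	key, csrPEM := createRequest("as400.example.com")
	certDER, err := signRequest(csrPEM, ca, caKey)
	must(err)
	cert, err := receiveCertificate(certDER, key)
	must(err)
	roots, err := trustedRoot(ca)
	must(err)
	fmt.Println(authenticates(cert, roots, "as400.example.com"), authenticates(cert, x509.NewCertPool(), "as400.example.com"))
}
```

Run it with go run. The second value printed is the state an application is left in after Do not trust or Delete: the same certificate stops authenticating as soon as its issuing CA is no longer among the trusted roots, which is why the topic tells you to designate another CA before removing one. The trustedRoot check stands in for the fingerprint comparison recommended above: Go's Verify treats every certificate in Roots as an anchor, so receiving a non-CA certificate as a "CA" would make that single certificate trusted outright.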
Completing the process for receiving a CA certificate

After you complete the Receive Certificate Authority Certificate page, the Receive Certificate Successful page displays. This page allows you to complete the process for receiving your CA certificate. The contents of this page vary based on which certificate store you are using.

When you receive a CA certificate into the *SYSTEM certificate store, this page displays a list of applications. Select which applications should trust the CA, and click the OK button. The Secure Applications Status page displays to confirm that the selected applications are set to trust the new certificate.

If you receive the certificate into a certificate store other than the *SYSTEM store, this page displays a confirmation message only.

Working with secure applications

From the Work with Secure Applications page, you can manage the certificates that your secure applications use.

Note: The Work with Secure Applications task appears in the System Certificates task list only if you are working in the *SYSTEM certificate store.

From this page you can perform the following actions for your secure applications:
- View the certificate information for an application.
- Manage the system certificates that applications use.
- Manage the CA certificates that applications trust.

Viewing the certificate information for an application
To view certificate information for an application, follow these steps:
1. Select the application for which you want to view certificate information.
2. Click the View button to display the Application Information page for the selected application.
3. Click the Show detail button to display the Certificate and Key Information page. This page allows you to view detailed information about the system certificate that the application uses for secure communications.
4. When you finish viewing the information for the certificate, click the OK button to return to the Application Information page.
5. Click the OK button to return to the Work with Secure Applications page.

Managing system certificates used by applications
To manage the system certificate that an application uses for secure communications, follow these steps:
1. Select the application for which you want to manage the system certificate.
2. Click the Work with system certificate button to display the Work with System Certificate page for the selected application. Information at the top of the page indicates which certificate in the displayed list the application currently uses.
3. Select a certificate from the list.
4. Select an action to perform on the certificate:
   - When you click the View button, the Certificate and Key Information page displays. When you finish viewing the information for the certificate, click the OK button to return to the Work with System Certificate page.
   - When you click the Assign new certificate button, you change the certificate that the application uses for SSL to the one that you selected. The Assign System Certificate page displays with a message confirming the change at the top of the page.
5. To remove the system certificate that is currently associated with the application, click the Remove certificate button. The Certificate and Key Information page displays so that you can review the certificate information before you confirm the removal.

Note: When you change or remove the certificate for an application, a running application may or may not recognize the change. For example, Client Access Express servers automatically apply any certificate changes that you make. However, you may need to stop and restart Telnet servers and IBM HTTP Server instances before these applications apply your certificate changes.

Managing application trusted CA certificates
To manage the CA certificates that an application trusts, follow these steps:
1. Select the application for which you want to manage the CA certificates.
2. Click the Work with Certificate Authority button to display the Certificate Authority Information page for the selected application. This page displays a list of all CA certificates available in the *SYSTEM certificate store. For each CA certificate in the list, the page indicates whether the application trusts it.
3. Select a CA certificate from the list.
4. Select an action to perform on the certificate:
   - When you click the View button, the Certificate and Key Information page displays. When you finish viewing the information for the certificate, click the OK button to return to the Certificate Authority Information page.
   - When you click the Trust button, you designate that the application should trust the selected CA certificate. A message confirming the new status for the CA certificate displays at the top of the page.
   - When you click the Do not trust button, you remove the trusted root status that the certificate has with the application. A message confirming the new status for the CA certificate displays at the top of the page.

Application IDs
Because it may be difficult to remember how IDs match with applications, the following tables list IDs and their corresponding applications. They are not meant to be comprehensive.

Table 1. Cluster Management
Application ID                    Corresponding Application
QIBM_QCST_CLUSTER_SECURITY        OS/400 Cluster Security

Table 2. Base Certificate Authority (CA) Server
Application ID                    Corresponding Application
QIBM_OS400_QZBS_SVR_CENTRAL       OS/400 TCP Central Server
QIBM_OS400_QZBS_SVR_DATABASE      OS/400 TCP Database Server
QIBM_OS400_QZBS_SVR_DTAQ          OS/400 TCP Data Queue Server
QIBM_OS400_QZBS_SVR_NETPRT        OS/400 TCP Network Print Server
QIBM_OS400_QZBS_SVR_RMTCMD        OS/400 TCP Remote Command Server
QIBM_OS400_QZBS_SVR_SIGNON        OS/400 Signon Server
QIBM_OS400_QZBS_SVR_FILE          OS/400 TCP File Server

Table 3. LDAP Services
Application ID                    Corresponding Application
QIBM_GLD_DIRSRV_SERVER            Directory Services server
QIBM_GLD_DIRSRV_PUBLISHING        Directory Services publishing

Table 4. DRDA
Application ID                    Corresponding Application
QIBM_OS400_QRW_SVR_DDM_DRDA       OS/400 DDM/DRDA Server-TCP/IP

Table 5. Telnet
Application ID                    Corresponding Application
QIBM_QTV_TELNET_SERVER            OS/400 TCP/IP Telnet Server

Table 6. SysMgt Platform
Application ID                    Corresponding Application
QIBM_OS400_QYPS_MGTCTRL_SVR       AS/400 Management Central Server

Table 7. Base Server/Administration and Configuration
Application ID                    Corresponding Application
QIBM_HTTP_SERVER_ADMIN            HTTP Server Admin Instance
QIBM_HTTP_SERVER_DEFAULT          HTTP Server Default Instance

Note: For each HTTP Server instance, an application is created. Its application ID starts with QIBM_HTTP_SERVER_, followed by the name of the instance.

Note: Customer-written secure applications are not supplied by IBM. Their application IDs begin with something other than QIBM_.

User certificate tasks

When you select the User Certificates link, you can select one of these tasks:
- Request a new user certificate: allows you to request a user certificate from the intranet CA.
- Manage registered certificates: allows you to view or delete user certificates for other users, if your user profile has *SECADM and *ALLOBJ special authorities. If your user profile does not have these authorities, you can view or delete your own certificates only.
- Register an existing user certificate: allows you to associate a certificate with a user profile. The certificate may be from an Internet CA or from any local or intranet CA, but the server must trust the issuing CA, and the certificate must not already be associated with a user profile on this system.

Requesting a user certificate

If you want to use digital certificates for user authentication, users must have certificates.
If you use Digital Certificate Manager (DCM) to create an intranet Certificate Authority, you can use the CA to issue certificates to each user. Each user must use DCM to request a certificate by using the Request a User Certificate form. However, the system administrator must first ensure that your CA policy allows your CA to issue user certificates.

48 AS/400e: Digital Certificate Management

To complete the Request a User Certificate form, follow these steps:

1. Type the appropriate information into any fields that the Digital Certificate Manager program did not update for you.
2. If the page displays a Key size list box, use it to select a key size for your public and private keys. The bigger the key, the more secure the encryption it provides.
3. Select OK to process the form. The browser then generates a public/private key pair, and may ask that you assign a password to protect your private key. Your browser may display windows to guide you through this process. Follow the browser's instructions for these tasks. After the browser generates the keys, the User Certificate Created Successfully page displays.
4. Install the certificate in your browser as the page directs. Your browser may display windows to guide you through this process. Follow the instructions that the browser gives to complete this task.
5. Click the Done button to return to the Digital Certificate Manager entrance page.

During processing, the Digital Certificate Manager automatically associates your AS/400 user profile with the certificate. If you prefer to use an Internet or other CA to issue user certificates, users must use DCM to register the existing certificate instead.

Selecting a key size for user certificates

The key sizes available in the selection box vary according to the country in which your system is located. Some countries, such as France, restrict the size of keys that may be imported for use. The United States also has export restrictions on certain larger key sizes. Additionally, browser software has built-in support for a limited set of key sizes. As a result, the browser actually generates the selection box for user certificate key sizes based on both of these factors. The key size that you select determines the size of the public key and private key that accompany your certificate. Because larger keys provide more secure encryption, choose the largest key size available to you.

Note: Not all browsers create a key size selection box for the Request a User Certificate page. Netscape browsers do provide the selection box.

Managing registered certificates

Digital Certificate Manager (DCM) allows you to manage registered user certificates. Any user profile with *SECADM and *ALLOBJ special authorities can use the Manage registered certificates task to view or delete any registered certificate. Other users without both of those special authorities can use this task to manage their own user certificates only. A user certificate is registered in DCM when users request a new user certificate or when users register an existing certificate.
If you have authority to manage other users' certificates, the Registered Certificates page displays when you select the Manage registered certificates task. If you only have authority to manage your own certificates, a page that displays a list of your registered certificates displays instead.

To manage registered certificates, follow these steps:

1. In the User profile name field, type the user name whose certificates you want to manage.
2. Click the OK button to display the registered certificates for the user name that you specified. From this page you can either view a certificate or delete a certificate.
   Note: These first two steps are only successful if you have the proper authority to manage certificates for the user profile you select.
3. Select the certificate that you want to manage from the list box.
   - To view the selected certificate, select View. Select Done.
   - To delete the selected certificate, select Delete. A page displays with detailed information for the selected certificate so that you may review it before you delete it. Select Delete to confirm the deletion. Select Done.
   Note: If you are managing another user's certificates, you must select the Done button to return to the first Registered Certificates page.
4. If you are finished managing certificates, select Done to return to the Digital Certificate Manager entrance page.

Registering an existing user certificate

If you want to use digital certificates for user authentication, users must have certificates. If you use an Internet Certificate Authority (CA) to issue certificates to your users, they can use Digital Certificate Manager (DCM) to register their certificates. This allows you and the user to use DCM to manage user certificates.

When you select the Register an existing user certificate task, a new browser window is displayed. If you are not yet using https on your system's secure admin server port (this is determined by the URL that is used to get to DCM; 2001 is the default non-secure port for the admin server), and if the secure admin server is set up correctly on your system, and if your browser contains a certificate issued by a Certificate Authority that the system accepts as a trusted root, then the browser may display its own windows to help you select the certificate to use. DCM then displays the certificate information in the browser window it created when you selected the Register an existing user certificate task. If DCM does not display information from a certificate, you may have one of several problems to resolve.

To complete the process of registering your certificate, follow these steps:

1. After reviewing the certificate information, select OK to confirm that you want to register the certificate.
2. Select Done to return to the Digital Certificate Manager entrance page.

During processing, the Digital Certificate Manager automatically associates your AS/400 user profile with the certificate. If you prefer to use your own intranet CA to issue user certificates, users must request a new user certificate instead.
Chapter 5. Troubleshooting DCM

You can use the following tables to troubleshoot some of the problems you may encounter while working with DCM. For troubleshooting other errors, review Migrating errors and recovery solutions and Troubleshooting for registering an existing user certificate in the Information Center.

Key database concerns

Concern: You cannot find additional help for DCM.
Possible solution: In DCM, click the ? help icon. You can also search the Information Center and external sites on the Internet.

Concern: The system has not found the key database, or has found it to be invalid.
Possible solution: Check your password and file name for typographical errors. Be sure that the path is included with the file name, including the leading forward slash.

Concern: Key database creation failed.
Possible solution: Check for a file name conflict. The conflict may exist in a different file than the one for which you asked.

Concern: The V4R3 system does not accept a CA text file transferred in binary from V4R4 or from V4R5. It does accept the file when it is transferred in American National Standard Code for Information Interchange (ASCII).
Possible solution: Key rings and key databases are binary files and, therefore, different than the CA text file. You must use File Transfer Protocol (FTP) in ASCII mode for CA text files and FTP in binary mode for binary files, such as .kdb, .kyr, .sth (if it exists), .rdb, and so on.

Concern: You cannot change the password of a key database.
Possible solution: After verifying that an incorrect password is not the problem, find and delete the invalid certificate or certificates from the certificate store, and then try to change the password.

Concern: A certificate in the key database is no longer valid.
Possible solution: If you have expired certificates in your certificate store, the expired certificates are no longer valid. Since the certificates are not valid, the password change function for the certificate store may not allow the password to be changed, and the encryption process will not encrypt the private keys of the expired certificate. This keeps the password change from occurring, and the system may report that certificate store corruption is one of the reasons. You must remove the invalid (expired) certificates from the certificate store.

Concern: You need to use certificates for an Internet user and therefore need to use validation lists, but DCM does not provide functions for validation lists.
Possible solution: Business partners who are writing applications to use validation lists must write their code to associate the validation list with their application as expected. They must also write the code that determines when the Internet user's identity is appropriately validated so that the certificate can be added to the validation list. Consult the System API Reference Manual for help with the QsyAddVldlCertificate API. Consult the Webmaster's Guide for help with configuring the secure server instance to use the validation list.

Hypertext Transfer Protocol (HTTP) concerns

Concern: HTTPS does not work.
Possible solution: Be sure the HTTP Server is set up correctly. The V4R4 or later configuration file must have SSLMODE ON and APPNAME set by using the HTTP Server's graphical user interface (GUI), not by using wrkhttpcfg. Also, be sure the server instance is created and the server certificate is signed.

Concern: The process for registering an HTTP Server instance as a secure application needs clarification.
Possible solution: On your AS/400 system, go to the HTTP Server's web interface to do configuration and administration. Set the configuration for your server. You must use the security configuration screen to set the directives in the configuration file or the system will not do the registration. Specifically, on the security configuration screen, you must allow SSL connections, you must select a suitable and unused port, and you must apply your changes. Note that registering your instance does not automatically choose which of your system certificates is the one to use. You must choose which certificate is the one that you determine is the right one. You must also assign that certificate to your application before you try to end and then restart your server instance.

Concern: You are having difficulty setting up the HTTP Server for validation lists and optional client authentication.
Possible solution: See the HTTP Server Webmaster's Guide for options on setting up the instance. This information is also available in the Information Center.

Concern: Netscape waits for the configuration directive in the HTTP Server code to expire before allowing you to select a different certificate.
Possible solution: A large certificate value makes it hard to register a second certificate, since the browser is still using the first one.

Concern: You are trying to get the browser to present the X.509 certificate to the HTTP Server so that you can use the certificate as input to the QsyAddVldlCertificate or QSYADDVC APIs.
Possible solution: You must use HTTPS with SSLMODE ON and SSLClientAuth ON in order to get the HTTP Server to load the HTTPS_CLIENT_CERTIFICATE environment variable. You can find these APIs in the System API Reference Manual. You may also want to look at these validation list or certificate related APIs: QsyListVldlCertificates and QSYLSTVC, QsyRemoveVldlCertificate and QRMVVC, QsyCheckVldlCertificate and QSYCHKVC, QsyParseCertificate and QSYPARSC, and so on.

Concern: You cannot find the request file that is created when the HTTP Server is installed. The system uses this file to indicate the valid keyrings found on the KEYFILE directive in the configuration files in its directory.
Possible solution: The Information Center shows how to find these files in Migrating from a V4R3 version of DCM to a V4R5 version. For HTTP Server: /qibm/userdata/httpsvr/keyring/keymreq.crt. For LDAP: /qibm/userdata/os400/dirsrv/qdirsrv.crt.

Concern: The HTTP Server takes too long to return or times out if you request a list of the certificates in the validation list and there are more than 10,000 items.
Possible solution: Create a batch job that looks for and deletes certificates matching certain criteria, such as all those that have expired or are from a certain CA.

Concern: You observed a problem with your certificate stores after installing V4R5 over a previous release, and /qibm/userdata/httpsvr/keyring/keymreq.crt or /qibm/userdata/os400/dirsrv/qdirsrv.crt now exist. The system could not complete the automatic key ring to key database migration.
Possible solution: Specify the old keyring files as the certificate store, and find and delete the invalid certificate or certificates from the keyrings before calling qicss/qyepmgrt to re-attempt the migration. Or, ignore or delete the .crt file if the migration activity has moved all the important certificates.

Concern: The HTTP Server will not successfully start with SSLMODE ON, and DSPMSG QSYSOPR shows that QSECOFR received an error message SSL_Init rc=-24 errno=-3021 when the HTTP Server fails.
Possible solution: Error number -24 means the certificate has expired. If the server instance is the *ADMIN server, then temporarily turn SSLMODE OFF so that you can use DCM on the *ADMIN server. Use Work with Secure Applications and assign a different system certificate to the application, for example QIBM_HTTP_SERVER_ADMIN if the server instance is the *ADMIN server.

Password and general concerns

Concern: You cannot access your certificate store.
Possible solution: When you restore a certificate store to an AS/400 system, you may need to change the certificate store password on that system using DCM to ensure that the password used to encrypt the contents of the certificate store matches the certificate store password that is stored internally on the system. If the passwords do not match, you will not be able to use the certificate store. The passwords will not match if you have changed the password since the last time the certificate store was saved, or if you restore the certificate store to an AS/400 system other than the one on which the save operation was done. Also, if you rename the certificate store or move the certificate store to a different directory on the system, you must change the password of the renamed or moved certificate store using DCM to ensure that the passwords match.

Concern: Your password for the CA and *SYSTEM certificate store does not work.
Possible solution: Passwords are case sensitive. Be sure the caps lock is the same as it was when you assigned the password.

Concern: Garbage characters appear in place of National Language Support (NLS) characters on the certificate store and password window.
Possible solution: Use only the supported characters, which do not include NLS characters.

Concern: You cannot find a source for a CA certificate to receive it into AS/400.
Possible solution: Some CAs do not make their CA certificate readily available. If you cannot get the CA certificate from the CA, then contact your VAR, since your VAR may have made special or monetary arrangements with the CA.

Concern: You cannot find *SYSTEM.
Possible solution: The location is /qibm/userdata/icss/cert/server/default.kdb. If that certificate store does not exist, you need to use DCM to create the certificate store. Use the Create new certificate store function under System Certificates, and then click the Create button.

Concern: You received an error from DCM, and the error continues to appear after you have fixed it.
Possible solution: Clear the cache. Set the cache size to 0, and then end and start the browser.

Concern: You have an LDAP server problem such as certificate assignments not being shown when the information about the secure application is displayed immediately after assigning a certificate. This problem occurs more often when using Operations Navigator to get to a Netscape web browser. Your default preference is set to "Document in cache is compared to document on network = once per session".
Possible solution: Change your default preference to check the cache every time.

Concern: Receive a System Certificate, when used to receive a system certificate signed by an external CA such as Entrust, gives the message "The validity period does not contain today or does not fall within its issuer's validity period."
Possible solution: The system is using Generalized Time format for the validity period. Wait a day and try again. Also, verify that your AS/400 has the correct value for UTC offset (dspsysval qutcoffset). If you observe Daylight Savings Time, your offset might be incorrectly set.

Concern: You received a base 64 error when trying to receive an Entrust certificate.
Possible solution: The certificate is listed as being a specific format such as PEM format. If the copy function of your browser does not work well and, as a result, you copy extra material that does not belong with the certificate, such as blank spaces at the front of each line, then the certificate will not be the right format when you try to use it on the AS/400. Some web page designs cause this problem. Other web pages are designed to avoid this problem. Be sure to compare the appearance of the original certificate to the results of the paste, since the pasted information should look the same.

Concern: Migrate system certificate does not work on expired system certificates.
Possible solution: The expired system certificate is now bad and cannot get into the *SYSTEM certificate store. Remove or rename old key rings from V4R3 before migrating, ignore the migration fail indicator, or try the migration again.

Concern: You cannot find the sample code for adding certificates into validation lists.
Possible solution: The sample code is not yet available.

Browser concerns

Concern: Microsoft Internet Explorer (MSIE) does not let you select a different certificate until you start a new browser session.
Possible solution: Begin a new browser session for MSIE.

Concern: MSIE does not show all selectable client/user certificates in a browser's selection list. MSIE only shows certificates, issued by the trusted CA, that you can use at the secure site.
Possible solution: A CA must be trusted in the key database as well as by the secure application. Be sure you signed on to the PC for the MSIE browser with the same user name as the one which put the user certificate in the browser. Get another user certificate from the system to which you are going. The System Administrator should be sure the key database still trusts the CA that signed the user and system certificates.

Concern: MSIE 5 receives the CA, but cannot open the file or find the disk for Save to disk.
Possible solution: This is a new browser feature for certificates that are not yet trusted by the browser. You can choose the location on your PC.

Concern: You received a browser warning that the system name and system certificate do not match.
Possible solution: Some browsers do different things for upper and lower case matching on system names. Type the URL with the same case as the system certificate shows. Or, create the system certificate with the case that will match what most users will use. Unless you know what you are doing, it is best to leave the server name or system name as it was. You should also check that your domain name server is set up correctly.

Concern: You started MSIE with HTTPS instead of HTTP, and you received a warning of a secure and non-secure mix.
Possible solution: Choose accept and ignore the warning. A future release fixes this.

Concern: Windows Netscape 4.04 converted hexadecimal values A1 and B1 to B2 and 9A in the Polish code page.
Possible solution: This is a browser bug that affects NLS. Use a different browser, or even use the same version of this browser on a different platform, such as AIX Netscape.

Concern: In a user profile, Netscape 4.04 showed upper case user certificate NLS characters correctly, but showed lower case characters incorrectly.
Possible solution: Some national language characters that were entered correctly as one character are not the same character when displayed by the browser later. For example, on the Windows version of Netscape Communicator 4.04, the hexadecimal values A1 and B1 were converted to B2 and 9A for the Polish code page, resulting in different NLS characters being displayed.

Concern: The browser continues to tell the end user that the CA is not yet trusted.
Possible solution: Use the Work with Certificate Authorities task in DCM and mark the CA as trusted.

Concern: MSIE requests reject the connection for HTTPS.
Possible solution: This is a problem with the browser function or its configuration. The browser chose not to connect to a site that is using a system certificate that might be self signed or may not be valid for some other reason.

Migrating errors and recovery solutions

Errors and error recovery

The following indicators alert you to errors that might occur during migration:

/QIBM/USERDATA/HTTPSVR/KEYRING/KEYMREQ.CRT
The presence of this indicator after you have successfully installed both option 34 and 5769DG1 means the key ring migration that 5769DG1 attempted did not succeed. You may need to perform key ring migration into the *SYSTEM certificate store.

/QIBM/USERDATA/OS400/DIRSRV/QDIRSRV.CRT
The presence of this indicator after you have successfully installed options 32 and 34 means the key ring migration that option 32 attempted did not succeed.

In addition to the indicated errors, there are possible migration errors that the system might not indicate. For example, when the system finds keyrings that it needs to migrate into the *SYSTEM certificate store, it might also find conflicts with existing IFS user data files. In such an instance, the system might not complete keyring migration, even though you completed the install successfully.
In a rare scenario, it might be possible to have keyring migration with partial system certificate assignment completed before an error prevents the completion of migration. This can result in errors when you start the IBM HTTP Server *ADMIN instance if SSLMODE is ON. Possible explanations are:

- A migrated keyring had a bad system certificate set as its default.
- DCM ended migration to preserve user data that already existed in a critical file name.
- An unpredictable error occurred in the migration code.

You can start the IBM HTTP Server without SSLMODE ON by temporarily turning SSLMODE OFF for the *ADMIN instance before starting the *ADMIN instance. This allows you to investigate the certificate stores with DCM and resolve the problem before ending the *ADMIN instance. After you end the *ADMIN instance, you can then turn SSLMODE back ON and start the *ADMIN instance to initialize SSL correctly.

After the migration of option 34, errors might occur during normal DCM requests that use the certificate stores. These errors occur on the browser, such as:

- Database error
- Database Read error
- Database Write error
- Database corruption
- Database table corrupted

Further, the system might have a file that is not a valid certificate store named default.kdb in the same directory as /QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR or /QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR. In this case, you need to complete the following manual migration before using DCM to create new certificates:

Note: If you choose not to migrate the keyfiles and instead create a new CA and system certificate, skip the following manual migration procedure.

If you plan to install 5769ss1 option 32 and 5769dg1, install them now before continuing.

Notes:
1. The 5769ss1 option 34 install code does not attempt migration again after you install option 34. Simply re-installing option 34 does not help.
2. The appropriate files are located in user data directories that have been created with PUBLIC *EXCLUDE authority. Ensure that you are correctly authorized to them.

Check to see if the following files exist:

/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KDB
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB

If they exist, use wrklnk to rename them and create backups. From a user profile that has *allobj authority, call the program QICSS/QYEPMGRT on a command line, as follows:

CALL QICSS/QYEPMGRT

If the result is successful, ensure that neither of the following files exists on your system:

/QIBM/USERDATA/HTTPSVR/KEYRING/KEYMREQ.CRT
/QIBM/USERDATA/OS400/DIRSRV/QDIRSRV.CRT

DCM normally keeps a backup copy of the user data that you save in files whose file names conflict with those that DCM uses. If the following files do not exist:

/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KYR

but the following files do exist:

/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH

then the system attempts to rename them with an appended .old extension. If those files already exist as well, the system does not create any backup copies. Instead, it deletes the existing .sth files.

Miscellaneous

If your attempts to create a CA and a system certificate continue to fail due to file name conflicts, you might have encountered one of the following:

Different file name conflict
DCM attempts to protect user data in the directories that it creates, even if those files keep DCM from successfully creating the files when it needs to. Resolve this by copying all of the conflicting files to a different directory and, if possible, use DCM functions to delete the corresponding files. If you cannot use DCM to accomplish this, manually delete the files from the original IFS directory where they were conflicting with DCM. Ensure that you record exactly which files you move and where you move them. The copies allow you to recover the files if you find that you still need them.

You need to create a new CA after moving the following files:

/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KDB
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP.KDB
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.RDB
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STH.OLD (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.KYR
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POL
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.BAK
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.STHBAK (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.TEMP.STH (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.TXT
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.BAK
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/CA.TMP
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POLTMP
/QIBM/USERDATA/ICSS/CERT/CERTAUTH/DEFAULT.POLBAK
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CACRT
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CATMP
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CERTAUTH/CA.CABAK
/QIBM/USERDATA/ICSS/CERT/DOWNLOAD/CLIENT/*.USRCRT

You need to create a new *SYSTEM certificate store and system certificate after moving the following files, if they exist:

/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.BAK
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.RDB
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STH.OLD (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.STHBAK (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.TEMP.STH (possibly created prior to V4R5)
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.BAK
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.TXT
/QIBM/USERDATA/ICSS/CERT/SERVER/SRV.SGN
/QIBM/USERDATA/ICSS/CERT/SERVER/SGN.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/SGN.BAK
/QIBM/USERDATA/ICSS/CERT/SERVER/EXPSRV.TMP
/QIBM/USERDATA/ICSS/CERT/SERVER/EXPSGN.TMP

Missing prerequisite
Ensure that you have correctly installed the prerequisite LPPs.

Code problem
Contact your service representative.

Troubleshooting for registering an existing user certificate

When you use the Register an existing user certificate task, Digital Certificate Manager (DCM) displays certificate information for you to approve before registering the certificate. If DCM is unable to display a certificate, the problem could be caused by one of these situations:

1. Your browser did not request that you select a certificate to present to the server. This may happen if the browser cached a previous certificate (from accessing a different server). Try clearing the browser's cache and try the task again. The browser should prompt you to select a certificate.
2. The certificate that you want to register is already registered with DCM.
3. The Certificate Authority that issued the certificate is not designated as a trusted root on the system. Therefore, the certificate you are presenting is not valid. Contact your system administrator to determine if the CA that issued your certificate is correct. If the CA is correct, the system administrator may need to receive the CA certificate into the *SYSTEM certificate store. Or, the administrator may need to use the Work with Certificate Authorities task to designate the CA as a trusted root on the system to correct the problem.
4. You do not have a certificate to register. You can check for user certificates in your browser to see if this is the problem.
5. The certificate that you are trying to register is expired or incomplete. You must either renew the certificate or contact the CA that issued it to resolve the problem.
6. The AS/400 HTTP Server is not correctly set up to do certificate registration using SSL and client authentication on the secure *ADMIN server instance.

If none of the previous troubleshooting tips works, contact your system administrator to report the problem.

To register an existing user certificate, you must connect to Digital Certificate Manager (DCM) by using an SSL session. If you are not using SSL when you select the Register an existing user certificate task, DCM displays a message that you must use SSL. The message contains a button so that you can connect to DCM by using SSL. If the message displays without the button, inform your system administrator of the problem. The Web server may need to be restarted to ensure that the configuration directives for using SSL are activated.
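Two of the Password and general concerns in this chapter, the base 64 error on a certificate pasted from an external CA and the "validity period does not contain today" message that a wrong QUTCOFFSET can produce, can be checked on the administrator's PC before the certificate is received into a DCM store. The Python below is an added example and not IBM code; the PEM sample is a constructed DER placeholder rather than a real certificate, and the dates, wall-clock reading and UTC offsets are assumed values.

```python
"""Pre-checks for a certificate received from an external CA (Entrust, for example)
before it is pasted into DCM.  Added example, not IBM code.  The sample certificate
body is a constructed DER placeholder, not a real certificate."""
import base64
import binascii
from datetime import datetime, timedelta, timezone

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def normalize_pem(pasted: str) -> str:
    """Return a clean PEM block from text copied out of a browser window.

    Strips the blanks that browser copy functions put at the front of each line
    (the usual cause of the 'base 64 error'), drops empty lines and any web-page
    text outside the BEGIN/END markers, then checks that the body is strict
    base64 and decodes to an ASN.1 SEQUENCE (DER tag 0x30), which every X.509
    certificate starts with.  Raises ValueError with the reason otherwise.
    """
    lines = [ln.strip() for ln in pasted.splitlines() if ln.strip()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("BEGIN/END CERTIFICATE markers are missing")
    start, stop = lines.index(BEGIN), lines.index(END)
    if stop < start:
        raise ValueError("END marker comes before BEGIN marker")
    body = "".join(lines[start + 1:stop])
    try:
        der = base64.b64decode(body, validate=True)   # rejects stray characters
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]  # 64-column PEM lines
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


def paste_problem(pasted: str) -> str:
    """Empty string if the paste is usable, otherwise the reason it is not."""
    try:
        normalize_pem(pasted)
    except ValueError as exc:
        return str(exc)
    return ""


def validity_ok(cert_not_before, cert_not_after, issuer_not_before, issuer_not_after,
                local_now, utc_offset):
    """Reproduce the two checks behind the DCM message 'The validity period does not
    contain today or does not fall within its issuer's validity period'.

    cert_* and issuer_* are timezone-aware UTC datetimes.  local_now is the naive
    wall-clock time on the receiving system and utc_offset the timedelta it has
    configured as QUTCOFFSET: a wrong offset shifts the UTC 'now' that is compared
    against the certificate.  Returns (True, "") or (False, reason).
    """
    now_utc = local_now.replace(tzinfo=timezone(utc_offset)).astimezone(timezone.utc)
    if not cert_not_before <= now_utc <= cert_not_after:
        return False, "validity period does not contain today"
    if cert_not_before < issuer_not_before or cert_not_after > issuer_not_after:
        return False, "validity period does not fall within its issuer's validity period"
    return True, ""


# Constructed sample paste: a minimal DER SEQUENCE { INTEGER 1, INTEGER 2 }, base64
# encoded, then mangled the way a browser copy often is (leading blanks on every
# line, an empty line, a trailing line of web-page text).  NOT a real certificate.
_DER_PLACEHOLDER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
_B64 = base64.b64encode(_DER_PLACEHOLDER).decode()
PASTED_SAMPLE = f"   {BEGIN}\n   {_B64}\n\n   {END}\nClick here to download the certificate.\n"
CLEAN_SAMPLE = f"{BEGIN}\n{_B64}\n{END}\n"
BAD_SAMPLE = PASTED_SAMPLE.replace(_B64, _B64[:4] + " " + _B64[4:])  # blank inside the body

# Constructed dates: certificate issued at 01:30 UTC on a day when the AS/400 wall
# clock reads 03:00 in standard time (UTC+1); the issuer CA is valid 1999 to 2010.
SAMPLE_CERT_NOT_BEFORE = datetime(2000, 6, 1, 1, 30, tzinfo=timezone.utc)
SAMPLE_ISSUER_NOT_BEFORE = datetime(1999, 1, 1, tzinfo=timezone.utc)
SAMPLE_ISSUER_NOT_AFTER = datetime(2010, 1, 1, tzinfo=timezone.utc)
SAMPLE_LOCAL_NOW = datetime(2000, 6, 1, 3, 0)


def check_sample(qutcoffset_hours: int, cert_years: int = 1):
    """Run validity_ok on the sample with the UTC offset the system has configured."""
    not_after = SAMPLE_CERT_NOT_BEFORE.replace(year=SAMPLE_CERT_NOT_BEFORE.year + cert_years)
    return validity_ok(SAMPLE_CERT_NOT_BEFORE, not_after,
                       SAMPLE_ISSUER_NOT_BEFORE, SAMPLE_ISSUER_NOT_AFTER,
                       SAMPLE_LOCAL_NOW, timedelta(hours=qutcoffset_hours))


if __name__ == "__main__":
    print(normalize_pem(PASTED_SAMPLE), end="")
    print("mangled paste:", paste_problem(BAD_SAMPLE))
    print("QUTCOFFSET +1h (correct):", check_sample(1))
    print("QUTCOFFSET +2h (DST left on):", check_sample(2))
```

With the offset one hour too large the system believes it is still 01:00 UTC, before the certificate's notBefore, which is why the chapter advises checking QUTCOFFSET or waiting a day.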
Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.
ERserver. iseries. Networking Security IP filtering and network address translation (NAT)
ERserer iseries Networking Security IP filtering and network address translation (NAT) ERserer iseries Networking Security IP filtering and network address translation (NAT) Copyright International Business
Implementing Secure Sockets Layer on iseries
Implementing Secure Sockets Layer on iseries Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts Digital Certificate Manager Local Certificate Authority Server Certificates
Reverse Proxy Scenarios for Single Sign-On
Sterling Secure Proxy Reerse Proxy Scenarios for Single Sign-On Version 3.4 Sterling Secure Proxy Reerse Proxy Scenarios for Single Sign-On Version 3.4 Note Before using this information and the product
Operations Console Setup
iseries Operations Console Setup SC41-5508-02 iseries Operations Console Setup SC41-5508-02 Note Before using this information and the product it supports, be sure to read the information in Safety and
ERserver. iseries. Backup, Recovery and Media Services (BRMS)
ERserer iseries Backup, Recoery and Media Serices (BRMS) ERserer iseries Backup, Recoery and Media Serices (BRMS) Copyright International Business Machines Corporation 1998, 2002. All rights resered.
IBM Unica Marketing Platform Version 8 Release 5 June 1, 2012. Administrator's Guide
IBM Unica Marketing Platform Version 8 Release 5 June 1, 2012 Administrator's Guide Note Before using this information and the product it supports, read the information in Notices on page 449. This edition
IBM Maximo for Aviation MRO Version 7 Release 6. Guide
IBM Maximo for Aiation MRO Version 7 Release 6 Guide Note Before using this information and the product it supports, read the information in Notices on page 185. This edition applies to ersion 7, release
ERserver. iseries. Journal management
ERserer iseries Journal management ERserer iseries Journal management Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment Users Restricted Rights Use, duplication
IBM Directory Server Version 4.1 Installation and Configuration Guide for Multiplatforms
IBM Directory Serer Version 4.1 Installation and Configuration Guide for Multiplatforms IBM Directory Serer Version 4.1 Installation and Configuration Guide for Multiplatforms Note Before using this information
IBM Unica Campaign Version 8 Release 6 May 25, 2012. Data Migration Guide
IBM Unica Campaign Version 8 Release 6 May 25, 2012 Data Migration Guide Note Before using this information and the product it supports, read the information in Notices on page 49. This edition applies
Software Installation
iseries Software Installation Version 5 SC41-5120-05 iseries Software Installation Version 5 SC41-5120-05 Note Before using this information and the product it supports, be sure to read the information
IBM License Metric Tool Version 9.0 (includes version 9.0.1, 9.0.1.1 and 9.0.1.2 ) Managing the Software Inventory Guide
IBM License Metric Tool Version 9.0 (includes ersion 9.0.1, 9.0.1.1 and 9.0.1.2 ) Managing the Software Inentory Guide IBM License Metric Tool Version 9.0 (includes ersion 9.0.1, 9.0.1.1 and 9.0.1.2 )
IBM Rapid Restore Ultra Version 4.0. User s Guide
IBM Rapid Restore Ultra Version 4.0 User s Guide IBM Rapid Restore Ultra Version 4.0 User s Guide Notice: Before using this information and the product it supports, be sure to read Notices and Trademarks,
Password Synchronization for Active Directory Plug-in Installation and Configuration Guide
Tioli Identity Manager Version 5.1 Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide SC23-9622-00 Tioli Identity Manager Version 5.1 Password Synchronization for
IBM Tivoli Netcool Performance Manager Wireline Component January 2012 Document Revision R2E1. Pack Upgrade Guide
IBM Tioli Netcool Performance Manager Wireline Component January 2012 Document Reision R2E1 Pack Upgrade Guide Note Before using this information and the product it supports, read the information in Notices
IBM SmartCloud Monitoring - Application Insight. User Interface Help SC27-5618-01
IBM SmartCloud Monitoring - Application Insight User Interface Help SC27-5618-01 IBM SmartCloud Monitoring - Application Insight User Interface Help SC27-5618-01 ii IBM SmartCloud Monitoring - Application
SmartCloud Notes. Administering SmartCloud Notes: Service-only Environment March 2015
SmartCloud Notes Administering SmartCloud Notes: Serice-only Enironment March 2015 SmartCloud Notes Administering SmartCloud Notes: Serice-only Enironment March 2015 Note Before using this information
Data Protection for CPM 10.6 SP1 Administrator s Guide
IBM Endpoint Manager Data Protection for CPM 10.6 SP1 Administrator s Guide Version 9.0 IBM Endpoint Manager Data Protection for CPM 10.6 SP1 Administrator s Guide Version 9.0 Note Before using this information
Using etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
IBM Campaign Version 9 Release 1.1 February 18, 2015. User's Guide
IBM Campaign Version 9 Release 1.1 February 18, 2015 User's Guide Note Before using this information and the product it supports, read the information in Notices on page 245. This edition applies to ersion
WebSphere Message Broker. Installation Guide. Version7Release0
WebSphere Message Broker Installation Guide Version7Release0 WebSphere Message Broker Installation Guide Version7Release0 About this book This book explains how to install WebSphere Message Broker Version
Securing your Online Data Transfer with SSL
Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does
Version 9 Release 1.2 September 23, 2015. IBM Campaign Installation Guide IBM
Version 9 Release 1.2 September 23, 2015 IBM Campaign Installation Guide IBM Note Before using this information and the product it supports, read the information in Notices on page 115. This edition applies
IBM EMM Reports Version 9 Release 1.1 November 26, 2014. Installation and Configuration Guide
IBM EMM Reports Version 9 Release 1.1 Noember 26, 2014 Installation and Configuration Guide Note Before using this information and the product it supports, read the information in Notices on page 161.
IBM InfoSphere Master Data Management Standard and Advanced Editions Version 11 Release 3. Installation Guide GI13-2658-01
IBM InfoSphere Master Data Management Standard and Adanced Editions Version 11 Release 3 Installation Guide GI13-2658-01 IBM InfoSphere Master Data Management Standard and Adanced Editions Version 11
Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.
BusinessLink Software Support
BusinessLink Software Support V2R5 Upgrade Instructions Existing SSL Installations SSL Certificate Conversion Pre-Upgrade Table of Contents Overview... 1 Requirements For Certificate Conversion... 1 OS/400
IBM Unica Marketing Operations and Campaign Version 8 Release 6 May 25, 2012. Integration Guide
IBM Unica Marketing Operations and Campaign Version 8 Release 6 May 25, 2012 Integration Guide Note Before using this information and the product it supports, read the information in Notices on page 51.
Lotus. Notes Version 8.5.2. Lotus Notes Traveler
Lotus Notes Version 8.5.2 Lotus Notes Traeler Lotus Notes Version 8.5.2 Lotus Notes Traeler Note Before using this information and the product it supports, read the information in the Notices section.
IBM Marketing Operations Version 9 Release 1 October 25, 2013. User's Guide
IBM Marketing Operations Version 9 Release 1 October 25, 2013 User's Guide Note Before using this information and the product it supports, read the information in Notices on page 207. This edition applies
IBM InfoSphere MDM Web Reports User's Guide
IBM InfoSphere Master Data Management IBM InfoSphere MDM Web Reports User's Guide Version 11 Release 3 GI13-2652-01 IBM InfoSphere Master Data Management IBM InfoSphere MDM Web Reports User's Guide Version
IBM Marketing Operations OnDemand November 17, 2014. Project Manager's Guide
IBM Marketing Operations OnDemand Noember 17, 2014 Project Manager's Guide Note Before using this information and the product it supports, read the information in Notices on page 63. IBM Marketing Operations
Steps to import MCS SSL certificates on a Sametime Server. Securing LDAP connections to and from Sametime server using SSL
Steps to import MCS SSL certificates on a Sametime Server Securing LDAP connections to and from Sametime server using SSL Author: Madhu S Dutta / Manoj Palaniswamy, IT Specialist 1 P a g e Configuring
ERserver. iseries. Remote Access Services: PPP connections
ERserer iseries Remote Access Serices: PPP connections ERserer iseries Remote Access Serices: PPP connections Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment
Business Intelligence Guide
Sterling Call Center and Sterling Store Business Intelligence Guide Release 9.1.0.10 Sterling Call Center and Sterling Store Business Intelligence Guide Release 9.1.0.10 Note Before using this information
Tivoli Identity Manager Server
Tioli Identity Manager Serer Version 5.1 Installation and Configuration Guide SC27-2410-01 Tioli Identity Manager Serer Version 5.1 Installation and Configuration Guide SC27-2410-01 Note: Before using
IBM Storage Management Pack for Microsoft System Center Operations Manager (SCOM) Version 2.4.0. User Guide GC27-3909-11
IBM Storage Management Pack for Microsoft System Center Operations Manager (SCOM) Version 2.4.0 User Guide GC27-3909-11 Note Before using this document and the product it supports, read the information
Installation and Configuration Guide
IBM Tioli Storage Productiity Center Version 5.2 Installation and Configuration Guide SC27-4058-01 IBM Tioli Storage Productiity Center Version 5.2 Installation and Configuration Guide SC27-4058-01 Note:
IBM Unica Leads Version 8 Release 5 December 2, 2011. Installation Guide
IBM Unica Leads Version 8 Release 5 December 2, 2011 Installation Guide Note Before using this information and the product it supports, read the information in Notices on page 61. This edition applies
iseries Getting started with iseries
iseries Getting started with iseries iseries Getting started with iseries Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment Users Restricted Rights Use,
Tivoli Endpoint Manager for Patch Management - Windows - User's Guide
Tioli Endpoint Manager for Patch Management - Windows - User's Guide ii Tioli Endpoint Manager for Patch Management - Windows - User's Guide Contents Patch Management for Windows User's Guide................
Renewing default certificates for Tivoli Workload Scheduler
IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload Scheduler Version 8.3.0 8.4.0 8.5.0 8.5.1 8.6.0 IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload
Digital Certificate Manager Setup
Digital Certificate Manager Setup Contents Pre-configuration 3 Sample control scripts 3 Server Requirements 3 Prerequisites 3 Technical documents available online at 3 Firewall Considerations 4 Introduction
Security Secure Sockets Layer (SSL)
System i Security Secure Sockets Layer (SSL) Version 5 Release 4 System i Security Secure Sockets Layer (SSL) Version 5 Release 4 Note Before using this information and the product it supports, read the
Digital Signatures on iqmis User Access Request Form
Digital Signatures on iqmis User Access Request Form When a user clicks in the User Signature block on the iqmis Access Form, the following window appears: Click Save a Copy and rename it with your name,
ERserver. iseries. Windows server on iseries
ERserer iseries Windows serer on iseries ERserer iseries Windows serer on iseries Copyright International Business Machines Corporation 1998, 2002. All rights resered. US Goernment Users Restricted Rights
Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.
Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate A STEP-BY-STEP GUIDE to test, install and use a thawte Digital Certificate on your MS IIS Web
understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES
understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES contents UNDERSTANDING SSL CERTIFICATES...1 What Is SSL and What Are SSL Certificates?...1 Features of SSL...1 Encryption...1
Rational Build Forge. AutoExpurge System. Version7.1.2andlater
Rational Build Forge AutoExpurge System Version7.1.2andlater Note Before using this information and the product it supports, read the information in Notices, on page 11. This edition applies to ersion
IBM Tivoli Storage Manager for Linux. Quick Start. Version 5 Release 1 GC23-4692-00
IBM Tioli Storage Manager for Linux Quick Start Version 5 Release 1 GC23-4692-00 IBM Tioli Storage Manager for Linux Quick Start Version 5 Release 1 GC23-4692-00 Note! Before using this information and
Tivoli Security Compliance Manager
Tioli Security Compliance Manager Version 5.1 Tioli Risk Manager Adapter Guide Tioli Security Compliance Manager Version 5.1 Tioli Risk Manager Adapter Guide Note Before using this information and the
Tivoli Integrated Portal Administration and configuration guide. Version 1.0 Tivoli Integrated Portal 2.2
Tioli Integrated Portal Administration and configuration guide Version 1.0 Tioli Integrated Portal 2.2 Tioli Integrated Portal Administration and configuration guide Version 1.0 Tioli Integrated Portal
Generating and Installing SSL Certificates on the Cisco ISA500
Application Note Generating and Installing SSL Certificates on the Cisco ISA500 This application note describes how to generate and install SSL certificates on the Cisco ISA500 security appliance. It includes
Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0
Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust
Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C
Cunsheng Ding, HKUST Lecture 06: Public-Key Infrastructure Main Topics of this Lecture 1. Digital certificate 2. Certificate authority (CA) 3. Public key infrastructure (PKI) Page 1 Part I: Digital Certificates
GT 6.0 GSI C Security: Key Concepts
GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts Overview GSI uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality. Many of the
Networking File Transfer Protocol
System i Networking File Transfer Protocol Version 5 Release 4 System i Networking File Transfer Protocol Version 5 Release 4 Note Before using this information and the product it supports, read the information
IBM Tivoli Monitoring Version 6.3 Fix Pack 2. Windows OS Agent Reference
IBM Tioli Monitoring Version 6.3 Fix Pack 2 Windows OS Agent Reference IBM Tioli Monitoring Version 6.3 Fix Pack 2 Windows OS Agent Reference Note Before using this information and the product it supports,
Readme File for IBM Tivoli Service Automation Manager Extension for Workload Automation. Version 8.6
Readme File for IBM Tioli Serice Automation Manager Extension for Workload Automation Version 8.6 ii Readme File for IBM Tioli Serice Automation Manager Extension for Workload Automation Contents Chapter
Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES
Understanding SSL Certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES Understanding SSL Certificates 2 Secure Socket Layer (SSL) certificates are widely used to help secure and authenticate
Tivoli Endpoint Manager for Patch Management - Windows - User's Guide
Tioli Endpoint Manager for Patch Management - Windows - User's Guide ii Tioli Endpoint Manager for Patch Management - Windows - User's Guide Contents Patch Management for Windows User's Guide................
Understanding Digital Certificates and Secure Sockets Layer (SSL)
Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?
SECURE EMAIL USER GUIDE OUTLOOK 2000
WELLS FARGO AUTHENTICATION SERVICES DATED: MAY 2003 TABLE OF CONTENTS GENERAL INFORMATION... 1 INSTALLING THE WELLS FARGO ROOT CERTIFICATE CHAIN.. 2 INSTALLING THE CERTIFICATES INTO IE... 3 SETTING UP
IBM Maximo Asset Management Version 7 Release 5. Workflow Implementation Guide
IBM Maximo Asset Management Version 7 Release 5 Workflow Implementation Guide Note Before using this information and the product it supports, read the information in Notices on page 47. This edition applies
X.509 Certificate Generator User Manual
X.509 Certificate Generator User Manual Introduction X.509 Certificate Generator is a tool that allows you to generate digital certificates in PFX format, on Microsoft Certificate Store or directly on
Implementing Secure Sockets Layer (SSL) on i
Implementing Secure Sockets Layer (SSL) on i Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts History of SSL Digital Certificate Manager Local Certificate Authority Server
Remote Supervisor Adapter II. Installation Instructions for Linux Users
Remote Superisor Adapter II Installation Instructions for Linux Users Remote Superisor Adapter II Installation Instructions for Linux Users Third Edition (October 2003) Copyright International Business
BEGINNERS GUIDE BEGINNERS GUIDE TO SSL CERTIFICATES: MAKING THE BEST CHOICE WHEN CONSIDERING YOUR ONLINE SECURITY OPTIONS
BEGINNERS GUIDE TO SSL CERTIFICATES: MAKING THE BEST CHOICE WHEN CONSIDERING YOUR ONLINE SECURITY OPTIONS BEGINNERS GUIDE TO SSL CERTIFICATES INTRODUCTION Whether you are an individual or a company, you
Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US Government Users Restricted Rights Use, duplication or
iseries E mail iseries E mail Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA
IBM Spectrum Control Base Edition Version 2.1.1. Release Notes
Version 2.1.1 Release Notes First (June 2015) This edition applies to ersion 2.1.1 of the software package. Newer document editions may be issued for the same product ersion in order to add missing information
An Overview of the Secure Sockets Layer (SSL)
Chapter 9: SSL and Certificate Services Page 1 of 9 Chapter 9: SSL and Certificate Services The most widespread concern with the Internet is not the limited amount of bandwidth or the occasional objectionable
Active Directory Adapter with 64-bit Support User Guide
IBM Security Identity Manager Version 6.0 Actie Directory Adapter with 64-bit Support User Guide SC27-4385-02 IBM Security Identity Manager Version 6.0 Actie Directory Adapter with 64-bit Support User
Data Protection for Microsoft Exchange Server Installation and User's Guide
IBM Tioli Storage Manager for Mail Version 6.4 Data Protection for Microsoft Exchange Serer Installation and User's Guide GC27-4009-01 IBM Tioli Storage Manager for Mail Version 6.4 Data Protection for
IBM Client Security Solutions. Client Security User's Guide
IBM Client Security Solutions Client Security User's Guide December 1999 1 Before using this information and the product it supports, be sure to read Appendix B - Notices and Trademarks, on page 22. First
Load Balancer Administration Guide
Load Balancer Administration Guide ii Load Balancer Administration Guide Contents Chapter 3. Product oeriew...... 9 What is new in this release......... 10 Components of Load Balancer that are aailable
Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background
Xerox Multifunction Devices Customer Tips June 5, 2007 This document applies to these Xerox products: X WC Pro 232/238/245/ 255/265/275 for the user Xerox Network Scanning HTTP/HTTPS Configuration using
BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options
BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options BEGINNERS GUIDE TO SSL CERTIFICATES Introduction Whether you are an individual or a company, you
Planning an Installation
IBM Tioli Composite Application Manager for Application Diagnostics Version 7.1.0.2 Planning an Installation GC27-2827-00 IBM Tioli Composite Application Manager for Application Diagnostics Version 7.1.0.2
