Installation of new Bacstel-iP SSL Certificate Bacstel-iP for iseries BACS will change over to a new certificate on Monday 22 February 2010. You must follow the instructions below before this date. Failure to do so will prevent you from submitting any files to the Bacstel-iP service on or after that date. The installation instructions below refer to OS/400 release 5.1, but will apply to later releases as well. These instructions only apply if you transmit directly from the iseries. If you submit via an attached PC, you do not need to install the new certificate on the iseries see the website instructions for Windows PC systems. It is possible that the new certificates are already installed on your iseries as later versions of OS/400 were shipped with a selection of SSL certificates. The procedures below will determine what action you need to take. Copy the new certificate(s) to the /grange folder on the IFS The certificate is available for download from our website http://www.grangesystems.com/new_ssl_cert_10/ The new certificate is called Bacs_Intermediate_2010.p7b The easiest method to transfer these to the iseries grange folder is to use any PC that has a mapped drive or other link to the grange folder on the iseries IFS. Any PC that runs the grange server program (gr_svr.exe) will have this link. Use Windows explorer to copy the new certificate file to the grange folder on the IFS. Start the HTTP server on the iseries Start the http (ADMIN instance only) on the iseries: STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) Connect to the iseries server using Internet Explorer (or other Browser) You can connect to port 2001 either by IP address or by Computer name if your system can resolve to it. e.g. http://192.168.1.5:2001 or http://myiseriesname:2001 note this may take some time to connect. You will be prompted for an iseries user name and password:
You must use a profile with a high level of authority, as you will be working with security certificates. After signon you should see this screen or equivalent (the i5 or V5R4 has more options) : Take the option for Digital Certificate Manager. Again this may take some time.
This screen or equivalent should appear: Select the option to Select a Certificate Store. If you do not see this option, you have signed onto the http server with insufficient authority.
Select the *SYSTEM Certificate store & click on Continue Enter the system store password and Continue. If you have forgotten this, you will be able to Reset the password if signed on with sufficient authority i.e. QSECOFR or similar.
This screen should appear: Click on the Expand All button and this screen should appear:
If you do NOT see the options to Work with CA certificates you do not have sufficient authority to proceed. You must close down the session and start again with a higher level of authority. Take the option to Work with CA Certificates: A list of CA certificates will appear. They may not be the same as the example above. We now need to check for the presence of a certificate in the list: Search for the name VeriSign International Server CA - Class 3, or similar. If it appears (or similar) select the Certificate(s) and View button. Check the Serial number against 46FCEBBAB4D02F0F926098233F93078F If it is the same take a note of the Certificate label. If the certificate is present, take the following actions. If absent, go directly to the Import Section below.
Actions when the certificate is already present. Select Work with client Applications from the left hand panel Select Grange Bacstel-iP and Work with Application button A screen similar to this appears: In the Define the CA trust list box, click No and Apply
The following screen appears, and the application trust list disappears. That is the completion of the process. You can return to the main screen via the Return to OS tasks menu item in left hand pane and close Internet Explorer. The HTTP server *ADMIN can be shut down on the iseries if required. ENDTCPSVR SERVER(*HTTP) End of section.
Import Section You are in this section because the new SSL certificate is not in your DCM. Take the Import button. Enter /grange/ Bacs_Intermediate_2010.p7b in the Import file box & click on Continue (note that the file name is case sensitive) Enter a CA Certificate label VERISIGN INTERMEDIATE BACS 10 and click on Continue
You will get the confirmation screen as below (example only) or an error screen:
Error screen: This occurs if the certificate already exists on your system. In which case move on to the next step. Take the Work with client Applications option from the left hand pane:
The list of client applications may not be the same as those listed above. There will be an application name similar to Grange Bacstel-iP or something obviously referring to the Grange Bacstel-iP application. Select this option and click on Work with Application button. A similar screen to this will appear: In the Define the CA trust list box, click No and Apply The following screen appears, and the application trust list disappears.
That is the completion of the process. You can return to the main screen via the Return to OS tasks menu item in left hand pane and close Internet Explorer. The HTTP server *ADMIN can be shut down on the iseries if required. ENDTCPSVR SERVER(*HTTP) End of section.