Using a self-signed certificate

When you choose not to use a certificate from a trusted authority, you must download the server certificate (from each server that has a self-signed certificate) so that the AS/400 Toolbox for Java classes can use it. You also have to get the zip files that contain the encryption algorithms and add them to your CLASSPATH statement.

To use the self-signed certificate, complete the following steps:

  1. Select the directory where you want to put the zip files.
  2. Download the version of SSL that you want to use by copying both the encryption algorithms and the utilities you need to work with a self-signed certificate:
  3. Add ssltools.jar and the zip files to your CLASSPATH statement.
  4. Create a directory on your client named <SSL>\com\ibm\as400\access where <SSL> is the directory where you copied the jar and zip files.
  5. From a command prompt on your client, run the following command:
    java utilities.KeyringDB com.ibm.as400.access.KeyRing connect <systemname>:<port>

    where <port> is the server port of any of the host servers to which you have access. For example, you can use 9476, which is the default port for the secure sign-on server on the AS/400.

    Note: You must use com.ibm.as400.access.KeyRing because it is the only location where the AS/400 Toolbox for Java looks for your certificates.

  6. When you are prompted to enter a password, type toolbox, which allows the SSL tool to connect to the server and list the certificates it finds.
  7. Type the number of the Certificate Authority (CA) certificate that you want to add to your server. Be sure to add the CA certificate and not the site certificate. You need to run KeyRingDB on each server that has a self-signed certificate to add each certificate to the KeyRing class.

    Note: For each certificate that you want to add, run the command:

    java utilities.KeyringDB com.ibm.as400.access.KeyRing connect <systemname>:<port>

After completing the above steps, you have finished setting up the self-signed certificates. You can run the application, after you ensure the following are in your CLASSPATH statement:

Because jt400.jar contains the default copy of KeyRing.class, the directory that contains com\ibm\as400\access\KeyRing.class must be in the CLASSPATH before jt400.jar.

Note: Instead of adding the directory that contains the KeyRing.class file to your CLASSPATH statement, you can add the new KeyRing.class to your jt400.jar file. Adding the new KeyRing.class file to jt400.jar overwrites the old version.
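The ordering rule above can be checked before you run the application. The following Python script is an added example, not part of the AS/400 Toolbox for Java or its SSL tools: it walks a CLASSPATH string in search order and reports which entry supplies com/ibm/as400/access/KeyRing.class first. The function names, the status strings and the sample layout are assumptions made for the example, and the sample files are constructed placeholders.

```python
import os, tempfile, zipfile

KEYRING = "com/ibm/as400/access/KeyRing.class"  # class the Toolbox reads certificates from

def keyring_providers(classpath, sep=os.pathsep):
    """CLASSPATH entries that supply KeyRing.class, in search order."""
    found = []
    for entry in filter(None, classpath.split(sep)):
        if os.path.isdir(entry):
            hit = os.path.isfile(os.path.join(entry, *KEYRING.split("/")))
        elif os.path.isfile(entry) and zipfile.is_zipfile(entry):
            with zipfile.ZipFile(entry) as archive:
                hit = KEYRING in archive.namelist()
        else:
            hit = False  # entry does not exist or is not a jar/zip
        if hit:
            found.append(entry)
    return found

def classify(classpath, sep=os.pathsep):
    """Say which copy of KeyRing.class would be found first."""
    found = keyring_providers(classpath, sep)
    if not found:
        return "missing"
    if os.path.basename(found[0]).lower() != "jt400.jar":
        return "custom-first"  # the directory copy precedes jt400.jar
    # jt400.jar is first: a later copy is shadowed; with no later copy the
    # jar holds either the default KeyRing or one replaced in place.
    return "shadowed" if len(found) > 1 else "jar-only"

def build_sample(root):
    """Constructed layout: <root>/ssl with a KeyRing.class, and a stand-in jt400.jar."""
    ssl_dir = os.path.join(root, "ssl")
    os.makedirs(os.path.join(ssl_dir, "com", "ibm", "as400", "access"))
    with open(os.path.join(ssl_dir, *KEYRING.split("/")), "wb") as fh:
        fh.write(b"constructed placeholder, not a real class file")
    jar = os.path.join(root, "jt400.jar")
    with zipfile.ZipFile(jar, "w") as archive:
        archive.writestr(KEYRING, b"constructed placeholder")
    return ssl_dir, jar

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        ssl_dir, jar = build_sample(root)
        for order in ([ssl_dir, jar], [jar, ssl_dir], [jar]):
            names = [os.path.basename(p) for p in order]
            print(classify(os.pathsep.join(order)), names)
```

A result of "shadowed" means the default KeyRing.class in jt400.jar is found before the one that holds your self-signed certificates. To check a real setup, pass the value of your CLASSPATH statement to classify().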