Setting up iSeries 400 servers to use SSL
To set up your iSeries servers to use SSL with AS/400 Toolbox for Java, complete
the following steps:
- Install the Cryptographic Access Provider licensed program for AS/400 (5769-AC2 or
  5769-AC3) on your iSeries servers to provide server-side encryption.
  - Cryptographic Access Provider licensed program 5769-AC2 provides 56-bit
    encryption.
  - Cryptographic Access Provider licensed program 5769-AC3 provides 128-bit
    encryption.
- Install the AS/400 Client Encryption licensed program (5769-CE2 or 5769-CE3)
on your iSeries server.
  The AS/400 Client Encryption licensed program provides the Java classes and
  utilities used by the AS/400 Toolbox for Java classes on the client side.
- Change the authority of the directory that contains the client encryption files.
- Get and configure the server certificate.
- Apply the certificate to the following iSeries servers that are used by
  AS/400 Toolbox for Java:
  - QIBM_OS400_QZBS_SVR_CENTRAL
  - QIBM_OS400_QZBS_SVR_DATABASE
  - QIBM_OS400_QZBS_SVR_DTAQ
  - QIBM_OS400_QZBS_SVR_NETPRT
  - QIBM_OS400_QZBS_SVR_RMTCMD
  - QIBM_OS400_QZBS_SVR_SIGNON
  - QIBM_OS400_QZBS_SVR_FILE
  - QIBM_OS400_QRW_SVR_DDM_DRDA
Changing the authority of the directory that contains the client encryption files
To help you meet the SSL legal responsibilities required when using cryptography algorithms,
the directory that contains the files is shipped with public authority *EXCLUDE. You must change the authority of the directory to allow access by only those users authorized to use encryption algorithms.
Use OS/400 object security to control access to the client encryption files by completing the following steps:
- On your server, enter the following command:
wrklnk '/QIBM/ProdData/HTTP/Public/jt400/*'
- Select option 9 in the SSL56 or SSL128 directory.
- Ensure that *PUBLIC has *EXCLUDE authority.
- Give *RX authority to the directory to the individual users or groups of users who
need access to the SSL files.
Note: You cannot deny access to the SSL files to users
that have *ALLOBJ special authority.
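The same authority changes can be made with CL commands instead of the WRKLNK option 9 panel, which makes them repeatable and easy to review. The program below is an added example, not part of the original documentation; SSLUSERS is a hypothetical group profile, and the SSL128 path assumes that directory sits directly under the jt400 directory shown above (substitute SSL56 where that applies).

```cl
PGM
  /* Added example. SSLUSERS is a hypothetical group profile that     */
  /* holds the users authorized to use the encryption algorithms.     */

  /* Keep the shipped default: *PUBLIC has no access to the directory. */
  /* OBJAUT must be *NONE when DTAAUT is *EXCLUDE.                     */
  CHGAUT OBJ('/QIBM/ProdData/HTTP/Public/jt400/SSL128') +
         USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)

  /* Grant read and execute (*RX) only; no object authorities, so     */
  /* these users cannot change or delete the files or re-grant access. */
  CHGAUT OBJ('/QIBM/ProdData/HTTP/Public/jt400/SSL128') +
         USER(SSLUSERS) DTAAUT(*RX) OBJAUT(*NONE)

  /* Display the resulting authorities. Confirm that *PUBLIC shows    */
  /* *EXCLUDE and that only the intended profiles are listed.         */
  DSPAUT OBJ('/QIBM/ProdData/HTTP/Public/jt400/SSL128')
ENDPGM
```

Profiles with *ALLOBJ special authority do not appear in the DSPAUT list but still have access, so review them separately when deciding who can reach the encryption files.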
Before you get and configure your server certificate, you need to install the following products:
The process you follow to get and configure your server certificate depends on the kind of certificate you use:
- If you get a certificate from a trusted authority (such as VeriSign, Inc.,
or RSA Data Security, Inc.), install the certificate on the AS/400, then apply it to
the host servers.
- If you choose not to use a certificate from a trusted authority, you can build
your own certificate to be used on AS/400. Build the certificate by using the
digital certificate manager.
  - Create the certificate authority on the AS/400.
  - Assign which host servers will trust the certificate authority that you created.
  - Create a system certificate from the certificate authority that you created.
  - Assign which host servers will use the system certificate that you created.