Setting up the SSL *SYSTEM Store on IBM i

This guide walks you through the initial setup of IBM’s Digital Certificate Manager (DCM): either creating the *SYSTEM certificate store if it does not exist, or confirming that you can access it if it already exists.

Doing this allows you to perform further SSL/TLS configuration. It enables your IBM i system to act as a client to external servers that require secure SSL/TLS connections, and to act as a server offering your own secure SSL/TLS service. Most web services available today expect to use SSL/TLS.

Accessing IBM Digital Certificate Manager

To begin, verify that the IBM *ADMIN HTTP server is running on your system with the following command:

WRKSBSJOB SBS(QHTTPSVR)

If you don’t see several ADMIN jobs in the list, run the following command to start the *ADMIN server:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

After you’ve ensured that the *ADMIN server is running, open a web browser and go to http://YourIBMIPAddress:2001 - you should see a login page as seen below:

Enter your IBM i username and password, and click “Log in”. You should see a page split into two sections - a menu on the left, and a larger content area on the right that looks like the below image:

Click the “IBM i Tasks Page” link which should update the right section to look similar to the below image.

Depending on your IBM i operating system version and installed PTFs, you may not have “http” and “https” links and instead “Digital Certificate Manager” is a direct link. In this case, click “Digital Certificate Manager”. Otherwise, if you do see “http” and “https” links as circled above, you should click one of the two links. Note: Many customers do not have HTTPS properly set up for their *ADMIN server which can cause issues when selecting “https”, so we recommend selecting “http” unless you know your *ADMIN server is configured correctly for HTTPS.

In either case, you will be redirected to a URL that looks similar to this:

http://YOUR_IBM_IP_ADDRESS:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

and your web browser will prompt you to log in again. Enter your IBM i username and password and click Sign In. Note: It is recommended to log into the Digital Certificate Manager with a profile that has elevated authority, such as a *SECOFR profile.

Creating the *SYSTEM Certificate Store

Once you’re in Digital Certificate Manager, you should have a menu on the left side of the screen.

From the side menu, select the link to “Create New Certificate Store”. This will take you to a page that asks you which type of certificate store you wish to create.

Ensure *SYSTEM is selected, and then select the “Continue” button. Note: If *SYSTEM does not appear as an option, this process has most likely already been completed on your IBM i. You should proceed to “Verify *SYSTEM Certificate Store Access”.

You will then be asked if you wish to create a Certificate Authority (CA) certificate in the certificate store.

Select “Yes”, and then press the “Continue” button.

Depending on your operating system version, the form you’re presented may look very different from the above screenshot. Fill in all required fields. Record whatever you specify for the Certificate store password for future reference. This password is used to access the *SYSTEM certificate store through DCM. It is very easy to both change and recover this password, so don’t spend too much time worrying about the security of this password.

After filling out the required fields, select the “Continue” button. You will then be presented with certificate request data.

Copy and paste the certificate request data into a plain text document (like Notepad) and save it somewhere secure. You cannot retrieve this certificate request data again if you lose it. If you need it later and do not have it, you would instead need to perform some of these setup steps again. If you find yourself in that situation, please contact our support team.

After you’ve saved the certificate request data, select the “OK” button.

Verify *SYSTEM Certificate Store Access

Selecting the “Select a Certificate Store” button at the top of the left sidebar will place you at the below screen.

Make sure *SYSTEM is selected, and then select the “Continue” button. You will be prompted to enter the certificate store password. Enter the Certificate store password you specified when setting up the *SYSTEM store.

After entering the password, select the “Continue” button. Note: If you ever forget the password, you can simply select “Reset Password”; by design, you will be allowed to reset the password without knowing the previous password.

If your page looks like below, you have successfully set up the SSL *SYSTEM store on your IBM i!