Using the Alpha level Expedite Base/400 with SSL



Obtaining your new certificates and updating your existing AS/400 application

You will need to obtain 2 certificates; a client certificate tied to your Information Exchange account/userid and the PKI Services Root CA certificate. We want the new client certificate, the new root CA and the old root CA to co-exist in the key database until July 9, then the new root CA will be the only one used.

1. Obtain a client and PKI Services Root CA Certificate

a. Create a certificate using the instructions on the Web site .

b. Export your certificate to files using the instructions on the Web site under the heading 'Method 2: Exporting your client certificate and CA as separate files'.



Make sure “Include all certificates in the certificate path if possible” is not selected when you export the certificate.

Note 1: The iSeries OS/400 DCM (Digital Certificate Manager) is not able to import the PKI services certificates directly. Since Internet Explorer can handle the PKI Services certificates (Trusted Root CA and Client), as well as the formats used by the iSeries, we need to first “install” the PKI Services certificates into Internet Explorer, and then “export” them in a format which can be imported into the iSeries. The Trusted Root CA certificate imported by the iSeries needs to be in a PKCS#7 format (.p7b file extension). The Client (user/Personal) certificates imported by the iSeries needs to be in a PKCS#12 format (.pfx file extension).

Method 2 instructions:

Exporting certificates - Method 2

Use this method if your client setup instructions tell you to do so. It creates two PKCS#12 export files, one containing your client certificate and private key, and another containing IBM's Signer Certificate.

Export the certificates (client certificate and private key, and root CA)

Client Certificate and Private Key

Follow steps 1 -13.

1. Select menu "tools/internet options.../content/certificates.../Personal

[pic]

2. Choose the certificate you wish to export and click "export..."

(the ‘Issued By’ should say PKI Services Root CA2)

[pic]

3. Select "Next >"

[pic]

4.

• Check "Yes, export the private key"

• Click "Next >"

[pic]

5. Check "Personal Information Exchange - PKCS #12 (.PFX)"

o Make sure that "Include all certificates in the certification path if possible" is NOT selected

o Make sure "Enable strong protection (requires IE 5.0, NT 5.0 or above)" is NOT selected

o Click "Next >"

▪ Please note - some versions may have the extra check box: "Delete the private key if the export is successful"

▪ Please ensure that this is definitely NOT checked!

[pic]

6.

• Choose a password for the file

• Click "Next >"

[pic]

7.

• Specify a name for the file

• Click "Next >"

[pic]

8. Click "Finish”

[pic]

9. Click “OK”

[pic]

10. Click OK

11. Click “Close”

12. Click "OK"

13. The certificate is now available in the file you selected in step 7

IBM's Signer Certificate ( PKI Services Root CA certificate)

Perform steps 14 - 22:

14. Select menu "tools/internet options.../content/certificates.../Trusted Root Certificate Authorities

[pic]

15. Select the new ‘PKI Services Root CA2’ certificate and click "export..."

[pic]

16. Click "Next >"

[pic]

17.

• Select the ‘Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)’ file format, and make sure no other options are checked.

• Click "Next >"

[pic]

18.

• Specify a name for the file (Ensure you enter a DIFFERENT name to the one you entered for the client certificate).

• Click "Next >"

[pic]

19. Click “Finish”

[pic]

20. Click “OK”

21. Click "Close"

22. Click "OK"

You are now finished with the exporting steps.

2. FTP the certificate files to the AS/400

a. After logging in, change the directory to a directory of your choice, for example “/tmp” (Please ensure you use an IFS subdirectory only)

b. Change to binary mode

c. Transfer the PKCS#12 client file, which was exported from your Internet Explorer browser, to the AS/400

[pic]

d. Similarly, transfer the new PKI Services Root CA Certificate to the AS/400

Managing Certificates in DCM

e. Using Internet Explorer, go to (replace AS400HOST with the IP address of your AS400)

f. Log in:

[pic]

g. Enter your AS/400 id and password and press “OK”

[pic]

h. From the main tasks page, select “Digital Certificate Manager”

i. Then press the “Select a Certificate Store” button

[pic]

j. To assign a certificate to an application id, you must select the “*SYSTEM” store, and press “Continue”

NOTE: if the *SYSTEM store doesn’t exist, you can create it by selecting the “Create New Certificate Store” link on the left)

k. Enter the password and press “Continue”

[pic]

l. Now, click on the “Manage Certificates” link

[pic]

m. Select “Import Certificate” and press “Continue”

[pic]

n. Select “Certificate Authority (CA) and press “Continue”

[pic]

o. Enter the location of the new PKI Services Root CA2 certificate and press “Continue”

[pic]

p. Enter a label for the certificate e.g. “PKI Services Root CA2 Certificate 2011” and press “Continue”

[pic]

q. The PKI Services Root CA2 is now imported

[pic]

r. Click on the “Import certificate” link on the left

s. Select “Server or client” and press “Continue”

t. Enter the name of the PKCS#12 client file that you ftpd to your AS/400 and press “Continue”

(Note: “Include all certificates in the certificate path if possible” should not have been selected when you exported your certificate from Internet Explorer)

[pic]

u. Enter the PKCS#12 file’s password and press “Continue”

[pic]

v. No need to press “OK”. The certificate is now imported.

w. Now, click on the “Manage Applications” link (we have done a ‘Collapse All’ to keep the screen tidy)

[pic]

x. Now, select the “Update certificate assignment” link

[pic]

y. Now, select “Client” and press “Continue”

[pic]

z. Select the radio button of your existing Application and press “Update Certificate Assignment”.

[pic]

aa. Select the certificate you just imported. Notice that the Certificate Name may or may not be useful. The “Common name” should be recognizable though.

ab. Press “Assign New Certificate”

[pic]

ac. Now, click on the “Define CA trust list” link (in “Manage Applications” pull down)

[pic]

ad. Now, select “Client” and press “Continue”

[pic]

ae. Select your application.

af. Press “Define CA Trust List”

[pic]

ag. Select the PKI Services Root CA2 Certificate 2011 and press “OK”. You should get a message on the screen saying “Certificate Authority (CA) changes applied.”.

ah. The certificate configuration is now complete.

ai. You should be able to use your existing job with the application id you just update.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download