Configuring SSL on Db2 for i

To configure a System i host system to use the Secure Sockets Layer (SSL) protocol, you must have the following components:

The following are general procedures for configuring SSL on the IBM i host. Refer to your IBM documentation for details, especially the IBM i product documentation and the IBM Redbook IBM iSeries Wired Network Security OS/400 V5R1 DCM and Cryptography Enhancements (GSG24-6168).

  1. Start the Admin HTTP instance. To verify that it is running, enter WRKACTJOB JOB(ADMIN). If it is not running, start it with STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN).

  2. Use a browser and the URL https://myas400:2001 to connect to the Digital Certificate Manager. On i 6.1 and later, this URL will redirect you to IBM Navigator for i, running on port 2005; from there, select IBM i Tasks Page to see the previous version of the 2001 port tasks, which includes the Digital Certificate Manager.

  3. Create a local Certificate Authority or obtain a certificate from a public Internet Certificate Authority.

  4. Create a *SYSTEM certificate store.

  5. Use “Manage Applications” to assign a server certificate to the OS/400 DDM/DRDA server and to the iAccess/JTB host servers (Central Server, Database Server, Data Queue Server, Remote Command Server, Signon Server, Host Servers, File Server).

  6. If you are using a local Certificate Authority, select Install Local CA Certificate on Your PC from the left column of tasks. You may need to return to the main IBM Navigator for i page and re-enter DCM before Install Local CA Certificate on Your PC is visible.

  7. Select Copy and paste certificate; this will display the CA certificate in Base64-encoded ASCII data format. Select the contents of the certificate (all of the text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----) and save it in a text file, to be pasted into the SQDR Control Center's Certificate Manager, as described in Configuring SSL to Db2 for i Source.