Configuring SSL on DB2 for i

To configure a System i host system to use the Secure Sockets Layer (SSL) protocol, you must have the following components:

Following are general procedures for configuring SSL on the IBM i host. Refer to your IBM documentation for details, especially the IBM i product documentation and the IBM Redbook IBM iSeries Wired Network Security OS/400 V5R1 DCM and Cryptography Enhancements (GSG24-6168).

  1. Start the Admin HTTP instance. To verify that it is running, enter WRKACTJOB JOB(ADMIN). If it is not running, start it with STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN).

  2. Use a browser and the URL https://myas400:2001 to connect to the Digital Certificate Manager. On i 6.1 and later, this URL will redirect you to IBM Navigator for i, running on port 2005; from there, select IBM i Tasks Page to see the previous version of the 2001 port tasks, which includes the Digital Certificate Manager.

  3. Create a local Certificate Authority or obtain a certificate from a public Internet Certificate Authority.

  4. Create a *SYSTEM certificate store.

  5. Use “Manage Applications” to assign a server certificate to the OS/400 DDM/DRDA server.

  6. After you assign the certificate, restart the DDM/DRDA server:

       ENDTCPSVR *DDM

       STRTCPSVR *DDM

  7. If necessary, set the port on which the DDM/DRDA server listens for SSL conversations. Use WRKSRVTBLE to view and modify service table entries; the entry for SSL is ddm-ssl, and the default value is 448.
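A client-side check for the result of the procedure above, as an added example that is not part of the IBM documentation: it completes a handshake with the ddm-ssl port and reports the certificate the DDM/DRDA server presents, failing if the chain or host name does not verify. The function names, the script name, and the CA file (assumed to be the issuing CA's certificate in PEM form) are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

DDM_SSL_PORT = 448  # default ddm-ssl service table value given on this page


def _rdns_to_dict(rdns):
    """Flatten the nested RDN tuples used by getpeercert() into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def summarize_cert(cert, now=None):
    """Reduce the dict from SSLSocket.getpeercert() to the fields worth checking."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "subject_cn": _rdns_to_dict(cert.get("subject", ())).get("commonName"),
        "issuer_cn": _rdns_to_dict(cert.get("issuer", ())).get("commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": (expires - now).days,  # negative once the certificate expired
    }


def probe_ddm_ssl(host, ca_file, port=DDM_SSL_PORT, timeout=10):
    """Handshake with the DDM/DRDA SSL port, verifying chain and host name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trusts only the given CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = summarize_cert(tls.getpeercert())
            info["protocol"] = tls.version()
            info["cipher"] = tls.cipher()[0]
            return info


if __name__ == "__main__":
    import sys
    # Assumed usage: python check_ddm_ssl.py myas400 local_ca.pem
    try:
        print(probe_ddm_ssl(sys.argv[1], sys.argv[2]))
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"certificate rejected: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        sys.exit(f"no TLS service reachable: {exc}")
```

If you changed the ddm-ssl service table entry, pass that value as `port` instead of relying on the default.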