Creating the key database file

The first step to enable SSL and TLS for LDAP is to create the key database file.

The LDAP server must be configured for SSL and TLS by using the Server Authentication method only. The Server and Client Authentication method is not supported.

To create the key database file, use the IBM GSKit tool gsk8capicmd_64, which is in the <GSKit_install_dir>/bin/ directory. If the computer is a Db2 server, make sure that you use the same GSKit tools as Db2; for more information, see Using the GSKit tools.

Creating a server-side certificate

To create a server-side certificate, complete the following steps:

  1. Go to the /usr/local/ibm/gsk8_64/bin directory, and then run this command:
    gsk8capicmd_64 -keydb -create -db serverkey.kdb -pw mypassword -stash serverkey.kdb
  2. Add the serverkey.kdb file to the LDAP server for certificate verification.
  3. Create a certificate for serverkey.kdb:
    gsk8capicmd_64 -cert -create -db serverkey.kdb -pw mypassword -label serverlabel -dn "cn=hostname,o=ibm.com" -expire 7300 -ca true -sigalg SHA256_WITH_RSA -size 2048

    Replace hostname with the host name of the LDAP server computer (the name that clients will connect to, not its IP address).

  4. Export the certificate file:
    gsk8capicmd_64 -cert -extract -db serverkey.kdb -pw mypassword -label serverlabel -target server.der -format binary

Adding the certificate file to the library server

You must send the certificate to the Content Manager Enterprise Edition Library server, and then add it to the cacerts of the Java runtime.

  1. Generate the client certificate library (clientkey.kdb):
    gsk8capicmd_64 -keydb -create -db clientkey.kdb -pw mypassword
  2. Import the server-side certificate:
    gsk8capicmd_64 -cert -add -db clientkey.kdb -pw mypassword -label serverlabel -file server.der -format binary
  3. Check the certificate:
    gsk8capicmd_64 -cert -list all -db clientkey.kdb -pw mypassword -type cms
  4. Copy the clientkey.kdb file to the directory that is specified by the IBMCMROOT/CMGMT environment variable on the library server computer.

Next, see Configuring the system administration client for SSL and TLS communication.