Installing the CA certificate on an iSeries system

After transferring the certificate from IBM® Security Identity Manager, you must install it on each of the target iSeries servers.

About this task

Perform these steps to install the CA certificate:

Procedure

  1. Open the web browser to http://iSerieshostname:2001.
    iSerieshostname is the host name of the iSeries server.
  2. Enter your iSeries server user name and password, and click OK.
  3. On the iSeries Tasks window, select Digital Certificate Manager.
  4. On the Digital Certificate Manager window, select Create a Certificate Authority (CA).
  5. Type the information in the required fields.
    Note: The Certificate Authority (CA) name describes the name of the iSeries system.
  6. Click Continue.
  7. On the Install Local CA Certificate pane, click Continue.
    The local certificate does not need to be installed.
  8. On the Certificate Authority (CA) Policy Data pane, accept the default settings and click Continue.
    On the Policy Data Accepted pane, the message "The policy data for the Certificate Authority (CA) was accepted." is displayed.
  9. Click Continue to create the default server certificate store, *SYSTEM, and a server certificate signed by your CA.
    If *SYSTEM exists, the certificate store is not created.
  10. On the next Digital Certificate Manager window, type in the information for the required fields.
    Note: Specify a different name in the Certificate label field for the certificate store database, *SYSTEM. The fields in the Subject Alternative Name section can be left blank.
  11. Click Continue.
    On the next Digital Certificate Manager window, a list of applications and certificates is displayed.
  12. Click Select All, then click Continue.
    On the Application Status pane, the message "The applications you selected will use this certificate." is displayed.
  13. Click Cancel.
    The creation of a signing certificate is optional.
  14. On the Select a Certificate Store pane, select *SYSTEM and click Continue.
  15. On the Certificate Store and Password pane, type the password for the *SYSTEM Certificate Store database and click Continue.
  16. If not already extracted, extract the CA certificate from the IBM Security Identity Manager system and copy the file to the iSeries system.
  17. On the next Digital Certificate Manager window in the Fast Path menu, click Work with CA Certificates.
    A list of certificates is displayed.
  18. Click Import.
  19. On the Import Certificate Authority (CA) Certificate pane, specify the path and the file name on the iSeries system of the certificate that you extracted from IBM Security Identity Manager. Specify the path in the Import file: field.
    For example, type: /qibm/userdata/psdserver.der. The value of psdserver.der is the name of the certificate you extracted from the IBM Security Identity Manager system.
  20. Click Continue.
  21. On the Import Certificate Authority (CA) Certificate pane, type a label name in the CA certificate label: field.
    For example, type IBM Security Identity Manager. Then click Continue.
  22. In the Fast Path menu, select Work with Client applications and click Continue.
  23. On the Applications registered to use certificates: pane, click Add Application.
  24. On the next Digital Certificate Manager window in the Application: ID field, type TIVOLI_PWD_SYNCH.
    1. Select Application description: and type a description.
      For example, Password Sync Exit Handler.
    2. Click Add.
    On the Work with Client Applications pane, the message "The application has been added." is displayed.
  25. Select Password Sync Exit Handler (the description you gave the application) and click Work with application.
  26. On the next Digital Certificate Manager window, click Update Certificate Assignment.
  27. On the next Digital Certificate Manager window, select the certificate you created from the list and click Assign New Certificate.
    In the Update Certificate Assignment pane, the message "The certificate was assigned to the application." is displayed.
  28. In the Fast Path pane, click Work with CA certificates. Verify that IBM Security Identity Manager server is listed as enabled in the Certificate Authority (CA) list.
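
The file copied in step 16 becomes a trusted CA once it is imported in steps 18 to 21, so it is worth checking before the import. The following script is an added example, not part of the IBM procedure. It assumes that OpenSSL is available on the workstation used for the transfer and that the SHA-256 fingerprint was recorded on the IBM Security Identity Manager system when the certificate was extracted; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import check for the extracted CA certificate (not IBM code).
# Usage: sh check_ca.sh psdserver.der <sha256-fingerprint-recorded-at-export>
# Assumption: the expected fingerprint was noted on the IBM Security Identity
# Manager system at extraction time and reached the operator out of band.

# Normalize a fingerprint: drop colons and spaces, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint of a DER certificate as bare upper-case hex.
# Fails if the file does not parse as a DER-encoded X.509 certificate.
der_fingerprint() {
    fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    normalize_fp "${fp#*=}"
}

# Return 0 only if the file is a DER X.509 certificate, has not expired,
# and matches the expected fingerprint. Return codes: 1 parse, 2 expired, 3 mismatch.
verify_ca_der() {
    file=$1
    expected=$(normalize_fp "$2")

    actual=$(der_fingerprint "$file") || {
        echo "FAIL: $file is not a DER-encoded X.509 certificate" >&2
        return 1
    }
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -inform DER -in "$file" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate has expired" >&2
        return 2
    }
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: fingerprint mismatch (file has $actual)" >&2
        return 3
    fi
    # Show what is about to become a trusted CA so the operator can review it.
    openssl x509 -inform DER -in "$file" -noout -subject -issuer -enddate
    echo "OK: fingerprint matches the value recorded at export"
}

# Run the check when the script is called with a file and a fingerprint.
if [ "$#" -eq 2 ]; then
    verify_ca_der "$1" "$2"
fi
```

Run the check again on the copy that lands on the iSeries system (for example /qibm/userdata/psdserver.der) if the file passed through any intermediate host.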