IBM Support

DDM / DRDA SSL connectivity

Question & Answer


Question

How to set up DDM/DRDA SSL connectivity between two IBM i systems

Answer

Client/server role definitions:
"Client" - The IBM i system that initiates the connection, usually the system where CRTDDMF is run. Commonly referred to as the DDM "source" or, in DRDA terms, the Application Requester (AR).

"Server" - The remote IBM i system that the DDM file references. Commonly referred to as the DDM "target" or, in DRDA terms, the Application Server (AS).

The IBM i Digital Certificate Manager needs to be accessed on both the Client and Server systems.
The direct URL for IBM i Digital Certificate Manager is:

http://<system_name or IP address>:2006/dcm

NOTE: These instructions assume no previous SSL connectivity is configured and established between the client and server (secure telnet, for example).

Configuration checklist:

Server-side (using DCM):

__ Ensure a CA certificate exists on Server system. If not, create one.
__ Ensure a server certificate signed by the CA exists. If not, create one.
__ Assign the server certificate to the DRDA/DDM server ("QIBM_OS400_QRW_SVR_DDM_DRDA").
__ Ensure the DRDA SSL daemon is listening on port 448 using NETSTAT *CNN. This requires a restart of the *DDM TCP server.
__ Export the CA on the Server (usually as a ".cer" file), and copy to the Client system.

Client-side:

__ On the Client system, import the CA into *SYSTEM certificate store using DCM.


__ Create new RDB directory entry on Client pointing to Server, specifying port 448 and *ssl. For example:

ADDRDBDIRE RDB(RMTDBSSL) RMTLOCNAME(remoteDB.xyz.com *IP) PORT(448) SECCNN(*SSL)

The target (server) system must have an RDB directory entry (or alias) named "RMTDBSSL".

__ CRTDDMF on the Client, specifying RMTLOCNAME(*RDB) and the RDB directory entry created in the previous step. For example:

CRTDDMF FILE(TESTSSL) RMTFILE(QIWS/QCUSTCDT) RMTLOCNAME(*RDB) RDB(RMTDBSSL)


__ To test, execute:

DSPPFM TESTSSL
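As an added check that is not part of the IBM document, the following Python script (standard library only) exercises the trust relationship the checklist sets up from the client side: it loads the CA exported from the server's DCM (either a base64/PEM or a binary DER ".cer"), completes a TLS handshake with the DRDA listener on port 448, requires the server certificate to chain to that CA, and reports the negotiated protocol, the cipher, the certificate subject and issuer, and the days left before expiry. If the CA is not supplied, the operating system's trust store is used instead, which is the situation of a client that skipped the import step. The host name, the CA file path and the hostname-matching policy are assumptions for this example; whether the IBM i client itself matches the certificate name against RMTLOCNAME is not stated on the page, so the script lets you turn that check off.

```python
"""Added verification script (not part of the IBM document): confirm that
the DRDA/DDM SSL listener on port 448 presents a certificate that chains to
the CA exported from the server's DCM, using only the Python standard library.

Assumed placeholders (not on the page): the host name, the CA file path and
the check_hostname policy.
"""
import socket
import ssl
import sys
import time
from typing import Optional

DRDA_SSL_PORT = 448  # same port as ADDRDBDIRE ... PORT(448) SECCNN(*SSL)


def ca_format(data: bytes) -> str:
    """Classify a DCM certificate export as base64 ('PEM') or binary ('DER')."""
    return "PEM" if data.lstrip().startswith(b"-----BEGIN") else "DER"


def build_context(ca_bytes: Optional[bytes], check_hostname: bool = True) -> ssl.SSLContext:
    """Client context that requires a verified server certificate.

    With ca_bytes given, only the exported DCM CA is trusted, which mirrors the
    client-side step of importing that CA into the *SYSTEM store. With None,
    the operating system trust store is used instead, so a certificate issued
    by a DCM-local CA will (correctly) fail verification.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bytes is None:
        ctx.load_default_certs()
    elif ca_format(ca_bytes) == "PEM":
        ctx.load_verify_locations(cadata=ca_bytes.decode("ascii"))
    else:
        ctx.load_verify_locations(cadata=ca_bytes)  # DER is accepted only as bytes
    return ctx


def cert_time(not_after: str) -> float:
    """Seconds since the epoch for a getpeercert() 'notAfter' string."""
    return float(ssl.cert_time_to_seconds(not_after))


def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """Whole days left on the certificate; negative once it has expired."""
    now = time.time() if now is None else now
    return int((cert_time(not_after) - now) // 86400)


def probe_drda_ssl(host: str, ca_bytes: Optional[bytes], port: int = DRDA_SSL_PORT,
                   timeout: float = 10.0, check_hostname: bool = True) -> dict:
    """Complete a TLS handshake with the DRDA listener and report what it showed.

    Raises ssl.SSLCertVerificationError when the server certificate does not
    chain to the supplied CA, and OSError/ssl.SSLError when port 448 is not
    listening or does not speak TLS (check NETSTAT *CNN on the server).
    """
    ctx = build_context(ca_bytes, check_hostname)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # populated only after successful verification
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
                "days_left": days_until_expiry(cert["notAfter"]),
            }


if __name__ == "__main__":
    # Usage: python drda_ssl_check.py remoteDB.xyz.com /path/to/exported_ca.cer
    target = sys.argv[1] if len(sys.argv) > 1 else "remoteDB.xyz.com"  # placeholder host
    ca = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else None
    try:
        for key, value in probe_drda_ssl(target, ca).items():
            print(f"{key:>10}: {value}")
    except ssl.SSLCertVerificationError as exc:
        print(f"verification failed: {exc.verify_message} "
              f"(import the server's CA on the client before testing DSPPFM)")
        sys.exit(1)
```

Run it once with the exported CA and once without: the first run should succeed and show an issuer matching the CA created in DCM on the server, while the second should fail verification, which is the same trust gap that makes the DDM file unusable when the client-side import step is skipped. The days-left value is worth recording, because an expired server certificate breaks the DDM connection in the same way.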

Special case:  Connecting to the local system that uses SSL

Admittedly, this case does not make a lot of sense. When you connect to the local system, no data ever leaves the TCP/IP stack; nothing is ever transmitted onto the network, so encryption is not necessary. However, if this setup is wanted, it must be done by creating an alias for the local database. The local database directory entry is simply a name; you cannot define the type of connection to the local system using the *LOCAL location, so it must be done using an alias. For example:

ADDRDBDIRE RDB(LOCALRDBNAME LOCALSSL) RMTLOCNAME(*LOOPBACK) PORT(448) SECCNN(*SSL) TEXT('SSL CONNECTION TO LOCAL DB')


Document Information

Modified date:
20 May 2024

UID

nas8N1020710