Create a TLS-SSL DCM Application

Published: 2024-05-15

An SSL Application in the IBM i DCM is used to assign certificates, specify cyphers and encryption algorithms. These settings are then used by the HTTP server when negotiating the SSL tunnel with a remote SSL server or client for a request. 

Create the SSL Application

To begin, verify that the *ADMIN HTTP server job is running with the following command:

WRKSBSJOB SBS(QHTTPSVR)

If you don’t see *ADMIN in the list, please run the following command to start it:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

After you’ve ensured that the *ADMIN server is running, open a web browser (Microsoft Edge or Chrome is recommended), and go to http://[youribmiserver]:2001/HTTPAdmin - you should see a login page as seen below:

from the landing page elect (if not already selected) the "related links tab" which will bring up the page below:

Now, click the “Digital Certificate Manager” link. You may be prompted to log in again - if you are, enter your IBM i username and password. It is recommended to log into the Digital Certificate Manager on a profile with elevated authority.

After you are logged in, click on the “Select a Certificate Store” button in the far left of the page. Then, select the *SYSTEM store and press the “Continue” button. If you do not see *SYSTEM, you will need to go set up SSL on your IBM i.

It will then prompt you for your *SYSTEM store password. Enter your password and select the “Continue” button. Note: If you do not remember the password, you can simply select “Reset Password” - you will be allowed to reset the password without knowing the previous password.

Next, select “Manage Applications” on the left, and then select "Add Application" and the continue button:

Then select "Server" and the continue button:

Now add a suitable name for the application and select Application description and provide an applicable one (Kindly consult your networking/infrastructure staff for an appropriate name):

Scroll down to "SSL protocols" and select the appropriate protocols and versions. (Kindly consult your networking/infrastructure staff for which to select):

Scroll down to "SSL cipher specification options" and select "Define cipher specification list:" and leave default sort order(Kindly consult your networking/infrastructure staff for which to select):

Scroll down to "Define CA Trust list:" and select "Yes":

Scroll down to "SSL Signature Algorithms" and select "Define signature algorithms supported:"(Kindly consult your networking/infrastructure staff for which to select) :

Finally elect the "Add" button. The following screen should appear:

Update Certificate Assignment

Next a certificate from the system store must be allocated to the Application you have created above.

from the "Manage Applications" menu on the left, select "Update Certificate Assignment". from the screen that appears select "Server" and the continue button

from the next screen that appears, select the server application created above, and the "Update Certificate Assignment" button:

from the next screen below, select an appropriate certificate and the "Update certificate Assignment" button. This assumes you have already Setup SSL on your IBM i:

From here you should receive this message:

Define CA Trust List (optional)

This step is optional. Kindly consult your networking/infrastructure staff for which to select.

Start by selecting "Define CA Trust List" from the "Manage Applications" menu on the left:

from the window that appears, select "Server" and the "Continue" button:

Now select the recently created application, and the "Define CA Trust list" button:

From the list that appears select the CA certificates recently imported (the Entrust ones for example from ServiceNow):

The following validation message should appear:

SSL for a client/consumer on IBM i is now complete.