Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The Advanced node failure detection function can reduce the number of failure scenarios that result in cluster partitions.

...

Create a *SYSTEM certificate store to hold the digital certificates

To create the *SYSTEM certificate store, use the following steps:

Expand
titleCreating the *SYSTEM certificate store
Procedure
  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. Click on Create Certificate Store on the left-hand navigation menu

  4. On the right-hand side of the page select *SYSTEM.

    Image Added
Info

Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed.

  1. Create a password for the *SYSTEM store and click Create.

Info

Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Result

The *SYSTEM certificate store is created on the node.

  1. Open the IBM Navigator for i and click Internet Configurations.

  2. On the Internet Configurations page, click Digital Certificate Manager. You need to enter your user profile and password.

  3. In the Digital Certificate Manager page, click Create New Certificate Store.

  4. In the page that appears, you should have an option for *SYSTEM. Make sure that the button is selected and click Continue. If the *SYSTEM option is not there, you already have a *SYSTEM store created. Skip forward to: Select the *SYSTEM certificate store below.

  5. Select No - Do not create a certificate in the certificate store.

  6. Create a password for the *SYSTEM store and click Continue. The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many retries. You have successfully created the *SYSTEM store.

...

Expand
titleImporting Self-Signed Certificates into the System Certificate Store

Extract the self-signed certificates to the IBM i

Begin by extracting the digital certificates for the HMC and copying them to the IBM® i system in the cluster node with these steps:

  1. Sign on your IBM i system and open the command line display.

  2. In the command line display, enter CALL QP2TERM to enter the PASE shell environment.

  3. Retrieve the digital certificates from the HMC with this command:

    Code Block
    openssl s_client -showcerts -connect HMC_name:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | awk '/-BEGIN CERTIFICATE-/{a++}{print > "HMC_name"a".pem"}'

    Replace HMC_name with the name of your system's HMC. This copies the certificates into files named HMC_name1.pem … HMC_nameN.pem, where N is the number of certificates copied from your system's HMC.

  4. Press F3 to exit the QP2TERM environment.

  5. Run the following command for each of certificate file to convert the CCSID to 819 (ASCII)

    Code Block
    CHGATR OBJ('HMC_nameX.pem') ATR(*CCSID) VALUE(819).

Select the *SYSTEM certificate store in Digital Certificate Manager

  1. Open the IBM Navigator for i and click Internet Configurations.

  2. On the Internet Configurations page, click Digital Certificate Manager. You need to enter your user profile and password.

  3. Click Select a Certificate Store and select the *SYSTEM option, click continue.

  4. Sign in with the password for the certificate store and click Continue, then Manage Certificates.

Import the HMC certificates into the *SYSTEM certificate store.

  1. Select Import certificate and click Continue. If your HMC has only one certificate, perform these steps for that certificate. If your HMC has multiple certificates, perform these steps for each certificate except the first certificate (HMC_name1.pem), starting with the last certificate and moving backwards through the list of certificates. For example, if there are three certificates: HMC_name1.pem, HMC_name2.pem, and HMC_name3.pem, perform these steps for HMC_name3.pem first, then for HMC_name2.pem.

  2. Select Certificate Authority (CA) and click Continue.

  3. Enter the path name of the certificate you want to import. For example, the path and file name may be /HMC_name1.pem. Click Continue.

Importing a Trusted Certificate into the System Certificate Store

To import a trusted certificate, follow the instructions in the IBM Documentation for Digital Certificate Manager.

Results

The selected security certificate is imported into the certificate store.

...