The Advanced node failure detection function can reduce the number of failure scenarios that result in cluster partitions.
...
Create a *SYSTEM certificate store to hold the digital certificates
To create the *SYSTEM certificate store, use the following steps:
Expand |
---|
title | Creating the *SYSTEM certificate store |
---|
|
ProcedureIn a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i. Log in with an IBM i profile with sufficient authority. Click on Create Certificate Store on the left-hand navigation menu On the right-hand side of the page select *SYSTEM. Image Added
Info |
---|
Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed. |
Create a password for the *SYSTEM store and click Create.
Info |
---|
Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts. |
ResultThe *SYSTEM certificate store is created on the node. |
Open the IBM Navigator for i and click Internet Configurations.
On the Internet Configurations page, click Digital Certificate Manager. You need to enter your user profile and password.
In the Digital Certificate Manager page, click Create New Certificate Store.
In the page that appears, you should have an option for *SYSTEM. Make sure that the button is selected and click Continue. If the *SYSTEM option is not there, you already have a *SYSTEM store created. Skip forward to: Select the *SYSTEM certificate store below.
Select No - Do not create a certificate in the certificate store.
Create a password for the *SYSTEM store and click Continue. The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many retries. You have successfully created the *SYSTEM store.
...
Expand |
---|
title | Importing Self-Signed Certificates into the System Certificate Store |
---|
|
Begin by extracting the digital certificates for the HMC and copying them to the IBM® i system in the cluster node with these steps: Sign on your IBM i system and open the command line display. In the command line display, enter CALL QP2TERM to enter the PASE shell environment. Retrieve the digital certificates from the HMC with this command: Code Block |
---|
openssl s_client -showcerts -connect HMC_name:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | awk '/-BEGIN CERTIFICATE-/{a++}{print > "HMC_name"a".pem"}' |
Replace HMC_name with the name of your system's HMC. This copies the certificates into files named HMC_name1.pem … HMC_nameN.pem, where N is the number of certificates copied from your system's HMC. Press F3 to exit the QP2TERM environment. Run the following command for each of certificate file to convert the CCSID to 819 (ASCII) Code Block |
---|
CHGATR OBJ('HMC_nameX.pem') ATR(*CCSID) VALUE(819). |
Select the *SYSTEM certificate store in Digital Certificate ManagerOpen the IBM Navigator for i and click Internet Configurations. On the Internet Configurations page, click Digital Certificate Manager. You need to enter your user profile and password. Click Select a Certificate Store and select the *SYSTEM option, click continue. Sign in with the password for the certificate store and click Continue, then Manage Certificates.
Import the HMC certificates into the *SYSTEM certificate store.Select Import certificate and click Continue. If your HMC has only one certificate, perform these steps for that certificate. If your HMC has multiple certificates, perform these steps for each certificate except the first certificate (HMC_name1.pem), starting with the last certificate and moving backwards through the list of certificates. For example, if there are three certificates: HMC_name1.pem, HMC_name2.pem, and HMC_name3.pem, perform these steps for HMC_name3.pem first, then for HMC_name2.pem. Select Certificate Authority (CA) and click Continue. Enter the path name of the certificate you want to import. For example, the path and file name may be /HMC_name1.pem . Click Continue.
|
Importing a Trusted Certificate into the System Certificate Store
To import a trusted certificate, follow the instructions in the IBM Documentation for Digital Certificate Manager.
Results
The selected security certificate is imported into the certificate store.
...