Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »

To operate PowerHA using CSM requires HTTPS and signed, digital certificates residing in a local *SYSTEM security store

Before you begin

For this example, it is assumed that 1.5770SS1 Option 34 Digital Certificate Manager is installed on the system. For information about setting up DCM see the security section topics,Planning for DCMConfiguring DCM, and Creating and operating a local CA.

About this task

The communication used with the CSM storage controller takes place using HTTPS, which in most situations requires a digital certificate. Those nodes in the cluster using HTTPS require the *SYSTEM certificate store to manage the digital certificates.

To determine if the *SYSTEM security store has been created on a system, check for the file with the Display Object Links (DSPLNK) command.

DSPLNK OBJ('/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB')

This command will return the file if the system certificate store exists on the system. If a CPFA0A9 message returns, then the certificate store needs to be created.

Procedure

To configure the server to use digital certificates, create a certificate store using the following steps:

  1. In a web browser, enter http://mysystem:2001, where mysystem is the host name of the system. This opens the IBM Navigator for i.
  2. Select Internet Configurations from the left panel menu.
  3. On the Internet Configurations page, click Digital Certificate Manager. You need to enter your user profile and password.
  4. In the Digital Certificate Manager page, click Create New Certificate Store.
  5. In the page that appears, you should have an option for *SYSTEM. Make sure that the button is selected and click Continue.

Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this node and these steps have already been performed.

  1. Select No - Do not create a certificate in the certificate store.
  2. Create a password for the *SYSTEM store and click Continue.

Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Results

The *SYSTEM certificate store is created on the node.

What to do next

Check each cluster node that needs access to the CSM to verify that they have a system certificate store created. Repeat these steps to create a system certificate store on any cluster nodes without one. After the certificate stores are in place, you can import copies of your digital certificates to the system.

As an alternative option to importing digital certificates, consider setting a PowerHA policy to manage communications throughout the cluster. To learn about PowerHA policies read Planning for PowerHA policies, and for information on implementing and managing PowerHA policies consult the Managing PowerHA policies section.

  • No labels