Creating the system security certificate store for digital certificates

Operating PowerHA using CSM requires HTTPS and signed digital certificates that reside in a local *SYSTEM security store.

Before you begin

For this example, it is assumed that 5770SS1 Option 34, Digital Certificate Manager (DCM), is installed on the system. For information about setting up DCM, see the security section topics Planning for DCM, Configuring DCM, and Creating and operating a local CA.

About this task

The communication used with the CSM storage controller takes place using HTTPS, which in most situations requires a digital certificate. Those nodes in the cluster using HTTPS require the *SYSTEM certificate store to manage the digital certificates.

To determine if the *SYSTEM security store has been created on a system, check for the file with the Display Object Links (DSPLNK) command.

DSPLNK OBJ('/QIBM/USERDATA/ICSS/CERT/SERVER/DEFAULT.KDB')

This command returns the file if the system certificate store exists on the system. If a CPFA0A9 message is returned instead, the certificate store needs to be created.

Procedure

To configure the server to use digital certificates, create a certificate store using the following steps:

  1. In a web browser, enter http://mysystem:2001, where mysystem is the host name of the system. This opens the IBM Navigator for i.

  2. Select Internet Configurations from the left panel menu.

  3. On the Internet Configurations page, click Digital Certificate Manager. You need to enter your user profile and password.

  4. In the Digital Certificate Manager page, click Create New Certificate Store.

  5. In the page that appears, you should have an option for *SYSTEM. Make sure that the button is selected and click Continue.

Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this node and these steps have already been performed.

  6. Select No - Do not create a certificate in the certificate store.

  7. Create a password for the *SYSTEM store and click Continue.

Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Results

The *SYSTEM certificate store is created on the node.

What to do next

Check each cluster node that needs access to the CSM to verify that it has a system certificate store. Repeat these steps to create a system certificate store on any cluster node without one. After the certificate stores are in place, you can import copies of your digital certificates to the system.

As an alternative to importing digital certificates, consider setting a PowerHA policy to manage communications throughout the cluster. To learn about PowerHA policies, read Planning for PowerHA policies. For information on implementing and managing PowerHA policies, consult the Managing PowerHA policies section.
