How to renew or create/assign a new digital certificate in DCM
Last Post 10 Feb 2010 09:05 PM by J Taylor. 13 Replies.
Robert Clay
Veteran Member
Posts:915
02 Dec 2009 08:08 PM
I apologize in advance if this is the wrong forum but it seemed like the best place to put it. Moderators: feel free to move it as you see fit. It's that time of year when we must "renew our digital certificate". Since this is a once a year thing I have a few notes; however, the past two years I've had to open a PMR with IBM because it just didn't work. Typical of IBM, they closed the PMRs with no list of steps to follow, just a comment along the lines of, "talked to user; fixed the problem". Therefore, I have very little to go on. The issue is that this is a V5R3 LPAR and is therefore no longer supported by IBM so I cannot open a PMR this year. The certificate expires 2009-12-17 11:56:34. I know which "application" I need to assign it to (one of our HTTP servers). Here is what I have so far:

1. Start the ADMIN HTTP server and sign in as QSECOFR.
2. Select Digital Certificate Manager and allow it to completely start.
3. In the left-hand frame, click Select a Certificate Store.
4. Select *SYSTEM and click Continue.
5. Enter the password and click Continue.
6. In the left-hand frame, expand Manage Certificates.
7. To verify that the current certificate has expired (or nearly expired), select View Certificate.
8. Select 'Server or client - View a server or client certificate.' and click Continue.
9. The current certificate will already be selected (using the radio button). Click View.
10. Check the values in the Validity Period cell. If it is expired or nearly expired, renew it.
11. In the left-hand frame, select Renew certificate.
12. The current certificate will already be selected (using the radio button). Click Renew.
13. 'Local Certificate Authority (CA)' will already be selected (using the radio button). Click Continue.
14. Give the certificate a new name. Click Continue.

At this point, it gets fuzzy. I think that I have a new certificate at this point but I'm afraid to "test" any further so I'm unsure. If I do have a new certificate, I need to assign it to the "application". What is next?
Any assistance is greatly appreciated, Robert
"Contrariwise, if it was so, it might be; and if it were so, it would be; but as it isn't, it ain't. That's logic."--Tweedledee
Scott Klement
Editorial Staff Member
Posts:16399
02 Dec 2009 08:50 PM
You're correct, it's not actually possible to "renew" an existing certificate. The renew option actually generates a new certificate with the same parameters as the old certificate (except, of course, for the validity period). After you've generated the new certificate, you need to assign it to the applications. Personally, I look for applications that used the old certificate (the one that's expiring) and I change them all to the new one. To me, this is easier than trying to remember which applications to assign it to. (Plus, if any new applications have been added since the certs were last renewed, I'll catch those as well.) I don't think you have to do anything else after that. There's a section on renewing certificates in the Information Center if that's helpful: http://publib.boulder.ibm.com/infoc...ficate.htm
Robert Clay
Veteran Member
Posts:915
03 Dec 2009 04:18 PM
Thanks for the insight, Scott. One more quick question: I can't tell whether this will require stopping/restarting the HTTP server. If so, I need to schedule it for a low-activity time. Do you know if the HTTP server needs to be bounced after the new certificate is applied? Thanks, Robert
Bryan Leaman
Veteran Member
Posts:1745
03 Dec 2009 10:06 PM
I just updated my certs in November, and forgot to restart one of my HTTP servers -- it gave the expired cert. So, yes, you need to restart the HTTP servers. --Bryan
Robert Clay
Veteran Member
Posts:915
04 Dec 2009 01:34 PM
Thanks, Bryan. Curiously, on V5R3, I didn't have to bounce the HTTP server. It applied the new certificate immediately. Weird. Robert
Scott Klement
Editorial Staff Member
Posts:16399
04 Dec 2009 06:36 PM
I was told that I didn't have to restart my servers. However, I think there are still bugs in that support. We don't use certs with the HTTP server, but we use them heavily with the telnet server. Years ago I had a lot of problems with having to restart stuff, both the telnet server and even the DCM. Since then it's been my policy to check for the certs expiring in advance (I have a job on the job scheduler that tells me if the certs will expire in 7 days). If they are going to expire, I renew them on Saturday evening. We IPL every Saturday night, so everything is restarted. Since I've been doing it that way for a long time, I have no clue whether you still have to restart or not :)
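A scheduled check like the one Scott describes needs only the certificate's Validity period. The Python below is an added example, not code from this thread or from IBM's DCM: it decodes an X.509 Validity SEQUENCE from DER bytes (the samples are constructed, not real certificates; on a live system you would feed it the Validity taken from the certificate's DER) and classifies it as expired, expiring within a warning window, or ok, handling both UTCTime and GeneralizedTime per RFC 5280.

```python
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_time(tag, value):
    """Decode ASN.1 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTC_TIME:
        # RFC 5280 4.1.2.5.1: two-digit years 50-99 mean 19xx, 00-49 mean 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != GENERALIZED_TIME:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_validity(der):
    """Parse DER Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    tag1, val1, nxt = _read_tlv(body, 0)
    tag2, val2, _ = _read_tlv(body, nxt)
    return _decode_time(tag1, val1), _decode_time(tag2, val2)


def expiry_status(der, now, warn_days=7):
    """Return 'expired', 'expiring' (within warn_days) or 'ok' for the validity."""
    _, not_after = parse_validity(der)
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "ok"


# Constructed samples (not real certificates): notBefore 2008-12-17 11:56:34Z,
# notAfter 2009-12-17 11:56:34Z, once as UTCTime and once as GeneralizedTime.
SAMPLE_UTC = b"\x30\x1e\x17\x0d081217115634Z\x17\x0d091217115634Z"
SAMPLE_GEN = b"\x30\x22\x18\x0f20081217115634Z\x18\x0f20091217115634Z"
```

Calling expiry_status(SAMPLE_UTC, datetime.now(timezone.utc)) from a scheduled job gives the "expires within 7 days" warning Scott relies on.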
gruman
New Member
Posts:7
07 Dec 2009 04:46 PM
A question for you, Scott: I see that you use CA with the Telnet Server. Can you please tell me which "applications" you selected within DCM? I think I have selected much more than is necessary for Telnet, and I was wondering if by doing that it would have an adverse effect on anything. I know the TCP/IP ports required for iSeries Access for Windows (from the IBM Client Access tech site), but these are not named the same within DCM. Your help will be greatly appreciated. Thank you in advance.
Scott Klement
Editorial Staff Member
Posts:16399
07 Dec 2009 06:12 PM
I don't use a CA certificate with the telnet server. I use a server certificate with the telnet server. The server certificate is, of course, signed by a CA (as are all SSL certificates.) Is that what you mean? Which applications you assign a certificate to depends on what you want to SSL-enable. If you want to SSL-enable the telnet server, then assign the certificate to the telnet server. If you want to SSL-enable something else, then assign the certificate to whatever it is you want to SSL-enable. Is that what you're asking? I don't use iSeries Access, so I don't know what exactly it uses.
gruman
New Member
Posts:7
08 Dec 2009 11:11 AM
Thank you for your reply Scott, you are right, I mean the server certificate. Sorry. I was trying to establish:

1. which "applications" I should assign to the certificate for SSL-enabled connections through 5250 emulator sessions in iSeries Access for Windows.
2. I wondered if I assigned too many and unnecessary "applications" what effect this would have now and for any future SSL-enabled stuff for applications not already SSL-enabled.
3. if an "application" is already assigned to a server certificate then I presume it cannot be assigned to a new server certificate.
4. so if we have separate certificates for separate applications, then I need to know which "applications" I should assign to the certificate for SSL-enabled connections through 5250 emulator sessions in iSeries Access for Windows (my first question).

Help would be appreciated.
Scott Klement
Editorial Staff Member
Posts:16399
08 Dec 2009 05:29 PM
1. which "applications" I should assign to the certificate for SSL-enabled connections through 5250 emulator sessions in iSeries Access for Windows.
Again, I don't use iSeries Access for Windows. I have never set up SSL for it. I can guarantee that you'll need to assign a certificate to the Telnet server, I don't know what else it requires.
3. if an "application" is already assigned to a server certificate then I presume it cannot be assigned to a new server certificate.
No, that's not true. (Indeed, if it were, this whole thread would be pointless.) You can assign a different certificate to an application quite easily.
Scott Klement
Editorial Staff Member
Posts:16399
08 Dec 2009 05:38 PM
Here are IBM's instructions for setting up SSL for iSeries Access (again, I have no experience with this... Google found this page for me...) http://www-912.ibm.com/s_dir/slkbas...enDocument Step 10 states the following:
When using Client Access Express and PC5250, the Telnet Server, Central Server, Signon Server, and Remote Command Server must be assigned. For all Client Access Express functions to be secured, assign the Database Server, Data Queue Server, and Network Print Server.
J Taylor
Senior Member
Posts:4007
10 Feb 2010 02:34 PM
I'm working on renewing a CA certificate that we use to FTP into a bank. Can DCM automatically get the new certificate, or is this something I have to download manually? Whenever I try the Renew option, it gives me a "No certificates found for this certificate store" message for certificate type "Server or client". My certificate is "Certificate Authority (CA)", not "Server or client". Does Renew not work for CA certificates?
Bryan Leaman
Veteran Member
Posts:1745
10 Feb 2010 08:25 PM
If you're FTPing into a bank, didn't they issue the original certificate to you? If so, they need to give you the updated one and you'll have to install it manually via DCM. --Bryan
J Taylor
Senior Member
Posts:4007
10 Feb 2010 09:05 PM
So it's not really a renewal. I just need to import a new certificate and replace the old one.