Configuring encryption support

Content Manager OnDemand for i depends on the IBM i operating system for cryptographic support.

IBM i has a repository for master keys which are used to encrypt other keys, and keystore files to store encrypted keys. See the topic titled Cryptographic services key management in IBM Documentation for IBM i for more information and instructions for creating and managing these files.

Content Manager OnDemand for i requires that a keystore file exist on your IBM i server. If you do not have one, you must create it. Because encryption is turned on explicitly for each individual instance, keep the keystore file for an instance in that instance's library.

The following steps are required to enable encryption for an instance. Instance name QUSROND is used in all the examples, but the examples will work for any instance if you replace QUSROND with your instance name.

If you do not have a master key, you must load it (one or more key parts) and then set it.

To load a master key from the IBM Navigator for i interface, follow these steps:
  1. Hover over the Security icon in the IBM Navigator for i window to display the Security menu.
  2. Select Cryptographic Services Key Management.
  3. Select Manage Master Keys.
  4. Select the Master Key.
  5. Select Load part from the Actions menu.
  6. Specify the Passphrase and click OK.
You can also use the Add Master Key Part (ADDMSTPART) command on IBM i to load a key part for the specified master key. For example:
ADDMSTPART MSTKEY(1) PASSPHRASE('My Passphrase')
To set the master key from the IBM Navigator for i interface, follow these steps:
  1. Hover over the Security icon in the IBM Navigator for i window to display the Security menu.
  2. Select Cryptographic Services Key Management.
  3. Select Manage Master Keys.
  4. Select the Master Key.
  5. Select Set from the Actions menu to set the master key.
You can also use the Set Master Key (SETMSTKEY) command on IBM i to set the specified master key from the parts already added. Setting the key makes the loaded parts the current master key; until it is set, the parts are only pending. For example:
SETMSTKEY MSTKEY(1)

The next step is to create a keystore file. You can create as many keystore files as desired.

When you create a keystore file by using the IBM Navigator for i interface, it is automatically added to your list of managed keystore files. It is recommended that the keystore file for an instance be in that instance library. For example, the keystore file for the QUSROND instance would be in the QUSROND library.

To create a new keystore file by using the IBM Navigator for i interface, follow these steps:
  1. Hover over the Security icon in the IBM Navigator for i window to display the Security menu.
  2. Select Cryptographic Services Key Management.
  3. Select Manage Cryptographic Keystore Files.
  4. Click Create Keystore from the Actions menu.
  5. Enter the Keystore name for the new keystore you want to create and specify the Library in which you want to create the new keystore.
  6. Enter the Description of the new keystore that you want to create.
  7. Enter the Master key that you want to be associated with the new keystore file.
  8. Set the Public authority to Exclude.
  9. Click OK.
You can also use the Create Keystore File (CRTCKMKSF) command on IBM i to create a database file for storing cryptographic key records. For example:
CRTCKMKSF KEYSTORE(QUSROND/KEYSTORE) MSTKEY(1) AUT(*EXCLUDE) TEXT('Keystore for instance QUSROND')
The instance user profile must be authorized to the keystore file with *ALL authority. You can use the Grant Object Authority (GRTOBJAUT) command on IBM i to set the correct authority. For example:
GRTOBJAUT OBJ(QUSROND/KEYSTORE) OBJTYPE(*FILE) USER(QUSROND) AUT(*ALL)
To enable encryption support for an instance, you must run the following command in QSHELL on your IBM i server:
/qsys.lib/qrdars.lib/arssockd.pgm -I instanceName -d "keystore_location=instanceName/keyStoreFile,keystore_mkl=*"
For example, to enable encryption support for the QUSROND instance:
/qsys.lib/qrdars.lib/arssockd.pgm -I qusrond -d "keystore_location=QUSROND/KEYSTORE,keystore_mkl=*"
The output from this command should look like this:
keystore_type=PKCS12
keystore_location=QUSROND/KEYSTORE
keystore_mkl=ONDEMAND_QUSROND_QRDARS400_2017-01-27-16.50.23.063912
keystore_mkl_dt=2017-01-27 10:50:23.063912
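The keystore, authority and arssockd steps above can be collected into one CL program so that every instance is set up the same way. The following is an added example written for this page, not IBM's code or part of Content Manager OnDemand. It assumes that master key 1 has already been loaded and set (ADDMSTPART / SETMSTKEY), that the instance library and the instance user profile both carry the instance name, that arssockd accepts the instance name in the same case as the library name, and that the program, library and source file names (ENCENABLE, MYLIB, QCLSRC) are placeholders you replace. The master key steps are left out deliberately: the passphrase should not be embedded in program source.

```cl
/* ENCENABLE - enable Content Manager OnDemand encryption support for     */
/* one instance. Added example, not IBM's code. Assumes master key 1 is   */
/* already loaded and set, and that the instance library and the instance */
/* user profile both carry the instance name.                             */
/* Compile: CRTBNDCL PGM(MYLIB/ENCENABLE) SRCFILE(MYLIB/QCLSRC)           */
/* Run:     CALL PGM(MYLIB/ENCENABLE) PARM('QUSROND')                     */
             PGM        PARM(&INST)
             DCL        VAR(&INST)   TYPE(*CHAR) LEN(10)   /* instance = library = profile */
             DCL        VAR(&KSF)    TYPE(*CHAR) LEN(10) VALUE('KEYSTORE')
             DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(50)
             DCL        VAR(&QSHCMD) TYPE(*CHAR) LEN(256)

/* 1. Stop if the instance library is missing: CHKOBJ sends CPF9801       */
/*    (object not found), which this program does not monitor, so the     */
/*    caller sees the escape message instead of a half-done setup.        */
             CHKOBJ     OBJ(QSYS/&INST) OBJTYPE(*LIB)

/* 2. Create the keystore file in the instance library with public        */
/*    authority *EXCLUDE, but only if it does not exist yet.              */
             CHKOBJ     OBJ(&INST/&KSF) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF9801) EXEC(DO)
               CHGVAR     VAR(&TEXT) VALUE('Keystore for instance ' *CAT &INST)
               CRTCKMKSF  KEYSTORE(&INST/&KSF) MSTKEY(1) AUT(*EXCLUDE) +
                            TEXT(&TEXT)
             ENDDO

/* 3. The instance profile needs *ALL on the keystore file; the public    */
/*    authority stays *EXCLUDE.                                           */
             GRTOBJAUT  OBJ(&INST/&KSF) OBJTYPE(*FILE) USER(&INST) AUT(*ALL)

/* 4. Point the instance at the keystore. keystore_mkl=* leaves the       */
/*    master key label to arssockd, which prints the label it chose.      */
/*    *TCAT trims the blanks that pad the CL variables.                   */
             CHGVAR     VAR(&QSHCMD) VALUE('/qsys.lib/qrdars.lib/arssockd.pgm -I ' +
                          *CAT &INST *BCAT '-d "keystore_location=' *CAT +
                          &INST *TCAT '/' *CAT &KSF *TCAT ',keystore_mkl=*"')
             QSH        CMD(&QSHCMD)
             ENDPGM
```

The QSH step prints the same four keystore_* lines shown above; check them in the job output before going on to enable encryption in an application group. If a keystore file with another name is already in use for the instance, change the VALUE of &KSF rather than creating a second file, since the instance configuration can point at only one keystore.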

The steps to configure encryption for an instance are now complete. No encryption will be performed until it is enabled in a Content Manager OnDemand application group.