Setting up HTTPS security certificates using GSKIT
If the client will connect to CS/AIX servers using HTTPS, it must have the GSKIT key manager software installed. See the README file on the installation media for more information about obtaining and installing the GSKIT software.
Before the IBM Remote API Client can connect to servers using HTTPS, you need to use the GSKIT key manager program to set up the security certificate configuration on the client. Take the following steps.
- Run the GSKIT key manager using the following command:
  /opt/ibm/sna/bin/snakeyman
  From within the key manager user interface, open the key database file /etc/opt/ibm/sna/ibmcs.kdb, which is in CMS format.
- The initial password for the key database is ibmcs. Before setting up the security certificates, you must change this password to keep your configuration secure. In the dialog for changing the password, you will need to mark the checkbox 'Stash the password to a file?' to ensure that the new password is saved so that the client can open the key database.
- Obtain a copy of the Certificate Authority (CA) certificate that was used to sign the Web Server's security certificate, and install it in the key database. To do this, select Signer Certificates from the key manager user interface and click on Add.
- If the WebSphere server is configured to require client security certificates, the client must have a certificate issued by a CA whose own certificate is in the Web Server's security certificate database. To request a new certificate:
  - Select Create, New Certificate Request from the key manager user interface, and fill in the requested details.
  - Save the certificate, extract it to a file and send it to the CA.
  - When the certificate is issued, store it in the Web Server's database. To do this, select Personal Certificates from the key manager user interface and click on Receive.
  As a temporary measure for your own internal testing, you can create a self-signed client certificate rather than obtaining a certificate from the CA. However, this does not provide the required level of security and must not be used in a live system. To create a self-signed certificate:
  - Select Create, New Self-Signed Certificate from the key manager user interface, and fill in the requested details.
  - Save the certificate and extract it to a file.
  - Store the certificate file in the Web Server's database. To do this, select Personal Certificates from the key manager user interface and click on Receive.
- Exit the GSKIT key manager when you have finished configuring certificates.
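Because the stash option writes the key database password to a file, a post-setup check of the key database and its stash file is worthwhile. The following is an added example, not part of the original documentation or of the IBM product: the function name audit_keydb is hypothetical, and it assumes that the stash file sits beside the database with a .sth extension and that only the owning account needs to read both files.

```shell
#!/bin/sh
# audit_keydb KDB_PATH
# Added example (hypothetical helper, not an IBM tool).
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_keydb() {
    kdb=$1
    # Assumption: the stash file is written next to the .kdb as <name>.sth
    sth="${kdb%.kdb}.sth"
    rc=0

    if [ ! -f "$kdb" ]; then
        echo "MISSING key database: $kdb"
        return 1
    fi

    # Without a stash file the client cannot open the database after
    # the initial password has been changed.
    if [ ! -f "$sth" ]; then
        echo "MISSING stash file: $sth"
        rc=1
    fi

    for f in "$kdb" "$sth"; do
        [ -f "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        go_bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "LOOSE permissions on $f (group/other bits: $go_bits)"
            rc=1
        fi
    done
    return $rc
}

# Typical call for the database named in the steps above:
#   audit_keydb /etc/opt/ibm/sna/ibmcs.kdb
```

If the client on your system runs under an account other than the file owner, relax the permission test to match rather than opening the files to all users.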