Your first task when setting up Advanced Message Security protection is to create a certificate and associate it with your environment. The association is configured through a file held in the integrated file system (IFS).
Procedure
- To create a self-signed certificate using the OpenSSL tooling shipped with IBM® i, issue the following command from QShell:
  /QOpenSys/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout $HOME/private.pem -out $HOME/mycert.pem -nodes -days 365
  The command prompts for various distinguished name attributes for the new self-signed certificate, including:
  - Common Name (CN=)
  - Organization (O=)
  - Country (C=)
  This creates an unencrypted private key (the -nodes option) and a matching certificate, both in PEM (Privacy Enhanced Mail) format.
  For simplicity, enter values only for common name, organization, and country. These attributes and their values matter later, when you create a policy.
- AMS requires that both the certificate and the private key are held in the same file. Issue the following command to achieve this:
  cat $HOME/mycert.pem >> $HOME/private.pem
  The private.pem file in $HOME now contains a matching private key and certificate, while the mycert.pem file contains all of the public certificates for which you can encrypt messages and validate signatures.
  The two files need to be associated with your environment by creating a keystore configuration file, keystore.conf, in the default location. By default, AMS looks for the keystore configuration in a .mqs subdirectory of your home directory.
- In QShell, create the keystore.conf file:
  mkdir -p $HOME/.mqs
  echo "pem.private = $HOME/private.pem" > $HOME/.mqs/keystore.conf
  echo "pem.public = $HOME/mycert.pem" >> $HOME/.mqs/keystore.conf
  echo "pem.password = unused" >> $HOME/.mqs/keystore.conf
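As an added check that is not part of the IBM documentation, the following POSIX shell script validates the layout the three steps above produce: it reads keystore.conf, confirms that the pem.private file holds both a private key and a certificate (so the cat step was not skipped), that the pem.public file holds a certificate, and that the unencrypted private-key file is not readable by group or others. The make_sample_keystore function, its file paths and the placeholder PEM bodies are constructed for the demonstration, and the permission check assumes the usual Unix ls -l column layout.

```shell
#!/bin/sh
# Added example, not IBM's code: validate an AMS keystore.conf and the PEM
# files it names, without invoking openssl. It checks what the steps above
# rely on: pem.private holds a private key AND a certificate (the effect of
# "cat mycert.pem >> private.pem"), pem.public holds at least one certificate,
# and the unencrypted private file (created with -nodes) is not group/world
# readable. Returns 0 if every check passes, 1 otherwise.
value_of() {  # value_of KEY FILE: last "KEY = value" line, blanks trimmed
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | sed 's/[[:space:]]*$//'
}
check_ams_keystore() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    priv=$(value_of 'pem\.private' "$conf")
    pub=$(value_of 'pem\.public' "$conf")
    for f in "$priv" "$pub"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "FAIL: missing PEM file '$f'"; return 1; }
    done
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$priv" \
        || { echo "FAIL: $priv has no private key"; rc=1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$priv" \
        || { echo "FAIL: $priv has no certificate (cat step skipped?)"; rc=1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pub" \
        || { echo "FAIL: $pub has no certificate"; rc=1; }
    # chars 5-10 of "ls -l" output are the group and other permission bits
    case "$(ls -ld "$priv" | cut -c5-10)" in
        ------) ;;
        *) echo "FAIL: $priv is readable by group or others; chmod 600 it"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample (placeholder PEM bodies, not real keys) laid out exactly
# as the procedure above leaves it, under a home directory passed as $1.
make_sample_keystore() {
    home="$1"; mkdir -p "$home/.mqs"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$home/private.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$home/mycert.pem"
    chmod 600 "$home/private.pem"
    cat "$home/mycert.pem" >> "$home/private.pem"
    echo "pem.private = $home/private.pem" > "$home/.mqs/keystore.conf"
    echo "pem.public = $home/mycert.pem" >> "$home/.mqs/keystore.conf"
    echo "pem.password = unused" >> "$home/.mqs/keystore.conf"
}
# Demo on the constructed sample in a scratch directory
demo=$(mktemp -d); make_sample_keystore "$demo"
check_ams_keystore "$demo/.mqs/keystore.conf" && echo "keystore OK"
rm -rf "$demo"
```

To check a real setup, run check_ams_keystore "$HOME/.mqs/keystore.conf" after completing the steps above.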