Configuring Cloud Storage Solutions file transfer encryption

You can configure Cloud Storage Solutions to use Secure Sockets Layer (SSL) to encrypt files while those files are being transferred to and from the cloud.

  • This task includes steps for creating a *SYSTEM certificate keystore. This keystore may have already been created. If so, you will require its password. Ask your IBM i administrator for that information.
  • To encrypt the files, you must download the correct certificate authorities from your cloud provider. To download the certificate authorities, you must enter your cloud storage Uniform Resource Identifier (URI) in a browser. When you create an account with a third-party cloud provider, the provider sends you this storage URI. You must make sure that the URI that you enter to download the certificate authorities is your actual storage location URI. If it is not, you will download the wrong certificate authorities and resource actions will fail.

    When you enter the URI in a browser, some provider sites automatically redirect you to a different page. If you are redirected, you must edit the URI to match your storage URI. S3 resource URIs are also generated automatically, so the endpoint you supplied when you created the resource may differ from the actual bucket location. For example, when you create an S3 resource you provide the URI https://s3.amazonaws.com. But your actual bucket location might be https://companyA-west.s3.amazonaws.com/companyA-west, or something similar. You must make sure you enter the correct S3 URI.

  • You must know any policies within your enterprise that dictate SSL options you must use, such as SSL protocol, SSL cipher, and SSL signature algorithm.

To configure Cloud Storage Solutions for SSL encryption, you must download certificate authorities from the resource URI that you received from the cloud provider when you created the account. You can then use the IBM i Digital Certificate Manager (DCM) to create a *SYSTEM certificate keystore, add the certificate authorities to the keystore, and then associate the certificate authorities with the Cloud Storage Solutions application.

After you configure SSL, you must create or change resources that use the account and include the https protocol in their resource URIs. Files copied to the cloud using that resource are then encrypted while they are being copied, and decrypted when they reach the cloud computer. When you copy files from the cloud back to a host IBM i computer using the same resource, the files are encrypted while they are copied and then decrypted on the IBM i using the same key that encrypted them.

To encrypt files while they are "at rest" on the cloud computer, see Configuring Cloud Storage Solutions file at rest encryption.

SSL encryption is available with the Cloud Storage Solutions basic edition.

For general information on using SSL on IBM i, see the IBM i Security Sockets Layer Guide.

Take the following steps to configure SSL encryption:

  1. Create a *SYSTEM certificate keystore:
    1. Log into IBM Navigator for i as a user with authority to use the Digital Certificate Manager.
    2. In the navigation pane, click Internet Configurations.
    3. Click Digital Certificate Manager.
    4. Click Create New Certificate Store.
    5. Select *SYSTEM, and then click Continue.
      Note: If the only option is Other System Certificate Store, a *SYSTEM certificate store already exists. Click Cancel and proceed to Step 2.
    6. Select No - Do not create a certificate in the certificate store.
    7. Enter a password for the certificate keystore, enter it again to confirm it, and then click Continue.
    8. Click OK. Do not log out.
  2. Download the certificate authorities from the resource URI location. For example, in the Chrome browser on Microsoft Windows, take the following steps:
    1. In a browser, enter the resource URI. (If the site displays an "Unauthorized" page, continue.)
      Make sure the cloud provider web site does not redirect you to another page. If it does, edit the URI so that it exactly matches your resource URI.
    2. Click the browser Customize and control icon.
    3. Select More tools > Developer tools.
    4. Click the Security tab, and then click View Certificate.
    5. In the Certificate dialog, click the Details tab.
    6. Click Copy to File.
    7. In the Certificate Export Wizard, click Next.
    8. Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) format, and then select Include all certificates in the certification path if possible.
      Regardless of your browser, you must make sure that all certificate authorities in the certificate path are downloaded.
    9. Click Browse to specify a file name and local location, then save the file.
    10. Copy the certificate file to any directory on the IBM i computer.
  3. Import the certificate into the *SYSTEM keystore:
    1. In IBM Navigator for i, open the Digital Certificate Manager.
    2. In the navigation pane, click Select a Certificate Store.
    3. Select *SYSTEM, and then click Continue.
    4. In the Certificate store password field, enter the *SYSTEM keystore password you created in Step 1, and then click Continue. The navigation pane displays tasks that you can perform with the *SYSTEM keystore.
    5. In the navigation pane, click Manage Certificates > Import certificate.
    6. Select Certificate Authority (CA) as the type of certificate to import, and then click Continue.
    7. Enter the path and file name of the certificate file that you copied to the IBM i computer in Step 2, and then click Continue.
    8. Enter a label for the certificate, and then click Continue. The certificate is imported into the *SYSTEM keystore. Click OK. Do not log out of the Digital Certificate Manager.
  4. Add Cloud Storage Solutions to the list of client applications:
    1. In the Digital Certificate Manager navigation pane, click Manage Applications > Add applications.
    2. Select Client, and then click Continue.
    3. In the Add application page, in the Application ID field, type IBM_QICC.
    4. Select Application description and in the field type IBM Cloud Storage Solutions for i.
    5. In the Define the CA trust list field, select No.
    6. Select any SSL values that match your enterprise policies, such as the SSL protocol, SSL cipher, or SSL signature algorithm.
    7. Click Add, then click OK.
  5. Add the certificate authorities to the Cloud Storage Solutions trust list:
    1. In the Digital Certificate Manager navigation pane, click Manage Applications > Define CA trust list.
    2. Select Client, and then click Continue.
    3. Select IBM Cloud Storage Solutions for i, and then click Define CA Trust List.
    4. Select all of the certificate authorities that you imported in Step 3, and then click OK.
To enable SSL in a resource, create or change the resource and specify the https protocol in the resource URI.
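
The following script is an added example and is not part of the IBM documentation or the Cloud Storage Solutions product. It performs the two checks this task depends on before anything is imported into the *SYSTEM keystore: that the resource URI uses https and names the real storage host (not a redirect target or the generic S3 endpoint), and that the certificate authorities you downloaded actually validate that host under a protocol floor and cipher list of the kind your enterprise policy dictates. The TLS 1.2 minimum and the cipher string are assumptions standing in for your own policy; the function and variable names are the example's own. The script expects the CA bundle as a PEM file, so a .P7B exported from the browser should first be converted with the standard OpenSSL command `openssl pkcs7 -print_certs -inform DER -in chain.p7b -out chain.pem`.

```python
"""Pre-flight checks for a Cloud Storage Solutions SSL resource.

Added example (not IBM's code). Confirms that the resource URI names the
real storage host over https, and that the downloaded CA bundle validates
that host under the TLS policy you will later select in DCM.
"""
import socket
import ssl
from urllib.parse import urlparse


def storage_host(uri: str) -> str:
    """Return the host named by a resource URI, insisting on https.

    The URI used to download the certificate authorities must be the actual
    storage location; the host it names is what the server certificate must
    match. Plain http is rejected because SSL resources require https.
    """
    parts = urlparse(uri)
    if parts.scheme != "https":
        raise ValueError(f"resource URI must use https, got {parts.scheme!r}: {uri}")
    if not parts.hostname:
        raise ValueError(f"resource URI has no host: {uri}")
    return parts.hostname  # urlparse lower-cases the host


def policy_context(cafile, min_version=ssl.TLSVersion.TLSv1_2,
                   ciphers="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Build an SSLContext mirroring the SSL values you will select in DCM.

    cafile is the PEM bundle downloaded from the storage URI. None falls back
    to the system trust store, which is useful for testing the policy but is
    NOT the real check. The protocol floor and cipher list are assumptions
    standing in for your enterprise policy.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = min_version
    ctx.set_ciphers(ciphers)        # governs TLS 1.2 suites; TLS 1.3 suites are separate
    ctx.check_hostname = True       # the storage host must appear in the cert's SAN
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def policy_summary(ctx) -> dict:
    """Describe the policy a context enforces, for comparison with the DCM settings."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "cipher_count": len(ctx.get_ciphers()),
    }


def check_storage_endpoint(uri: str, cafile: str, timeout: float = 10.0) -> dict:
    """Handshake with the storage host trusting only the downloaded CA bundle.

    Raises ssl.SSLCertVerificationError when the bundle lacks a CA in the
    server's certification path, which is the same mismatch that makes
    resource actions fail after the wrong chain is imported into DCM.
    """
    host = storage_host(uri)
    port = urlparse(uri).port or 443
    ctx = policy_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    import sys
    # usage: python check_storage_tls.py https://companyA-west.s3.amazonaws.com chain.pem
    print(check_storage_endpoint(sys.argv[1], sys.argv[2]))
```

If the handshake succeeds, the printed subject should belong to the storage host you entered and the negotiated protocol and cipher should fall within your policy; if it raises a certificate verification error, the bundle you exported is not the chain for that host, so repeat the download from the exact storage URI rather than importing the bundle into DCM.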