Setting the configuration properties
When you install the IBM® i operating system, the IBM Universal Manageability Enablement for i licensed program is installed on the system by default. Before you use the CIM function of this licensed program, you can configure the Common Information Model Object Manager (CIMOM).
You can use the cimconfig command with the -s option to set the current or planned configuration properties. To change the planned value of the CIM server, you use the -p -s options. To change the current value of the CIM server, you use the -c -s options.
- Ensure that the operating system meets the installation requirements.
- Set the configuration properties by using the cimconfig -p -s or cimconfig -c -s command.
- Grant users the authorizations required to work with CIMOM. In the operating system, Application Administration controls operations that change the local CIM schema, and object authorities control operations that change the system objects.
- Restart CIMOM
Enabling the CIM server with Secure Sockets Layer
To enable the CIM server to run in Secure Sockets Layer (SSL) mode, a private key and a certificate are required. The administrator can create the private key and a certificate, and have the certificate signed by a certificate authority (CA).
The CIM server checks for its private key and certificate during startup. If either of the files does not exist, the server creates its private key and a self-signed, 365-day certificate. These files are created in the location that is defined by the value of the sslCertificateFilePath and sslKeyFilePath properties. The self-signed certificate is created with the following values:
- Country Name: US
- State or Province Name: Minnesota
- Locality: Rochester
- Organization Name: IBM
- Organizational Unit: IBM i
- Common Name: hostname of the system
- Email Address:
Creating the certificate
You can use Digital Certificate Manager (DCM) to create a CIM server certificate that is issued by a CA on the operating system, or by an external CA.
- Create an application definition in DCM. The recommended application ID is QUME_CIMOM.
- Create a certificate for the CIMOM application that is issued by a CA. Remember the subject name that you enter for CIMOM in the certificate.
- Export the certificate from DCM to CIMOM.
  - In the left frame, choose Manage Certificates and Export Certificates.
  - Click Server or client as the type of the certificate.
  - Select the certificate that you created for CIMOM and click Export.
  - Click File as the export destination.
  - Use the directory that is defined by the sslCertificateFilePath property for the export file name, and name the file pegasuscert.p12. This file is in PKCS12 (Public Key Cryptography Standards) format.
  - Remember the password that you enter here. The password is used to decrypt the exported certificate.
- Run the OpenSSL command to convert the certificate from the PKCS12 format to the PEM format.
  - On the operating system, use the CALL QP2TERM command to make the IBM i Portable Application Solutions Environment (IBM i PASE) environment available.
  - Change the directory to the location of the exported certificate.
  - Extract the certificate from the PKCS12 file and convert it to the PEM format.
    Use the OpenSSL command: openssl pkcs12 -in pegasuscert.p12 -out pegasuscert.pem -nokeys -clcerts. This command prompts for the password that you entered in the DCM export window.
    The PEM file might contain both the CIMOM certificate and the certificate of the CA that issues the CIMOM certificate. Because CIMOM does not support this type of PEM file, remove the CA certificate.
  - Edit the PEM file and remove all the lines except the lines for the CIMOM certificate.
    The certificate has the CIMOM subject name that you used when creating the certificate in DCM. Keep the lines of the CIMOM certificate, starting with Bag Attributes and ending with End Certificate.
  - Extract the private key from the PKCS12 file and convert it to the PEM format.
    Use the following OpenSSL command: openssl pkcs12 -in pegasuscert.p12 -out pegasuskey.pem -nocerts -nodes. This command prompts for the password that you entered in the DCM export window.
After you have the certificate and private key in the PEM format, you can make them available to CIMOM by placing them in the paths that are defined by the sslCertificateFilePath and sslKeyFilePath properties.
- enableHttpsConnection: set the value to true
- enableHttpConnection: set the value to false
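The manual PEM edit and the key extraction described above can be scripted and checked from the IBM i PASE shell. The following is an added example, not IBM's code: the function names, the sample subject names and the placeholder base64 are constructed, and it assumes the Bag Attributes and subject= lines that openssl pkcs12 writes before each certificate.

```shell
#!/bin/sh
# Added example, not IBM's code: automates the manual PEM edit described above.

# keep_cimom_cert SUBJECT_TEXT IN_PEM OUT_PEM
# Writes the one block (Bag Attributes .. END CERTIFICATE) whose subject=
# line contains SUBJECT_TEXT. Fails, writing nothing, unless exactly one matches.
keep_cimom_cert() {
    awk -v want="$1" '
        /^Bag Attributes/ { buf = ""; hit = 0; inblock = 1 }
        inblock {
            buf = buf $0 "\n"
            if ($0 ~ /^subject=/ && index($0, want)) hit = 1
            if ($0 ~ /^-----END CERTIFICATE-----/) {
                if (hit) { keep = keep buf; found++ }
                inblock = 0
            }
        }
        END { if (found != 1) exit 1; printf "%s", keep }
    ' "$2" > "$3.tmp" || { rm -f "$3.tmp"; return 1; }
    mv "$3.tmp" "$3"
}

# count_certs PEM: number of certificates in the file (CIMOM expects one).
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# key_is_private FILE: true only if group and others have no permission bits.
# A key written with -nodes is unencrypted, so file access is its only guard.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# write_sample_pem FILE: constructed input shaped like openssl pkcs12 output
# (placeholder base64, hypothetical subject names), for trying the functions.
write_sample_pem() {
cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: CIMOM
subject=/C=US/O=Example/CN=cimhost.example.com
issuer=/C=US/O=Example/CN=Example Local CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/O=Example/CN=Example Local CA
issuer=/C=US/O=Example/CN=Example Local CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
EOF
}
```

Pass the subject text exactly as it appears on the subject= line of your own PEM file, because the layout of that line differs between OpenSSL versions.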
Enabling the CIM server to verify client certificates
To enable SSL client certificate verification on the main SSL port, you can use the sslClientVerificationMode property. With this property, you can be authenticated through certificate verification or basic authentication. The sslTrustStore property gives the location of the truststore.