Setting the configuration properties

When you install the IBM® i operating system, the IBM Universal Manageability Enablement for i licensed program is installed on the system by default. Before you use the CIM function of this licensed program, you can configure the Common Information Model Object Manager (CIMOM).

You can use the cimconfig command with the -s option to set the current or planned configuration properties. To change the planned value of the CIM server, you use the -p -s options. To change the current value of the CIM server, you use the -c -s options.

To configure CIMOM, follow these steps:
  1. Ensure that the operating system meets the installation requirements.
  2. Set the configuration properties by using the cimconfig -p -s or cimconfig -c -s command.
  3. Grant users the authorizations required to work with CIMOM. In the operating system, Application Administration controls operations that change the local CIM schema, and object authorities control operations that change the system objects.
  4. Restart CIMOM.

Enabling the CIM server with Secure Sockets Layer

To enable the CIM server to run in Secure Sockets Layer (SSL) mode, a private key and a certificate are required. The administrator can create the private key and a certificate that is signed by a certificate authority (CA).

The CIM server checks for its private key and certificate during startup. If either of the files does not exist, the server creates its private key and a self-signed, 365-day certificate. These files are created in the location that is defined by the value of the sslCertificateFilePath and sslKeyFilePath properties.

The server creates its certificate with the following fields for the distinguished name:
  • Country Name: US
  • State or Province Name: Minnesota
  • Locality: Rochester
  • Organization Name: IBM
  • Organizational Unit: IBM i
  • Common Name: hostname of the system
  • Email Address:
Note: The Common Name is replaced by the hostname of this system, and the Email Address is left blank.

Creating the certificate

You can use Digital Certificate Manager (DCM) to create a CIM server certificate that is issued by a CA on the operating system, or by an external CA.

Note: CIMOM is not integrated with DCM. All certificates that are created in DCM for CIMOM must be exported to CIMOM. CIMOM only supports the Privacy Enhanced Mail (PEM) format for certificates.
To create a certificate for CIMOM, follow these steps:
  1. Create an application definition in DCM. The recommended application ID is QUME_CIMOM.
  2. Create a certificate for the CIMOM application that is issued by a CA. Remember the subject name that you enter for CIMOM in the certificate.
  3. Export the certificate from DCM to CIMOM.
    1. In the left frame, choose Manage Certificates and Export Certificates.
    2. Click Server or client as the type of the certificate.
    3. Select the certificate that you created for CIMOM and click Export.
    4. Click File as the export destination.
    5. Use the directory that is defined by the sslCertificateFilePath property for the export file name, and name the file pegasuscert.p12. This file is in PKCS12 (Public Key Cryptography Standards) format.
    6. Remember the password that you enter here. The password is used to decrypt the exported certificate.
  4. Run the OpenSSL command to convert the certificate from the PKCS12 format to the PEM format.
    1. On the operating system, use the CALL QP2TERM command to make the IBM i Portable Application Solutions Environment (IBM i PASE) environment available.
    2. Change the directory to the location of the exported certificate.
    3. Extract the certificate from the PKCS12 file and convert it to the PEM format.

      Use the OpenSSL command: openssl pkcs12 -in pegasuscert.p12 -out pegasuscert.pem -nokeys -clcerts. This command prompts for the password that you entered in the DCM export window.

      The PEM file might contain both the CIMOM certificate and the certificate of the CA that issues the CIMOM certificate. Because CIMOM does not support this type of PEM file, remove the CA certificate.

    4. Edit the PEM file and remove all the lines except the lines for the CIMOM certificate.

      The certificate has the CIMOM subject name that you used when creating the certificate in DCM. Keep only the lines of the CIMOM certificate, from the line that starts with Bag Attributes through the -----END CERTIFICATE----- line.

    5. Extract the private key from the PKCS12 file and convert it to the PEM format.

      Use the following OpenSSL command: openssl pkcs12 -in pegasuscert.p12 -out pegasuskey.pem -nocerts -nodes. This command prompts for the password that you entered in the DCM export window.

      After you have the certificate and private key in the PEM format, you can make them available to CIMOM by placing them in the paths that are defined by the sslCertificateFilePath and sslKeyFilePath properties.

Note: When CIMOM starts, the private key file is created automatically. It is important to keep the private key in a protected directory. By default, the CIMOM private key is put in a directory that is owned by QSYS, with PUBLIC *EXCLUDE and no private authorities. If the administrator changes the sslKeyFilePath property, the new key directory should be protected.
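The conversion steps above and the note about protecting the key directory, as an added example that is not part of the original page or of the CIMOM product: a POSIX shell script for the IBM i PASE shell that wraps the two openssl commands, isolates the CIMOM certificate block from a PEM file that also carries the CA certificate (the manual edit in step 4), and checks that the key file is not readable by group or others. The file names pegasuscert.p12, pegasuscert.pem and pegasuskey.pem are the ones from the procedure; the sample PEM bundle, the host name myhost.example.com and the CA name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's or the product's own code).

# Steps 3 and 5 of the procedure: run openssl on the exported PKCS12 file.
# Both commands prompt for the password entered in the DCM export window.
convert_p12() {
  openssl pkcs12 -in "$1" -out pegasuscert.pem -nokeys -clcerts   # certificate(s) only
  openssl pkcs12 -in "$1" -out pegasuskey.pem -nocerts -nodes     # unencrypted key only
}

# Number of certificates in a PEM file (0 if none).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# keep_leaf_cert IN SUBJECT_FRAGMENT OUT
# Step 4: copies to OUT only the block, from "Bag Attributes" through
# "-----END CERTIFICATE-----", whose subject= line contains SUBJECT_FRAGMENT
# (the subject name chosen for CIMOM in DCM); any CA block is dropped.
keep_leaf_cert() {
  awk -v want="$2" '
    /^Bag Attributes/ { block = $0 "\n"; inblock = 1; keep = 0; next }
    inblock == 1 {
      block = block $0 "\n"
      if ($0 ~ /^subject=/ && index($0, want) > 0) keep = 1
      if ($0 == "-----END CERTIFICATE-----") {
        if (keep) printf "%s", block
        inblock = 0
      }
    }
  ' "$1" > "$3"
}

# Note in the page: the private key must stay in a protected location.
# Fails (exit 1) unless the file mode has no group or other permissions.
check_key_perms() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ????------) return 0 ;;
    *) echo "WARNING: $1 is readable by group or others ($mode)" >&2; return 1 ;;
  esac
}

# Constructed sample: the shape openssl prints for a leaf certificate followed
# by its CA certificate. The base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
  cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: QUME_CIMOM
subject=/C=US/ST=Minnesota/L=Rochester/O=IBM/OU=IBM i/CN=myhost.example.com
issuer=/C=US/O=IBM/CN=Constructed Local CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRiBDRVJUIEJPRFkgKE5PVCBBIFJFQUwgQ0VSVClK
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/O=IBM/CN=Constructed Local CA
issuer=/C=US/O=IBM/CN=Constructed Local CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQ0VSVCBCT0RZIChOT1QgQSBSRUFMIENFUlQpCg==
-----END CERTIFICATE-----
EOF
}

# Stand-alone demonstration on the constructed bundle: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_sample_bundle "$d/pegasuscert.pem"
  echo "certificates in exported file: $(count_certs "$d/pegasuscert.pem")"
  keep_leaf_cert "$d/pegasuscert.pem" "CN=myhost.example.com" "$d/cimom-only.pem"
  echo "certificates kept for CIMOM:   $(count_certs "$d/cimom-only.pem")"
  touch "$d/pegasuskey.pem" && chmod 600 "$d/pegasuskey.pem"
  check_key_perms "$d/pegasuskey.pem" && echo "key file permissions OK"
fi
```

After keep_leaf_cert has run on a real export, openssl x509 -in pegasuscert.pem -noout -subject -issuer is a quick way to confirm that the remaining block is the CIMOM certificate and not the CA certificate before copying the files to the sslCertificateFilePath and sslKeyFilePath locations.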
After the SSL certificates are created, set the following configuration properties to enable the CIM server with SSL and disable the non-SSL port:
  • enableHttpsConnection: set the value to true
  • enableHttpConnection: set the value to false

Enabling the CIM server to verify client certificates

To enable SSL client certificate verification on the main SSL port, use the sslClientVerificationMode property. With this property, clients can be authenticated through certificate verification or basic authentication. The sslTrustStore property gives the location of the truststore.