IBM Support

Digital Certificate Manager (DCM) Data Locations, Cleanup, and Recovery Information

Troubleshooting


Problem

If the Digital Certificate Manager certificate store(s) are inaccessible (damaged, missing, and so on), they can be cleared and re-created or restored from a prior save. This document provides the location information needed to perform those tasks.

Resolving The Problem

There are a number of different problem scenarios associated with Digital Certificate Manager certificate stores that may require interaction with the associated IFS directories. General information is included in this document on how to recover damaged or missing files or to migrate DCM contents from a different system.

Digital Certificate Manager data (certificate stores, certificates, and so on) is located in the following IFS directory and sub-directories:

/qibm/UserData/ICSS

If you want to restore DCM certificate store contents from a prior save or from another system:

o Restore the IFS directory /qibm/UserData/ICSS with all sub-directories and contents
Note: You must know the certificate store passwords for access into each of the certificate stores that were active at the time of the save from the source system. Password reset will not work and the certificate stores will be inaccessible without that password.

In the event that it has become necessary to clear DCM and re-create the Local Certificate Authority and certificate stores:

o Step down through the /qibm/UserData/ICSS directory in IFS, deleting the contents of all subdirectories.
Note: Do not delete the ICSS directory or sub-directories themselves as they will not be automatically re-created, and attempts to create system stores from DCM will fail.

o After clearing the contents of the directories, start a new browser session (to avoid cached pages) and use the create functions in Digital Certificate Manager to re-create any or all desired contents.

If the /qibm/UserData/ICSS directory or the sub-directories under it have been deleted so that certificate stores cannot be created, they must be re-created and the appropriate authorities defined to regain the ability to create and manage certificate stores. This can be accomplished by restoring the ICSS directory and all subdirectories from a prior system save, or by re-creating them manually using the steps below:

REMEMBER: When you see a '+' (plus symbol) in a command, it means the next line is included in the full command.

If the ICSS directory needs to be created:
1. MKDIR DIR('/qibm/userdata/icss') DTAAUT(*RX) OBJAUT(*NONE)

If the cert sub-directory needs to be created under ICSS:
2. MKDIR DIR('/qibm/userdata/icss/cert') DTAAUT(*RX) OBJAUT(*NONE)

If the CertAuth sub-directory needs to be created under ICSS/cert:
3. MKDIR DIR('/qibm/userdata/icss/cert/CertAuth') DTAAUT(*EXCLUDE) OBJAUT(*NONE)

If the Server sub-directory needs to be created under ICSS/cert:
4. MKDIR DIR('/qibm/userdata/icss/cert/Server') DTAAUT(*EXCLUDE) OBJAUT(*NONE)

If the Download sub-directory needs to be created under ICSS/cert:
5. MKDIR DIR('/qibm/userdata/icss/cert/Download') DTAAUT(*RX) OBJAUT(*NONE)

If the CertAuth sub-directory needs to be created under ICSS/cert/Download:
6. MKDIR DIR('/qibm/userdata/icss/cert/Download/CertAuth') DTAAUT(*RX) OBJAUT(*NONE)

If the Client sub-directory needs to be created under ICSS/cert/Download:
7. MKDIR DIR('/qibm/userdata/icss/cert/Download/Client') DTAAUT(*RX) OBJAUT(*NONE)

If the certsvcs sub-directory needs to be created under ICSS:
8. MKDIR DIR('/qibm/userdata/icss/certsvcs') DTAAUT(*RX) OBJAUT(*NONE)

If the log sub-directory needs to be created under ICSS/certsvcs:
9. MKDIR DIR('/qibm/userdata/icss/certsvcs/log') DTAAUT(*RX) OBJAUT(*NONE)

Then modify authorities to add QSYS with *RWX data authority and *ALL object authority:
10. CHGAUT OBJ('/QIBM/Userdata/ICSS') USER(QSYS) DTAAUT(*RWX) OBJAUT(*ALL) +
    SUBTREE(*ALL)

Also modify the *PUBLIC authorities to *RW:
11. CHGAUT OBJ('/QIBM/Userdata/ICSS') USER(*PUBLIC) DTAAUT(*RW) +
    SUBTREE(*ALL)

Adjust the folders from which *PUBLIC is excluded:
12. CHGAUT OBJ('/qibm/userdata/icss/cert/CertAuth') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
    OBJAUT(*NONE) SUBTREE(*NONE)

13. CHGAUT OBJ('/qibm/userdata/icss/cert/Server') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
    OBJAUT(*NONE) SUBTREE(*NONE)

Optional (this directory may not exist if an object signing store was never created):
14. CHGAUT OBJ('/qibm/userdata/icss/cert/Signing') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
    OBJAUT(*NONE) SUBTREE(*NONE)
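
An added check, not part of the IBM document: a POSIX shell function that audits the tree built by steps 1-14, reporting missing directories and any *PUBLIC-excluded directory that still grants public access. It assumes it is run from QShell or PASE and that the "other" permission bits shown by `ls -l` reflect the *PUBLIC data authority; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: audit the DCM directory layout from steps 1-14.
# Assumption: the "other" permission bits reflect *PUBLIC data authority.

# Directories from steps 2-9, relative to the ICSS root.
DCM_DIRS="cert cert/CertAuth cert/Server cert/Download
cert/Download/CertAuth cert/Download/Client certsvcs certsvcs/log"
# Directories where steps 12-14 set *PUBLIC to *EXCLUDE.
DCM_EXCLUDED="cert/CertAuth cert/Server cert/Signing"

# Print the "other" (public) permission bits of a path, e.g. "r-x" or "---".
public_bits() {
    ls -ld "$1" | cut -c8-10
}

# Audit the tree under $1 (default: the path on the page).
# Prints one finding per line and returns the number of problems found.
dcm_audit() {
    root=${1:-/qibm/UserData/ICSS}
    problems=0
    if [ ! -d "$root" ]; then
        echo "MISSING $root"
        return 1
    fi
    for rel in $DCM_DIRS cert/Signing; do
        dir="$root/$rel"
        if [ ! -d "$dir" ]; then
            # The Signing directory is optional (step 14): absence is fine.
            if [ "$rel" != "cert/Signing" ]; then
                echo "MISSING $dir"
                problems=$((problems + 1))
            fi
            continue
        fi
        case " $DCM_EXCLUDED " in
            *" $rel "*)
                bits=$(public_bits "$dir")
                if [ "$bits" != "---" ]; then
                    echo "PUBLIC-ACCESS $dir ($bits)"
                    problems=$((problems + 1))
                    continue
                fi ;;
        esac
        echo "OK $dir"
    done
    return "$problems"
}
```

Source the file and call `dcm_audit` with no argument to check the live path, or pass a scratch directory to try it safely first.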


Historical Number

548664332

Document Information

Modified date:
22 September 2023

UID

nas8N1012549