IBM Support

Enabling TLS for IBM Digital Certificate Manager for i (DCM)

Troubleshooting


Problem

IBM Digital Certificate Manager for i (DCM) is not enabled for TLS by default.

Environment

IBM i V7R3 and later

Resolving The Problem

Required PTFs
- IBM i 7.5: included at GA.
- IBM i 7.4: SI71936 is the primary DCM PTF; however, all PTFs from "System TLS enhancements to the TLSv1.3 and TLSv1.2 protocols" should also be applied to ensure a seamless user experience.
- IBM i 7.3: SI72421 is the primary DCM PTF; however, all PTFs from "IBM i 7.3 System TLS support for Transport Layer Security version 1.3 (TLSv1.3)" must also be applied to ensure a seamless user experience.

Digital Certificate Manager for i:
- Runs in the ADMIN3 server job using ports 2006 (non-secure) and 2007 (with TLS configured)
- Non-TLS URL used to connect: http://systemname:2006/dcm
- TLS URL: https://systemname:2007/dcm

NOTE: Install the latest HTTP Group PTF to ensure all options for ADMIN3 are available in the IBM Web Administration for i GUI. The following is a link to the preventive service planning page that shows the current levels:

You can enable HTTPS either by using the default Java keystore used within the ADMIN3 application server or by using a certificate from the Digital Certificate Manager *SYSTEM store.

Choose ONE of the following options (either use the default JKS keystore that ADMIN3 ships with, or use a certificate from the Digital Certificate Manager *SYSTEM store):

  • Enable HTTPS using the default Java keystore

    NOTE: This option creates a new self-signed certificate and places it in the Java keystore.

    1. Open a web browser and go to the following URL (login with your IBM i user profile):

    http://hostname:2001/HTTPAdmin

    2. Click Manage -> Application Servers -> select 'Admin3' in the Servers list

    3. Click 'Configure TLS'

    4. Click Next on Step 1.

    5. On Step 2, configure the port and protocol and whether to also enable HTTP (NOTE: it is recommended to select at minimum TLSv1.2 for the protocol and to leave the TLS port at the default it recommends).

    6. On Step 3, configure 'dcm_key.jks' as the keystore.

    7. You are prompted to create the new keystore and set its password. Fill out the password fields and click Next.

    8. Select 'Default Ciphers' and click 'Next' on Step 8.

    9. Select the server restart option you prefer on Step 9.

    10. A summary screen of your choices is displayed. Click Finish. The server must be restarted, after which users should connect via the following URL:
    https://hostname:2007/dcm

  • Enable HTTPS using the Digital Certificate Manager *SYSTEM keystore
    • Issue a new self-signed certificate

      1. Open a web browser and go to the following URL (login with your IBM i user profile):

      http://hostname:2001/HTTPAdmin

      2. Click Manage -> Application Servers -> select 'Admin3' in the Servers list.

      3. Click 'Configure TLS'

      4. Click Next on Step 1.

      5. On Step 2, configure the port and protocol and whether to also enable HTTP (NOTE: it is recommended to select at minimum TLSv1.2 for the protocol and to leave the TLS port at the default it recommends).

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next'.

      7. Specify the password of the *SYSTEM store.

      8. Select 'Issue a new self-signed certificate' and click 'Next'.

      9. Select 'Default ciphers' and click 'Next'.

      10. Select your restart option and click Next.

      11. A summary screen of your choices is displayed. Click Finish. The server must be restarted, after which users should connect via the following URL:
      https://hostname:2007/dcm

    • Select an existing certificate from the *SYSTEM keystore

      1. Open a web browser and go to the following URL (login with your IBM i user profile):

      http://hostname:2001/HTTPAdmin

      2. Click Manage -> Application Servers -> select 'Admin3' in the Servers list

      3. Click 'Configure TLS'

      4. Click Next on Step 1.

      5. On Step 2, configure the port and protocol and whether to also enable HTTP (NOTE: it is recommended to select at minimum TLSv1.2 for the protocol and to leave the TLS port at the default it recommends).

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next'.

      7. Specify the password of the *SYSTEM store.

      8. On Step 6, select 'Select existing certificate from the keystore', then choose an existing certificate from the drop-down (avoid certificates with an * at the end; these are expired) -> click 'Next'.

      9. Select 'No trust certificate to import' on Step 7 -> click 'Next'.

      10. Select 'Default ciphers' on Step 8 and click Next.

      11. Select your restart option and click Next.

      12. A summary screen of your choices is displayed. Click Finish. The server must be restarted, after which users should connect via the following URL:
      https://hostname:2007/dcm

    NOTE: To prevent a TLS warning in the browser about the certificate not being trusted, a certificate from a well-known Certificate Authority can be used instead of a self-signed one.
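Once ADMIN3 has been restarted, the following script can confirm from a workstation that the DCM endpoint on port 2007 negotiates TLSv1.2 or later and that the certificate it presents is not expired (DCM flags expired certificates with a trailing * in its drop-down, but the server will still serve one if it is selected). This is an added example, not IBM code; it assumes the IBM i host name is passed as the first command-line argument and that Python's default trust store is used for chain validation.

```python
"""Post-configuration check for https://hostname:2007/dcm (added example, not IBM code)."""
import socket
import ssl
import sys
import time

DCM_TLS_PORT = 2007  # ADMIN3 TLS port from the technote


def tls_context():
    """Client context that refuses anything older than TLSv1.2, the minimum recommended above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_is_expired(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(), e.g. 'Aug 26 11:13:11 2022 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)  # epoch seconds, UTC
    return expiry <= (time.time() if now is None else now)


def check_dcm_tls(host, port=DCM_TLS_PORT, timeout=5):
    """Connect to the DCM TLS port, verify the chain and hostname, and report the findings."""
    ctx = tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),            # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
                "expired": cert_is_expired(cert["notAfter"]),
            }


if __name__ == "__main__":
    host = sys.argv[1]  # IBM i host name (assumption: passed on the command line)
    try:
        print(check_dcm_tls(host))
    except ssl.SSLCertVerificationError as exc:
        # Expected for the self-signed options above; a CA-issued certificate removes this.
        print("certificate not trusted by this workstation:", exc.verify_message)
    except ssl.SSLError as exc:
        # Raised if the server only offers a protocol older than TLSv1.2.
        print("TLS handshake failed:", exc)
```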


Document Information

Modified date: 25 August 2023

UID: ibm16615667