IBM Support

How to make SSL connection from IBM i ACS - Windows Application Package

Question & Answer


Question

How do I configure SSL connectivity from IBM i Access Client Solutions - Windows Application Package to an IBM i.

Answer

This document makes the following assumptions:

1) The certificate authority was already created on the IBM i and a Server Certificate is associated with the IBM i Host Servers in the digital certificate manager. If these steps are not yet completed, see "Digital Certificate Manager, Getting Started" link.

2) The Windows PC is able to make a non-SSL connection to the IBM i in order to download the certificate. See "IBM i Access Ports Required When Downloading Certificate Authority" link to ensure that the necessary connectivity is available.

Steps to download and install the certificate to allow SSL connectivity:


Note: These instructions assume ONLY the IBM i Access Client Solutions Windows Application Package is installed.
  1. On the Windows system, run "cwbcossl.exe".
  2. In the box to the right of the "Start CA download from..." button, type in the name or IP address of the IBM i. Then, click the "Start CA download from..." button.
  3. Answer Yes to "Are you sure you want to trust all certificates issued by this certificate authority?"
  4. Enter the password to allow the cwbcossl tool to store the certificate into the key database.
    The default password is "ca400".
  5. Exit and restart the cwbcossl tool so that it picks up the configuration changes.
  6. Test SSL connectivity with the "SSL" button under Verify Connections.
  7. Assuming the test was successful, change the IBM i connection object to default to SSL connectivity. To do so, open an Administrator-level CMD prompt and execute:
    C:\> cwbcfg /host <the name or IP address of the IBM i used in step 2> /ssl 1 /s /r
  8. Finally, configure your data connection to the IBM i. For most data provider connections (OLE DB, ODBC, .NET) traffic is now using the SSL database host server port 9471.

Alternate option, which assumes both the IBM i Access Client Solutions Windows Application Package AND the Java-based IBM i Access Client Solutions base package are installed:

If SSL/TLS has already been configured for use with 5250 or some other function in the IBM i Access Client Solutions base (Java) package, administrators can go to the "Tools" drop down menu and select "Key Management". The following window shows trusted certificates.
Highlight the trusted certificate for the desired connection and click the "Push to Windows..." button.
This function makes the certificate available for Windows-native functions such as ODBC.
The default password for the Windows Application Package key manager is "ca400".

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHZAA2","label":"Data Access"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions"}]

Document Information

Modified date:
11 December 2024

UID

nas8N1021962

Page Feedback