Configuring IBM System i servers for secure connection

If you are using self-signed certificates or certificates from a signing agency that is not in the well-known list, use the P12Keyring utility to configure the CustomizedCAs keyring. For more details, refer to P12 Keyring utility.

Follow the steps below to configure a CustomizedCAs keyring:
  1. Ensure that java is installed in the system.
  2. Open a unix/AIX-based command line. For example, QSHELL or IBM I PASE shell.
  3. Navigate to the Host On-Demand publish folder in the Host On-Demand installation directory. Generally, it is /QIBM/ProdData/Host On-Demand/HOD/.
  4. Enter the command 
    java -classpath .:your_install_dir/lib/sm.zip com.ibm.hod5sslight.tools.P12Keyring CustomizedCAs connect myServer.raleigh.ibm.com:702
    . This command can take a few minutes to complete. If you are asked for a password, type hod and press Enter.
  5. Select the certificate number that corresponds to the Certificate Authority (CA) that you want to add to the keyring. Be sure to add the CA certificate and not the site certificate. If the port is not responding, refer to Configuring IBM i 7.1 servers for secure connection.
  6. Repeat steps 3to 5for each target server.
To view the contents of the CustomizedCAs keyring, perform the following steps:
  1. Ensure that java is installed in the system.
  2. Open a linux-based shell, for example, QSHELL or IBM i PASE shell.
  3. Navigate to the Host On-Demand publish folder in the Host On-Demand installation directory. Generally, it is /QIBM/ProdData/Host On-Demand/HOD/.
  4. Enter the command 
    java -classpath .: your_install_dir/lib/sm.zip com.ibm.hod5sslight.tools.P12Keyring CustomizedCAs list
    .