

OS/400 Installation

The OS/400 Connector is installed with CA IAM Connector Server.

OS/400 Migration Steps

To migrate from the C++ OS/400 connector to the Java OS/400 connector, you must do the following:

Once this has been done, all types of operations can be executed against the existing OS/400 endpoints seamlessly.

How to Configure your Machines

You must configure your OS/400 system to use the OS/400 connector. To do this, install and configure programs on your OS/400 system.

Install and Configure Programs on OS/400

The JTOPEN toolkit used by the OS/400 connector requires the following programs to be installed and configured on your OS/400 system:

These programs are necessary so the OS/400 connector can connect to your OS/400 system and access its data and services.

How to Secure Your Information (Optional)

You can send information through secured or unsecured channels.

For security purposes, we recommend that you secure the communications between all your machines. To do this, you must configure the following:

Connect Using SSL

Communication between the Provisioning Server/CA IAM Connector Server and the OS/400 machine can be secured with SSL. Using SSL is optional in both links and can be switched on when acquiring the OS/400 machine. Certificates are used to authenticate the server and encrypt communications, and the username and password are used to authenticate the client request on the OS/400 machine.

To use SSL, the CA IAM Connector Server machine must have the endpoint certificate installed in the Java certificate store of the JRE in which CA IAM Connector Server is running.

Configure Your OS/400 System

Secure the channel between CA IAM Connector Server and your OS/400 system by performing these steps:

  1. Prepare the system
  2. Select the certificate location
  3. Import the certificate authority
  4. Request a server certificate from the CA
  5. Request a server certificate for your system
  6. Import the server certificate
  7. Assign the Server Certificate to your OS/400 applications

Prepare the System

To prepare your OS/400 system, perform the following procedure:

On your OS/400 system

  1. Verify that one of the following client encryption licensed programs is installed:
    5722-CE2

    IBM iSeries Client Encryption (56-bit) Version 5, Release 1. This program is used in countries other than the United States or Canada.

    5722-CE3

    IBM iSeries Client Encryption (128-bit) Version 5, Release 1. This program is used in the United States and Canada only.

    5769-CE2

    IBM iSeries Client Encryption (56-bit) Version 4, Release 5. This program is used in countries other than the United States or Canada.

    5769-CE3

    IBM iSeries Client Encryption (128-bit) Version 4, Release 5. This program is used in the United States and Canada only.

    Note: These programs are an installation option on your OS/400 system.

  2. Verify that one of the following server encryption licensed programs is installed:
    5722-AC2

    IBM iSeries Server Encryption (56-bit) Version 5, Release 1. This program is used in countries other than the United States or Canada.

    5769-AC2

    IBM iSeries Server Encryption (56-bit) Version 4, Release 5. This program is used in countries other than the United States or Canada.

    5769-AC3

    IBM iSeries Server Encryption (128-bit) Version 4, Release 5. This program is used in the United States and Canada only.

    Note: These programs are an installation option on your OS/400 system.

  3. Verify that the following licensed programs are installed:
    5761-SS1

    Product Option 34 - Digital Certificate Manager

    5761-DG1

    IBM HTTP Server

  4. Create a file share from your OS/400 system to your Provisioning Server/CA IAM Connector Server.

Select the Certificate Location

Select the location where you will import the certificate on your OS/400 system.

To select the location

  1. Start the HTTP Administration Server using the Operations Navigator or run the following command at your OS/400 command prompt:
    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
    
  2. Connect to the HTTP Administration Server by pointing your browser at the following location and logging on with your system credentials:
    http://server:2001
    
    server

    Specifies the name of the system running OS/400.

    Note: Your logon ID must have the All Object Access and System Configuration permissions.

  3. Select the Digital Certificate Manager link.

    The Digital Certificate Manager window appears. The left frame contains navigational buttons and the right frame contains command buttons.

    Note: The steps that reference the Digital Certificate Manager are based on Version 5, Release 1. If you are using another version, these steps may vary slightly.

  4. Click the Select a Certificate Store button in the left frame.
  5. Select the *SYSTEM store radio button and then click Continue.
  6. Enter the password for the *SYSTEM certificate store and then click Continue.

Import the Certificate Authority

Once you have selected the certificate location, import the certificate from your Certificate Authority (CA).

From the left frame

  1. Expand the Manage Certificates link.
  2. Select the Import Certificate link.

    The Import Certificate window appears.

  3. Select the Certificate Authority (CA) radio button and then click Continue.
  4. Enter the directory location that contains the certificate for the Integrated File System (IFS) on your OS/400 system and then click OK.

    For example, enter: \home\etadmin\certificate_file_name.

  5. Enter a unique name in the Label field for the certificate, for example etaCACert, and then click Continue.
  6. Click the OK button.

The Digital Certificate Manager reads the certificate file and imports it into the system.

Request a Server Certificate from the CA

After importing the Certificate Authority, you must now request a server certificate.

From the CA

  1. Select the Create Certificate option.

    The Create Certificate window appears.

  2. Select the Server or client certificate radio button and then click Continue.
  3. Select the Internet Certificate Authority radio button, for example VeriSign, and then click Continue.
  4. Enter at least the following information and then click Continue:
    Key size

    1024 bits

    Certificate Label

    The name of your certificate

    Common Name

    The name of your server

    Organization Name

    The name of your organization

    State or province

    The name of your state or province

    Country

    The name of your country

  5. Copy the generated lines (including the BEGIN and END lines) into a file and then save that file on your OS/400 system.

Request a Server Certificate for Your System

To request a server certificate for your OS/400 system, follow this procedure:

From a Certificate Authority (CA)

  1. Install and configure Microsoft Certificate Services on your Windows 2000 server.
  2. Point your browser to http://computer-name/certsrv.

    where computer-name is the name of the computer for which you are generating the certificate. The Microsoft Certificate Services Wizard appears.

  3. Select Request a certificate, and click Next.
  4. Select Advanced request, and click Next.
  5. Select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file, and click Next.
  6. Open the certreq.txt file with Notepad and cut its contents.
  7. Paste the contents of certreq.txt in the Saved Request box, and click Submit.
  8. Select Base 64 Encoded, and click Download CA Certificate.
  9. Save the certificate to your hard drive.

    Note: Remember the location where you save the certificate.

Import the Server Certificate

Once you generate a server certificate, you can import it into the system.

From the CA

  1. Expand the Manage Certificates link in the left frame.
  2. Select the Import Certificate link.

    The Import Certificate window appears.

  3. Select the Server or client radio button and then click Continue.
  4. Enter the directory path that contains the certificate for the IFS on your OS/400 system and click Continue.

    For example, enter: \home\etadmin\usildaaj.cer.

  5. Click OK.

Assign the Server Certificate to Your OS/400 Applications

After importing the certificate, you must assign the server certificate to the following applications:

From the CA

  1. Expand Manage Applications in the left frame.
  2. Select Update certificate assignment.
  3. Select Server and then click Continue.

    The Update Certificate Assignment window appears.

  4. Perform the following steps for each of the applications:
    1. Select the radio button for the application and then click the Update Certificate Assignment button.
    2. Select the server certificate and then click the Assign New Certificate button.
  5. Stop the applications by issuing the following command with each argument:
    ENDHOSTSVR *CENTRAL
    ENDHOSTSVR *RMTCMD
    ENDHOSTSVR *SIGNON
    
  6. Start the applications by issuing the following command with each argument:
    STRHOSTSVR *CENTRAL RQDPCL(*TCP)
    STRHOSTSVR *RMTCMD RQDPCL(*TCP)
    STRHOSTSVR *SIGNON RQDPCL(*TCP)
    

Configure CA IAM Connector Server

If you are using a certificate from one of the following CAs, you do not need to perform this step:

If you want to use a certificate from a different CA, import the certificate into CA IAM Connector Server. If you use the same certificate for each OS/400 system, you will perform these steps only once.

Follow these steps: NEW STEPS

  1. Log in to CA IAM Connector Server Management Console.
  2. At the top, click the Certificates tab.

    This tab lists all of the certificates in the CA IAM Connector Server keystore. To filter the list of certificates by their names, type in the Certificate Filter box.

  3. To add a certificate, click Add, then enter the details of the certificate.

    Add a certificate:

    Add a keystore:

Follow these steps: OLD STEPS

  1. Stop the CA IAM Connector Server service.
  2. Copy the CA certificate from your certificate authority to the directory where the connector client certificate keystore is located. Refer to the server_jcs.properties for the setting of connectorManager.connectorClientCertStore to determine the location of the connector client certificate keystore. The default value is set to ../conf/ssl.keystore.
  3. Open a command prompt and change to the directory where the connector client certificate keystore is located. For example,
    cd C:\Program Files\CA\Identity Manager\Connector Server\conf\
    
  4. Issue the following command to import the CA certificate into the CA certificate store for Java:
    ..\..\bin\keytool -import -alias "eTrust Admin CA Certificate" -file certificate_name.cer -keystore ssl.keystore
    
    1. Enter the default password secret (if it has not been changed) at the "Enter a keystore password" prompt.

      Note: You can use the bin\ldaps_password.bat utility to change the keystore's password.

    2. Enter yes at the "Trust this certificate" prompt.
  5. Restart CA IAM Connector Server service.
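
Before answering yes at the "Trust this certificate" prompt, the fingerprint that keytool displays should match one obtained from the CA administrator through a separate channel. The following is an added example, not part of the CA documentation: it computes that fingerprint for a Base 64 Encoded or binary .cer file. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def load_der(data: bytes) -> bytes:
    """Return DER bytes from a Base 64 (PEM) or binary (DER) .cer file."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("file holds several certificates; check one CA at a time")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if b"-----BEGIN" in data:
        raise ValueError("BEGIN/END CERTIFICATE pair is incomplete (truncated copy?)")
    if not data.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the layout keytool prints."""
    digest = hashlib.new(algorithm, load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches(data: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """Compare with a fingerprint obtained out of band; separators and case are ignored."""
    normalise = lambda s: re.sub(r"[^0-9A-F]", "", s.upper())
    return hmac.compare_digest(normalise(fingerprint(data, algorithm)),
                               normalise(expected))

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x12" + bytes(range(256)) + b"constructed-sample"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA256:", fingerprint(SAMPLE_PEM))
    print("DER copy matches PEM copy:", matches(SAMPLE_DER, fingerprint(SAMPLE_PEM)))
```

Pass "sha1" as the algorithm when the installed keytool prints a SHA1 fingerprint instead of SHA256.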

Password Synchronization Agent

The Password Synchronization Agent lets password changes made on the OS/400 endpoint system be propagated to your other accounts managed by CA Identity Manager. For more information, see the CA Identity Manager Administrator's Guide.

OS/400 Support for FIPS and IPv6

For this release of CA Identity Manager, the OS/400 Connector does not support FIPS or IPv6.

The OS/400 Password Synchronization Agent also does not support FIPS or IPv6.