Administration Guide › Password Management › Synchronizing Passwords on Endpoints › Passwords on OS400 › Install the Provisioning Server Certificate

Install the Provisioning Server Certificate

The following operating system components must be installed on your iSeries machine to use SSL:

• Cryptographic access provider licensed program (5722-AC3)
• Digital Certificate Manager (Option 34 of OS/400)
• IBM HTTP Server for iSeries (5722-DG1)

On the iSeries

1. Upload the Provisioning server certificate from the Provisioning server machine to the iSeries. The certificate can be found at:

   C:\Program Files\CA\Identity Manager\Provisioning Server\Data\Tls\server\et2_cacert.pem
   

2. Log onto the DCM.

   Using a web browser, go to http://<hostname>:2001. When prompted, log on as QSECOFR and click the Digital Certificate Manager link

3. Work with the *SYSTEM certificate store.

   Click the 'Select a Certificate Store' button and select the *SYSTEM certificate store. If this store does not exist, create a new store called *SYSTEM and then enter the certificate store password.

4. Import the certificate as a CA Certificate using the DSM.

   Click Manage Certificates, Import Certificate and select the Certificate Authority (CA) option and then enter the file name of the Provisioning server certificate. (This is where you uploaded the certificate in step 1). Enter the label Provisioning Server for the certificate.

   Importing the certificate is complete.

5. After importing the CA certificate to the endpoint *SYSTEM keystore, you must make sure that the IBM Directory client QIBM_GLD_DIRSRV_CLIENT can access the *SYSTEM keystore. Otherwise, the SSL initialization call of the PSA fails.
6. Configure the 'Directory Services client' application to trust the Provisioning Server certificate by opening Manage Applications, Define CA trust list and choosing Directory Services Client.

   The Provisioning Server certificate should be listed here if imported correctly from step 4.

   Click 'Trusted' for the Provisioning Server certificate and click OK at the bottom of the list.

7. Give PUBLIC read permission to the SSL files and grant read access to the *SYSTEM certificate store:

   (/QIBM/userdata/ICSS/Cert/Server/default.kdb)
   

   Grant read and execute permission to the parent folder

   (/QIBM/userdata/ICCS/Cert/Server)
   

   Note: Adopting authority of user PWDSYNCH does not work in the / file system, so access must be granted for all users.