

Install the Provisioning Server Certificate

The following operating system components must be installed on your iSeries machine to use SSL:

On the iSeries

  1. Upload the Provisioning server certificate from the Provisioning server machine to the iSeries. The certificate can be found at:
    C:\Program Files\CA\Identity Manager\Provisioning Server\Data\Tls\server\et2_cacert.pem
    
  2. Log in to the DCM.

    Using a web browser, go to http://<hostname>:2001. When prompted, log on as QSECOFR and click Digital Certificate Manager.

  3. Click Select a Certificate Store and select the *SYSTEM certificate store. If this store does not exist, create a store called *SYSTEM, then enter the certificate store password.
  4. Import the certificate as a CA Certificate using the DCM.

    Click Manage Certificates, Import Certificate. Select the Certificate Authority (CA) option and enter the file name of the Provisioning server certificate. (This is where you uploaded the certificate in step 1). Enter the label Provisioning Server for the certificate.

  5. After importing the CA certificate to the endpoint *SYSTEM keystore, verify that the IBM Directory client QIBM_GLD_DIRSRV_CLIENT can access the *SYSTEM keystore. Otherwise, the SSL initialization call of the PSA fails.
  6. Configure the Directory Services client application to trust the Provisioning Server certificate by opening Manage Applications, Define CA Trust List and choosing Directory Services Client.

    The Provisioning Server certificate should be listed here if imported correctly from step 4.

    Click Trusted for the Provisioning Server certificate, then click OK.

  7. Give PUBLIC read permission to the SSL files and grant read access to the *SYSTEM certificate store:

    /QIBM/userdata/ICSS/Cert/Server/default.kdb

    Grant read and execute permission to the parent folder:

    /QIBM/userdata/ICSS/Cert/Server

    Note: Adopting authority of user PWDSYNCH does not work in the / file system, so access must be granted for all users.
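As an added illustration (not part of the original document), the grants required in step 7 expressed as IBM i CL commands typed at a 5250 command line, followed by DSPAUT to confirm that *PUBLIC received exactly the intended data authorities and nothing more. The paths are the ones given above; the commands assume the QSECOFR session used for the DCM steps.

```cl
/* Parent folder: *PUBLIC needs read + execute (*RX) to traverse into it.   */
/* SUBTREE(*NONE) is the CHGAUT default, so nothing below the folder changes. */
CHGAUT OBJ('/QIBM/userdata/ICSS/Cert/Server') USER(*PUBLIC) +
       DTAAUT(*RX) OBJAUT(*NONE)

/* *SYSTEM certificate store file: read only (*R), no object authorities.   */
CHGAUT OBJ('/QIBM/userdata/ICSS/Cert/Server/default.kdb') USER(*PUBLIC) +
       DTAAUT(*R) OBJAUT(*NONE)

/* Verify: the *PUBLIC row should show *RX on the folder and *R on the file. */
DSPAUT OBJ('/QIBM/userdata/ICSS/Cert/Server')
DSPAUT OBJ('/QIBM/userdata/ICSS/Cert/Server/default.kdb')
```

Because the grant is per object rather than recursive, other files in the same folder keep their existing authorities; only the keystore named in step 7 becomes readable to all users.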