SSL connection - client certificate

Easycom can accept client certificates for two purposes:

    Additional network security: the server can restrict access to clients that present a valid certificate.

    Selecting the OS/400 user profile: the client certificate subject can be used to define the OS/400 username, or the EIM database can be used for this mapping.

The client certificate must be valid for the AS/400. The certificate is considered valid if it is issued by one of the Certificate Authorities (CAs) installed in the *SYSTEM certificate store on the AS/400.

The certificate can therefore be issued by the AS/400 itself; in that case the CA is the Local CA.

Create an X.509 registry in EIM and configure the LDAP location (optional)

This step is required if you want to use the EIM database to map the certificate to the OS/400 user.

In this case the username supplied by the client must be "*SSL".

Using System i Access, go to "Network"/"Enterprise Identity Mapping"/"Domain Management"/"<your domain>"/"User Registries", and click "Add a new system registry".

Choose a name and select the "X.509" registry type.

Under "Configuration", select "Properties" and choose the X.509 registry you just created.

Now configure the LDAP location for the *SYSTEM store. This links the user certificate creation process to EIM.

Use Digital Certificate Manager (DCM), reachable at http://my_iseries:2001. Select "Digital Certificate Manager" (on V6R1, select "i5/OS management" and then "Internet configuration" first; log on as QSECOFR when prompted).

Select "Manage LDAP location" and enter:

LDAP server (fully qualified host name): my_series.mydomain.com

Directory distinguished name (DN): dc=

Use Secure Sockets Layer (SSL): No

Port Number: 389

Login distinguished name (DN): cn=

Password: xxxx (the LDAP password used by EIM).

Create a user certificate

Go to https://my_iseries:2010/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0, logging in as the user for whom you want to create the certificate.

Then select "Create Certificate". The certificate is created for the user you logged in to the web site as.

Then click "Install certificate". This installs the certificate into the web browser; you can then export it into a portable format if needed.

If you created the X.509 registry and specified the LDAP location in the DCM configuration, the EIM settings are updated automatically. Note: an EIM mapping MUST already exist for this user before doing this (with an i5/OS target equal to that user).

Install the user certificate on your local store

Use the web browser to export the user certificate to your local certificate store.

Enable the Easycom server side

CHGCURLIB EASYCOM

CFGEACAUTH LIB(EASYCOM) SSL(*ON) SSLAUTH(*ON) SSLROLE(*EIM)

Use SSLROLE(*EIM) if you use an X.509 registry, or SSLROLE(*SUBJECT) if the certificate's Distinguished Name is used as the username.

EIM must be configured with CFGEACEIM as well.
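
As an added illustration (not part of this help page or the Easycom product), the following shell script reproduces the validity rule above with OpenSSL: a constructed local CA stands in for a CA installed in the *SYSTEM store, a certificate it issued is accepted and its subject CN is taken as the candidate username, and a self-signed certificate carrying the same subject but no trusted issuer is rejected. The check_client_cert function, the CN-based username mapping and all names are assumptions for this demo, not Easycom's own *SUBJECT or *EIM logic.

```shell
#!/bin/sh
# Added demo (not Easycom code): "valid" means "issued by a trusted CA",
# and only then is the subject used to pick a username.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed local CA, standing in for a CA in the *SYSTEM store.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 30 -subj "/CN=Local CA" >/dev/null 2>&1

# Client certificate issued by that CA (like one created through DCM).
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=JSMITH" >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out user.crt -days 30 >/dev/null 2>&1

# Self-signed certificate with the same subject but no trusted issuer.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -days 30 -subj "/CN=JSMITH" >/dev/null 2>&1

# check_client_cert CERT CAFILE
# Prints the username derived from the subject CN and returns 0 if CERT
# chains to CAFILE; prints nothing and returns 1 otherwise. The CN-based
# mapping is an assumption for this demo, not Easycom's *SUBJECT rule.
check_client_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
      sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    return 0
  fi
  return 1
}

check_client_cert user.crt ca.crt    # prints JSMITH
check_client_cert other.crt ca.crt || echo "rejected: not issued by a trusted CA"
```

The subject alone is never enough: the second certificate claims the same user but fails the chain check, which is exactly why the CA installed in the *SYSTEM store decides validity before any username mapping happens.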

You can now test connections using the "*SSL" user profile with no password if EIM is enabled, or a regular user profile and password if it is not.

Now type DSPMSG EASYCOM/EACMSGQ. You should see:

EASYCOMD:Starting from library EASYCOM, Version 3.00.05, (Jun 23 2009 16:29:38/OS530).
EASYCOMD:Eim connection OK - X.509 registry is 'p520 certicates'
EASYCOMD:EASYCOM - (c)AURA Equipments - http://www.easycom-aura.com
======================================================
EASYCOMD-V.3.00.05(EASYCOM/EASYCOMD); Lib=EASYCOM; PJ=Off; SSO=Off; Eim=On; Pwd=2; Port=6077; IPv6; SSL
EASYCOMD:Configuration used for Library EASYCOM is Dq=EASYCOM, Vers= KerbAuth=Off, SSL=On, SSLAuth=On *EIM

This shows that the X.509 (certificate) registry is detected and is named 'p520 certificates'.

This also confirms SSL capability for EASYCOMD.

It also shows (from the first connection attempt) that the EASYCOM library is running with SSL activated and SSL authentication activated with the *EIM role.

If there is a problem with authentication, a message will appear here.