Configure Certificate Authorities for the COS VPE in DCM
For IBM Cloud Storage Solutions for i (ICC) to use HTTPS communication with COS, the COS VPE’s certificate authority (CA) certificate and the other CA certificates in its certificate chain must be added to the *SYSTEM certificate store on the IBM i instance, and ICC must be added to the applications list for the certificate store.
Store the COS VPE CA in the IBM i file system
Either SSH into the IBM i (for example, ssh qsecofr@<ibmiIP>), or from a console or 5250 emulator session enter a PASE shell with CALL QP2TERM or a QShell session with QSH. The following commands and paths assume you are logged in as QSECOFR; another user profile with sufficient authority can be used instead.
In the shell session, run the following command, which stores the COS VPE CA certificate chain in the /home/qsecofr/coscert.txt file (-showcerts makes openssl print every certificate in the chain rather than only the server's own certificate). The "s3.*" hostname in the command should be the COS VPE's service endpoint.
< /dev/null openssl s_client -connect s3.direct.us-south.cloud-object-storage.appdomain.cloud:443 -showcerts 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > /home/qsecofr/coscert.txt
Ensure the coscert.txt file has an ASCII coded character set identifier (CCSID). The CCSID value can be checked by running the DSPATR OBJ('/home/qsecofr/coscert.txt') CL command. For example, CCSID 819 is the ISO 8859-1 (ASCII) CCSID, and CCSID 37 is the EBCDIC set for "US, Canada, Netherlands, Portugal, Brazil, New Zealand, Australia". The IBM i CCSID values can be found here. If necessary, change the CCSID to an ASCII CCSID with the following command: CHGATR OBJ('/home/qsecofr/coscert.txt') ATR(*CCSID) VALUE(819)
Obtain additional COS VPE connection information
In the same SSH session, run the following command. It produces a lot of output, some of which is needed for the certificate store configuration. The "s3.*" hostname in the command should be the COS VPE's service endpoint.
< /dev/null openssl s_client -connect s3.direct.us-south.cloud-object-storage.appdomain.cloud:443
Two sections of the output are of interest:
1. The certificate chain, which looks like this (entry 0 is the server's own certificate; the "i:" line of each entry names its issuer, and the last entry is the self-signed root CA):
Certificate chain
 0 s:C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, CN = *.s3.direct.us-south.cloud-object-storage.appdomain.cloud
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
2. The SSL-Session section, which lists the TLS protocol version and the cipher that were negotiated:
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
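The two steps above (saving the chain from openssl s_client, then reading the "s:"/"i:" entries to see which certificates are CAs) can be worked through with a small POSIX shell script. The following is an added example and is not part of the IBM documentation or the ICC product: it splits an s_client -showcerts transcript into one PEM file per chain entry, classifies each entry as leaf, intermediate CA or self-signed root CA from its subject and issuer lines, and pulls the negotiated protocol and cipher from the SSL-Session section. The sample transcript is constructed for the example (the subject and issuer lines mirror the chain shown above; the base64 certificate bodies are placeholders, not real certificates), and the fetch_chain function, which needs network access to the VPE, is not exercised by the sample run.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): inspect the output of
# "openssl s_client -showcerts" for the COS VPE endpoint and pick out the
# CA certificates that belong in the *SYSTEM store. The hostnames, file
# names and certificate bodies used below are constructed placeholders.

# Live retrieval (needs network access to the VPE). -showcerts prints every
# certificate in the chain; -servername sends SNI for the wildcard host.
fetch_chain() {
  host="$1"; out="$2"
  < /dev/null openssl s_client -connect "$host:443" -servername "$host" -showcerts \
    2>/dev/null > "$out"
}

# Write each PEM block of an s_client transcript to DIR/cert<N>.pem and print
# how many certificates were found. cert0.pem is the server's own certificate.
split_chain() {
  awk -v dir="$2" '
    BEGIN { n = 0 }
    /^-----BEGIN CERTIFICATE-----/ { out = dir "/cert" n ".pem"; n++; inblock = 1 }
    inblock { print > out }
    /^-----END CERTIFICATE-----/ { inblock = 0; close(out) }
    END { print n }
  ' "$1"
}

# Print one "index|role|subject|issuer" line per chain entry. Entry 0 is the
# leaf; an entry whose issuer equals its subject is a self-signed root CA; the
# rest are intermediate CAs. Every role other than "leaf" is imported into DCM.
chain_summary() {
  awk '
    /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    /^ *i:/ {
      sub(/^ *i:/, ""); iss = $0
      role = (idx == 0) ? "leaf" : ((subj == iss) ? "root-ca" : "intermediate-ca")
      print idx "|" role "|" subj "|" iss
    }
  ' "$1"
}

# Read a field such as Protocol or Cipher from the SSL-Session section.
session_field() {
  sed -n "s/^ *$2 *: *//p" "$1" | head -n 1
}

# Constructed sample of "openssl s_client -showcerts" output; the PEM bodies
# are placeholders, not real certificates.
sample_chain_output() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, CN = *.s3.direct.us-south.cloud-object-storage.appdomain.cloud
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
MIIPLACEHOLDERLEAFCERTIFICATEBODYNOTAREALCERT0000000000000000000=
-----END CERTIFICATE-----
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIPLACEHOLDERINTERMEDIATECABODYNOTAREALCERT00000000000000000000=
-----END CERTIFICATE-----
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIPLACEHOLDERROOTCABODYNOTAREALCERT0000000000000000000000000000=
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, CN = *.s3.direct.us-south.cloud-object-storage.appdomain.cloud
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
}

# Stand-alone run against the constructed sample.
workdir=$(mktemp -d)
sample_chain_output > "$workdir/s_client.txt"
echo "certificates found: $(split_chain "$workdir/s_client.txt" "$workdir")"
chain_summary "$workdir/s_client.txt"
echo "negotiated: $(session_field "$workdir/s_client.txt" Protocol) $(session_field "$workdir/s_client.txt" Cipher)"
```

On a real transcript, entries 1 and 2 (the DigiCert intermediate and the DigiCert Global Root CA) are the files to import into the *SYSTEM store; cert0.pem is the VPE's own server certificate and is not a CA. Like coscert.txt, the split files should be checked for an ASCII CCSID before DCM reads them.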
Sign in to DCM and create or open the *SYSTEM cert store
To open DCM, browse to http://<ibm-i-IP-address>:2006/dcm/login in your local web browser. Sign in as QSECOFR or another user with sufficient authority.
Version note: The steps and screenshots in the following sections were made using IBM i 7.5. The DCM steps may vary slightly for other releases.
Choose “Create Certificate Store” on the left to create the *SYSTEM certificate store. The store creation requires a password that will be used to unlock the store on future access.