Certificate configuration for IBM i communication with IBM Cloud Object Storage

By Samuel Matzek posted Fri May 24, 2024 12:56 PM

  

Co-author:

Ricardo Martins
IBM Power Technical Leader @ Blue Chip Portugal
IBM Cloud Certified Professional Architect

Overview

Configuring IBM Digital Certificate Manager for i (DCM) so that IBM Cloud Storage Solutions for i (ICC) can communicate with IBM Cloud Object Storage (COS) over HTTPS can be confusing. This article walks through the configuration and provides streamlined steps to fetch the COS certificate and its certificate chain.

Prerequisites

  • The document assumes you have an IBM i instance (LPAR) running in IBM Power Virtual Server.
  • The recommended approach to communicate with COS from Power Virtual Server is to use a Virtual Private Endpoint (VPE) in a Virtual Private Cloud (VPC). This blog shows how to configure a COS VPE.
  • The document also assumes you have network connectivity to the IBM i instance, which is required for accessing the DCM web interface.

Set up name resolution for the COS VPE service endpoint

The IBM i instance needs to be set up to resolve the COS VPE service endpoint (hostname) to an IP address. This can be done in two ways depending on how the VPE was created.

If the VPE binds to multiple IP addresses or the VPE IPs will change, a DNS service with custom resolvers should be provisioned in the cloud to allow VPC and IBM i to resolve the name. See this blog for more information on setting up custom resolvers. Once the custom resolvers are configured, the second page of the CFGTCP option 12 screen can be used to add the resolver IPs.


If the VPE binds a single IP address, the resolution can be handled by the IBM i instance’s host table entries. This is analogous to editing the /etc/hosts file on Linux.

To add host entries, run CFGTCP and choose option 10. From this screen you can add an entry mapping the VPE IP address to the COS service endpoint hostname:

Configure Certificate Authorities for the COS VPE in DCM

For IBM Cloud Storage Solutions for i (ICC) to use HTTPS communication with COS, the COS VPE’s certificate authority (CA) certificate and the other CA certificates in its certificate chain must be added to the *SYSTEM certificate store on the IBM i instance, and ICC must be added to the applications list for the certificate store.

Store the COS VPE CA in the IBM i file system

Either SSH into the IBM i using a command like ssh qsecofr@<ibmiIP>, or, from a console or 5250 emulated session, enter a PASE shell with “CALL QP2TERM” or start QSH. The following commands and paths assume you are logged in as QSECOFR; another user profile with sufficient authority can be used instead.

In the shell session, run the following command. It stores the COS VPE CA certificate in the coscert.txt file in the current directory (/home/qsecofr/coscert.txt when logged in as QSECOFR). Replace the “s3.*” hostname in the command with the COS VPE’s service endpoint.

< /dev/null openssl s_client s3.direct.us-south.cloud-object-storage.appdomain.cloud:443 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > coscert.txt

Ensure the coscert.txt file has an ASCII coded character set ID (CCSID). The CCSID value can be checked by running the DSPATR OBJ('/home/qsecofr/coscert.txt') CL command. For example, CCSID 819 is the ISO 8859-1 (ASCII) CCSID, while CCSID 37 is the EBCDIC set for “US, Canada, Netherlands, Portugal, Brazil, New Zealand, Australia”. The IBM i CCSID values can be found here. If necessary, change the CCSID to an ASCII value with the following command: CHGATR OBJ('/home/qsecofr/coscert.txt') ATR(*CCSID) VALUE(819)

Obtain additional COS VPE connection information

In the same SSH session, run the following command. It will produce a lot of output, some of which will be needed for the certificate store configuration. The “s3.*” hostname in the command should be the COS VPE’s service endpoint.

< /dev/null openssl s_client s3.direct.us-south.cloud-object-storage.appdomain.cloud:443

Two sections of the output are of interest:

1. The certificate chain which looks like this:

Certificate chain
 0 s:C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, CN = *.s3.direct.us-south.cloud-object-storage.appdomain.cloud
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

2. The SSL-Session section, which lists the TLS protocol version and the cipher that were negotiated:

 SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : ECDHE-RSA-AES256-GCM-SHA384
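As an added example (not code from the original post, and not an IBM tool), the following POSIX shell helpers work over the s_client output discussed in the two previous sections. They split every PEM block in the output into its own file, summarise the Certificate chain section so that the CA names to look for in DCM are obvious (the entry whose subject equals its issuer is the root), pull out the negotiated Protocol and Cipher, and sanity-check an extracted file for balanced markers and ASCII-only content before the CCSID step. It generalises the posted command slightly: fetch_chain_output adds -showcerts, so the intermediate CA certificates are returned as well as the server certificate. The endpoint hostname, the file prefix and the transcript in SAMPLE_OUTPUT are placeholders constructed for the demo; only fetch_chain_output touches the network, and it is not called here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh with awk and grep,
# as available in an IBM i PASE or QSH session. Hostnames and paths are placeholders.

# Fetch the full chain from the COS VPE endpoint (-showcerts adds the intermediates,
# -servername sends SNI). Needs network access, so the demo below does not call it.
fetch_chain_output() {
    host="$1"
    < /dev/null openssl s_client -showcerts -servername "$host" -connect "$host:443" 2>/dev/null
}

# Split every PEM certificate block on stdin into <prefix>-0.pem, <prefix>-1.pem, ...
# (0 is the server certificate, the highest number is the top of the chain).
# Prints the number of certificates written.
split_pem_blocks() {
    awk -v p="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = p "-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out); n++ }
        END { print n }
    '
}

# Summarise the "Certificate chain" section: depth, subject CN, issuer CN, and a
# "root (self-signed)" tag where subject equals issuer. The issuer CNs are the CAs
# to select under "Populate with CAs" in DCM.
chain_summary() {
    awk '
        function cn(dn) {
            if (match(dn, /CN = [^,]+/)) return substr(dn, RSTART + 5, RLENGTH - 5)
            return dn
        }
        /^Certificate chain/ { inchain = 1; next }
        inchain && /^---$/ { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        inchain && /^ *i:/ {
            sub(/^ *i:/, ""); iss = $0
            tag = (subj == iss) ? "root (self-signed)" : "issued-by"
            printf "%s subject=[%s] %s issuer=[%s]\n", depth, cn(subj), tag, cn(iss)
        }
    '
}

# Report the negotiated protocol and cipher from the SSL-Session section; the ICC
# application definition in DCM must allow both.
tls_params() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END { printf "%s %s\n", proto, cipher }
    '
}

# Sanity-check an extracted PEM file before importing it: balanced BEGIN/END markers
# and only printable ASCII bytes (an EBCDIC-tagged or binary-polluted file fails).
pem_file_ok() {
    f="$1"
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -ge 1 ] || return 1
    [ "$begins" -eq "$ends" ] || return 1
    ! LC_ALL=C grep -q '[^ -~]' "$f"
}

# Constructed s_client -showcerts transcript: the chain names match the post,
# the PEM bodies are placeholders, not real certificates.
SAMPLE_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, CN = *.s3.direct.us-south.cloud-object-storage.appdomain.cloud
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
MIIFAKEleafCertificateBodyConstructedForThisExample==
-----END CERTIFICATE-----
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIFAKEintermediateCertificateBodyConstructedForThisExample==
-----END CERTIFICATE-----
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIFAKErootCertificateBodyConstructedForThisExample==
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
EOF
)

# Demonstration on the constructed transcript; runs offline.
demo() {
    workdir=$(mktemp -d)
    count=$(printf '%s\n' "$SAMPLE_OUTPUT" | split_pem_blocks "$workdir/cos")
    echo "certificates extracted: $count"
    printf '%s\n' "$SAMPLE_OUTPUT" | chain_summary
    echo "negotiated: $(printf '%s\n' "$SAMPLE_OUTPUT" | tls_params)"
    pem_file_ok "$workdir/cos-0.pem" && echo "cos-0.pem is clean ASCII PEM"
    rm -rf "$workdir"
}
demo
```

On the IBM i the real flow is fetch_chain_output "$endpoint" > chainout.txt, then split_pem_blocks and chain_summary over that file; the per-depth files can each be imported into the *SYSTEM store, and the CHGATR CCSID step from the post still applies to every file written here.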

Sign into DCM and create or open the *SYSTEM cert store

To open DCM, open http://<ibm-i-IP-address>:2006/dcm/login in your local web browser. Sign in as QSECOFR or another user with sufficient authority.

Version note: The steps and screenshots in the following sections were done using IBM i 7.5. The DCM steps may vary slightly for other releases.

Choose “Create Certificate Store” on the left to create the *SYSTEM certificate store. The store creation requires a password that will be used to unlock the store on future access.

If *SYSTEM is not an option under “Create Certificate Store”, it is already created on the LPAR and it should be opened with “Open Certificate Store”. The open action requires the store password.

Populate with CAs and import the COS VPE CA

Choose Populate with CAs from the *SYSTEM store menu:

Select the CAs that appear in the COS VPE’s certificate chain retrieved above. In this example the DigiCert Global Root G2 and DigiCert TLS RSA SHA256 2020 CA1 CAs are selected.

NOTE: The CAs and their certificate chains change periodically. As of May 2024 the CAs in the COS certificate chain do not match what is in these older screenshots.

Click “Populate” and then “Back”.

Next, click “Import” and choose to import a Certificate Authority (CA).

Specify the COS cert file that was stored on the IBM i file system earlier and give a descriptive name:

Add an application definition for ICC

Click “Manage Application Definitions” and then click “Create”.

Fill in the fields as shown. You can click Specify under Protocols and Cipher Specifications to confirm that the protocol and cipher obtained earlier are checked by default. The setting can be changed back to *PGM after verifying. Press “Create” after filling in the fields and choosing the options.

Optional: Define QICC CA Trust List

By default, the QICC profile trusts all the CAs in the *SYSTEM store. If you want to limit the trusted CAs to the certificate and CAs used by COS, use the following steps:
 
On the Application Definitions screen, search for the IBM_QICC application and click View.
On the View Application Definition screen, click Define CA Trust.

Select the certificates that were populated and imported in the previous steps.

Conclusion

After following these steps, ICC can use HTTPS to communicate with IBM Cloud Object Storage.

Additional resources

IBM Cloud Storage Solutions for i User’s guide: https://www.ibm.com/docs/en/ssw_ibm_i_75/icc/iccumstpdf.pdf
 
IBM Cloud Storage Solutions for i troubleshooting:
