If you use a root certificate from another computer system or party, you import it into the *SYSTEM store. If you create a self-signed certificate in the IBM i Local CA store of the server that runs those services, you create a client/server certificate in the *SYSTEM store based on the root one from the Local CA store. And then you specify it as the default certificate. Thereafter, all IBM i services with no explicit assignment of any certificate will use this default one.
Original Message:
Sent: Wed September 27, 2023 08:01 AM
From: Robert Berendt
Subject: Assigning certificates via DCM for various IBM i Access Client Solutions services
What does "putting a root certificate into *SYSTEM store" mean?
------------------------------
Robert Berendt IBMChampion
Original Message:
Sent: Tue September 26, 2023 10:26 PM
From: Satid Singkorapoom
Subject: Assigning certificates via DCM for various IBM i Access Client Solutions services
Dear Robert
Did you assign the same client/server certificate to these IBM i services that you want? If so, I found out long ago that just putting a root certificate into *SYSTEM store is enough. All IBM i services seem to use it by default. Navigator for i is not a service in there, so you still need to take the action as you did from the Technote.
------------------------------
Chance favors only the prepared mind.
-- Louis Pasteur
------------------------------
Satid S.
Original Message:
Sent: Tue September 26, 2023 10:47 AM
From: Robert Berendt
Subject: Assigning certificates via DCM for various IBM i Access Client Solutions services
By following the previous resolutions, and by completely restarting iACS, I can now do the connection verify and pass with flying colors.
------------------------------
Robert Berendt IBMChampion
Original Message:
Sent: Tue September 26, 2023 08:14 AM
From: Robert Berendt
Subject: Assigning certificates via DCM for various IBM i Access Client Solutions services
I am trying to apply a certificate to the various IBM i Access Client Solutions services. I do not want to just apply the cert to all services. When I turn on SSL for one LPAR I must be missing a few services as I am getting:
I've got most of these figured out:
Verifying connection to port mapper service...Success! using port number 449
Verifying connection to central server service...Success! using port number 9470 -> QIBM_OS400_QZBS_SVR_CENTRAL
Verifying connection to command service...Success! using port number 9475 -> QIBM_OS400_QZBS_SVR_RMTCMD
Verifying connection to database service...Success! using port number 9471 -> QIBM_OS400_QZBS_SVR_DATABASE
Verifying connection to data queues service...Success! using port number 9472 -> QIBM_OS400_QZBS_SVR_DTAQ
Verifying connection to file service...Success! using port number 9473 -> QIBM_OS400_QZBS_SVR_FILE
Verifying connection to print service...Success! using port number 9474 -> QIBM_OS400_QZBS_SVR_NETPRT
Verifying connection to signon service...Success! using port number 9476 -> QIBM_OS400_QZBS_SVR_SIGNON
Verifying connection to Telnet service...Success! using port number 992 -> QIBM_QTV_TELNET_SERVER
Verifying connection to Secure Shell (SSH) service...Success! using port number 22
Which DCM service pertains to
Verifying connection to record-level access service...Failed: MSGGEN004 - An unexpected end of the file or stream has been encountered. (SSL peer shut down incorrectly) using port number 448
Verifying connection to Navigator for i service...Failed: MSGSSL001 - An error was encountered during a secure socket operation. (Unsupported or unrecognized SSL message) using port number 2002
If I run this verification screen with SSL turned off I pass fine.
------------------------------
Robert Berendt IBMChampion
------------------------------
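As an added example (not part of the thread and not IBM code): a small Python parser for the connection-verification output quoted in the original post, which lists the services that failed the TLS check together with any DCM application ID noted beside them. It assumes the `-> QIBM_...` suffix convention the poster used for his own notes; the function names are hypothetical.

```python
import re

# Lines copied from the verification output in the original post; the
# "-> QIBM_..." suffix is the poster's own note of the DCM application ID.
SAMPLE = """\
Verifying connection to central server service...Success! using port number 9470 -> QIBM_OS400_QZBS_SVR_CENTRAL
Verifying connection to Telnet service...Success! using port number 992 -> QIBM_QTV_TELNET_SERVER
Verifying connection to Secure Shell (SSH) service...Success! using port number 22
Verifying connection to record-level access service...Failed: MSGGEN004 - An unexpected end of the file or stream has been encountered. (SSL peer shut down incorrectly) using port number 448
Verifying connection to Navigator for i service...Failed: MSGSSL001 - An error was encountered during a secure socket operation. (Unsupported or unrecognized SSL message) using port number 2002
"""

LINE = re.compile(
    r"^Verifying connection to (?P<service>.+?) service\.\.\."
    r"(?P<status>Success!|Failed: (?P<msgid>\w+) - (?P<detail>.*?))"
    r"\s*using port number (?P<port>\d+)"
    r"(?:\s*->\s*(?P<app_id>\S+))?\s*$"
)

def parse_verify_output(text):
    """Return one dict per recognised result line; other lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        results.append({
            "service": m["service"],
            "port": int(m["port"]),
            "ok": m["status"] == "Success!",
            "msgid": m["msgid"],    # None on success
            "detail": m["detail"],  # None on success
            "app_id": m["app_id"],  # None when no application ID was noted
        })
    return results

def needs_attention(results):
    """Failed services as (service, port, message id, noted application ID)."""
    return [(r["service"], r["port"], r["msgid"], r["app_id"])
            for r in results if not r["ok"]]

if __name__ == "__main__":
    for service, port, msgid, app_id in needs_attention(parse_verify_output(SAMPLE)):
        print(f"{service} (port {port}): {msgid}, "
              f"application ID: {app_id or 'not yet identified'}")
```
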