
IBM i TLS Connection Configuration

Overview

InfoConnect products support interacting with IBM i services over an encrypted channel. This is our recommended mode of communication for all production and non-production environments, except perhaps for initial product trials where no sensitive data is exchanged.

IBM i Digital Certificate Manager (DCM) is an out-of-the-box IBM i tool with which customers can manage TLS certificates and apply them to various IBM i communication services, including Program Call, Data Queue, and the other services InfoConnect leverages.

Below are general instructions on how to configure a self-signed TLS certificate, apply it to IBM i services, and extract it into an InfoConnect-compatible truststore. In most production environments, companies should use a certificate signed by an official Certificate Authority. Note that managing TLS certificates on IBM i is a separate admin function not limited to InfoConnect operations, and the specific requirements and instructions may vary.

IBM i TLS Certificate Setup

Connect to IBM i Digital Certificate Manager from IBM i Navigator (https://:2004) -> Internet Configurations -> Digital Certificate Manager.

The screenshots below may look different depending on the Navigator for i version, but the steps should be roughly the same.

Digital Certificate Manager Main Page

Click on Select Certificate Store and select *SYSTEM.

Select *SYSTEM Certificate Store

If there is no *SYSTEM store available, create one by clicking Create New Certificate Store and following the prompts. When creating the store, choose not to create the certificate yet.

Create a new Local Certificate Authority if one does not already exist, following the prompts. When you reach the page that asks to create the *OBJECTSIGNING store, press Cancel.

Click the Select Certificate Store button again to switch back to the *SYSTEM store.

Now we are ready to create a new certificate for encrypting the host servers' communications. Click Create New Server or Client Certificate and choose the Local Certificate Authority for signing. Follow the prompts. On the Applications page, assign the newly created certificate to the servers that need it for SSL connections, for example the Database server, Data Queue server, File Server, DRDA server, Remote Command server, Signon server, and QIBM_HTTP_SERVER_.

Next, restart the host servers on IBM i so that the new certificate assignments take effect.

Restart Host Services

Extract TLS Certificate into Truststore

In IBM i Digital Certificate Manager, select the *SYSTEM certificate store, then click Install Local CA Certificate on your PC and select Copy and paste the certificate.

Extract TLS Certificate

Copy Paste Certificate

Copy and paste the certificate content into a text file on your file system.

Create a new truststore, or import the certificate into an existing truststore, with keytool:

keytool -import -alias <IBMi Certificate Alias> -file <certificate file name> -keystore <truststore name>

Provide the store password and confirm that the certificate should be trusted. The truststore can now be used with the MuleSoft and Kafka connectors as well as InfoConnect Hub.
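The copy/paste step is where this procedure most often goes wrong: a browser paste can wrap, truncate or pick up stray characters, and it is easy to export the server certificate instead of the Local CA certificate. The following Python script is an added example, not part of this page or of the InfoConnect product; it checks the pasted PEM file before the keytool import, computes the SHA-256 fingerprint in the colon-separated form keytool prints at its "Trust this certificate?" prompt, and confirms that the certificate carries the CA flag. The function names and the toy sample input in the test are the example's own.

```python
"""Sanity checks for a certificate pasted from IBM i DCM, run before the
keytool import.  Added example, not InfoConnect code."""
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length(der: bytes) -> int:
    """Total length claimed by the outer DER SEQUENCE header, or -1 if the
    bytes do not start with a SEQUENCE (an X.509 Certificate always does)."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pasted_pem(text: str) -> dict:
    """Validate the pasted PEM; return the DER and its SHA-256 fingerprint in
    keytool's colon-separated form, to compare against the fingerprint keytool
    prints at the 'Trust this certificate?' prompt and the one DCM shows."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE markers missing: incomplete paste?")
    body = re.sub(r"\s+", "", m.group(1))         # browsers may wrap or indent
    der = base64.b64decode(body, validate=True)   # ValueError on stray characters
    claimed = der_length(der)
    if claimed != len(der):
        raise ValueError(f"DER header claims {claimed} bytes, file has "
                         f"{len(der)}: truncated or corrupted paste?")
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return {"der": der,
            "sha256": ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))}

def is_ca_certificate(pem_text: str) -> bool:
    """True if the certificate parses and carries basicConstraints CA:TRUE,
    as the Local CA certificate exported from DCM must; a server certificate
    exported by mistake will not.  A bare PROTOCOL_TLS_CLIENT context is used
    so that no system CAs are preloaded into the check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem_text)    # ssl.SSLError if unparseable
    return len(ctx.get_ca_certs()) > 0
```

Run check_pasted_pem on the saved file's contents and compare the returned sha256 with the fingerprint keytool prints before answering yes to the trust prompt; is_ca_certificate on the same text should return True for the Local CA certificate.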