| Table of Contents |
|---|
| minLevel | 1 |
|---|
| maxLevel | 6 |
|---|
| outline | false |
|---|
| style | none |
|---|
| type | list |
|---|
| printable | true |
|---|
|
...
| Expand |
|---|
| title | Creating the *SYSTEM certificate store |
|---|
| Procedure |
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i. Log in with an IBM i profile with sufficient authority. Click on Create Certificate Store on the left-hand navigation menu On the right-hand side of the page select *SYSTEM. 
| Info |
|---|
Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed. |
Create a password for the *SYSTEM store and click Create.
| Info |
|---|
Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts. |
ResultThe *SYSTEM certificate store is created on the node |
| Panel |
|---|
| panelIconId | atlassian-light_bulb_on |
|---|
| panelIcon | :light_bulb_on: |
|---|
| panelIconText | :light_bulb_on: |
|---|
| bgColor | #E3FCEF |
|---|
|
Tip: The system certificate store must be created on all nodes in the cluster. Ensure the *SYSTEM certificate store is created on all nodes in the cluster before continuing. |
...
There are two options for trusting the IBM Cloud Certificate Authority:
| Expand |
|---|
| title | Populate digital certificate manager with well known CAs. |
|---|
|
Open the *SYSTEM certificate store in Digital Certificate Manager| Info |
|---|
If the *SYSTEM certificate store was created in the previous step, simply select it in the left-hand menu in Digital Certificate Manager and continue on to the next section. |
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i. Log in with an IBM i profile with sufficient authority. Click Open Certificate Store. Select the *SYSTEM option, click continue.
| Info |
|---|
If *SYSTEM does not appear in the list, the system certificate store either does not exist, or is already open. If it does not exist, see Creating the *SYSTEM Certificate Store. If it is already open, select it in the left-hand menu. |
Sign in with the password for the certificate store and click Open.
Populate the *SYSTEM certificate store in Digital Certificate Manager with CAsClick the Populate with CAs link in Digital Certificate Manager  Click the Select All button to select all certificates Click the Populate button to populate the system certificate store with all well known CAs. Repeat these steps on all nodes in the cluster.
|
...
| Expand |
|---|
| title | Bypassing strict-certificate checking in PowerHA using a PowerHA Policy |
|---|
|
| Note |
|---|
Warning: While this step only needs to be performed on one node, it is not as secure as the option for trusting well-known certificates. While this option still uses encrypted communication between PowerHA and IBM Cloud services, it does not protect against a man-in-the-middle attack. |
Add a PowerHA policy to bypass strict certificate checking in PowerHA. For example, the following policy would bypass strict certificate checking for any configuration description: ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO)
This step only needs to be performed on one node as the policy applies to the entire PowerHA cluster. |
...