
...

Creating the *SYSTEM certificate store
Procedure
  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. Click Create Certificate Store in the left-hand navigation menu.

  4. On the right-hand side of the page select *SYSTEM.

Note: If the *SYSTEM option is not available in the list, a *SYSTEM store already exists on this system and these steps have already been performed.

  5. Create a password for the *SYSTEM store and click Create.

Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Result

The *SYSTEM certificate store is created on the node.

Tip: The *SYSTEM certificate store must be created on all nodes in the cluster. Ensure the *SYSTEM certificate store is created on all nodes in the cluster before continuing.

...

There are two options for trusting the IBM Cloud Certificate Authority:

  • Recommended: Populate Digital Certificate Manager with well-known CAs.

...

Bypassing strict-certificate checking in PowerHA using a PowerHA Policy
Warning: While this step only needs to be performed on one node, it is not as secure as the option for trusting well-known certificates. While this option still uses encrypted communication between PowerHA and IBM Cloud services, it does not protect against a man-in-the-middle attack.

Add a PowerHA policy to bypass strict certificate checking in PowerHA. For example, the following policy would bypass strict certificate checking for any configuration description:

ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO)

This step only needs to be performed on one node as the policy applies to the entire PowerHA cluster.

...