Securing AS400 / iSeries (Comodo Free SSL)

This tutorial enables SSL on the AS400 / iSeries using Comodo’s free 90-day trial SSL certificate.  The process lets you secure web services, login, and SSL across all other servers/services on the AS400 / iSeries.

Note:  If you are replacing/renewing your cert and something goes wrong, do not be afraid to delete your certificate store (if this is your only cert) and start fresh with this tutorial.  I’ve done it twice now, as the key in the store had trouble matching the new cert, etc.  I deleted the certificate store, followed my own tutorial, and was up and going in minutes.

Selecting / Creating a Certificate Store

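The first step is to get a certificate signing request (CSR), a large block of encoded text, FROM the AS400.  To do this, you must create the request on the server in the Digital Certificate Manager.  The private key stays in the certificate store on the server; only the CSR goes to the certificate authority.  First, select your Certificate store: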

→ Digital Certificate Manager (www.myas400.com:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0)

Select a Certificate Store and Select *SYSTEM

IF YOU DO NOT SEE THIS, YOU WILL NEED TO CREATE A STORE.

  • Create a New Certificate Store
  • Select *SYSTEM
  • Yes, I want to create a certificate store
  • Fill out form
    • Make sure the encryption (dropdown) is 2048-bit at MINIMUM. The AS400 default is 1028-bit.
    • I filled in only required fields
    • Certificate “Label” will be how you see it on the as400 (I used: MYCOMPANY-SSL).
    • Choose a password for it (case sensitive)
    • Common name is the domain, like: iseries.mycompany.com
    • Country is the 2 letter code
  • After you create the store, go back up and Select a Certificate Store
  • Select *SYSTEM
  • Enter the password you created above
  • At the end, you should get a request key that looks like this:
    • -----BEGIN CERTIFICATE REQUEST-----
      MIIDUDCCArkCAQAwdTEWMBQGA1UEAxMNdGVzdC50ZXN0LmNvbTESMBAGA1UECxMJ
      TWFya2V0aW5nMREwDwYDVQQKEwhUZXN0IE9yZzESMBAGA1UEBxMJVGVzdCBDaXR5
      (more encoded data)…….
      Rq+blLr5X5iQdzyF1pLqP1Mck5Ve1eCz0R9/OekGSRno7ow4TVyxAF6J6ozDaw7e
      GisfZw40VLT0/6IGvK2jX0i+t58RFQ8WYTOcTRlPnkG8B/uV
      -----END CERTIFICATE REQUEST-----
    • Copy this, save it in a safe place.
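
Before pasting the request into the CA's form, it can be checked on a workstation for the two things this step depends on: the 2048-bit minimum key size and the common name. This is an added example, not part of the original tutorial; it assumes the OpenSSL command-line tool and the CSR text saved to a file, and `check_csr` and `make_sample_csr` are hypothetical helper names.

```shell
# Constructed sample input: a throwaway request standing in for the DCM output.
# Usage: make_sample_csr BITS COMMON_NAME OUTFILE
make_sample_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3" 2>/dev/null
}

# Usage: check_csr FILE EXPECTED_CN [MIN_BITS]   (MIN_BITS defaults to 2048)
check_csr() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}

    # The request is signed with its own key, so a failure here usually means
    # the text was truncated or altered when it was copied out of the browser.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: request does not parse or its signature does not verify" >&2
        return 1
    fi

    # Key size as printed in the text dump, e.g. "Public-Key: (2048 bit)".
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, need at least $min_bits" >&2
        return 1
    fi

    # The common name must be the host name clients will connect to.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *\(.*,\)\{0,1\}CN=\([^,]*\).*/\2/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: CN is '$cn', expected '$want_cn'" >&2
        return 1
    fi
    echo "OK: $bits-bit key, CN=$cn"
}
```

Run it as `check_csr request.csr iseries.mycompany.com`; a non-zero exit status means the store should be recreated with the right settings before anything is sent to the CA.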

Buying (Free Trial) the SSL Certificate

Before starting this, you need a mailbox on your domain that Comodo can use to verify it, SPECIFICALLY one from a fixed set of addresses (two examples I remember: admin@mydomain.com, webmaster@mydomain.com).  Comodo verifies your domain by emailing one of these addresses, which you choose from a list:

admin@
administrator@
postmaster@
hostmaster@
webmaster@

Next, go to Comodo’s Free 90-day Trial SSL Certificate:

→ Free Trial SSL

  • Copy the CSR you saved above into the field requesting it.
  • Fill out the rest of the information and hit Next
  • The next page asks you to verify that you own the domain; I DID THIS BY EMAIL
    • Make sure you have an email like admin@mydomain.com, I used webmaster@mydomain.com
    • Select this email off the list – it will email your confirmation there.
    • Continue with free purchase (no card required), keep invoice page open.
    • Go to email – in the email, you will have a verification code, return to invoice and enter the verification code there.
  • You will receive an email with a zip file, download the zip, unzip.

Importing Certificates

Select your Certificate Store (like above, just to make sure).  Then go to Manage for importing.

In your zip file from Comodo you should have:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
  • Your Free SSL Certificate – www.mydomain.crt

When you import them..

IMPORT THEM IN THIS ORDER!

First, you have to upload them to the AS400.  I used FTP and put them in www/mycerts.

My path looked like:  /www/mycerts/AddTrustExternalCARoot.crt

The first three files go under Import Certificate / Certificate Authority.  You should get a green message after each import if it was successful.  But don’t be afraid: I tried all combos, I even deleted the store, and everything was fine.  This order will save you time, though (especially the last file in the next step).

I named them as such:

  • Comodo SSL Root CA Certificate
  • Comodo SSL Intermediate CA Certificate
  • Comodo SSL Intermediate CA Certificate DV

On the last file, SWITCH TO SERVER/CLIENT:

Here, install the final file:

  • Your Free SSL Certificate – www.mydomain.crt

(I named it Comodo SSL Certificate)
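
The import order above is the issuer chain read root first: each certificate goes in after the one that issued it. When the CA's zip uses different file names, the same order can be worked out from the certificates themselves, as in this added example (not part of the original tutorial). It assumes the OpenSSL command-line tool and PEM-encoded files; `import_order`, `make_sample_chain`, `subj` and `issr` are hypothetical helper names.

```shell
# Hash of a certificate's subject name and of its issuer's name.
subj() { openssl x509 -in "$1" -noout -subject_hash; }
issr() { openssl x509 -in "$1" -noout -issuer_hash; }

# Constructed sample input: throwaway root -> int -> dv -> leaf chain in DIR.
make_sample_chain() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample root" \
        -keyout root.key -out root.crt 2>/dev/null || exit 1
    parent=root
    for name in int dv leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample $name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
        openssl x509 -req -in "$name.csr" -days 1 -CA "$parent.crt" \
            -CAkey "$parent.key" -CAcreateserial -out "$name.crt" 2>/dev/null ||
            exit 1
        parent=$name
    done
)

# Usage: import_order FILE...   (file names without spaces)
# Prints the files root first, each one after the certificate that issued it.
# Matching is by issuer/subject name only; signatures are not checked here.
import_order() {
    ordered=""; want=""
    for f in "$@"; do          # the root names itself as issuer
        s=$(subj "$f") || return 1
        if [ "$s" = "$(issr "$f")" ]; then ordered=$f; want=$s; fi
    done
    if [ -z "$ordered" ]; then
        echo "no self-issued root among the files" >&2; return 1
    fi
    placed=1
    while [ "$placed" -lt "$#" ]; do
        next=""
        for f in "$@"; do      # find the file issued by the one just placed
            case " $ordered " in *" $f "*) continue ;; esac
            if [ "$(issr "$f")" = "$want" ]; then next=$f; fi
        done
        if [ -z "$next" ]; then
            echo "nothing issued by the last certificate in: $ordered" >&2; return 1
        fi
        ordered="$ordered $next"; want=$(subj "$next"); placed=$((placed + 1))
    done
    echo "$ordered"
}
```

Passing the four files from the zip in any order prints them in import order; an error means a link in the chain is missing from the download.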

Now, all you have to do is go back into Manage Certificates/Assign Certificates and assign it to the servers/services you want.  For example, I selected Assign Certificate -> Choose the HTTP Zendcore server and clicked ok.

Enabling SSL for Web Services

Now that you’ve assigned that certificate to the webserver/services, you need to enable SSL on the front end of the server.  To enable SSL for our Web Services, go to:

 → HTTPADMIN (www.myas400.com:2001/HTTPAdmin)

 Go to the HTTP Servers Tab

  • Server Properties/ Security
  • Enable SSL
  • Certificate App Name: Select the name from the drop down list and note the name.
  • Save settings
  • Then, back to the Digital Certificate Manager (www.myas400.com:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0)
  • Manage Certificates/Assign Certificate
  • Assign to applications
  • Select the same name (Certificate App Name) you chose (QIBM_HTTP_SERVER_WSERVICE)
  • Save settings

 

.. More posts coming soon as to creating your own API off the AS400/iSeries (AND HOW EASY IT IS!).  Open that database up to the world it deserves!