Enabling SSL on the IBM HTTP Server (i5/OS or OS/400 platform)

SSL is a security protocol that keeps the data transferred between a client and a server private and protected from tampering in transit. It allows the client to authenticate the identity of the server and, optionally, the server to authenticate the identity of the client.

Digital certificates are electronic documents that authenticate the servers and clients involved in secured transactions over the Internet. The issuer of a digital certificate is called a certificate authority (CA). The iSeries system can act as a CA in an intranet environment, issuing server and client certificates, and can run as an authenticated server using server certificates issued either by an iSeries CA or by an Internet CA such as VeriSign. Note that a client only accepts a server certificate if it trusts the CA that issued it, so a certificate issued by a private iSeries CA is useful only on clients where that CA's certificate has been installed. As a Web server, the IBM HTTP Server for iSeries can also be configured to request client certificates in order to authenticate SSL-enabled clients.

For detailed information on how to enable SSL on the IBM HTTP Server for iSeries, refer to the IBM iSeries Information Center (http://publib.boulder.ibm.com/html/as400/infocenter.html). Once you are at the site, select your operating system version and your language, and then click Go. Search for the topic "Securing applications with SSL" for guidance on how to enable SSL.

Using SSL with WebSphere Commerce Payments

If you create the system certificate store after creating your WebSphere Commerce instance, you must grant both the WebSphere Commerce Payments instance and the WebSphere Commerce instance access to the system certificate store; otherwise the servers cannot open the key database when they start with SSL enabled. For example, on a V5R1 system the following commands grant the WebSphere Commerce Payments instance (user profile QPYMSVR) the required access:

CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server') USER(QPYMSVR) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB') USER(QPYMSVR) DTAAUT(*R)

and the following commands grant the WebSphere Commerce instance (user profile QEJBSVR) the required access on a V5R1 system:

CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server') USER(QEJBSVR) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB') USER(QEJBSVR) DTAAUT(*R)
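The following CL program is an added example, not part of the original page or of the WebSphere Commerce product: it performs both grants above in one place, stops with an escape message if either CHGAUT fails, and then displays the resulting authorities so that the grant can be checked rather than assumed. The object paths and the profile names QPYMSVR and QEJBSVR come from the commands above; the program name, the message handling and the decision to grant both profiles in a single CHGAUT are assumptions for this example. If the Payments instance runs on a remote machine, run the grant for its profile on that machine instead.

```cl
/* Added example, not from the original page: grant both WebSphere    */
/* Commerce profiles read-only access to the system certificate store */
/* and display the result. Paths and profile names are from the text  */
/* above; the program structure and message handling are assumed.     */
PGM

  /* The directory needs *RX: *X is the search permission required to  */
  /* traverse it, *R lets the server read the directory entries.       */
  CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server') +
         USER(QPYMSVR QEJBSVR) DTAAUT(*RX)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
              MSGDTA('CHGAUT on certificate directory failed') +
              MSGTYPE(*ESCAPE)
  ENDDO

  /* The key database itself only needs *R. Neither instance should be */
  /* able to modify or delete the store, so *RW or *ALL is not granted. */
  CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB') +
         USER(QPYMSVR QEJBSVR) DTAAUT(*R)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
              MSGDTA('CHGAUT on DEFAULT.KDB failed') +
              MSGTYPE(*ESCAPE)
  ENDDO

  /* Verify: the display should show *RX on the directory and *R on   */
  /* DEFAULT.KDB for both profiles, and no wider authority than you   */
  /* intended for *PUBLIC.                                            */
  DSPAUT OBJ('/QIBM/UserData/ICSS/Cert/Server')
  DSPAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB')

ENDPGM
```

The program deliberately grants only data authorities (*RX and *R) and no object authorities, so that the server profiles can read the key database but cannot replace it or change its authorities; the DSPAUT output is the check a practitioner should keep, since an over-broad grant on the key database would let either server profile alter the server's private keys.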

If you choose to use a remote WebSphere Commerce Payments instance, you must configure both the WebSphere Commerce instance and the WebSphere Commerce Payments instance to trust the certificate authority that issued the other machine's server certificate. Exchanging the CA certificates in both directions establishes the trust relationship between the two remote applications; the high-level procedure is as follows:

  1. On the WebSphere Commerce machine, use the Digital Certificate Manager to export the certificate of the CA that issued the server's certificate.
  2. Transfer the certificate file to the WebSphere Commerce Payments machine.
  3. On the WebSphere Commerce Payments machine, use the Digital Certificate Manager to import the WebSphere Commerce server's CA certificate.
  4. Configure the WebSphere Commerce Payments application server to trust the imported WebSphere Commerce server's CA certificate.
  5. On the WebSphere Commerce Payments machine, use the Digital Certificate Manager to export the certificate of the CA that issued the server's certificate.
  6. Transfer the certificate file to the WebSphere Commerce machine.
  7. On the WebSphere Commerce machine, use the Digital Certificate Manager to import the WebSphere Commerce Payments server's CA certificate.
  8. Configure the WebSphere Commerce application server to trust the imported WebSphere Commerce Payments server's CA certificate.

For detailed information, refer to the WebSphere Commerce Technical Library Web page and look for Hints and Tips.
