It sounds like you only require SSL on the server (wintel) machine. The
only thing on the IBM i you'll need to do is import the CA from the SSL
certificate you use on the wintel machine.



On Thu, Jan 12, 2017 at 3:19 AM, Alasdair Simpson <Alasdair.Simpson@xxxxxxxxxxxxxxx> wrote:

Hi

I am not sure if we do REQUIRE both, I just know that an external auditor
has determined that the data travelling between two internal servers should
be encrypted.

As far as I know, with one of those servers being an iSeries, that can
only be achieved by using SSL to secure the specific application which
transfers the data (the iSeries calls a web service running on the other
server and parses the results).

From what we have experienced with Third parties like Experian, we define
an application on the iSeries and the Third party issues us with a Server
or Client level certificate which we import into the DCM *SYSTEM store and
then link to the application name we have defined. They (the third party)
handle the certification on the other server.

Because in this instance both servers are ours, we don't really know
how to go about asking for the relevant certificates or generating them.

We have tried using the DCM to create a local CA and then a Server or
Client level certificate from that, but we then cannot import that
certificate into a Windows environment to decrypt at the other end.
If we create a CA certificate on Windows, we can import that into the
iSeries DCM, but can't attach it to an application because it is the wrong
level.

Is there some extra step I'm missing?

Alasdair

----------------------------------
Does your project REQUIRE a client side SSL certificate as well as a
service side certificate?

You most likely will, at the very least, have to import the CAs in the
chain from the Wintel server certificate.

Machine types don't matter. IBM i, linux, wintel, etc... they all do SSL
the same. The first step is to find out what you need for your project:

1. Just a server side certificate (on the Wintel machine)

or

2. A server side AND a client side certificate (I'm not referring to a CA
here, an actual client side certificate). In this case, normally the
admins of the server create this client cert for you to import and assign
to your application so it's used in the communications.

I have an article about using client side certificates with our GETURI
software, but it also applies to any client doing sockets over SSL that
requires a client side cert:
http://www.fieldexit.com/forum/display?threadid=297

Brad
www.bvstools.com


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
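
The trust relationship described in the thread (server-side certificate only, with the calling system importing just the issuing CA), as an added example that is not part of the original messages. It uses the `openssl` command line as a stand-in for DCM and the Windows certificate tooling; the CA and host names are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. All names (Demo Internal CA, wintel.example.internal) are constructed.

# Build a throwaway PKI in directory $1: an internal CA, a server certificate
# signed by it, and an unrelated second CA for the negative case.
make_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other-ca.crt" 2>/dev/null || return 1
  # Key pair and CSR are generated where the web service runs; the key stays there.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=wintel.example.internal" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null || return 1
}

# What the calling side (the IBM i in the thread) does during the handshake:
# validate the presented server certificate against the CA it has imported.
# $1 = CA certificate in the client's trust store, $2 = server certificate.
client_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_pki "$d" || { echo "openssl failed"; return 1; }
  client_trusts "$d/ca.crt" "$d/server.crt" && echo "issuing CA imported: server trusted"
  client_trusts "$d/other-ca.crt" "$d/server.crt" || echo "wrong CA imported: server rejected"
  rm -rf "$d"
}
demo
```

Only `ca.crt` ever needs to reach the calling system; `server.key` and `server.crt` stay on the machine hosting the web service.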

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.