• Subject: Re: Use of certificates in the AS400 environment
  • From: neilp@xxxxxxxxxxx
  • Date: Thu, 23 Nov 2000 22:45:14 -0500

I've heard that something along these lines (certificates for application security, object signing ability, etc.) will be in V5R1 around 2Q2001.
Anyone care to comment further?


"Tom Litney" <Tom.Litney@net-reliance.com>
Sent by: owner-midrange-l@midrange.com

2000/11/23 00:48
Please respond to MIDRANGE-L

        To:        <MIDRANGE-L@midrange.com>
        Subject:        Use of certificates in the AS400 environment

Hi Gurus,

 I'm a rookie in the AS400 environment so please be gentle with me.  I hope
I'm not rehashing an old topic.  I have checked the recent list archives and
couldn't find any information.  If I am, I apologize in advance and would
appreciate any pointers to appropriate posts.  

I have read (and read between the lines) many IBM publications and other
articles regarding the use of digital certificates for authentication and
non-repudiation in the AS400 environment.   I have made several assumptions
regarding the information that I encountered and I'm hoping that you experts
will straighten me out.  What I have been able to surmise is that the AS400
base code contains APIs that an application could use to provide
cryptographic functionality.   That the Digital Certificate Manager is an
application written by IBM to make use of these APIs in the browser
environment but my assumption is that another application, that is not
browser based, could make its own use of the APIs.  Is this a valid
assumption?  The application usage I'm envisioning would not be internet or
intranet (browser) based.  I was hoping that by loading valid certificates
into a validation list object and making the application "cryptographic API"
aware, I could provide authenticated logons to an application for users over
a TCP/IP network.  This would involve transmitting user certificates to the
application during session initiation.  Assuming that the application could
check the validation list object to ensure that the certs were valid; that
only valid certs (contain the valid CA signature and have not expired) were
in the validation list object; that a security administrator would provide
the CRL function by weaning the validation list object of revoked
certificates;  and that I could prove that the holder of the cert was in
possession of the valid secret key.   The underlying assumption is that the
CA and RA function would be performed offline somewhere by a trusted source.
So, if I haven't gone too far off the deep end so far, I could use public key
from the certificate in the validation list object to verify the signed
message hash value created by the user to provide non-repudiation.

Has anyone created their own PKI aware environment in the AS400?
How many folks are currently using the DCM to provide authentication in the
Is the use of the DCM a requirement? Or can one "roll their own"?

Ok have at me!  I hope someone out there takes pity on me and throws me a
few clues.  

Tom Litney
Director of Cryptographic Engineering
NetReliance, Inc
3017 Douglas Blvd., Ste 300
Roseville, CA  95661
916-788-7202 ext 8828
cell - 916-802-3069
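
The logon flow described in the message above, as an added example that is not part of the original thread and is not IBM's API. It assumes Go's standard library in place of the AS/400 cryptographic APIs, Ed25519 keys, a single CA that signs user certificates directly, and a validation list modelled as a set of SHA-256 certificate fingerprints; `Issue` and `Logon` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue builds a constructed demo certificate; a nil parent yields a self-signed CA.
func Issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage = true, tpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Logon runs the post's checks: list membership, CA signature and expiry, then key possession.
func Logon(cert, ca *x509.Certificate, list map[[32]byte]bool, now time.Time, nonce, sig []byte) error {
	if !list[sha256.Sum256(cert.Raw)] { // the administrator removes revoked certificates from the list
		return fmt.Errorf("certificate is not in the validation list")
	}
	if cert.CheckSignatureFrom(ca) != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate is not signed by the CA or is outside its validity period")
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("signature over the session nonce does not verify")
	}
	return nil
}

func main() {
	ca, caKey := Issue("Demo CA", 1, nil, nil)
	user, userKey := Issue("alice", 2, ca, caKey)
	nonce := make([]byte, 32) // server-chosen, fresh per session so an old signature cannot be replayed
	rand.Read(nonce)
	list := map[[32]byte]bool{sha256.Sum256(user.Raw): true}
	fmt.Println(Logon(user, ca, list, time.Now(), nonce, ed25519.Sign(userKey, nonce)))
}
```

The CA signature and expiry are checked at every logon rather than only when a certificate is loaded, so an entry that expires or was added to the list by mistake is still rejected.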



This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].