Hi
I am not sure if we do REQUIRE both, I just know that an external auditor has determined that the data travelling between two internal servers should be encrypted.
As far as I know, with one of those servers being an iSeries, that can only be achieved by using SSL to secure the specific application which transfers the data (the iSeries calls a web service running on the other server and parses the results).
|From what we have experienced with Third parties like Experian, we define an application on the iSeries and the Third party issues us with a Server or Client level certificate which we import into the DCM *SYSTEM store and then link to the application name we have defined. They (the third party) handle the certification on the other server.
Because in this instance both servers are ours, we don't not really know how to go about asking for the relevant certificates or generating them.
We have tried using the DCM to create a local CA and then a Server or Client level certificate from that, but we then cannot import that certificate into a windows environment to decrypt at the other end.
If we create a CA certificate on Windows, we can import that into the iSeries DCM, but can't attach it to an application because it is the wrong level.
Is there some extra step I'm missing?
Alasdair
----------------------------------
Does your project REQUIRE a client side SSL certificate as well as a
service side certificate?
You most likely will, at the very least, have to import the CAs in the
chain from the Wintel server certificate.
Machine types don't matter. IBM i, linux, wintel, etc... they all do SSL
the same. The first step is to find out what you need for your project:
1. Just a server side certificate (on the Wintel machine)
or
2. A server side AND a client side certificate (I'm not referring to a CA
here, an actual client side certificate). In this case, normally the
admins of the server create this client cert for you to import and assign
to your application so it's used in the communications.
I have an article about using client side certificates with our GETURI
software, but it also applies to any client doing sockets over SSL that
requires a client side cert:
http://www.fieldexit.com/forum/display?threadid=297
Brad
www.bvstools.com
Target Group Registered in England & Wales No 01208137. Registered Office: Target House, Cowbridge Road East, Cardiff CF11 9AU.
CONFIDENTIALITY. This email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please do not disclose the contents to anyone, or take any action based on them, but notify the sender by return email and delete this email (and any attachments) from your system.
Messages sent to and from us may be monitored.
Internet communications cannot be guaranteed to be secure or error-free.
This e-mail and any attachments have been checked by virus detection software before transmission. You should carry out your own virus checks on the contents of this communication. We accept no liability for any loss or damage which may be caused by software viruses or by interception or interruption of this mail.
Any views or opinions presented are solely those of the author and do not necessarily represent those of the company. We do not accept any liability arising in any way from relying upon such views or opinions.
Calls may be recorded for training and security purposes.
midrange.com
