Assigning a user certificate
You can assign a user certificate that you own to your i5/OS® user profile or other user identity. The certificate may be from a private local CA on another system or from a well-known Internet CA. Before you can assign a certificate to a user identity, the issuing CA must be trusted by the server, and the certificate must not already be associated with a user profile or other user identity on the system.
Some users may have certificates from an outside Certificate Authority (CA) or a local CA on a different iSeries™ system that you, as an administrator, want them to make available to Digital Certificate Manager (DCM). This allows you and the user to use DCM to manage these certificates, which are most often used for client authentication. The Assign a user certificate task provides a mechanism for allowing a user to create a DCM assignment for a certificate obtained from an outside CA.
When a user assigns a certificate, DCM has one of two ways of handling the assigned certificate:
- Storing the certificate locally on the System i™ with the user's user profile. When an LDAP location is not defined for DCM, the Assign a user certificate task allows a user to assign an outside certificate to an i5/OS user profile. Assigning the certificate to a user profile ensures that the certificate can be used with applications on the system that require certificates for client authentication.
- Storing the certificate in a Lightweight Directory Access Protocol (LDAP) location for use with Enterprise Identity Mapping (EIM). When there is a defined LDAP location and the System i model is configured to participate in EIM, then the Assign a user certificate task allows a user to store a copy of an outside certificate in the specified LDAP directory. DCM also creates a source association in EIM for the certificate. Storing the certificate in this manner allows an EIM administrator to recognize the certificate as a valid user identity that can participate in EIM.
Before a user can assign a certificate to a user identity in an EIM configuration, EIM must be configured appropriately for the user. This EIM configuration involves the creation of an EIM identifier for the user and the creation of a target association between that EIM identifier and the user profile. Otherwise, DCM cannot create a corresponding source association with the EIM identifier for the certificate.
To use the Assign a user certificate task, a user must meet the following requirements:
- Have a secure session with the HTTP Server through which you are accessing DCM.
Whether you have a secure session is determined by the port number in the URL that you used to access DCM. If you used port 2001, which is the default port for accessing DCM, you do not have a secure session. Also, the HTTP Server must be configured to use SSL before you can switch to a secure session.
When the user selects this task, a new browser window displays. If the user does not have a secure session, DCM prompts the user to click Assign a User Certificate to start one. DCM then initiates Secure Sockets Layer (SSL) negotiations with the user's browser. As part of these negotiations, the browser may prompt the user as to whether to trust the Certificate Authority (CA) that issued the certificate that identifies the HTTP Server. Also, the browser may prompt the user as to whether to accept the server certificate itself.
- Present a certificate for client authentication.
Depending on the configuration settings for your browser, your browser may prompt you to select a certificate to present for authentication. If your browser presents a certificate from a CA that the system accepts as trusted, DCM displays the certificate information in a separate window. If you do not present an acceptable certificate, the server may prompt you instead for your user name and password for authentication before allowing you access.
- Have a certificate in the browser that is not already associated with the user identity for the user who is performing the task. (Or, if DCM is configured for working in conjunction with EIM, the user must have a certificate in the browser that is not already stored in the LDAP location for DCM.)
Once you establish a secure session, DCM attempts to retrieve an appropriate certificate from your browser so that it can associate it with your user identity. If DCM successfully retrieves one or more certificates, you can view the certificate information and choose to associate the certificate with your user profile.
If DCM does not display information from a certificate, you were not able to provide a certificate that DCM can assign to your user identity. One of several user certificate problems may be responsible. For example, the certificates that your browser contains may be associated with your user identity already.
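The checks described above, from the secure-session requirement through the two storage paths and the EIM prerequisite, can be modelled as a single decision function. This is an added illustration and not DCM's own code: the `UserCert` and `DcmState` types, the fingerprint field, the sample CA names and the LDAP location string are assumptions, and any port other than 2001 is assumed to be the SSL-enabled one.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DCM_DEFAULT_PORT = 2001  # from the page: the default DCM port, which is NOT a secure session

@dataclass
class UserCert:
    issuer: str       # DN of the issuing CA (assumed representation)
    fingerprint: str  # assumed unique id for the certificate (constructed sample values below)

@dataclass
class DcmState:
    trusted_cas: Set[str]                                  # CAs the server trusts
    # fingerprint -> user identity: certificates already assigned to a profile, or,
    # in the EIM case, already stored in the LDAP location for DCM
    assigned: Dict[str, str] = field(default_factory=dict)
    ldap_location: Optional[str] = None                    # None = no LDAP location defined
    # user profile -> EIM identifier that already has a target association to that profile
    eim_identifiers: Dict[str, str] = field(default_factory=dict)

def assign_user_certificate(state: DcmState, user_profile: str,
                            cert: UserCert, port: int) -> Tuple[str, str]:
    """Apply the page's rules in order; returns (outcome, reason)."""
    # 1. A secure session is required; port 2001 means there is none yet, so DCM
    #    prompts the user to start one (any other port is assumed SSL-enabled).
    if port == DCM_DEFAULT_PORT:
        return "needs-secure-session", "accessed on port 2001; DCM prompts to start an SSL session"
    # 2. The issuing CA must be trusted by the server.
    if cert.issuer not in state.trusted_cas:
        return "rejected", f"issuer {cert.issuer!r} is not a trusted CA on this server"
    # 3. The certificate must not already be associated with a user identity
    #    (or already stored in the LDAP location when DCM works with EIM).
    if cert.fingerprint in state.assigned:
        return "rejected", f"certificate already associated with {state.assigned[cert.fingerprint]}"
    # 4a. No LDAP location defined: store locally with the user profile.
    if state.ldap_location is None:
        state.assigned[cert.fingerprint] = user_profile
        return "assigned-to-profile", f"stored with user profile {user_profile}"
    # 4b. LDAP location + EIM: the user needs an EIM identifier with a target association,
    #     otherwise DCM cannot create the source association for the certificate.
    eim_id = state.eim_identifiers.get(user_profile)
    if eim_id is None:
        return "rejected", f"no EIM identifier with a target association for {user_profile}"
    state.assigned[cert.fingerprint] = user_profile
    return "assigned-to-ldap", f"copy stored in {state.ldap_location}; source association on {eim_id}"

if __name__ == "__main__":
    # Constructed sample: one trusted local CA, no LDAP location defined.
    dcm = DcmState(trusted_cas={"CN=Corp Local CA"})
    cert = UserCert(issuer="CN=Corp Local CA", fingerprint="aa:bb:cc")
    for who, port in (("ALICE", DCM_DEFAULT_PORT), ("ALICE", 2010), ("BOB", 2010)):
        print(who, port, assign_user_certificate(dcm, who, cert, port))
```

The third sample call shows the "already associated" failure from the troubleshooting note above: the same browser certificate cannot be assigned to a second user identity.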