Set up certificates and the keystore configuration file on IBM i

Your first task when setting up Advanced Message Security protection is to create a certificate, and associate that with your environment. The association is configured through a file held in the integrated filesystem (IFS).

Procedure

1. To create a self-signed certificate using the OpenSSL tooling shipped with IBM® i, issue the following command from QShell:

   /QOpenSys/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout
   $HOME/private.pem -out $HOME/mycert.pem -nodes -days 365
   

   The command prompts for various distinguished name attributes for a new self-signed certificate, including:
   • Common Name (CN=)
   • Organization (O=)
   • Country (C=)
   This creates an unencrypted private key and a matching certificate, both in PEM (Privacy Enhanced Mail) format.

   For simplicity, just enter values for common name, organization, and country. These attributes and values are important when creating a policy.

2. AMS requires that both the certificate and private key are held in the same file. Issue the following command to achieve this:

   cat $HOME/mycert.pem >> $HOME/private.pem
   

   The private.pem file in $HOME now contains a matching private key and certificate, while the mycert.pem file contains all of the public certificates for which we can encrypt messages and validate signatures.

   The two files need to be associated with your environment by creating a keystore configuration file, keystore.conf, in your default location.

   By default, AMS looks for the keystore configuration in a .mqs subdirectory of your home directory.

3. In QShell create the keystore.conf file:

   mkdir -p $HOME/.mqs
   echo "pem.private = $HOME/private.pem" > $HOME/.mqs/keystore.conf
   echo "pem.public = $HOME/mycert.pem" >> $HOME/.mqs/keystore.conf
   echo "pem.password = unused" >> $HOME/.mqs/keystore.conf