Setting up SSL on the proxy client

The following procedure leads you through adding the server certificate to the certificate database on the client, which is stored in a Java .class file. Adding the server certificate to the client is necessary because the server uses a self-signed certificate.

Set up the proxy client to exchange encrypted data by completing the following tasks:

  1. Set up your proxy server to handle encrypted data, then start the proxy server.
  2. Set up your client to use SSL.
  3. Use KeyringDB to get the server certificate of the proxy server.
  4. Set up the client to use the updated KeyRing.class file.
  5. Set the secure proxy settings on the client.

Setting up your client to use SSL

The tool that downloads the certificate (KeyringDB) is a Java program. To use this program, you must be running a Java 1.1.8 or Java 2 JVM on your client. KeyringDB is part of the IBM iSeries Client Encryption licensed program (5722-CE2 or 5722-CE3) in ssltools.jar. The procedure you use to set up your client to use SSL depends on which version of the licensed program you are running.

After setting up your proxy server, set up your client to use SSL by completing the following steps:

  1. Select the directory on your workstation where you want to put the necessary jar and zip files.
  2. Copy the necessary files to the selected directory:
  3. Add the jar file and the zip files to your CLASSPATH statement.
  4. Create a directory on your client named <SSL>\com\ibm\as400\access where <SSL> is the directory where you copied the jar and zip files.

Adding the server certificate for the proxy server

KeyringDB creates a new KeyRing.class file that contains the server certificate and puts it in the com\ibm\as400\access subdirectory off the current directory.

Use the KeyringDB tool to add the server certificate to KeyRing.class by completing the following steps:

  1. From the directory where you put the jar and zip files, run the following command:

         java utilities.KeyringDB com.ibm.as400.access.KeyRing -connect proxyServerName:port
    

    where:

  2. When asked which certificate to use, choose site certificate 0.
  3. When you are prompted to enter a certificate name, you can type any alphanumeric string.

Setting up the client to use the updated KeyRing.class file

The jt400Proxy.jar file contains KeyRing.class. To set up the client to use the updated KeyRing.class file, ensure the following are in your CLASSPATH statement:

Because jt400Proxy.jar contains the default copy of KeyRing.class, the directory that contains com\ibm\as400\access\KeyRing.class must be in the CLASSPATH before jt400Proxy.jar.

Note: Instead of adding the directory that contains the KeyRing.class file to your CLASSPATH statement, you can add the new KeyRing.class to your jt400Proxy.jar file. Adding the new KeyRing.class file to jt400Proxy.jar overwrites the old version.
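
The ordering rule above can be checked before starting the client. The following is an added example, not part of the IBM documentation: a Python script that walks a CLASSPATH in search order and reports which entry supplies com/ibm/as400/access/KeyRing.class first. The function names, the status strings, and the temporary sample layout are assumptions constructed for illustration.

```python
import os
import tempfile
import zipfile

KEYRING = "com/ibm/as400/access/KeyRing.class"  # path inside a directory or jar

def provides_keyring(entry):
    """True if a CLASSPATH entry (directory or jar/zip) contains KeyRing.class."""
    if os.path.isdir(entry):
        return os.path.isfile(os.path.join(entry, *KEYRING.split("/")))
    if os.path.isfile(entry) and zipfile.is_zipfile(entry):
        with zipfile.ZipFile(entry) as z:
            return KEYRING in z.namelist()
    return False

def keyring_providers(classpath, sep=os.pathsep):
    """Entries that supply KeyRing.class, in search order; the JVM uses the first."""
    return [e for e in classpath.split(sep) if e and provides_keyring(e)]

def classify(classpath, sep=os.pathsep):
    """Status strings are hypothetical labels, not output of any IBM tool."""
    providers = keyring_providers(classpath, sep)
    if not providers:
        return "missing"        # no certificate database on the CLASSPATH at all
    if not any(os.path.isdir(p) for p in providers):
        return "jar-only"       # correct only if the jar copy was replaced (see Note)
    # A directory copy exists: it must be found before any jar copy.
    return "updated-first" if os.path.isdir(providers[0]) else "default-first"

def build_sample(root):
    """Constructed layout: a directory holding KeyringDB output and a stand-in jar."""
    ssl_dir = os.path.join(root, "SSL")
    os.makedirs(os.path.join(ssl_dir, "com", "ibm", "as400", "access"))
    with open(os.path.join(ssl_dir, *KEYRING.split("/")), "wb") as f:
        f.write(b"updated")     # placeholder bytes, not a real class file
    jar = os.path.join(root, "jt400Proxy.jar")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(KEYRING, b"default")
    return ssl_dir, jar

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        ssl_dir, jar = build_sample(root)
        for order in ([ssl_dir, jar], [jar, ssl_dir]):
            print(classify(os.pathsep.join(order)), order)
```

A result of "default-first" means the copy of KeyRing.class in the jar is found before the one KeyringDB created, so the client would not have the proxy server's self-signed certificate in its certificate database.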

Setting the secure proxy settings on the client

To tell the proxy client to communicate with the proxy server across a secure connection, set the following system properties:

     com.ibm.as400.access.AS400.proxyServer=proxyServer

where proxyServer is the name of the machine that is running the proxy server.

     com.ibm.as400.access.SecureAS400.proxyEncryptionMode=mode

where mode is one of the following integers: