3 CL commands help you manage business-critical IBM i digital certificates.
I recently enjoyed spending a couple of days at an IBM technical convention here in Copenhagen. The many interesting and current topics discussed at the event included digital certificates and their vital role in authenticating and securing a modern communication and transaction infrastructure.
One of the issues that came up during the discussion at the IBM convention was a problem relating to certificates expiring without the system issuing any notice of this. Using the IBM i’s Digital Certificate Manager (DCM), you can list and check certificates approaching expiration within a specified number of days. (For more information about using DCM, see the sidebar “How to Start the Digital Certificate Manager,” after the main article.) But currently there’s no system function that automatically issues certificate-expiration notification messages to the QSYSOPR message queue, or similar system message queues, where critical notifications relating to other system components would normally surface.
However, IBM supplies a digital certificate management API that provides program access to the functions of listing and expiration-checking certificates. The Retrieve Certificate Information (QycuRetrieveCertificateInfo) ILE API and its Original Program Model (OPM) counterpart were both added by IBM in release 6.1. In this article, I’ll provide an overview of the Retrieve Certificate Information API along with several CL commands I created based on the API that can make it easier for you to manage your IBM i digital certificates and track their expiration dates. (See the sidebar “Creating the CHKCERTEXP, WRKCERT, and DSPCERT Commands” for instructions on downloading and creating the CL commands discussed in this article.)
Digital Certificates on IBM i
A digital certificate is an electronic credential that you can use to establish proof of identity in an electronic transaction (for example, a transaction performed on the Internet) when you transfer sensitive personal information or close a purchase by submitting an electronic payment using your credit card. On the IBM i, the browser-based DCM user interface enables users to create, import, and configure certificates for a variety of purposes and to perform many other certificate-related tasks.
Digital certificates are integral to SSL (also known as Transport Layer Security, or TLS), which performs authentication and encrypts transaction data for IP-based protocols such as HTTP, FTP, and Telnet. Digital certificates also provide the encryption backbone for communication protocols such as Virtual Private Network (VPN) and for object signing, which allows you to verify both the integrity of an object’s contents and its source of origin, regardless of whether the object is in transit across the Internet or stored on a remote system.
In regard to certificate expiration: because completing a certificate-renewal process with an external certificate issuer often takes some time, being unaware of an expiring server certificate on your company’s website could prevent the website from performing secure transactions until the certificate has been renewed. Fortunately, the Retrieve Certificate Information API offers help. Let’s take a closer look at the API, then move into a discussion of the certificate-management commands I created that use the API.