If you want to log on to an external mail server with a user ID and password, you will probably need to use TLS (Transport Layer Security) and/or SSL (Secure Sockets Layer). TLS and SSL provide the means to encrypt the sensitive parts of the communication with the mail server, so that the data cannot be read by anyone else.
This section explains how to set up the IBM i Digital Certificate Manager (DCM) so that you can enable TLS and SSL for emailing via InterForm400 SMTP, and an SSL connection for the graphical designer.
A digital certificate is also needed if you want to run the graphical designer with SSL. The initial setup of DCM is the same if you want to use SSL, but you will also need to configure DCM as described here.
For SSL and TLS you need to install a Certificate Authority. This is done via the Digital Certificate Manager (DCM), which you access via the IBM HTTP Administration web interface.
Digital Certificate Manager may not be installed on the IBM i. If not, you first need to install it.
IBM HTTP Server for i5/OS is also required.
You need to start the IBM HTTP Administration web interface if it is not already running. You can do that with the command:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
Now you can access the configuration by opening this site in a web browser:
Log on to the IBM i as a user with administration rights, e.g. with *IOSYSCFG special authority:
Now click the link named: i5/OS Tasks Page on the lower left:
On the next screen you click the ‘Digital Certificate Manager’:
Inside the Digital Certificate Manager you need to create a System Certificate store, if it has not already been created. To do that, click ‘Create New Certificate Store’:
Here you select ‘*SYSTEM’:
On the next screen make sure to select ‘No - Do not create a certificate in the certificate store’ like below:
On the next screen you are asked for a password:
Finally a confirmation screen is shown:
Click the marked ‘Select a Certificate Store’ icon to work with the new store. Here you will be prompted for the store password.
The user profile that sends the emails (more precisely, the user profile the job runs under) must have both Read and Execute (*RX) authority to the certificate store mentioned above. If the user does not have sufficient authority, you will get this error message when trying to send an email using SSL or STARTTLS:
                       Additional Message Information

Message ID . . . . . . :   SMP0101       Severity . . . . . . . :   00
Message type . . . . . :   Diagnostic
Date sent  . . . . . . :   27/03/13      Time sent  . . . . . . :   13:51:22

Message . . . . :   Error D/6003 occured starting secure environment. Please
  check requirements in the InterForm manual if you want to be able to use
  SSL or STARTTLS security for the email gateway.
The solution is either to run the job that sends the emails under another user profile, or to change the authority on each directory in the path to the certificate store, and on the stream file containing the certificate store itself, e.g. with WRKLNK option 9 (Work with Authority):
                            Work with Authority

Object . . . . . . . . . . . . :   /qibm/UserData/ICSS/Cert/Server/DEFAULT. >
Type . . . . . . . . . . . . . :   STMF
Owner  . . . . . . . . . . . . :   QSYS
Primary group  . . . . . . . . :   *NONE
Authorization list . . . . . . :   *NONE

Type options, press Enter.
  1=Add user   2=Change user authority   4=Remove user

                          Data     --Object Authorities--
Opt  User          Authority   Exist  Mgt   Alter  Ref
     *PUBLIC       *RX
     QSYS          *RW         X      X     X      X
CHGAUT OBJ('/qibm/UserData/ICSS') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*ALL) SUBTREE(*ALL)
CHGAUT OBJ('/qibm/UserData/ICSS/Cert/Server/DEFAULT*') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*ALL) SUBTREE(*ALL)
Above, the *PUBLIC authority has been changed from *EXCLUDE to *RX, making it possible for any user to send out emails using SSL or STARTTLS.
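As an added example that is not part of the InterForm manual: a small CL program that grants only the user profile running the SMTP job *RX access along the store path instead of opening it to *PUBLIC, using OBJAUT(*NONE) because *RX data authority is all that reading the store requires, whereas OBJAUT(*ALL) above also gives *PUBLIC object existence, management, alter and reference rights. The program name GRTCERTAUT, the sample profile MAILUSR and the DEFAULT.KDB file name used for the final display are assumptions.

```cl
/* GRTCERTAUT: grant one user profile read/execute access to the      */
/* *SYSTEM certificate store path instead of opening it to *PUBLIC.   */
/* Example program, not from the InterForm manual. Assumes the caller */
/* is allowed to change authorities on the ICSS tree (e.g. *ALLOBJ).  */
/* Call as: CALL PGM(GRTCERTAUT) PARM('MAILUSR')                       */
             PGM        PARM(&USER)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&ICSS) TYPE(*CHAR) LEN(64) +
                          VALUE('/QIBM/UserData/ICSS')
             DCL        VAR(&KDB) TYPE(*CHAR) LEN(64) +
                          VALUE('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB')

/* Every directory down to the store, and the store files themselves, */
/* need *RX data authority (read + execute/search). OBJAUT(*NONE)     */
/* keeps existence/management/alter/reference rights with QSYS.       */
             CHGAUT     OBJ(&ICSS) USER(&USER) DTAAUT(*RX) +
                          OBJAUT(*NONE) SUBTREE(*ALL)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

/* Show the resulting authorities on the key database for review.     */
             DSPAUT     OBJ(&KDB)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))
             RETURN

 FAIL:       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Authority change failed for' *BCAT &USER) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

After running it, the job that sends the emails must run under the profile you passed in, since *PUBLIC stays at *EXCLUDE.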