Granting Users Permission to run SSL applications

To give your users the permissions they need to run applications that use HTTPAPI with SSL, grant them access to the *SYSTEM certificate store.

1. Open iSeries Navigator (or Operations Navigator).

2. Click your iSeries connection, then "Users and Groups".

3. To grant access to a group profile, click "Groups". To grant access to an individual user, click "All Users".

4. Choose the user profile that you'd like to grant access to, right-click on it, and choose "Properties".

5. Click the "Capabilities" button.

6. Select the "Applications" tab.

7. Pull down the "Access for" list box, and select "host applications".

8. Expand "Digital Certificate Manager" and check the box next to "*SYSTEM certificate store".

Note: Some people have reported that this procedure doesn't work. If it fails for you, see the Alternative Solution below.

Alternative Solution

Some have reported that the preceding instructions don't work, because the user doesn't have access to the underlying files in the IFS. To solve that problem, grant authority as follows.      

In this example, we're giving a user named USERA access to the files. Change USERA to the required USERID when you do it.                                                                      

CHGAUT OBJ('/') USER(USERA) DTAAUT(*RX)
CHGAUT OBJ('/QIBM') USER(USERA) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/UserData') USER(USERA) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/UserData/ICSS') USER(USERA) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/UserData/ICSS/CERT') USER(USERA) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/UserData/ICSS/CERT/SERVER') USER(USERA) DTAAUT(*RX)
CHGAUT OBJ('/QIBM/UserData/ICSS/CERT/SERVER/DEFAULT.KDB') USER(USERA) DTAAUT(*R)
CHGAUT OBJ('/QIBM/UserData/ICSS/CERT/SERVER/DEFAULT.RDB') USER(USERA) DTAAUT(*R)

Notes:

If you want all users to be able to run SSL programs, change USER(USERA) to USER(*PUBLIC). You can also use an Authorisation List (AUTL) by specifying AUTL(your-autl) instead of USER(your-user).

Adopted authority does not work in the IFS.  Please grant permissions by the actual USERID, not the adopted one.
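To confirm the grants took effect, the following added example (not part of the original FAQ or of HTTPAPI) walks each directory on the way to the two key database files and reports the first object the current user cannot traverse or read. It assumes a POSIX shell such as QShell (QSH) or PASE, run while signed on as the actual user being checked; the function name first_blocked is hypothetical.

```shell
#!/bin/sh
# Added example: find the first path component that blocks access.
# Directories need read and execute (the *RX grants above), files need
# read (the *R grants). Expects an absolute path without wildcard characters.
first_blocked() {
    target=$1
    # The root directory is the first link in the chain.
    if [ ! -r / ] || [ ! -x / ]; then
        echo "/"
        return 1
    fi
    path=""
    old_ifs=$IFS
    IFS=/
    set -- $target          # split the path into its components
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        if [ -d "$path" ]; then
            if [ ! -r "$path" ] || [ ! -x "$path" ]; then
                echo "$path"
                return 1
            fi
        elif [ -f "$path" ]; then
            if [ ! -r "$path" ]; then
                echo "$path"
                return 1
            fi
        else
            # Missing, or hidden because a parent is not readable.
            echo "$path"
            return 1
        fi
    done
    return 0
}

# Check both files named in the CHGAUT commands above.
for f in /QIBM/UserData/ICSS/CERT/SERVER/DEFAULT.KDB \
         /QIBM/UserData/ICSS/CERT/SERVER/DEFAULT.RDB; do
    blocked=$(first_blocked "$f") && echo "OK: $f" \
        || echo "BLOCKED at $blocked (while checking $f)"
done
```

A BLOCKED line names the object whose CHGAUT grant is missing or did not apply to this user.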