Note: These instructions assume ONLY the ACS Windows Application Package is installed.
1) On the Windows system, run "cwbcossl.exe".
2) In the box to the right of the "Start CA download from..." button, type in the name or IP address of the IBM i. Then hit the "Start CA download from..." button.
3) Answer Yes to "Are you sure you want to trust all certificates issued by this Certificate Authority?"
4) Enter the password to allow the cwbcossl tool to store the certificate into the key database.
The default password is "ca400".
5) Exit and restart the cwbcossl tool so that it picks up the configuration changes.
6) Test SSL connectivity with the "SSL" button under Verify Connections.
7) Assuming the test was successful, change the IBM i connection object to default to SSL connectivity. To do so, open an Administrator-level CMD prompt and execute :
C:> cwbcfg /host <the name or IP address of the IBM i used in step 2> /ssl 1 /r
Finally, configure your data connection to the IBM i. For most data provider connections (OLE DB, ODBC, .Net) you should now see traffic utilizing the SSL database host server port 9471.
Alternate option which assumes both the ACS Windows Application Package AND the java base ACS package are installed:
If you have already configured SSL with 5250 or some other function in the ACS base (java) package, administrators can go to the "Tools" drop down menu and select "Key Management". The following window will show Trusted Certificates.
Highlight the desired trusted certificate and click on the "Push to Windows..." button.
This will make the certificate available for Windows-native functions such as ODBC.
Related Information
Distributing IBM i Access for Windows SSL certificates to multiple PCs https://www.ibm.com/support/pages/node/685369 Problem This document will discuss what IBM i Access for Windows product files that need to be distributed in order to copy SSL certificates from one PC to another. Environment IBM i OS; IBM i Access for Windows Resolving The Problem NOTE: The following instructions are provided AS IS. This process is not covered under your IBM SWMA contract. There is currently no supported method of pushing iSeries Access for Windows SSL certificates to multiple PCs. The steps below have been known to work. Any problems with SSL certificates on PCs that have had their certificate files copied will require the certificates be deleted and re-downloaded from the IBM i server manually. If all PCs needing SSL connectivity are at the same version and service pack level of IBM i Access, the easiest way to distribute the certificates would be to simply copy the three files that hold the SSL certificate and configuration from a PC with a working SSL configuration to everyone else. These three files are: CWBSSLDF.KDB CWBSSLDF.STH CWBSSLJAVACA.JCK Depending on the IBM i Access for Windows version and release and Windows OS version, the above files may exist in different directories. Two primary directories to check for recent product versions are: C:Documents and SettingsAll UsersDocumentsIBMClient Access C:UsersPublicDocumentsIBMClient Access To verify the directory on any PC, open the IBM Key Management (Start -> Programs -> IBM i Access for Windows) tool that is installed with the SSL component of the IBM i Access for Windows product. Then, select Key Database File and Open. Specify the file name, CWBSSLDF.KDB, and the Windows file system path and click OK. Enter the default password of "ca400" and press OK. The IBM Key Management tool should then successfully open the key database file.