# Setting up the SSL *SYSTEM Store on IBM i in Heritage DCM This process will guide you through initial setup with IBM's Digital Certificate Manager (DCM) and either creating the \*SYSTEM certificate store if it does not exist, or confirming you can access it if it already does exist. Doing this allows you to perform further SSL/TLS configuration and enables your IBM i system to interact as a client to other external servers requiring secure SSL/TLS connections as well as act as a server to offer your own secure SSL/TLS service. Most web services available today expect to use SSL/TLS. ## Accessing IBM Digital Certificate Manager To begin, verify that the IBM \*ADMIN HTTP server is running on your system with the following command: `WRKSBSJOB SBS(QHTTPSVR)` If you don't see several ADMIN jobs in the list, please run the following command to start it: `STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)` After you've ensured that the *ADMIN server is running, open a web browser and go to http://_YourIBMIPAddress_:2001 - you should see a login page as seen below: ![Navigator for i login page at port 2001](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_1.png "Navigator login page") Enter your IBM i username and password, and click "Log in". You should see a page split into two sections - a menu on the left, and a larger content area on the right that looks like the below image: ![Navigator for i welcome page showing the left-hand task menu](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_2.png "Navigator welcome page") Click the "IBM i Tasks Page" link which should update the right section to look similar to the below image. ![Navigator IBM i Tasks page with Digital Certificate Manager link](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_3.png "Navigator IBM i Tasks page") Depending on your IBM i operating system version and installed PTFs, you may not have "http" and "https" links and instead "Digital Certificate Manager" is a direct link. In this case, click "Digital Certificate Manager". Otherwise, if you do see "http" and "https" links as circled above, you should click one of the two links. **Note: Many customers do not have HTTPS properly set up for their \*ADMIN server which can cause issues when selecting "https", so we recommend selecting "http" unless you know your \*ADMIN server is configured correctly for HTTPS.** In either case, you will be redirected to a URL that looks similar to this: `http://YOUR_IBM_IP_ADDRESS:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0` and your web browser will prompt you to log in again. Enter your IBM i username and password and click Sign In. **Note: It is recommended to log into the Digital Certificate Manager on a profile with elevated authority such as a \*SECOFR profile.** ## Creating the *SYSTEM Certificate Store Once you're in Digital Certificate Manager, you should have a menu on the left side of the screen. ![Digital Certificate Manager showing certificate store type selection with *SYSTEM highlighted](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_4.png "Certificate store type selection") From the side menu, select the link to "Create New Certificate Store". This will take you to a page that asks you which type of certificate store you wish to create. ![Digital Certificate Manager - Create New Certificate Store showing certificate store type selection with *SYSTEM selected](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_5.png "Create New Certificate Store") Ensure \*SYSTEM is selected, and then select the "Continue" button. **Note: If \*SYSTEM does not appear as an option, this process has most likely already been completed on your IBM i. You should proceed to [Verify *SYSTEM Certificate Store Access](#verify-system-certificate-store-access)** You will then be asked if you wish to create a Certificate Authority (CA) certificate in the certificate store. ![Digital Certificate Manager asking whether to create a certificate in the new certificate store, with Yes selected](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_6.png "Create certificate in store") Select "Yes", and then press the "Continue" button. ![Digital Certificate Manager - Create New Certificate Store form with fields for certificate label, password, and certificate information](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_7.png "Create New Certificate Store form") Depending on your operating system version, the form you're presented may look very different from the above screenshot. Fill in all required fields. Record whatever you specify for the Certificate store password, and record it for future reference. This password is used to access the \*SYSTEM certificate store through DCM. It is very easy to both change and recover this password, so don't spend too much time worrying about the security of this password. After filling out the required fields, select the "Continue" button. You will then be presented with certificate request data. ![Digital Certificate Manager showing the generated certificate request data to be saved](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_8.png "Certificate request data") Copy and paste the certificate request data into a plain text document (like Notepad) and save it somewhere secure. You cannot retrieve this certificate request data again in the future if you lose it. You would instead need to perform some of these setup steps again if you need it in the future and do not have it. If you find yourself in that situation, please contact our support team. After you've saved the certificate request data, select the "OK" button. ## Verify *SYSTEM Certificate Store Access Selecting the "Select a Certificate Store" button at the top of the left sidebar will place you at the below screen. ![Digital Certificate Manager - Select a Certificate Store with *SYSTEM selected](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_9.png "Select a Certificate Store") Make sure \*SYSTEM is selected, and then select the "Continue" button. You will be prompted to enter the certificate store password. Enter the Certificate store password you specified when setting up the \*SYSTEM store. Enter the password you specified in Step 4, and select the Continue button. **Note: If you ever forget the password, you can simply select "Reset Password" - by design, you will be allowed to reset the password without knowing the previous password.** ![Digital Certificate Manager - Certificate Stores and Password screen with the certificate store password field highlighted](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_10.png "Certificate store password") If your page looks like below, you have successfully set up the SSL *SYSTEM store on your IBM i! ![Digital Certificate Manager - Current Certificate Store showing *SYSTEM successfully configured](https://isupport.katointegrations.com/rxs/setting_up_ssl_heritage/ssl_setup_11.png "Current Certificate Store")