IBM Support

How to enable an IBM Integrated Web Services (IWS) Server for Secure Socket Layer (SSL) / Transport Layer Security (TLS)

Troubleshooting


Problem

This document describes the process of enabling an IBM Integrated Web Services (IWS) Server to accept communications over Secure Sockets Layer (SSL) / Transport Layer Security (TLS).

Environment

IBM i OS

Resolving The Problem

1) Open a web browser and go to the URL http://[server]:2001/HTTPAdmin to display the IBM Web Administration for i console web application.

If you are not prompted for a userID and password, execute the following CL command to ensure the ADMIN server is started:

STRTCPSVR *HTTP HTTPSVR(*ADMIN)

If you continue to experience issues accessing the IBM Web Administration for i console, please open a Service Request (PMR) with IBM here or call 1-800-IBM-SERV.
2) When prompted, sign in with a user profile containing *SECADM and *ALLOBJ explicit special authorities.
3) Click on Manage -> HTTP Servers on the main IBM Web Administration for i console page.

4) Select your Server name from the drop-down list.

5) Click on Configure SSL under the HTTP Tasks and Wizards section on the left-hand menu.
6) On Welcome - Step 1 of 7, click the Next button to begin the SSL configuration process.
7) On Specify Port Information - Step 2 of 7, specify the SSL port you would like to use for the HTTP Server. The port number specified cannot currently be in use.

Next, specify whether you would like to disable/enable the non-SSL port. IBM recommends you select Yes, disable non-SSL port while configuring SSL port. This option will disable the non-SSL port and enable only the SSL port during the configuration wizard.


Click the Next button to continue once you have completed this configuration.

8) On Specify System Certificate Store Password - Step 3 of 7, specify the password to the Digital Certificate Manager (DCM) *SYSTEM certificate store. If you cannot remember this password, you will need to reset the password in the DCM application under "Select a certificate store" -> *SYSTEM -> Reset Password.

Click the Next button to continue once you have specified the correct password.

9) On Specify Digital Certificate - Step 4 of 7, select the desired option to either issue a new certificate from the Local CA or select an existing server certificate in the DCM *SYSTEM certificate store.

IBM recommends selecting the option Issue a new certificate by local CA to create a new certificate for your server.

Click the Next button to continue once you have completed this configuration.
10) Depending on your previous selection in step 9, you will have the following options.

Issue a new certificate by local CA:
If this option was previously selected, you will now be asked to "Specify Local Certificate Authority Password". Enter the password to the Digital Certificate Manager (DCM) Local Certificate Authority certificate store. If you cannot remember this password, you will need to reset the password in the DCM application under "Select a certificate store" -> Local Certificate Authority -> Reset Password.



Select existing certificate from system certificate store:
If this option was previously selected, you will now be asked to "Choose Trusted CAs". Here you can either choose specific CAs to trust by selecting them and adding them to the "Trusted CAs" box or you can select the option to "Trust all CAs in the *SYSTEM store".

IBM recommends you select the "Trust all CAs in the *SYSTEM store" option.

Click the Next button to continue once you have completed this configuration.
11) On Restart the server now? - Step 6 of 7, select whether you would like to restart the server later or immediately after the wizard.

IBM recommends you select the "Restart the server immediately after the wizard" option. This will restart the server immediately after the configuration completes to implement the new SSL configuration.


Click the Next button to continue once you have selected your desired option.
12) On Summary - Step 7 of 7, a summary of the proposed SSL configuration is displayed. Review these configuration items to ensure they are correct. Click the Back button if changes are needed. Click the Finish button to complete the configuration when you are ready.

13) Congratulations! You have successfully configured your IBM Integrated Web Services (IWS) Server for SSL/TLS communications.

If you selected the "Restart the server immediately after the wizard" option during the configuration wizard, your IWS server will restart shortly after the configuration wizard completes. You can refresh the status of the server by clicking on the button and wait for the server to show a status of "Running" again.

If you selected the "Restart the server later by yourself" option during the configuration wizard, you will need to restart the IWS server for the new SSL configuration to take effect:

ENDTCPSVR *HTTP HTTPSVR(IWSserver)
STRTCPSVR *HTTP HTTPSVR(IWSserver)
14) After the SSL configuration wizard has completed and the IWS server has been restarted, you can now access your IWS applications using the HTTPS protocol and SSL port specified during the configuration wizard.

Examples:
https://as400.ibm.com:443/web/services/SOAPWebServiceService/SOAPWebService

https://as400.ibm.com:443/web/services/RESTWebService
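
To confirm the outcome of the wizard from a client machine, the following added example (not part of the IBM document) performs a verified TLS handshake against the SSL port and checks that the non-SSL port disabled in step 7 no longer accepts connections. The host name, port numbers and `local_ca.pem` are placeholders; the script assumes that, for a certificate issued by the Local CA, the Local CA certificate has been exported from DCM as a PEM file, since clients do not trust that CA by default.

```python
import socket
import ssl


def port_is_listening(host, port, timeout=3.0):
    """True if a plain TCP connect succeeds (use on the former non-SSL port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_tls(host, port, ca_file=None, timeout=5.0):
    """Handshake with the SSL port and report what was negotiated.

    ca_file: PEM file holding the issuing CA certificate (assumption: for a
    Local CA certificate, the Local CA certificate exported from DCM).
    With ca_file=None the client's default trust store is used.
    """
    result = {"ok": False, "protocol": None, "cipher": None,
              "not_after": None, "error": None}
    try:
        ctx = ssl.create_default_context(cafile=ca_file)  # chain + host name checks
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # client-side policy choice
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, protocol=tls.version(),
                              cipher=tls.cipher()[0],
                              not_after=tls.getpeercert().get("notAfter"))
    except OSError as exc:  # covers ssl.SSLError, timeouts, refused connects
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def check_iws(host, ssl_port, plain_port, ca_file=None, timeout=5.0):
    """Combine both checks: TLS works on ssl_port, nothing answers on plain_port."""
    return {
        "tls": probe_tls(host, ssl_port, ca_file, timeout),
        "plain_port_closed": not port_is_listening(host, plain_port, timeout),
    }


if __name__ == "__main__":
    # Placeholder host, ports and CA path; substitute the values used in the wizard.
    report = check_iws("ibmi.example.com", 443, 80, ca_file="local_ca.pem")
    print(report)
```

A certificate verification error in `tls["error"]` when `ca_file` is omitted is the expected result for a Local CA certificate and means clients need the Local CA certificate in their trust store.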


Historical Number

599508804

Document Information

Modified date:
15 August 2022

UID

nas8N1011532