IBM Support

How to Enable Transport Layer Security (TLS) for the IBM Web Administration Server (HTTPAdmin)

Troubleshooting


Problem

This document describes how to enable TLS for the IBM Web Administration Server (also known as the HTTPAdmin or Web Admin server).

Resolving The Problem

NOTE: Before configuring TLS for the IBM Web Administration for i Server, the Digital Certificate Manager (DCM) environment must be configured. You should have both a *SYSTEM store and a Local Certificate Authority store with a valid Certificate Authority (CA) certificate already created. If one or more of these objects does not exist, use the following instructions to create them first:

https://www.ibm.com/docs/en/i/7.5?topic=dcm-setting-up-certificates-first-time

In addition, IBM recommends you clean up any existing IBM Web Administration TLS configurations. These steps are discussed here: How To Disable TLS for the ADMIN HTTP Server and ADMIN1 and ADMIN3 Application Servers

1. Open a Web browser and type in the following URL:
http://<Server Host Name or IP Address>:2001/HTTPAdmin

2. Select Manage -> HTTP Servers, and then select the ADMIN - Apache server from the Server drop-down list.

3. Select Configure TLS for ADMIN on the left-hand, vertical menu under HTTP Tasks and Wizards.


4. Click Next to continue.

5. Choose whether to disable port 2001, and click Next to continue. We recommend you select "Yes, disable port 2001 while configuring TLS for port 2010".

6. Enter the *SYSTEM Certificate Store Password and click Next.

Note: The password can be reset in the Digital Certificate Manager application by clicking on Select a Certificate Store, selecting *SYSTEM, clicking on Continue, and clicking on Reset Password.


7. Specify the digital certificate you would like to use to secure the ADMIN HTTP Server.  Select "Issue a new certificate by local CA" to create a new certificate signed by the IBM i Local CA certificate.  Or you can select "Select existing certificate from system certificate store" and select an existing server certificate in the *SYSTEM certificate store.  Click Next to continue.


8. Specify individual trusted CAs or Trust all CAs in the *SYSTEM store.  IBM recommends selecting "Trust all CAs in the *SYSTEM store".  Click Next to continue.


9. You should now be at a Summary screen. Review the configuration details and click Finish to complete the configuration.


10.  The ADMIN server will then be automatically restarted to disable port 2001 and enable 2010 for HTTPS.  On a 5250 emulation session, execute the WRKACTJOB SBS(QHTTPSVR) command and wait for the ADMIN jobs to stop utilizing CPU before attempting to access the HTTP Admin web applications. 

Once the ADMIN jobs have stopped utilizing CPU, you should now be able to access the HTTP Admin web applications using HTTPS over port 2010.

https://server:2010/HTTPAdmin
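One way to confirm the result of step 10 from a workstation, as an added example that is not part of the original IBM document: the script checks that port 2001 no longer accepts connections and that port 2010 completes a verified TLS handshake. The host name and the PEM file holding the exported Local CA certificate are assumptions supplied by the reader.

```python
import socket
import ssl
import sys

def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_probe(host, port, cafile=None, timeout=3.0):
    """Attempt a fully verified TLS handshake and describe the outcome."""
    # With cafile set, only that CA (e.g. the exported Local CA) is trusted.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "not_after": cert.get("notAfter"),
                        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ()))}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": "certificate rejected: " + exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": "no TLS handshake: " + str(exc)}

def check_admin(host, cafile=None, http_port=2001, https_port=2010, timeout=3.0):
    """Return (findings, tls_result); an empty findings list means both checks passed."""
    findings = []
    if port_open(host, http_port, timeout):
        findings.append(f"port {http_port} still accepts connections")
    tls = tls_probe(host, https_port, cafile, timeout)
    if not tls["ok"]:
        findings.append(f"port {https_port}: {tls['error']}")
    return findings, tls

if __name__ == "__main__":
    # Usage: python check_admin_tls.py <host> [local-ca.pem]  (both reader-supplied)
    if len(sys.argv) < 2:
        sys.exit("usage: check_admin_tls.py <host> [local-ca.pem]")
    problems, result = check_admin(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(result)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

A "certificate rejected" finding usually means the CA file passed in is not the one that issued the certificate chosen in step 7, or the host name used does not match the certificate.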


11.  To enable TLS communications for IBM Navigator for i on port 2003 and DCM on port 2007, complete the following instructions for the ADMIN1 and ADMIN3 application servers:


Historical Number

494704303

Document Information

Modified date:
26 February 2024

UID

nas8N1013544