IBM Support

Enabling TLS for IBM Navigator for i

Troubleshooting


Problem

 Navigator for i does not come enabled for TLS by default. Both Heritage Navigator for i and Navigator for i can be enabled for TLS using the same steps. 

Environment

IBM i 7.3 and later
Navigator for i - ADMIN1 application server
IBM i 7.1 and IBM i 7.2
Heritage Navigator for i - ADMIN2 application server

Resolving The Problem

The 7.4 and 7.3 HTTP PTF groups released in September 2021 introduced a new version of Navigator for i. This version can also be configured to use TLS.
HTTP PTF Group levels introducing New Navigator:
7.5 base release, get updates with HTTP group
7.4 HTTP Group - SF99662 level 14
7.3 HTTP Group - SF99722 level 33 
(Not Available on 7.2) 
Heritage Navigator for i:
- Heritage Navigator for i is no longer recommended because of security vulnerabilities. Refer to the security bulletin for further details: https://www.ibm.com/support/pages/node/6539162
- Runs on the Admin2 HTTP server job using ports 2004 (non-secure) and 2005 (with TLS configured)
- Non-TLS URL used to connect is http://systemname:2004/ibm/console/logon.jsp 
- TLS URL will be https://systemname:2005/ibm/console/logon.jsp 
Navigator for i (Introduced Sept 2021):
- Runs on the Admin1 HTTP server job using ports 2002 (Non-secure) and 2003 (with TLS configured)
- Non-TLS URL used to connect is http://systemname:2002/Navigator
- TLS URL will be https://systemname:2003/Navigator
NOTE: Install the latest HTTP Group PTF to ensure all options for Admin1 are available on Web Admin. The following is a link to the preventative service planning page that shows the current levels:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021657#1
 
You can enable HTTPS by either using the default Java keystore used within IBM Navigator for i or by using Digital Certificate Manager.

Choose ONE of the following options (either use the default JKS keystore that Admin1 (or Admin2-heritage) ships with, or use certificates within Digital Certificate Manager):
  • Enable HTTPS using the default Java keystore

    NOTE: This option will create a new self-signed certificate to be placed in the Java keystore.

    1. Open a web browser and go to the following URL (login with your IBM i user profile):
    http://hostname:2001/HTTPAdmin


    2. Click Manage -> Application Servers -> select 'Admin1' (New Navigator) on Servers list

    3. Click 'Configure TLS'

    4. Click Next on Step 1:


    5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):

    6. Configure 'inav_key.jks' as the keystore on Step 3:

    7. This will prompt to create the new keystore and set the password:
    8. Select 'Default Ciphers' and click 'Next' on Step 8:

    9. Select the restart server style you like on Step 9:

    10. Confirm the information and click Finish on the last step:

    Once the server has been restarted, the user can connect via the following URL (using the port specified in the configuration above):
    New Navigator:
    https://hostname:2003/Navigator
    Heritage Navigator:
    https://hostname:2005/ibm/console/logon.jsp

  • Enable HTTPS using the Digital Certificate Manager *SYSTEM keystore
    • Issue a new self-signed certificate



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin


      2. Click Manage -> Application Servers -> select 'Admin1' (New Navigator) on Servers list

      3. Click 'Configure TLS'

      4. Click Next on Step 1:

      5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':

      7. Specify the password of the *SYSTEM store:


      8. Select 'Issue a new self-signed certificate' and click 'Next'

      9. Select 'Default ciphers' and click 'Next'

      10. Select your restart option and click Next:
      11. You will be presented with a summary screen of your choices. Click Finish. The server will be restarted, and the user should connect via the following URL:
      Heritage Navigator for i:
      https://hostname:2005/ibm/console/logon.jsp
      Navigator for i:
      https://hostname:2003/Navigator




    • Select an existing certificate from the *SYSTEM keystore



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin


      2. Click Manage -> Application Servers -> select 'Admin1' (Navigator for i) on Servers list

      3. Click 'Configure TLS'

      4. Click Next on Step 1:

      5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':

      7. Specify the password of the *SYSTEM store:

      8. Select 'Select existing certificate from the keystore', then choose an existing certificate from the drop-down (avoid certificates with an * at the end; these are expired) on Step 6 -> click 'Next'


      9. Select 'No trust certificate to import' on Step 7 -> click 'Next'


      10. Select 'Default ciphers' on Step 8 and click Next:
       
      11. Select your restart option and click Next:
      12. You will be presented with a summary of your choices. Confirm the information and click Finish on the last step.
      The server will be restarted, and the user should connect via the following URL:
      Heritage Navigator:
      https://hostname:2005/ibm/console/logon.jsp
      New Navigator:
      https://hostname:2003/Navigator

    NOTE: To prevent a TLS warning in the browser about the certificate not being trusted, a certificate from a well-known Certificate Authority can be used.
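
One way to confirm the result of any of the procedures above from a workstation, as an added example (not IBM's code): it handshakes with the TLS ports named in this document, reports the negotiated protocol, and reports whether the certificate chains to a CA the client trusts, which a new self-signed certificate will not. The function names and the host name passed on the command line are assumptions.

```python
import socket
import ssl
import sys

# TLS ports from this document, one per application server.
TLS_PORTS = {2003: "Navigator for i (Admin1)",
             2005: "Heritage Navigator for i (Admin2)"}

def probe(host, port, timeout=5.0):
    """Handshake with host:port; report negotiated protocol and trust result."""
    result = {"port": port, "protocol": None, "trusted": False, "error": None}
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:  # second pass: learn the protocol despite an untrusted cert
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    result["protocol"], result["trusted"] = tls.version(), verify
                    return result
        except ssl.SSLCertVerificationError as exc:
            result["error"] = exc.verify_message  # e.g. "self-signed certificate"
        except (ssl.SSLError, OSError) as exc:
            result["error"] = str(exc)
            return result
    return result

def assess(result):
    """Turn a probe() result into a list of findings (empty list means OK)."""
    if result["protocol"] is None:
        return ["no TLS handshake: %s" % result["error"]]
    findings = []
    if result["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol below TLSv1.2: %s" % result["protocol"])
    if not result["trusted"]:
        findings.append("certificate not trusted by this client: %s" % result["error"])
    return findings

if __name__ == "__main__":
    host = sys.argv[1]  # IBM i host name, supplied by the operator
    for port, name in TLS_PORTS.items():
        print(name, port, "->", assess(probe(host, port)) or "OK")
```

Run it with the system's host name as the only argument; a port that was not configured for TLS is reported as "no TLS handshake".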

Document Information

Modified date:
16 September 2023

UID

nas8N1021834