Configure IBM® HTTP Server to use the encrypted connection protocol on IBM i.
About this task
To support encrypted connections, create a self-signed certificate and then configure IBM HTTP Server for encrypted connection traffic. If you use this certificate in production, users might receive warning messages from their browsers. In a typical production deployment, you would use a certificate from a trusted certificate authority. To configure IBM HTTP Server for encrypted connections, complete the following main procedures:
- Configure IBM HTTP Server for encrypted connections using the IBM Web Administration for IBM i.
- Associate the system certificate with HTTP Server on Digital Certificate Manager.
- Restart IBM HTTP Server to apply the changes.
Procedure
- Configure HTTP Server for encrypted connections using the IBM Web Administration for IBM i as follows:
- Open a browser to the URL http://<system_hostname>:2001/HTTPAdmin.
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server from the Server list, for example: myHttpProfile.
- Select Global configuration from the Server area list.
- Expand Server Properties.
- Click Virtual Hosts.
- Click the Name-based tab in the form.
- Click Add under the Named virtual hosts table.
- Select or enter an IP address in the IP address column, for example: 10.1.2.3
Note: The IP address 10.1.2.3 used in this scenario is associated with IBM i system host name <system_hostname> and registered by a Domain Name Server (DNS). You will need to choose a different IP address and hostname. The IBM Web Administration for i interface provides the IP addresses used by your IBM i server in the IP Address list; however, you will need to provide the hostname associated with the address you choose.
- Enter a port number in the Port column, such as: 443.
Note: Specify a port number other than the one currently being used for your HTTP Server so that you can maintain both an encrypted and a non-encrypted Web site.
- Click Add under the Virtual host containers table in the Named host column.
Note: This is a table within the Named virtual hosts table in the Named host column.
- Enter the fully qualified server hostname for the virtual host in the Server name column, such as: <system_hostname>
Note: Make sure the server hostname you enter is fully qualified and associated with the IP address you selected.
- Enter a document root for the virtual host index file or welcome file in the Document root column, such as: /www/myHttpProfile
Note: You are specifying a document root that will be created later in this procedure. Remember the document root you have entered; you will be asked to enter the document root again when creating a new directory.
- Click Continue and then click OK.
- Set up the Listen directive for the virtual host as follows:
- Expand Server Properties.
- Click General Server Configuration.
- Click the General Settings tab in the form.
- Click Add under the Server IP addresses and ports to listen on table.
- Select the IP address you entered for the virtual host in the IP address column, such as: 10.1.2.3.
- Enter the port number you entered for the virtual host in the Port column, such as: 443
- Click Continue and then click OK.
- Enable an encrypted connection for the virtual host as follows:
- Select the virtual host from the Server area list, such as: Virtual Host *:443
- Expand Server Properties.
- Click Security.
- Click the SSL with Certificate Authentication tab in the form.
- Select Enable SSL under SSL.
- Select QIBM_HTTP_SERVER_[server_name] from the Server certificate application name list, for example: QIBM_HTTP_SERVER_myHttpProfile
Note: Remember the name of the server certificate. You will need to select it again in the Digital Certificate Manager.
- Select Do not request client certificate for connection under Client certificates when establishing the connection.
- Click OK. The HTTPS_PORT field provides a specific environment variable value that is passed to CGI programs. This field is not used in this scenario.
- Associate the system certificate with HTTP Server on Digital Certificate Manager as follows:
- Open a browser to the URL http://<system_hostname>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0.
- Create or renew the local CA. If there is no local CA, create it first; refer to Setting up certificates for the first time for details.
Note: After creating a private local CA, the Create a Certificate Authority (CA) task no longer appears in the navigation panel. To renew an expired local CA, perform later in this procedure.
- Select the Local CA and enter a password.
- Select .
- Renew the CA certificate and extend the expiration period.
After the Local CA is valid, create a new certificate and then assign it to the IBM HTTP Server.
- Create a new certificate in the *System keystore as follows:
- Select a keystore *system.
- Enter the password for *system keystore.
- Select Create certificate.
- Select Server or Client certificate.
- Select the local CA as the current CA; its CA certificate is used to sign the new certificate.
- Enter the essential information for the new certificate.
- Click Continue.
- Select Applications for the newly created certificate, such as QIBM_HTTP_SERVER_myHttpProfile, and then click Continue to finish.
- If the local CA is valid and a certificate signed by the Local CA already exists, you can update the certificate assigned to the application by selecting >.
- Restart IBM HTTP Server to apply the changes.
Results
To test the new configuration, open a web browser and ensure that you can successfully reach https://<server_name>. You might be prompted to accept the self-signed certificate in your browser. IBM Connections users can access applications through the SSL protocol.
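
The browser test shows that a warning appears but not why. As an added example (not part of the IBM documentation), the following Python check performs the same HTTPS handshake with certificate and hostname verification enabled and reports whether the certificate is trusted, locally signed, expired, or issued for a different name than the Server name you entered. It assumes you have exported the Local CA certificate to a PEM file; the script name and arguments are placeholders.

```python
import socket
import ssl
import sys

# OpenSSL verification codes that a Local CA or self-signed server
# certificate typically produces, mapped to a status and a hint.
VERIFY_CODES = {
    10: ("expired", "renew the certificate or the Local CA"),
    18: ("self_signed", "client has no trust anchor for this certificate"),
    19: ("untrusted_ca", "chain ends in a CA the client does not trust"),
    20: ("untrusted_ca", "issuing CA is not in the client trust store"),
    62: ("hostname_mismatch", "certificate name differs from the Server name"),
}


def classify(verify_code):
    """Map an OpenSSL verify code to (status, hint)."""
    return VERIFY_CODES.get(verify_code, ("verify_failed", "see OpenSSL message"))


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake with certificate and hostname verification enabled.

    cafile: PEM file with the exported Local CA certificate (assumption:
    exported by you); None means use the system trust store.
    Returns (status, detail).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return "trusted", f"{tls.version()}, expires {cert['notAfter']}"
    except ssl.SSLCertVerificationError as exc:
        status, hint = classify(exc.verify_code)
        return status, f"{exc.verify_message} ({hint})"
    except ssl.SSLError as exc:   # for example, the port is not serving TLS
        return "handshake_failed", str(exc)
    except OSError as exc:        # refused, timed out, or name not resolved
        return "unreachable", str(exc)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_tls.py <server_name> [port] [local_ca.pem]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(*probe(sys.argv[1], port, ca), sep=": ")
```

Run it once without a CA file to see what an ordinary client sees, then again with the exported Local CA file: a result of trusted on the second run confirms that the certificate assigned in Digital Certificate Manager chains to the Local CA and matches the hostname.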