Configuring IBM HTTP Server for encrypted connections on IBM i

Configure IBM® HTTP Server to use the encrypted connection protocol on IBM i.

About this task

To support encrypted connections, create a self-signed certificate and then configure IBM HTTP Server for encrypted connection traffic. If you use this certificate in production, users might receive warning messages from their browsers. In a typical production deployment, you would use a certificate from a trusted certificate authority.
To configure IBM HTTP Server for encrypted connections, complete the following main procedures:
  • Configure IBM HTTP Server for encrypted connections using the IBM Web Administration for IBM i.
  • Associate the system certificate with HTTP Server on Digital Certificate Manager.
  • Restart IBM HTTP Server to apply the changes.

Procedure

  1. Configure HTTP Server for encrypted connections using the IBM Web Administration for IBM i as follows:
    1. Open a browser to the URL http://<system_hostname>:2001/HTTPAdmin.
      1. Click the Manage tab.
      2. Click the HTTP Servers subtab.
      3. Select your HTTP Server from the Server list, for example: myHttpProfile.
      4. Select Global configuration from the Server area list.
      5. Expand Server Properties.
      6. Click Virtual Hosts.
      7. Click the Name-based tab in the form.
      8. Click Add under the Named virtual hosts table.
      9. Select or enter an IP address in the IP address column, for example: 10.1.2.3
        Note: The IP address 10.1.2.3 used in this scenario is associated with IBM i system host name <system_hostname> and registered by a Domain Name Server (DNS). You will need to choose a different IP address and hostname. The IBM Web Administration for i interface provides the IP addresses used by your IBM i server in the IP Address list; however, you will need to provide the hostname associated with the address you choose.
      10. Enter a port number in the Port column, such as: 443.
        Note: Specify a port number other than the one currently used by your HTTP Server so that you can maintain both an encrypted and a non-encrypted website.
      11. Click Add under the Virtual host containers table in the Named host column.
        Note: This is a table within the Named virtual hosts table in the Named host column.
      12. Enter the fully qualified server hostname for the virtual host in the Server name column, such as: <system_hostname>
        Note: Make sure the server hostname you enter is fully qualified and associated with the IP address you selected.
      13. Enter a document root for the virtual host index file or welcome file in the Document root column, such as: /www/myHttpProfile
        Note: You are specifying a document root that will be created later in this procedure. Remember the document root you have entered; you will be asked to enter the document root again when creating a new directory.
      14. Click Continue and then click OK.
    2. Set up the Listen directive for the virtual host as follows:
      1. Expand Server Properties.
      2. Click General Server Configuration.
      3. Click the General Settings tab in the form.
      4. Click Add under the Server IP addresses and ports to listen on table.
      5. Select the IP address you entered for the virtual host in the IP address column, such as: 10.1.2.3.
      6. Enter the port number you entered for the virtual host in the Port column, such as: 443
      7. Click Continue and then click OK.
    3. Enable an encrypted connection for the virtual host as follows:
      1. Select the virtual host from the Server area list, such as: Virtual Host *:443
      2. Expand Server Properties.
      3. Click Security.
      4. Click the SSL with Certificate Authentication tab in the form.
      5. Select Enable SSL under SSL.
      6. Select QIBM_HTTP_SERVER_[server_name] from the Server certificate application name list, for example: QIBM_HTTP_SERVER_myHttpProfile
        Note: Remember the name of the server certificate. You will need to select it again in the Digital Certificate Manager.
      7. Select Do not request client certificate for connection under Client certificates when establishing the connection.
      8. Click OK. The HTTPS_PORT field provides a specific environment variable value that is passed to CGI programs. This field is not used in this scenario.
  2. Associate the system certificate with HTTP Server on Digital Certificate Manager as follows:
    1. Open a browser to the URL http://<system_hostname>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0.
    2. Create or renew the local CA. If there is no local CA, create it first; refer to Setting up certificates for the first time for details.
      Note: After creating a private local CA, the Create a Certificate Authority (CA) task no longer appears in the navigation panel. To renew an expired local CA, perform the following steps:
      1. Select the Local CA and enter a password.
      2. Select Manage local CA > Renew.
      3. Renew the CA certificate and extend the expiration period.
      After the local CA is valid, create a new certificate and then assign it to the IBM HTTP Server.
    3. Create a new certificate in the *System keystore as follows:
      1. Select a keystore *system.
      2. Enter the password for *system keystore.
      3. Select Create certificate.
      4. Select Server or Client certificate.
      5. Select the local CA as the CA that will use its CA certificate to sign the new certificate.
      6. Input the essential information for the new certificate.
      7. Click Continue.
      8. Select Applications for the newly created certificate, such as QIBM_HTTP_SERVER_myHttpProfile, and then click Continue to finish.
    4. If the local CA is valid and a certificate signed by the local CA already exists, you can update the certificate assigned to the application by selecting Manage Applications > Update certificate assignment.
  3. Restart IBM HTTP Server to apply the changes.
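
As an added illustration (not IBM's code), the following Python check reads an httpd.conf and reports which parts of step 1 are still missing for the encrypted virtual host. It assumes that the Web Administration interface writes the Apache-style directives Listen, VirtualHost, ServerName, SSLEngine and SSLAppName; the sample configuration and the host name myhost.example.com are constructed.

```python
import re

# Constructed sample: the httpd.conf content the procedure is assumed to produce.
SAMPLE_CONF = """\
Listen 10.1.2.3:80
Listen 10.1.2.3:443
NameVirtualHost 10.1.2.3:443
<VirtualHost 10.1.2.3:443>
    ServerName myhost.example.com
    DocumentRoot /www/myHttpProfile
    SSLEngine On
    SSLAppName QIBM_HTTP_SERVER_myHttpProfile
    SSLClientAuth None
</VirtualHost>
"""

def parse(conf):
    """Return (global Listen values, {vhost address: {directive: value}})."""
    listens, vhosts, current = set(), {}, None
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<VirtualHost\s+(\S+)>", line, re.I)
        if opened:
            current = vhosts.setdefault(opened.group(1), {})
        elif line.lower() == "</virtualhost>":
            current = None
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            if current is not None:
                current[name.lower()] = value.strip()
            elif name.lower() == "listen":
                listens.add(value.strip())
    return listens, vhosts

def lint_tls_vhost(conf, addr, app_name):
    """List what is still missing for the encrypted virtual host at addr."""
    listens, vhosts = parse(conf)
    vhost = vhosts.get(addr)
    if vhost is None:
        return [f"no <VirtualHost {addr}> container"]
    port = addr.rsplit(":", 1)[1]
    problems = []
    if not listens & {addr, "*:" + port, port}:
        problems.append(f"no Listen directive covers {addr}")
    if vhost.get("sslengine", "").lower() != "on":
        problems.append("SSLEngine is not On")
    if vhost.get("sslappname") != app_name:
        problems.append(f"SSLAppName is not {app_name}")
    if "servername" not in vhost:
        problems.append("ServerName is missing")
    return problems
```

The application name passed to lint_tls_vhost must be the same one that the certificate is assigned to in Digital Certificate Manager in step 2.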

Results

To test the new configuration: open a web browser and ensure that you can successfully reach https://<server_name>. You might be prompted to accept the self-signed certificate on your browser. IBM Connections users can access applications through the SSL protocol.
