JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP Server

This scenario discusses how to enable SSL protection for an IBM® HTTP Server for i Web server.

Scenario

The JKL Toy company (a fictitious company) wants to enable Secure Sockets Layer (SSL) protection for a specific directory on their HTTP Server. The secured directory will contain confidential corporate earnings information that only a select group of employees and business associates will be able to access. The JKL Web administrator has decided not to create and deploy user certificates to client browsers, but rather use SSL so that all data exchanged with the browser is encrypted. The JKL Web administrator will use a server certificate, basic password protection (based upon existing IBM i user accounts), and standard SSL encryption to provide access to the secured information.

Note: Although JKL chooses not to implement digital certificates, they must still register their HTTP Server with the IBM i Digital Certificate Manager.

Prerequisites

Start the IBM Web Administration for i interface

Access the IBM Web Administration for i from your browser. For information about how to access the Web Administration for i interface, see Starting Web Administration for i.

Set up a name-based virtual host

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select your HTTP Server from the Server list.

    Example: JKLTEST

  4. Select Global configuration from the Server area list.
  5. Expand Server Properties.
  6. Click Virtual Hosts.
  7. Click the Name-based tab in the form.
  8. Click Add under the Named virtual hosts table.
  9. Select or enter an IP address in the IP address column.
    Example: 9.5.61.228
    Note: The IP address 9.5.61.228 used in this scenario is associated with JKL Toy Company's IBM i hostname JKLEARNINGS and is registered with a Domain Name Server (DNS). You will need to choose a different IP address and hostname. The IBM Web Administration for i interface lists the IP addresses used by your IBM i server in the IP Address list; however, you will need to provide the hostname associated with the address you choose.
  10. Enter a port number in the Port column.

    Example: 443

    Note: Specify a port number other than the one your HTTP Server currently listens on, so that you can keep both an SSL and a non-SSL Web site.
  11. Click Add under the Virtual host containers table in the Named host column.
    Note: This is a table within the Named virtual hosts table in the Named host column.
  12. Enter the fully qualified server hostname for the virtual host in the Server name column.

    Example: www.JKLEARNINGS.org

    Note: Make sure the server hostname you enter is fully qualified and associated with the IP address you selected.
  13. Enter a document root for the virtual host index file or welcome file in the Document root column.

    Example: /www/jkltest/earnings/

    Note: You are specifying a document root that will be created below. Remember the document root you have entered; you will be asked to enter the document root again when creating a new directory.
  14. Click Continue.
  15. Click OK.

Set up Listen directive for virtual host

  1. Expand Server Properties.
  2. Click General Server Configuration.
  3. Click the General Settings tab in the form.
  4. Click Add under the Server IP addresses and ports to listen on table.
  5. Select the IP address you entered for the virtual host in the IP address column.

    Example: 9.5.61.228

  6. Enter the port number you entered for the virtual host in the Port column.

    Example: 443

  7. Click Continue.
  8. Click OK.

Set up the virtual host directories

  1. Select the virtual host from the Server area list.
  2. Expand HTTP Tasks and Wizards.
  3. Click Add a Directory to the Web.
  4. Click Next.
  5. Select Static web pages and files.
  6. Click Next.
  7. Enter a directory name for the virtual host in the Name field.

    Example: /www/jkltest/earnings/

  8. Click Next.
  9. Enter an alias for the virtual host in the Alias field.

    Example: /earnings/

  10. Click Next.
  11. Click Finish.

The document root and directory for the virtual host have been created.

Set up password protection via authentication

  1. Select the directory under the virtual host from the Server area list.

    Example: Directory /www/jkltest/earnings

  2. Expand Server Properties.
  3. Click Security.
  4. Click the Authentication tab in the form.
  5. Select IBM i user profiles under User authentication method.
  6. Enter Projected Earnings in the Authentication name or realm field.
  7. Specify the user profile in the field IBM i user profile to process requests under Related information.
  8. Click Apply.
  9. Click the Control Access tab in the form.
  10. Select Control access based on specific authorization in the Control access field.
  11. Click the Add Authorization button under the Authorization for control access table.
  12. Select Require valid user from the Authorization or Container list in the new row.
  13. Click OK.

Enable SSL for the virtual host

  1. Select the virtual host from the Server area list.

    Example: Virtual Host *:443

  2. Expand Server Properties.
  3. Click Security.
  4. Click the SSL with Certificate Authentication tab in the form.
  5. Select Enable SSL under SSL.
  6. Select QIBM_HTTP_SERVER_[server_name] from the Server certificate application name list.

    Example: QIBM_HTTP_SERVER_JKLTEST

    Note: Remember the name of the server certificate. You will need to select it again in the Digital Certificate Manager.
  7. Select Do not request client certificate for connection under Client certificates when establishing the connection.
  8. Click OK.

The HTTPS_PORT field sets a specific environment variable value that is passed to CGI programs. This field is not used in this scenario.

Associate system certificate with HTTP Server

The application name (created during the SSL process) is assigned a system certificate via the Digital Certificate Manager (DCM). During the process of enabling SSL for a virtual host, an IBM i server certificate must be assigned to the application name used when configuring SSL. This task is accomplished via the Digital Certificate Manager interface (accessed from the IBM i Tasks screen). See IBM i Digital Certificate Manager for more information.

Note: The following steps will require a user profile with higher levels of authority than those documented for the Webmaster profile. Web browsers will need to be restarted using the higher authority profile to authenticate.

  1. Click the Related Links tab.
  2. Click Digital Certificate Manager.
  3. Click Select a Certificate Store.
  4. Select *SYSTEM.
  5. Click Continue.
  6. Enter a password in the Certificate store password field.
  7. Click Continue.
  8. Click Manage Applications.
  9. Select Update certificate assignment.
  10. Click Continue.
  11. Select Server.
  12. Click Continue.
  13. Select the appropriate application name.
    Note: Select the application name created while enabling SSL for the virtual host directory.

    Example: QIBM_HTTP_SERVER_JKLTEST

  14. Click Update Certificate Assignment.
  15. Select the appropriate certificate.
  16. Click Assign New Certificate. This assigns the certificate to the application name selected in the previous step.

Restart your HTTP Server

Select one of the following methods:

Manage one server

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select your HTTP Server from the Server list.
  4. Click the Stop icon if the server is running.
  5. Click the Start icon.

Manage all servers

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select All Servers from the Server list.
  4. Click the All HTTP Servers tab.
  5. Select your HTTP Server name in the table.

    Example: JKLTEST

  6. Click Stop if the server is running.
  7. Click Start.

Note: If your HTTP Server does not start, see Troubleshooting.

Test your HTTP Server

  1. Start a new Web browser.
  2. Enter https://[virtual_hostname_name]:[port] in the location or URL field.

    Example: https://www.JKLEARNINGS.org:443

You will be challenged for a user name and password. After entering an appropriate IBM i user name and password, you will see a sample homepage (created by the Serve New Directory wizard) with the browser's security padlock icon enabled. The padlock indicates that SSL is enabled.

View your HTTP Server configuration

Your configuration will look similar to the one shown below if you used the example values given in this scenario and the previous ones.

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select your HTTP Server from the Server list.

    Example: JKLTEST

  4. Expand Tools.
  5. Click Display Configuration File.
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:1975
Listen 9.5.61.228:443
DocumentRoot /www/jkltest/htdocs
TraceEnable Off
Options -FollowSymLinks
AccessFileName .htaccess
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
LogMaint logs/access_log 7 0
LogMaint logs/error_log 7 0
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
DirectoryIndex index.html
<Directory />
	Require all denied
</Directory>
<Directory /www/jkltest/htdocs>
	Require all granted
</Directory>
<VirtualHost 9.5.61.228:443>
	ServerName www.JKLEARNINGS.org
	DocumentRoot /www/jkltest/earnings/
	SSLEnable
	SSLAppName QIBM_HTTP_SERVER_JKLTEST
	SSLClientAuth None
	<Directory /www/jkltest/earnings>
		Require valid-user
		PasswdFile %%SYSTEM%%
		UserID %%SERVER%%
		AuthType Basic
		AuthName "Projected Earnings"
	</Directory>
	Alias /earnings/ /www/jkltest/earnings/
</VirtualHost>
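As an added example (not part of the IBM documentation), the following Python checker reads a configuration like the one displayed above and confirms the two properties this scenario depends on: every <VirtualHost> has a matching Listen line, and every directory protected with AuthType Basic sits inside a virtual host that has SSLEnable, so that IBM i user passwords are only ever accepted over the encrypted port and never over the non-SSL listener (port 1975 in this scenario). The embedded sample configuration is constructed from the display above, and treating a "*:port" Listen as satisfying a host on that port is an assumption of this checker.

```python
import re

# Constructed input: the SSL virtual host from the configuration displayed
# above, trimmed to the directives this check reads.
SAMPLE_CONF = """\
Listen *:1975
Listen 9.5.61.228:443
<VirtualHost 9.5.61.228:443>
    SSLEnable
    SSLAppName QIBM_HTTP_SERVER_JKLTEST
    <Directory /www/jkltest/earnings>
        Require valid-user
        AuthType Basic
        AuthName "Projected Earnings"
    </Directory>
</VirtualHost>
"""

def parse(conf):
    """Return Listen addresses, {vhost: ssl_enabled}, {dir: (vhost, lines)}."""
    listens, vhosts, dirs, vhost, cur = set(), {}, {}, None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("Listen "):
            listens.add(line.split()[1])
        elif m := re.match(r"<VirtualHost (\S+)>", line):
            vhosts[(vhost := m.group(1))] = False  # SSLEnable not seen yet
        elif line == "</VirtualHost>":
            vhost = None
        elif m := re.match(r"<Directory (\S+)>", line):
            dirs[(cur := m.group(1))] = (vhost, [])  # vhost None = global
        elif line == "</Directory>":
            cur = None
        elif line == "SSLEnable" and vhost:
            vhosts[vhost] = True
        elif cur and line:
            dirs[cur][1].append(line)
    return listens, vhosts, dirs

def audit(conf):
    """Return findings; an empty list means both checks pass."""
    listens, vhosts, dirs = parse(conf)
    findings = []
    for addr in vhosts:  # assumption: "*:port" also satisfies the host
        if addr not in listens and "*:" + addr.rsplit(":", 1)[-1] not in listens:
            findings.append(f"no Listen for {addr}")
    for path, (vh, lines) in dirs.items():  # Basic auth only behind SSL
        if "AuthType Basic" in lines and not (vh and vhosts[vh]):
            findings.append(f"Basic auth on {path} reachable without SSL")
    return findings
```

Running audit() against the configuration file exported from Display Configuration File gives an empty list for the scenario as configured; removing SSLEnable or the 443 Listen line produces a finding.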