Before you can configure SSL, you need to make sure that the Cryptographic Service Provider product is installed. This is a no-charge IBM product.
Next, you must start the *ADMIN server using the command
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
The *ADMIN server provides a number of browser-based HTTP configuration tools served from port 2001. To access these tools, go to:
If you are on a version of IBM i before 6.1, you will use the Digital Certificate Manager option.
If you are running 6.1 or above, DCM is found under the Internet Configurations option in the i5/OS Management section.
You will now be inside the DCM.
You will have to decide on one of a few options:
- Buy a certificate from a vendor like VeriSign or Thawte – this is appropriate for public Internet applications.
- Create your own certificate – this may be appropriate if your users are predominantly internal. By default, browsers will not recognize you as a trusted certificate authority. You have several options for addressing this:
  - Instruct users to ignore the browser’s warning message
  - Install a local certificate authority (CA) certificate on the end-user’s PC
Ordering a certificate from a trusted vendor like VeriSign or Thawte
The first step is to create a Certificate Signing Request (CSR). The certificate vendor will need this in order to create your certificate.
- Once inside DCM, click Select Certificate Store. You are looking for the *SYSTEM certificate store.
- If it is not available, click Create New Certificate Store and create the *SYSTEM store. You’ll be prompted to create a password for it.
- If the *SYSTEM store already exists, select it, and enter the password. There is a password reset option, if you do not know/remember the password.
- Click Create certificate.
- Select Server or Client Certificate.
- Select “VeriSign or other Internet Certificate Authority”
- This will bring up the CSR form. The important fields are:
- Key size: Some certificate vendors can only handle a key size of 1024 bits, so this is the recommended setting.
- Common Name: Here, you must give the exact host/domain name that users will type into the browser address bar to access the site. The browser will give an error/warning message if the host/domain name used to access the site does not exactly match the certificate’s Common Name. For example: www.mydomain.com
- After completing the CSR form, the CSR text will display on screen. Copy and paste the text to a text file on your PC. It’s important to do this before leaving the page, as there is no way to view the CSR text again. When ordering your certificate, the vendor will ask for the CSR – this is typically copied/pasted into a web form, or uploaded as a text file.
When you receive the certificate, create or place a certificate text file on the iSeries IFS in some temporary location.
Then select Manage Certificates, Import Certificate. Select Server or Client Certificate and specify the IFS file name for Import File. You will then have to choose the vendor/certificate issuer.
If the vendor/certificate issuer does not exist, you can import a CA certificate of the issuer using a similar process.
Creating your own certificates through your own CA
(not recommended for public Internet Access)
Once inside DCM, click Select Certificate Store. You are looking for the *SYSTEM certificate store. If it is not available, proceed to Create a CA (Certificate Authority).
- Choose password (it is very important to remember this, as there may not be an easy way to reset this)
- Enter CA information – this should be readable information; it will display if the certificate is viewed by the user
- The create CA process will proceed to create a *SYSTEM certificate store if it does not exist
- Then, a Web Server Certificate will be created
- When creating the Web Server Certificate, the most important piece of information is the COMMON Name. This is the exact IP address or host name of the server for which SSL is being configured.
- The process will then proceed to choosing an application. You should stop here, since the application has not been created yet.
Installing a local CA certificate on the end-user PC:
This applies only if using a certificate issued from a local CA.
Click Install Local CA Certificate on Your PC. Select Copy and Paste CA Certificate.
Then, paste the data into a text file with a .cer extension.
Send this file to your users. Each user must open the file, install the certificate, and choose the appropriate store.
Creating an Application
Regardless of what type of certificate you are using, you’ll need to create an ‘Application’ in the DCM. The application is simply an identifier that a certificate is associated with. The HTTP server will reference the application id, which in turn references the certificate.
To create an application, select Manage Applications, then Add Application, then select Server Application.
- Enter Application Id – this piece is referred to in your httpd.conf configuration file
- Enter Application Description
- Leave all other fields as their default values
Next, you must assign the certificate to the application. Select Manage Certificates, and then Assign Certificates. Select the certificate you created and click Assign to Applications.
Configuring the HTTP Server
Finally, you must uncomment the following lines from your httpd.conf file located in /www/profoundui/conf/ and enter your application id on the SSLAppName line:
You will most likely want to change the port to 443 as well. This is the standard port used for SSL. You can do so on the Listen directive in httpd.conf.
If you wish to keep your existing non-SSL port working as it was before, but add SSL support on a second port, you can do so with a VirtualHost directive. For example, to keep 8080 as non-SSL but add port 8081 as SSL within the same HTTP server instance, you could do the following:
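The following is an added illustration of that two-port layout, not the httpd.conf shipped by Profound Logic; the application id is a placeholder you must replace with the id you created in DCM, and only the SSLEngine and SSLAppName directives from the page are used:

```apache
# Added example (not Profound Logic's shipped httpd.conf).
# Keeps the existing plain-HTTP listener on 8080 and adds an SSL listener on 8081
# in the same HTTP server instance.
Listen *:8080
Listen *:8081

# Plain HTTP virtual host: behaviour on 8080 is unchanged
<VirtualHost *:8080>
    SSLEngine Off
</VirtualHost>

# SSL virtual host on 8081. SSLAppName references the DCM application id,
# which in turn references the certificate you assigned to it.
# YOUR_DCM_APPLICATION_ID is a placeholder, not a real id.
<VirtualHost *:8081>
    SSLEngine On
    SSLAppName YOUR_DCM_APPLICATION_ID
</VirtualHost>
```

After restarting the server, confirm that a browser on port 8081 shows the certificate whose Common Name matches the host name users type, and that port 8080 still answers plain HTTP.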
As with any change to httpd.conf, you will need to restart the PROFOUNDUI web server.
You may also wish to disable certain components of Profound UI so that they aren't available in your SSL instance. More information on that can be found under Allowing External Access.
Have Profound Logic enable SSL for you
A Profound Logic team member can configure SSL for your applications for a fee. If you are interested in this service, please contact us here for more information.