Configure SSL for ADMIN wizard


The IBM Web Administration for i5/OS interface provides the Configure SSL for ADMIN wizard to configure Secure Sockets Layer (SSL) for the ADMIN server. SSL has become an industry standard for enabling applications for secure communication sessions over an unprotected network, such as the Internet.

Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. IBM recommends that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS; some of the functions documented here are not available before that update. See IBM Service for more information.

The ADMIN server runs all of the programs listed on the Web Administration Tasks page (http://[your_i5system]:2001), including the IBM Web Administration for i5/OS interface and the Digital Certificate Manager (DCM). By default, the ADMIN server listens for non-SSL (unencrypted) connections on port 2001, so administrative sign-on and configuration changes travel in cleartext. If you want the ADMIN server to use SSL but lack experience with DCM and SSL, the wizard simplifies the process and removes the need to edit the ADMIN server configuration by hand. For the manual procedure, see Set up SSL for the administration (ADMIN) server for HTTP Server.

The Configure SSL for ADMIN wizard updates the ADMIN server configuration file to enable SSL on port 2010; optionally, port 2001 may be left enabled for non-SSL traffic. Note that if port 2001 stays enabled, anyone who continues to use it still sends administrator credentials unencrypted, so disable it once you have confirmed that port 2010 works. The wizard uses the Digital Certificate Manager to issue a digital certificate, assigns that certificate to the ADMIN server application, and restarts the ADMIN server. The restart usually takes about a minute; while it is in progress, the IBM Web Administration for i5/OS interface is unavailable.


Secure Sockets Layer and digital certificates

SSL is actually two protocols: the record protocol and the handshake protocol. The record protocol carries the application data between the two endpoints of an SSL session, splitting it into records and applying the integrity check and encryption negotiated for that session.

The handshake protocol authenticates one or both endpoints of the SSL session and establishes a shared secret, unique to that session, from which the symmetric keys used to encrypt and decrypt the session data are derived. SSL uses asymmetric cryptography, digital certificates, and the handshake flows to authenticate one or both endpoints. Typically, SSL authenticates the server. Optionally, SSL also authenticates the client; this wizard, however, configures server authentication only, not client authentication. A digital certificate, issued by a Certificate Authority, can be assigned to each of the endpoints or to the applications using SSL on each endpoint of the connection.

A digital certificate is an electronic credential that you can use to establish proof of identity in an electronic transaction. iSeries provides extensive digital certificate support that allows you to use digital certificates as credentials in a number of security applications. In addition to using certificates to configure SSL, you can use them as credentials for client authentication in both SSL and virtual private network (VPN) transactions. Also, you can use digital certificates and their associated security keys to sign objects. Signing objects allows you to detect changes or possible tampering to object contents by verifying signatures on the objects to ensure their integrity.

Capitalizing on the iSeries support for certificates is easy when you use Digital Certificate Manager (DCM), a free feature, to centrally manage certificates for your applications. DCM allows you to manage certificates that you obtain from any Certificate Authority (CA). Also, you can use DCM to create and operate your own Local CA to issue private certificates to applications and users in your organization.

A digital certificate consists of a public key and some identifying information that a trusted Certificate Authority (CA) has digitally signed. Each public key has an associated private key. The private key is not stored with, or as part of, the certificate. In both server and client authentication, the endpoint being authenticated must prove during the handshake that it has access to the private key associated with the public key contained in its digital certificate; possession of the certificate alone proves nothing, since certificates are public.


Prerequisites and assumptions

Support for the Configure SSL for ADMIN wizard was added in the PTF Group SF99114 Level 6. This level or higher is required to use this function.

The Configure SSL for ADMIN wizard requires a user profile with *ALLOBJ and *SECADM special authorities and Digital Certificate Manager (5722-SS1 Option 34).


Start the Configure SSL for ADMIN wizard

The Configure SSL for ADMIN wizard can be started from the Web Administration for i5/OS interface:

  1. In iSeries Navigator, expand your_system_i –> Network –> Servers, and select TCP/IP.

  2. Right-click HTTP Administration, and select Start.

  3. Start a Web browser.

  4. Type http://[your_system_i]:2001 in the URL field to start the i5/OS Tasks Web page, where [your_system_i] is the name of your IBM i5/OS system. Example: http://mysystemi.acme.com:2001

  5. Click IBM Web Administration for i5/OS.

  6. From the IBM Web Administration for i5/OS interface, select the ADMIN-Apache server.

  7. In the navigation pane, expand HTTP Tasks and Wizards , and select Configure SSL for ADMIN.

    If Configure SSL for ADMIN is not displayed in the navigation pane, either the HTTP Server PTF group (SF99114 Level 6 or higher; see Prerequisites and assumptions) has not been properly installed, or the ADMIN server has not been selected.

The Configure SSL for ADMIN welcome page is displayed. Click Next to begin the wizard. After the updates are made, the wizard restarts the ADMIN server. The ADMIN server can then be accessed securely at https://[your_i5system]:2010. For more information, see these related topics:
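After the wizard has restarted the ADMIN server, it is worth checking the resulting configuration rather than trusting the restart message: the ADMIN server must listen on port 2010 with SSL enabled and the certificate assigned, and port 2001 should be gone unless you deliberately kept it. The following script is an added example (not IBM code and not what the wizard itself runs) that audits an Apache-style HTTP Server configuration for exactly those conditions, covering both the configuration change described earlier and the end of the procedure above. The directive names Listen, VirtualHost, SSLEngine and SSLAppName, and the DCM application ID QIBM_HTTP_SERVER_ADMIN, are assumptions based on HTTP Server for i5/OS conventions; the sample configurations are constructed for the example, not copied from a real system.

```python
"""Audit an ADMIN server configuration for the state the Configure SSL for
ADMIN wizard should leave behind (added example, not IBM code).

Assumptions: Apache-style directives (Listen, <VirtualHost>, SSLEngine,
SSLAppName) and the DCM application ID QIBM_HTTP_SERVER_ADMIN.
"""
import re

ADMIN_SSL_PORT = 2010      # port the wizard enables for SSL
ADMIN_PLAIN_PORT = 2001    # default non-SSL port
EXPECTED_APPNAME = "QIBM_HTTP_SERVER_ADMIN"  # assumed DCM application ID


def parse_config(text):
    """Return (listen_ports, vhosts): the set of ports with a Listen directive
    and a dict mapping each <VirtualHost> port to its lower-cased directives."""
    listen = set()
    vhosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"Listen\s+(?:\S*:)?(\d+)$", line, re.I)
        if m:
            listen.add(int(m.group(1)))
            continue
        m = re.match(r"<VirtualHost\s+\S*:(\d+)>$", line, re.I)
        if m:
            current = int(m.group(1))
            vhosts.setdefault(current, {})
            continue
        if line.lower() == "</virtualhost>":
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2:
                vhosts[current][parts[0].lower()] = parts[1].strip()
    return listen, vhosts


def audit(text):
    """Return a list of findings; an empty list means SSL is enabled on port
    2010 with the certificate assigned and no cleartext admin port remains."""
    listen, vhosts = parse_config(text)
    findings = []
    if ADMIN_SSL_PORT not in listen:
        findings.append(f"no Listen directive for port {ADMIN_SSL_PORT}")
    vh = vhosts.get(ADMIN_SSL_PORT)
    if vh is None:
        findings.append(f"no <VirtualHost> for port {ADMIN_SSL_PORT}")
    else:
        if vh.get("sslengine", "").lower() != "on":
            findings.append(f"SSLEngine is not On for port {ADMIN_SSL_PORT}")
        if vh.get("sslappname") != EXPECTED_APPNAME:
            findings.append(f"SSLAppName for port {ADMIN_SSL_PORT} is not "
                            f"{EXPECTED_APPNAME}, so no DCM certificate is assigned")
    if ADMIN_PLAIN_PORT in listen:
        findings.append(f"port {ADMIN_PLAIN_PORT} still accepts non-SSL admin "
                        "traffic; credentials can be sent in cleartext")
    return findings


# Constructed sample: what a correctly hardened ADMIN server should look like.
SAMPLE_SSL_ONLY = """
# constructed sample, not a real ADMIN server configuration
Listen *:2010
<VirtualHost *:2010>
    SSLEngine On
    SSLAppName QIBM_HTTP_SERVER_ADMIN
</VirtualHost>
"""

# Constructed sample: wizard run with the option to keep port 2001 enabled.
SAMPLE_PLAIN_LEFT_OPEN = SAMPLE_SSL_ONLY + """
Listen *:2001
<VirtualHost *:2001>
    SSLEngine Off
</VirtualHost>
"""

# Constructed sample: the default state before the wizard has been run.
SAMPLE_BEFORE_WIZARD = "Listen *:2001\n"


if __name__ == "__main__":
    for name, cfg in [("ssl only", SAMPLE_SSL_ONLY),
                      ("2001 left open", SAMPLE_PLAIN_LEFT_OPEN),
                      ("before wizard", SAMPLE_BEFORE_WIZARD)]:
        print(name, "->", audit(cfg) or "OK")
```

Run it against the ADMIN server's configuration file and treat any finding as a reason not to stop at the wizard's "restart complete" message; in particular, the port 2001 finding is the one the wizard will not raise for you, since keeping that port is a permitted option.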


Parent topic:

Web tasks