Troubleshooting
Problem
Navigator for i does not come enabled for TLS by default. Navigator for i running on ADMIN1 can be enabled for TLS using these steps. Other ADMIN servers can also use these steps.
Environment
IBM i 7.3 and later
Navigator for i - ADMIN1 application server
Resolving The Problem
The 7.4 and 7.3 HTTP PTF group that was released in September of 2021 has introduced a new version of Navigator for i. This version can also be configured to use TLS.
HTTP PTF Group levels for Navigator:
7.5 base release, get updates with HTTP group
7.4 HTTP Group - SF99662 level 14
7.3 HTTP Group - SF99722 level 33
Navigator for i:
- Runs on the Admin1 HTTP server job using ports 2002 (Non-secure) and 2003 (with TLS configured)
- Non-TLS URL used to connect is http://systemname:2002/Navigator
- TLS URL is https://systemname:2003/Navigator
NOTE: Install the latest HTTP Group PTF to ensure all options for Admin1 are available on Web Admin. The following is a link to the preventative service planning page that shows the current levels:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021657#1
You can enable HTTPS by either using the default Java keystore used within IBM Navigator for i or by using Digital Certificate Manager.
Choose ONE of the following options (either use the default JKS keystore that Admin1 (or Admin2-heritage) ship with, or use certificates within Digital Certificate Manager):
- Enable HTTPS using the default Java keystore
NOTE: This option will create a new self-signed certificate to be placed in the Java keystore.
1. Open a web browser and go to the following URL (login with your IBM i user profile):
http://hostname:2001/HTTPAdmin
2. Click Manage -> Application Servers -> select 'Admin1' (New Navigator) on Servers list
3. Click 'Configure TLS'
4. Click Next on Step 1:
5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):
6. Configure 'inav_key.jks' as the keystore on Step 3:
7. This will prompt to create the new keystore and set the password:
8. Select 'Default Ciphers' and click 'Next' on Step 8:
9. Select the restart server style you like on Step 9:
10. Confirm the information and click Finish on the last step:
Once the server has been restarted, users can connect via the following URLs (using the port specified in the configuration above):
New Navigator: https://hostname:2003/Navigator
Heritage Navigator: https://hostname:2005/ibm/console/logon.jsp
- Enable HTTPS using the Digital Certificate Manager *SYSTEM keystore
- Issue a new self-signed certificate
1. Open a web browser and go to the following URL (login with your IBM i user profile):
http://hostname:2001/HTTPAdmin
2. Click Manage -> Application Servers -> select 'Admin1' (New Navigator) on Servers list
3. Click 'Configure TLS'
4. Click Next on Step 1:
5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):
6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':
7. Specify the password of the *SYSTEM store:
8. Select 'Issue a new self-signed certificate' and click 'Next'
9. Select 'Default ciphers' and click 'Next'
10. Select your restart option and click Next:
11. You will be presented with a summary screen of your choices. Click Finish. The server will be restarted and users should connect via the following URLs:
Heritage Navigator for i: https://hostname:2005/ibm/console/logon.jsp
Navigator for i: https://hostname:2003/Navigator
- Select an existing certificate from the *SYSTEM keystore
1. Open a web browser and go to the following URL (login with your IBM i user profile):
http://hostname:2001/HTTPAdmin
2. Click Manage -> Application Servers -> select 'Admin1' (Navigator for i) on Servers list
3. Click 'Configure TLS'
4. Click Next on Step 1:
5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):
6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':
7. Specify the password of the *SYSTEM store:
8. Select 'Select existing certificate from the keystore', then choose an existing certificate from the drop down (avoid certificates with an * at the end, these are expired) on Step 6 -> click 'Next'
9. Select 'No trust certificate to import' on Step 7 -> click 'Next'
10. Select 'Default ciphers' on Step 8 and click Next:
11. Select your restart option and click Next:
12. You will be presented with a summary of your choices. Confirm the information and click Finish on the last step. The server will be restarted and users should connect via the following URLs:
Heritage Navigator: https://hostname:2005/ibm/console/logon.jsp
New Navigator: https://hostname:2003/Navigator
NOTE: To prevent a TLS warning regarding the certificate not being trusted in the browser, a certificate from a well-known Certificate Authority can be used.
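To confirm the result of any of the procedures above from a workstation, the following added example (not part of the IBM document) handshakes with the TLS ports named in this article and reports the negotiated protocol and whether the certificate is trusted. It assumes Python 3 on the client, and that the workstation's CA store stands in for the browser's; the function names are illustrative.

```python
import socket
import ssl

# Ports named in the article: 2003 = Navigator for i, 2005 = Heritage Navigator.
NAVIGATOR_TLS_PORTS = (2003, 2005)
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def handshake(host, port, verify, timeout=5.0):
    """Perform one TLS handshake and return the negotiated protocol version."""
    ctx = ssl.create_default_context()  # trusts the workstation's CA store
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def assess(version, verify_error):
    """Map handshake results to findings. Pure function, no network access."""
    findings = []
    if version is None:
        findings.append("no TLS handshake completed: check the TLS port and that the server was restarted")
    elif version not in ACCEPTED_VERSIONS:
        findings.append(f"negotiated {version}: the article recommends TLSv1.2")
    msg = (verify_error or "").lower()
    if "self" in msg and "signed" in msg:  # OpenSSL 1.1 and 3.x word this differently
        findings.append("self-signed certificate: browsers will warn until a CA-issued certificate is used")
    elif "expired" in msg:
        findings.append("certificate expired: select an unexpired certificate from the keystore")
    elif msg:
        findings.append(f"certificate not trusted: {verify_error}")
    return findings


def check(host, port):
    """Probe once without verification (protocol), once with it (trust)."""
    try:
        version = handshake(host, port, verify=False)
    except OSError:  # refused, timed out, or no shared protocol version
        return assess(None, None)
    try:
        handshake(host, port, verify=True)
        return assess(version, None)
    except ssl.SSLCertVerificationError as exc:
        return assess(version, exc.verify_message)

# Usage: for p in NAVIGATOR_TLS_PORTS: print(p, check("hostname", p) or "OK")
```

An empty list from `check` means the port negotiated TLS 1.2 or later and presented a certificate the client trusts for that hostname.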
Document Information
Modified date:
21 August 2024
UID
ibm17166029