IBM Support

Enable TLS for HTTP Apache using the HTTP Admin 'Configure TLS' Wizard

Question & Answer


Question

How do you set up TLS for an HTTP Apache server?

Answer

The HTTP Admin offers an SSL wizard to configure SSL/TLS for the Apache server. The wizard can access Digital Certificate Manager (DCM) to create a new Local signed certificate or select an existing certificate already in the store. If the certificate is going to be a Local signed certificate, DCM needs to be configured with a *SYSTEM store and a Local CA store. For more information about DCM, including requesting a certificate from an Internet CA, see the following:

1. The first step is to access the IBM Web Administration for i GUI page by opening a browser and using one of the following URLs (replace systemName with the IBM i IP address or system name):

http://systemName:2001/HTTPAdmin

or

https://systemName:2010/HTTPAdmin

Log in with a profile that has *SECOFR authority. Select the server you want to configure from the "Server" drop-down box and click "Configure TLS" in the left panel.


2. Click Next on the first screen


3. Change the port to the one you want to use for TLS connections, select the radio button for "No, leave non-SSL port enabled while still configuring SSL port", and click Next.


4. Type in the password for the *SYSTEM store and click Next. NOTE: If you do not know the password, you can reset it in DCM. Go to http://systemName:2006/dcm or https://systemName:2007/dcm, click 'Open Certificate Store' on the left, choose *SYSTEM, then click 'Reset Password'.

 


5. Choose either to create a new Local CA signed certificate or to select an existing certificate, and click Next.

 


A. Local CA

Type in the password for the Local Certificate Authority store and click Next. If you do not know the password, you can reset it in DCM. Go to http://systemName:2006/dcm or https://systemName:2007/dcm, click 'Open Certificate Store' on the left, choose 'Local CA', then click 'Reset Password'.
Continue to Step 6.

 


B. Existing certificate

Select the certificate from the drop-down box and click Next.


Select 'Trust all CAs in the *SYSTEM store' and click Next.

 



6. Select the option to restart the server later or after the wizard completes, and click Next.

 
7. The next screen is a summary; click Finish.

 
8. After restarting the server, verify that both the non-secured port and the secured port are working. If they are both working but you do not wish to leave the non-secured port active, you can either delete or comment out the Listen directive for the non-secured port, or follow technote 686719 (https://www.ibm.com/support/pages/node/686719) to rewrite requests on the non-secured port to the secured port.
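
The following is an added example, not IBM's code and not part of the original technote, for the cleanup described in step 8: it reads an Apache configuration and reports which active Listen ports are still plain HTTP. The sample configuration is constructed, and the names `audit_listeners` and `_port`, as well as the rule that a port counts as TLS only when a `<VirtualHost>` for it contains `SSLEngine On`, are assumptions of this example.

```python
# Constructed sample config (not from the technote): port 80 is plain HTTP,
# port 443 is served by a virtual host with SSLEngine On.
SAMPLE_CONF = """\
Listen *:80
#Listen *:8080
Listen *:443
<VirtualHost *:443>
    SSLEngine On
</VirtualHost>
"""

def _port(addr):
    """Extract the port from 'port', 'addr:port' or '[v6]:port'; None if absent."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def audit_listeners(conf_text):
    """Map each active Listen port to 'tls' or 'plain'.

    Assumption of this example: a port counts as TLS only when a
    <VirtualHost> naming that port contains 'SSLEngine On'.
    """
    listen, tls, vhost_ports = [], set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out Listen lines are inactive
        words = line.split()
        key = words[0].lower()
        if key == "listen" and len(words) > 1:
            port = _port(words[1])
            if port is not None:
                listen.append(port)
        elif key == "<virtualhost":
            addrs = line[len(words[0]):].rstrip(">").split()
            vhost_ports = {p for p in map(_port, addrs) if p is not None}
        elif key == "</virtualhost>":
            vhost_ports = None
        elif key == "sslengine" and vhost_ports is not None:
            if len(words) > 1 and words[1].lower() == "on":
                tls |= vhost_ports
    return {p: ("tls" if p in tls else "plain") for p in listen}

if __name__ == "__main__":
    for port, kind in audit_listeners(SAMPLE_CONF).items():
        print(f"port {port}: {kind}")
```

Any port reported as `plain` is a candidate for the Listen removal or the rewrite described in step 8.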


Document Information

Modified date: 19 June 2024

UID: nas8N1022003