Figure 304. IBM HTTP Server for AS/400 main page
3. Click Configuration and Administration in the left pane of the window to
open the HTTP Server configuration and administration tasks.
4. Click the Configurations tab and select ADMIN from the Configuration for
server list. You see the display shown in Figure 305.
416
iSeries Wired Network Security
Figure 305. HTTP Server (powered by Apache) ADMIN configuration
5. Click ADMIN global settings in the navigation pane.
6. Scroll down the right pane until you see the Configuration Files section, as
shown in Figure 306 on page 418.
Appendix C. Enabling SSL for the ADMIN server instance
417
Figure 306. Configuration Files section
7. Click Edit Configuration File to open the ADMIN server configuration file.
8. When the configuration file has opened, scroll down to the bottom and
copy the following text into the clipboard:
#-----------------------------------------------------
# The following directives should be added to
# /QIBM/UserData/HTTPA/admin/conf/admin-cust.conf
# and uncommented in order to enable SSL for ADMIN.
#-----------------------------------------------------
# LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
# Listen 2001
# Listen 2010
# SetEnv HTTPS_PORT 2010
#
# SSLEnable
# SSLAppName QIBM_HTTP_SERVER_ADMIN
#
9. Click Cancel to exit from the IBM-supplied configuration file.
10. Scroll down the navigation pane.
Figure 307. ADMIN server navigation pane
11. Click Include /QIBM/UserData/HTTPA/admin/conf/admin-cust.conf in
the navigation pane, as shown in Figure 307. The options in the right pane
change and list the available options for the ADMIN server user
configuration file.
12. Scroll down on the right pane until you see the Configuration Files section
and click Edit Configuration File. You see the display shown in
Figure 308 on page 420.
Figure 308. Editing the ADMIN server user configuration file
13. Paste the directives from the clipboard into the configuration file.
14. Remove the leading # character from the lines containing directives as
shown in Figure 309.
Figure 309. Editing the ADMIN server user configuration file with added directives
Note that the comment section at the beginning still contains the leading #
character.
15. Click Apply to save your changes.
The application name QIBM_HTTP_SERVER_ADMIN also has to be
registered in the Digital Certificate Manager (DCM) in order to assign a
certificate to the ADMIN server instance. If you were not running the original
server’s ADMIN instance with SSL in a release prior to V5R1, you have to
enter the following command on a command line to register the application
name in DCM:
call qhttpsvr/qzhapreg parm('RegisterAppName' 'QIBM_HTTP_SERVER_ADMIN')
Note that running the command does not cause an error even if the
application name is already registered in DCM.
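One way to check the result of steps 13 to 15 before the server is stopped and started, as an added example that is not part of the original document or of IBM's tooling: it scans the text of admin-cust.conf for the SSL directives listed above. The function name, the sample text and the rule that any other active line is suspect are assumptions.

```python
KNOWN = {"LoadModule", "Listen", "SetEnv", "SSLEnable", "SSLAppName"}
APP_NAME = "QIBM_HTTP_SERVER_ADMIN"  # application name registered in DCM

def check_admin_ssl(conf_text):
    """Return a list of problems found in the SSL part of admin-cust.conf."""
    active, problems = [], []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # blank, still commented out, or an Apache container tag
        name, *args = line.split()
        if name in KNOWN:
            active.append((name, args))
        else:
            # Assumption: the file holds only the SSL block, so other active
            # text is most likely a header comment that lost its leading '#'.
            problems.append(f"line {num}: unexpected active text: {line!r}")

    def values(directive):
        return [args for name, args in active if name == directive]

    if not any(a[:1] == ["ibm_ssl_module"] for a in values("LoadModule")):
        problems.append("LoadModule ibm_ssl_module is missing or commented")
    if not values("SSLEnable"):
        problems.append("SSLEnable is missing or commented")
    if [APP_NAME] not in values("SSLAppName"):
        problems.append(f"SSLAppName {APP_NAME} is missing or commented")
    ports = {a[0] for a in values("Listen") if a}
    https = [a[1] for a in values("SetEnv") if a[:1] == ["HTTPS_PORT"] and a[1:]]
    if not https:
        problems.append("SetEnv HTTPS_PORT is missing or commented")
    elif https[0] not in ports:
        problems.append(f"HTTPS_PORT {https[0]} has no matching Listen")
    return problems

# Constructed sample: the page's block after a faulty step 14.
SAMPLE = """\
# The following directives should be added to
and uncommented in order to enable SSL for ADMIN.
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen 2001
# Listen 2010
SetEnv HTTPS_PORT 2010
SSLEnable
SSLAppName QIBM_HTTP_SERVER_ADMIN
"""

if __name__ == "__main__":
    print("\n".join(check_admin_ssl(SAMPLE)))
```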
Important
Do not restart the ADMIN server yet, unless you had enabled SSL for the
ADMIN server instance in a previous release. The server certificate must be
assigned first; otherwise, the server will fail during restart.
C.2 Assigning a server certificate to the ADMIN server
Every SSL-enabled server application needs to have a digital server
certificate assigned to it. To assign a server certificate to the ADMIN HTTP
server, perform the following steps:
1. From the AS/400 Tasks page, click Digital Certificate Manager.
2. Click Select a Certificate Store in the navigation pane.
Figure 310. Digital Certificate Manager - Select a Certificate Store window
3. Select the *SYSTEM certificate store as shown in Figure 310 and click
Continue.
4. Enter the password for the *SYSTEM certificate store and click Continue.
5. Click Fast Path and then Work with server applications in the
navigation pane.
Figure 311. Digital Certificate Manager - Work with server application window
6. Select the QIBM_HTTP_SERVER_ADMIN application as shown in
Figure 311 and click Work with Application.
Note that there is probably already a server certificate assigned to the
ADMIN server instance, if you enabled SSL for this server in a previous
release. See Figure 312 on page 424.
Figure 312. Digital Certificate Manager - Application Information window
7. From the Application Information window shown in Figure 312, click
Update Certificate Assignment.
Figure 313. Digital Certificate Manager - Update Certificate Assignment window
8. Select the server certificate you want to assign to the ADMIN server
instance as shown in Figure 313 and click Assign New Certificate. A
completion message confirms that the certificate was assigned
successfully.
For more information on assigning certificates to an application, refer to the
document Digital certificate management found in the iSeries Information
Center by clicking Security->Digital certificate management.
C.3 Activating the configuration changes
After the ADMIN server instance is configured for SSL and a server certificate
is assigned, the ADMIN server needs to be stopped and started. Restarting
the server instance will not activate the changes.
You can stop and start the server through the command line interface using
the following commands:
ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
C.4 Deactivating SSL for the ADMIN server without using the GUI
Usually the Web-based configuration interface, started through the AS/400
Tasks page, is used to configure HTTP server instances. This configuration
interface is controlled by the HTTP ADMIN server instance. In some cases
where, for example, the server certificate used by the ADMIN server has
expired or the certificate store was deleted, the ADMIN server will fail to start
with SSL initialization errors. In this case, the configuration interface via the
AS/400 Tasks page will not work and you have to manually disable SSL
support for the ADMIN server to recover from this error.
The following steps explain how to deactivate SSL support without the
configuration interface:
1. Sign on to the iSeries or AS/400 system with a user profile having enough
authority to edit the server configuration files; preferably with *ALLOBJ
special authority.
2. On the command line, enter the following command to edit the user part of
the ADMIN server configuration:
EDTF STMF('/QIBM/UserData/HTTPA/admin/conf/admin-cust.conf')
Figure 314 shows the SSL part of the configuration.