Locking Up the AS/400 HTTP server


Setting up an HTTP server to use Secure Sockets Layer (SSL) tends to be a bit complex, primarily because of the involvement of a third party that provides the digital certificate that makes the whole process work. Digital Certificate Manager (DCM) on the AS/400 does exactly what its name implies: It manages the digital certificates you choose to install and use on your AS/400 for use in SSL or other applications. Early in its life, DCM on the AS/400 picked up a reputation for being a bit difficult to operate, but, like a fine wine, DCM has improved with age.

Much of the information about DCM and about getting SSL up and running is located in the AS/400 Information Center, available on either a CD-ROM or the Internet (http://publib.boulder.ibm.com/html/as400/infocenter.htm). The HTTP Server for AS/400 Webmaster’s Guide V4R4 also contains a chapter on DCM, but the Information Center articles contain some very useful step-by-step setup instructions.

This article presents step-by-step instructions for configuring your HTTP server to use SSL in V4R4. The following example secures the *ADMIN HTTP server instance; securing other instances is fairly straightforward once the first is done.

Step 1: Start the *ADMIN Server Instance

DCM is configured by using the administrative instance of the HTTP server. The server can be started with the following command:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

The instance uses port 2001 instead of port 80, the HTTP default. You can access the AS/400 Tasks page from your browser by appending :2001 to the server name or address (i.e., http://myas400:2001). The browser will prompt for a valid AS/400 user name and password. The user ID for these tasks must have *SECADM and *ALLOBJ authority.

The initial page, AS/400 Tasks, presents two options: IBM HTTP Server for AS/400 and Digital Certificate Manager. Selecting the DCM link displays the DCM home page (Figure 1). The left side of the DCM home page contains a menu. If an item on the menu can be expanded to provide more options, there will be a drop-down arrow to the left of that item.


Step 2: Create a Certificate Authority

The first configuration task is to create a certificate authority (CA). Although a local authority is not required if you will be acquiring a certificate from a well-known CA, the creation task creates several files in the AS/400 Integrated File System (AS/400 IFS) that make up a certificate store, the place where the system stores and manages certificates. Certificate stores were known in previous releases of OS/400 as key ring files.

The create CA task also walks you through all the steps required to get at least one application completely configured, which is a useful way to get started.

Expand the Certificate Authority (CA) menu item and select Create a Certificate Authority to create the form shown in Figure 2. Fill out the required fields and click on the OK button. The Key size field should be left at its default unless you have a reason to change it; the contents of the rest of the required fields are self-explanatory.

Each certificate store requires a password when it is created. Remember it! If the password is misplaced, it will be impossible to conduct maintenance tasks on the certificate store, such as adding a new certificate or renewing one that has expired. Even then, all is not lost. The IBM AS/400 Support Line Technical Document “R440 DCM and SSL Basics” (document number 17261258) details which AS/400 IFS files you can delete to clean up and start over. Of course, you will lose any certificate information you previously stored and configured.

A confirmation page indicating that the CA was created will be displayed. Be patient; this step may take a minute or so to complete, and part of what is happening is the creation of the *SYSTEM certificate store. There is a link on the page to download the CA certificate to your browser. You do not need to select the link now; there will be opportunities later. Simply click OK to continue.

Next, the CA Policy Data page is displayed. You should change the default setting for Allow creation of user certificates from No to Yes. The balance of the field defaults is fine, so click OK.

Step 3: Associate an Application with the CA

DCM now allows the association of one or more applications with the newly created CA. Applications need to “trust” a CA and to be associated with a system certificate, which is accomplished later. Figure 3 is an example of the page that has the default applications displayed. The applications listed will be those installed on your system that support SSL encryption. A typical list will include the Client Access servers and Telnet, among other applications. The process for enabling SSL for each of those applications varies somewhat, so you will need to look at the appropriate documentation.

Check the box next to QIBM_HTTP_SERVER_ADMIN and click OK. A page is displayed that indicates the application will now trust the CA. Click OK.

Step 4: Create a System Certificate

The form in Figure 4 is now shown. Complete the form, but pay special attention to the Server name value. This value is compared with the name or address used to access the server, and, if it is not the same as what a user is using, the browser will display a message indicating there may be a problem with the certificate. Click OK once you’ve filled out at least the required fields.

Step 5: Associate an Application with the Certificate

A list of applications similar to the one you saw previously is displayed to allow the association of the newly created certificate with the application. Again, check the box next to QIBM_HTTP_SERVER_ADMIN and click OK. A status page indicating the association was successful is displayed. Click Done.


At this point, the CA and one system certificate have been created and associated with the ADMIN instance of the HTTP server. Just a couple of tasks remain, and you should be ready to go.

Step 6: Assign a Default Key to the Certificate Store

A default key must be associated with the *SYSTEM certificate store after it is first created. Expand the System Certificates menu option on the left side of the DCM page. Enter the certificate store password (did you remember it?) and click OK. Select Work with certificates from the menu. Choose the *DFTSVR certificate if it isn’t already selected and click Set default. The page will update, indicating the default key has been set.

Step 7: Set the HTTP Configuration to Use SSL

Go back to the AS/400 Tasks page and select the IBM HTTP Server for AS/400 link. Select Configuration and Administration from the menu on the left. Expand the Configurations option in the menu. Use the drop-down list to select the ADMIN configuration and select Security configuration. The form shown in Figure 5 is displayed. Make sure Allow SSL connections is checked. For the sake of demonstration, leave the SSL port setting default, 443. (Port 443 is the well-known port for SSL connections, just as port 80 is the default for nonsecure connections.) Remember that only one active server instance can use a port at any given time; you ultimately will want to change this setting so your production application can use port 443.

You could uncheck Allow HTTP connections, which prevents any unsecured connections to server instances that use this configuration. When set this way, all browser communications with the server instance will be encrypted and any attempt to connect without SSL will be rejected. A site with extreme security requirements might use this option.

Now stop and start the *ADMIN HTTP server instance. Your AS/400 should now be ready for secure communications.

Will the Lock Close?

To see if everything is working properly, try to access the AS/400 Tasks page by using the URL you used to get into the HTTP configuration manager, but, this time, enter https: in the browser URL area instead of http: (i.e., https://myas400). Do not append a port number, since you’ve chosen port 443, the default secure port.

If all is well, the browser should display a message indicating that the certificate the server is using is not from an authority it knows. Accept the certificate in whatever manner the browser requires, and the next thing you should see is the AS/400 Tasks page with the padlock or key closed. Congratulations! You are now communicating securely.
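The three things the browser weighs before it closes the padlock (the Server name from step 4 against what the user typed, the validity dates, and whether the issuer is an authority it knows) can be checked programmatically. The following is an added example, not code from the article or from DCM; the certificate dictionary is constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and the CA name "MYCORP LOCAL CA" is an assumed value.

```python
"""Checks a browser makes before it closes the padlock: does the certificate's
name match what the user typed (the DCM 'Server name' field), is the
certificate inside its validity period, and does the issuer belong to an
authority the client trusts? Works on the dictionary shape returned by
ssl.SSLSocket.getpeercert(), so it can also be run against a live server."""
import ssl
import time

# Constructed sample: a server certificate for host "myas400" issued by a
# local DCM CA; the CA name "MYCORP LOCAL CA" is an assumed value.
SAMPLE_CERT = {
    "subject": ((("commonName", "myas400"),),),
    "issuer": ((("commonName", "MYCORP LOCAL CA"),),),
    "notBefore": "Jun 15 00:00:00 1999 GMT",
    "notAfter": "Jun 15 00:00:00 2000 GMT",
    "subjectAltName": (("DNS", "myas400"), ("DNS", "myas400.mycorp.example")),
}


def cert_time(s):
    """Epoch seconds for a notBefore/notAfter string as found in a certificate."""
    return ssl.cert_time_to_seconds(s)


def cert_names(cert):
    """Names the certificate was issued for: SAN DNS entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] == "*" and len(p) > 1:
        return len(h) == len(p) and p[1:] == h[1:]
    return p == h


def check_certificate(cert, host, trusted_issuers, now=None):
    """Return a list of problems; an empty list means the padlock would close."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch: issued for %s, not %s" % (", ".join(names), host))
    if now < cert_time(cert["notBefore"]):
        problems.append("not yet valid")
    if now > cert_time(cert["notAfter"]):
        problems.append("expired on " + cert["notAfter"])
    # Name-only trust check: a real client also verifies the CA's signature,
    # which is what downloading the CA certificate from DCM makes possible.
    issuer = dict(kv for rdn in cert["issuer"] for kv in rdn).get("commonName")
    if issuer not in trusted_issuers:
        problems.append("issuer %r is not a known authority" % issuer)
    return problems
```

Accessing the server by IP address instead of the name entered in step 4 produces the same "name mismatch" result a browser reports, and an empty trusted set reproduces the "not from an authority it knows" warning.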

What’s Next?

Other HTTP server configurations can be set up to use SSL with the same procedure outlined in step 7. Remember the issue with port 443, though. After you click Apply on the form, an application ID is displayed. This application ID will now appear in DCM, where you can associate it with a CA and a server certificate.

If you don’t need a certificate from a well-known authority, simply return to DCM, expand the System certificates menu option, and select Work with secure applications. Select the application ID you saw in the HTTP Server configuration and click Work with certificate authority. Select *CERTAUTH(1), which is your internal CA, and click Trust.

Return to the Work with secure applications page, select the application ID again, and click Work with system certificate. Select the appropriate certificate and click Assign new certificate. The server instance is now ready to go once it has been stopped and restarted.


Once SSL is set up and running, very little maintenance is required other than an occasional renewal of the certificate. Certificates are issued for a specific period of time and do expire. (Remember to pay your bill.)

With the experience you’ve acquired setting up SSL in the HTTP Server, it should be relatively easy to set up other supported AS/400 applications. The key (pun intended) to it all is DCM and the digital certificate.

REFERENCES AND RELATED MATERIALS

• HTTP Server for AS/400 Webmaster’s Guide V4R4 (GC41-5434-04, CD-ROM QB3AEO04)
• IBM AS/400 Information Center Web: publib.boulder.ibm.com/html/as400/infocenter.htm
• IBM AS/400 Support Line Technical Document “R440 DCM and SSL Basics”: as400service.ibm.com (Select Search All AS/400 Databases and search for 17261258.)

Figure 1: DCM contains a menu on the left side of each page.

Figure 2: Creating a certificate authority requires just a few fields.

Figure 3: Applications are associated with CAs and certificates using an application ID.

Figure 4: The server certificate is issued for a specific server name.

Figure 5: An HTTP server configuration can accept both secure and unsecure connections.

