Configuring SSL for ADMIN wizard

The IBM® Web Administration for i interface provides the Configure SSL for ADMIN wizard to configure Secure Sockets Layer (SSL) for the ADMIN server. SSL has become an industry standard for enabling applications for secure communication sessions over an unprotected network, such as the Internet.

The ADMIN server runs all of the programs listed on the IBM i Tasks page (http://[your_isystem]:2001) including the Web Administration for i and the Digital Certificate Manager (DCM). By default, the ADMIN server listens on a non-SSL (non-secure) connection over port 2001. If you want to configure the ADMIN server to use secure communications over SSL, but lack experience with DCM and SSL, the wizard simplifies the process and removes the need to manually edit the ADMIN server configuration.

The Configure SSL for ADMIN wizard updates the ADMIN server configuration file to enable SSL on port 2010; optionally, port 2001 may be left enabled for non-SSL traffic. The wizard uses the Digital Certificate Manager to issue a digital certificate, associates the certificate with the ADMIN server, and restarts the ADMIN server. The restart of the ADMIN server usually takes about one minute. While the restart is being performed, the Web Administration for i interface is unavailable.

Secure Sockets Layer and digital certificates

SSL is actually two protocols: the record protocol and the handshake protocol. The record protocol controls the flow of the data between the two endpoints of an SSL session.

The handshake protocol authenticates one or both endpoints of the SSL session and establishes a unique symmetric key used to generate keys to encrypt and decrypt data for that SSL session. SSL uses asymmetric cryptography, digital certificates, and SSL handshake flows to authenticate one or both endpoints of an SSL session. Typically, SSL authenticates the server. Optionally, SSL authenticates the client; however, this wizard only authenticates the server, not the client. A digital certificate, issued by a Certificate Authority, can be assigned to each of the endpoints or to the applications using SSL on each endpoint of the connection.

A digital certificate is an electronic credential that you can use to establish proof of identity in an electronic transaction. IBM i provides extensive digital certificate support that allows you to use digital certificates as credentials in a number of security applications. In addition to using certificates to configure SSL, you can use them as credentials for client authentication in both SSL and virtual private network (VPN) transactions. Also, you can use digital certificates and their associated security keys to sign objects. Signing objects allows you to detect changes or possible tampering to object contents by verifying signatures on the objects to ensure their integrity.

Capitalizing on the IBM i support for certificates is easy when you use Digital Certificate Manager (DCM), a free feature, to centrally manage certificates for your applications. DCM allows you to manage certificates that you obtain from any Certificate Authority (CA). Also, you can use DCM to create and operate your own Local CA to issue private certificates to applications and users in your organization.

The digital certificate consists of a public key and some identifying information that a trusted Certificate Authority (CA) has digitally signed. Each public key has an associated private key. The private key is not stored with or as part of the certificate. In both server and client authentication, the endpoint that is being authenticated must prove that it has access to the private key associated with the public key contained within the digital certificate.

Prerequisites and assumptions

The Configure SSL for ADMIN wizard requires a user profile with *ALLOBJ and *SECADM special authorities and Digital Certificate Manager installed on your system.

Start the Configure SSL for ADMIN wizard

The Configure SSL for ADMIN wizard can be started from the Web Administration for i interface:
  1. Access the IBM Web Administration for i from your browser. For information about how to access the Web Administration for i interface, see Starting Web Administration for i.
  2. From the IBM Web Administration for i interface, select the ADMIN-Apache server.
  3. In the navigation pane, expand HTTP Tasks and Wizards, and select Configure SSL for ADMIN.
    Note: If Configure SSL for ADMIN is not displayed in the navigation pane, either the latest IBM HTTP Server for i (5770-DG1) PTF group has not been properly installed, or the ADMIN server has not been selected.

The Configure SSL for ADMIN welcome page displays. Click Next to begin the wizard. After the updates are made, the wizard restarts the ADMIN server. The ADMIN server can then be accessed securely at https://[your_isystem]:2010/HTTPAdmin.
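After the wizard has restarted the ADMIN server, the result can be checked from an administrator's workstation. The following Python script is an added example, not part of the IBM documentation: it performs a verified handshake on port 2010 and reports whether port 2001 still accepts non-SSL connections. The function names and the optional CA file argument are assumptions of this example; the CA file is assumed to be a PEM export of the issuing CA certificate, needed when that CA is not in the workstation's default trust store.

```python
import socket
import ssl
import sys

SSL_PORT = 2010    # port the wizard enables for SSL (from the page)
PLAIN_PORT = 2001  # default non-SSL ADMIN port (from the page)

def port_open(host, port, timeout=5.0):
    """Return True if a plain TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_check(host, port=SSL_PORT, cafile=None, timeout=5.0):
    """Handshake with certificate-chain and host-name verification enabled.

    cafile: PEM file holding the issuing CA certificate (assumption: exported
    beforehand when the CA is not in the workstation's default trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "error": None}
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return {"ok": False, "protocol": None, "error": str(exc) or repr(exc)}

def assess(tls, plain_open):
    """Turn the two probe results into a list of findings (empty = clean)."""
    findings = []
    if not tls["ok"]:
        findings.append(f"port {SSL_PORT}: verified handshake failed: {tls['error']}")
    if plain_open:
        findings.append(f"port {PLAIN_PORT}: still accepts non-SSL connections")
    return findings

if __name__ == "__main__":
    host = sys.argv[1]  # the system's host name as it appears in the certificate
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    tls = tls_check(host, cafile=ca)
    print("negotiated protocol:", tls["protocol"])
    for line in assess(tls, port_open(host, PLAIN_PORT)) or ["no findings"]:
        print(line)
```

A finding for port 2001 is expected if the option to leave it enabled for non-SSL traffic was chosen in the wizard; a handshake failure that mentions certificate verification usually means the issuing CA certificate was not supplied as the second argument.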