IBM Navigator for i consists of the GUI managing node and a number of different endpoints. TLS encryption provides options to secure each of these endpoints.
Figure 1. Encrypting Each Endpoint for IBM Navigator
In this diagram, the IBM Navigator GUI runs on the IBM i node shown in the middle. TLS encryption can be configured on the connections on both sides of that node.
Users Browser Connection to the Navigator GUI Application
The Navigator application runs on an IBM i node in the ADMIN1 *IAS job. The ADMIN1 job is an IBM Liberty web application instance that ships with the IBM i operating system. By default, ADMIN1 uses the non-TLS port 2002 with the URL http://hostname:2002/Navigator.
It is recommended that you configure encryption for this ADMIN1 job. Configuring an *IAS server is easily accomplished by leveraging the TLS Security wizard that is included in the IBM Web Administration for i GUI interface. Details on how to access and use this wizard can be found at:
Note: The instructions reference the ADMIN2 server, where the Heritage Navigator for i runs. The new Navigator interface runs in the ADMIN1 server. Be sure to select ADMIN1 where instructed to select a server. Once TLS has been configured for ADMIN1, the default TLS port will be 2003 with URL https://hostname:2003/Navigator.
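One way to confirm the result of the wizard from a workstation, shown as an added example that is not IBM code. It assumes you supply the ADMIN1 hostname and a PEM file holding the CA that issued the ADMIN1 certificate; the function names and the 30-day renewal threshold are hypothetical choices for this example.

```python
import socket
import ssl
import time

HTTP_PORT, HTTPS_PORT = 2002, 2003  # ADMIN1 defaults given on this page

def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verified_not_after(host, cafile, port=HTTPS_PORT, timeout=5.0):
    """Handshake with chain and hostname verification against cafile.
    Returns the certificate's notAfter string, or None on any failure
    (port closed, untrusted chain, hostname mismatch, expired certificate)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None

def assess(plain_open, not_after, now, warn_days=30):
    """Turn probe results into (level, message) findings. No network access."""
    findings = []
    if not_after is None:
        findings.append(("FAIL", f"no verified TLS handshake on port {HTTPS_PORT}"))
    else:
        days = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
        level = "FAIL" if days < 0 else "WARN" if days < warn_days else "OK"
        findings.append((level, f"certificate notAfter {not_after} ({days} days left)"))
    if plain_open:
        findings.append(("INFO", f"port {HTTP_PORT} accepts unencrypted connections"))
    return findings

def check_admin1(host, cafile):
    """Probe both ADMIN1 ports on host and report findings."""
    return assess(port_open(host, HTTP_PORT),
                  verified_not_after(host, cafile), time.time())

if __name__ == "__main__":
    import sys
    for level, msg in check_admin1(sys.argv[1], sys.argv[2]):  # hostname, CA PEM path
        print(f"{level}: {msg}")
```

A FAIL on port 2003 while port 2002 still answers means browsers can still reach Navigator only over the unencrypted URL.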
Connection from the Navigator to the IBM i endpoint node
IBM Navigator is designed to provide a single pane where you can monitor and manage many IBM i endpoint nodes. The IBM Navigator leverages the Java™ toolbox to establish the connection between the Navigator application and each endpoint. Each request is handled on the endpoint IBM i by the IBM i Host servers. For an encrypted connection to be made between the Navigator application and an IBM i endpoint, the Host servers on that endpoint must be configured with a digital certificate. Details on how to configure a digital certificate for the host servers can be found at
Once the host servers are configured with a digital certificate, the connection between the Navigator application and the endpoint can be established.
To establish an encrypted connection, under the Serviceability menu click Connection Properties.
Figure 2. Connection Properties
Click the TLS Connection tab.
The TLS Connection table shows the list of IBM i endpoint nodes that were previously established and their current encryption connection method. To enable encryption to an endpoint node, toggle the TLS Enablement switch to On. The Navigator application then attempts to establish an encrypted connection. If the host servers are properly configured with a digital certificate, this certificate is passed back to the Navigator application. The user needs to accept this certificate and the Navigator application saves this certificate into the Web Application Certificate store.
Figure 3. The user needs to accept this certificate
Click the Accept button. To save and enable this secure connection, click the Save button at the end of the table on the Web Interface Trust Store page.
Figure 4. To save and enable this secure connection, click the Save button at the end of the table on the Web Interface TrustStore page.
Once the certificate is accepted and stored in the Web Trust Store, this and all future connections to this endpoint node are made by using an encrypted connection.
Figure 5. Secure connection being used
From the list view of the dashboard, you can see that the secure connection is used.
To manage the certificates in the Web TrustStore, click the IBM i Web Interface TrustStore tab before the list of IBM i endpoint nodes.
Figure 6. Connection Properties: TLS Connection-Web Trust Store tab
Manage the certificates with this interface. You can also renew the certificates once they are expired.
Serviceability
Access to the Serviceability section is denied by default. Only user profiles with *ALLOBJ special authority are able to see this section by default. Normal user profiles need to be added to the QIBM_NAV_SERVICEABILITY function ID.