Setting up TLS Encryption

There are multiple connection points in IBM Navigator for i to consider. Each can (and should) be encrypted to ensure the highest levels of security.

IBM Navigator for i supports full end-to-end encryption with TLS.


Encrypting Each Endpoint for IBM Navigator

IBM Navigator for i consists of the GUI managing node and a number of different endpoints. TLS encryption provides options to secure each of these endpoints.

Figure 1. Encrypting Each Endpoint for IBM Navigator

In this diagram, the IBM Navigator GUI interface is running on the IBM i node shown in the middle of the diagram. Users have the ability to configure TLS Encryption on the connections for both sides.

Users Browser Connection to the Navigator GUI Application

The Navigator application runs on an IBM i node in the ADMIN1 *IAS job. The ADMIN1 job is an IBM Liberty web application instance that ships with the IBM i operating system. By default, ADMIN1 uses the non-TLS port 2002 with the URL http://hostname:2002/Navigator.

It is recommended that you configure encryption for this ADMIN1 job. Configuring an *IAS server is easily accomplished by leveraging the TLS Security wizard that is included in the IBM Web Administration for i GUI interface. Details on how to access and use this wizard can be found at:

Enabling SSL/TLS for IBM Navigator for i

Note: The instructions reference the ADMIN2 server, on which Heritage Navigator for i runs. The new Navigator interface runs in the ADMIN1 server, so be sure to select ADMIN1 where the instructions tell you to select a server. Once TLS has been configured for ADMIN1, the default TLS port is 2003 with the URL https://hostname:2003/Navigator.

Connection from the Navigator to the IBM i endpoint node

IBM Navigator is designed to provide a single pane from which you can monitor and manage many IBM i endpoint nodes. The IBM Navigator leverages the Java™ toolbox to establish the connection between the Navigator application and each endpoint. Each request is handled on the endpoint IBM i by the IBM i Host servers. For an encrypted connection to be made between the Navigator application and an IBM i endpoint, the Host servers on that endpoint must be configured with a digital certificate. Details on how to configure a digital certificate for the host servers can be found at:

Enable Encryption for IBM i Host Server

Once the host servers are configured with a digital certificate, the connection between the Navigator application and the endpoint can be established.

To establish an encrypted connection, under the Serviceability menu click Connection Properties.

Figure 2. Connection Properties

Click the TLS Connection tab.

The TLS Connection table shows the list of IBM i endpoint nodes that were previously established and their current encryption connection method. To enable encryption to an endpoint node, toggle the TLS Enablement switch to On. The Navigator application then attempts to establish an encrypted connection. If the host servers are properly configured with a Digital Certificate, this certificate is passed back to the Navigator application. The user needs to accept this certificate and the Navigator Application saves this certificate into the Web Application Certificate store.

Figure 3. The user needs to accept this certificate

Click the Accept button. To save and enable this secure connection, click the Save button at the end of the table on the Web Interface Trust Store page.

Figure 4. To save and enable this secure connection, click the Save button at the end of the table on the Web Interface TrustStore page.

Once the certificate is accepted and stored in the Web Trust Store, this and all future connections to this endpoint node are made by using an encrypted connection.
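The accept step above is a trust-on-first-use decision: whatever certificate the endpoint's host servers present is stored in the Web Trust Store and used for every later connection. The following added example (not part of the original page or of IBM's Navigator code) shows the checks a practitioner would run before clicking Accept, and the same checks applied to the ADMIN1 TLS endpoint described earlier: connect over TLS with validation left on, compute the SHA-256 fingerprint of the presented certificate so it can be compared with the certificate installed on the endpoint, and evaluate validity dates and subject alternative names against the hostname. The ports 2002 and 2003 come from this page; the hostnames and the sample certificate dictionary are constructed for the example.

```python
"""Pre-acceptance checks for certificates presented by IBM Navigator for i endpoints.

Added example: the hostname values and SAMPLE_CERT are constructed, not taken
from a real system. Ports 2002 (non-TLS) and 2003 (TLS) are the ADMIN1 defaults
named on the page.
"""
import hashlib
import socket
import ssl
import time
from typing import List, Optional

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "ibmi.example.com"),),),
    "subjectAltName": (("DNS", "ibmi.example.com"), ("DNS", "*.lab.example.com")),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2027 GMT",
}


def fingerprint_sha256(der_bytes: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form DCM and browsers display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a subjectAltName DNS entry: exact, or a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".lab.example.com"
        if not hostname.endswith(suffix):
            return False
        leading = hostname[:-len(suffix)]         # the label the wildcard stands for
        return leading != "" and "." not in leading
    return False


def check_certificate(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means the certificate passes.

    `cert` uses getpeercert() layout: 'subjectAltName' is a tuple of (type, value)
    pairs, 'notBefore'/'notAfter' are OpenSSL "Mon DD HH:MM:SS YYYY GMT" strings.
    """
    problems: List[str] = []
    now = time.time() if now is None else now
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        return ["validity period missing or unparseable"]
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        problems.append("no DNS subjectAltName entries")
    elif not any(_dns_name_matches(name, hostname) for name in names):
        problems.append(f"hostname {hostname!r} is not covered by subjectAltName {names}")
    return problems


def fetch_peer_certificate(hostname: str, port: int = 2003, timeout: float = 5.0):
    """Connect to a TLS port and return (cert_dict, der_bytes, negotiated_version).

    Certificate validation stays ON: if the endpoint's certificate is not issued
    by a CA this client trusts, ssl.SSLCertVerificationError is raised, and that
    is itself the finding. Needs network access, so the tests do not call it.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True), tls.version()


def plaintext_port_open(hostname: str, port: int = 2002, timeout: float = 3.0) -> bool:
    """Report whether the non-TLS Navigator port still accepts TCP connections."""
    try:
        with socket.create_connection((hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(check_certificate(SAMPLE_CERT, "ibmi.example.com"))      # [] while within validity
    print(check_certificate(SAMPLE_CERT, "other.example.com"))     # hostname mismatch
    # Live checks (replace the hostname with your ADMIN1 or endpoint node):
    # cert, der, version = fetch_peer_certificate("ibmi.example.com", 2003)
    # print(version, fingerprint_sha256(der), check_certificate(cert, "ibmi.example.com"))
    # print("plain port 2002 open:", plaintext_port_open("ibmi.example.com"))
```

Run the live part against the endpoint node's host-server port or the ADMIN1 port 2003, then compare the printed fingerprint with the certificate assigned to those servers on the endpoint before accepting it in the Navigator dialog. A mismatch, or a validation error from fetch_peer_certificate, means the certificate should not be saved into the Web Trust Store until the cause is understood.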

Figure 5. Secure connection being used

From the list view of the dashboard, you can see that the secure connection is used.

To manage the certificates in the Web TrustStore, click the IBM i Web Interface TrustStore tab before the list of IBM i endpoint nodes.

Figure 6. Connection Properties: TLS Connection-Web Trust Store tab

Manage the certificates with this interface. You can also renew the certificates once they are expired.

Serviceability

Access to the Serviceability section is denied by default. Only user profiles with *ALLOBJ special authority can see this section without further configuration; other user profiles must be granted usage of the QIBM_NAV_SERVICEABILITY function ID.

For more information, see Function Usage IDs