IBM Support

Enable Apache HTTP for SSL

Troubleshooting


Problem

This document shows how to enable an Apache HTTP server to use SSL on port 443 and non-SSL on port 80.

Resolving The Problem

To enable port 443 to use SSL while port 80 remains non-SSL, do the following. (To have an associated WebSphere Application Server accept port 443, read Rochester Support Center document N1013078, How to Enable Websphere Application Server to Accept SSL Connections from HTTP.)

Step 1: In the HTTP Admin in the IBM Web Administration for i5/OS, go to your instance. The one in the following example is called MWSSL. After connecting the browser to port 2001 and logging on, select the HTTP servers tab, and then select the Server in question in the pull-down.

Web Administration, Manage TAB. In the left pane are the available options. In the right pane the configuration is displayed because it was selected in the left pane for the server name in the pulldown which is at the top of the panes.

Step 2: In the left pane, go to Server Properties > General Server Configuration.

Same as above but General server configuration under Server properties was selected in the left pane. This shows the tabs General settings, Welcome pages, Configuration includes, Advanced, and fields for entering parameter values.

Step 3: In the right pane, click the Add button under Server and IP addresses and ports to listen on. Then add port 443 under port 80. Leave the FRCA column disabled because FRCA does not work with SSL.

This shows a new field popup after clicking the ADD button in the right pane.

Step 4: Click Continue.

Step 5: Click Apply.

Step 6: The next steps will create the Virtual Host for port 443 so that port 443 will be SSL-enabled and leave port 80 as non-SSL. In the left pane, go to Server Properties > Virtual Hosts.

This picture shows the right pane "Virtual hosts" after selecting Virtual hosts under Server properties in the left pane.

Step 7: Click on the IP-based tab.

This shows the picture that is displayed after clicking the TAB "IP-based" in the right pane. It displays an example for adding IP address and Hostname to a virtual host container and the ADD button.

Step 8: Click on the Add button in the right pane under Virtual host containers. In the drop-down box under IP address or Hostname, click All IP addresses; this creates an asterisk (*) in the left box. For the Port, type 443 for the SSL port.

This picture shows the values for IP address and port after selecting "All IP addresses" and port 443 in the drop-down box.

Step 9: Click Continue.

Step 10: Click Apply.

Step 11: The next steps will enable the Virtual Host container to be SSL-enabled. In the upper right of the browser in the Server Area box, click the drop-down arrow and select Virtual Host *:443.

This is a partial display of the Web Administration showing the status, Server pulldown, and Server area pulldown. In this Server area drop-down you can now select the Virtual Host you just created.

Step 12: In the left pane, click Security; in the right pane, click the SSL with Certificate Authentication tab.

This is the full picture again of the Web Administration showing Security in the right pane after selecting it in the left pane. It has the following tabs: Authentication, Control access, SSL proxy, SSL proxy advanced, etc.

Step 13: In the right pane, select Enabled for the SSL drop-down.

This is the new field that pops up after selecting SSL with Certificate Authentication. The new field is a drop-down box to enable SSL and fields to enter the SSL application name.

Step 14: Next to Server certificate application name, click the drop-down arrow and select the appropriate name. By default, it is QIBM_HTTP_SERVER_"Instance Name"; for this example, it is QIBM_HTTP_SERVER_MWSSL.

Same as above but with SSL application name entered.

Step 15: Slide down in this same screen to the HTTPS_PORT environment variable and type 443 for your SSL port.

Same as above after sliding down showing additional options for Client certificates and the SSL Port environment variable.

Step 16: Click Apply.

Step 17: Go to Digital Certificate Manager (http://systemname:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0) and sign on to the *SYSTEM store.

Step 18: Click Work with server applications under Fast Path on the left menu. You will see your application ID; it is the same name as your SSLAppName from the HTTP configuration. In this sample it is QIBM_HTTP_SERVER_MWSSL.

Digital Certificate Manager: the left pane shows the available options, and the right pane shows all server applications, as selected in the left pane. The application name that was created in the previous steps is shown at the bottom of the list.

Step 19: Select the button beside your Application, and then click the Work With Application button.

Step 20: Click the Update Certificate Assignment button.

This is a partial display of the selected Update Certificate Assignment option, showing CRL checking and the "Certificate assigned" field with None assigned at the moment, and the button "Update Certificate Assignment" at the bottom.

Step 21: Select the certificate that you want to assign to the application.

This is a partial display showing an example of a certificate to be assigned to the application ID you created in the previous steps. The APP ID shows at the top of the right pane.

Step 22: Click the Assign New Certificate button.

Step 23: Go back into IBM Web Administration for i5/OS and end and restart the instance.

Web Administration. The left pane displays the available options, and the right pane shows "Display configuration file". Above that, the picture shows the server status with buttons to start, restart, stop, and refresh, then the Server pulldown with your server name.

Note: The internet Web links referred to below are not actual links; they are only examples shown in the screen above.

Step 24: After the instance is active, you can access port 80 using non-SSL. In this sample, the URL is http://rchask60/. Then you can also access port 443; by default, you do not need to specify port 443 because it is the well-known port for HTTP SSL: https://rchask60/.

If you use a port other than 443 for SSL, then you must specify it in the browser. For example, if you use port 449, then specify https://rchask60:449/.
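The following check is an added example, not part of the IBM document: it parses a copy of the instance's configuration (as shown under "Display configuration file") and reports where it departs from the layout Steps 1 through 16 build. The sample configuration is constructed, and the directive spellings in it (Listen with an optional FRCA keyword, SSLEngine, SSLAppName, SetEnv HTTPS_PORT) are assumptions about what the wizard writes, as is the function name check_ssl_config.

```python
import re

# Constructed sample of what Steps 1-16 should leave in the instance's
# configuration; directive spellings are assumptions, not taken from the page.
SAMPLE_CONF = """\
Listen *:80
Listen *:443
<VirtualHost *:443>
    SSLEngine On
    SSLAppName QIBM_HTTP_SERVER_MWSSL
    SetEnv HTTPS_PORT 443
</VirtualHost>
"""

def check_ssl_config(conf, ssl_port=443, plain_port=80):
    """Return a list of findings; an empty list means the layout matches."""
    listens = {}         # port -> True when the Listen line carries FRCA
    scopes = {None: {}}  # None = server scope, else vhost port -> directives
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", line, re.I)
        if opened:
            current = int(opened.group(1))
            scopes.setdefault(current, {})
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            parts = line.split()
            key = parts[0].lower()
            if key == "listen" and len(parts) > 1:
                port = int(parts[1].rsplit(":", 1)[-1])
                listens[port] = "FRCA" in [p.upper() for p in parts[2:]]
            elif key == "setenv" and len(parts) > 2:
                scopes[current]["setenv " + parts[1]] = parts[2]
            else:
                scopes[current][key] = " ".join(parts[1:])
    vhost = scopes.get(ssl_port, {})
    checks = [
        (plain_port in listens, f"no Listen for port {plain_port}"),
        (ssl_port in listens, f"no Listen for port {ssl_port}"),
        (not listens.get(ssl_port), f"FRCA enabled on SSL port {ssl_port}"),
        (vhost.get("sslengine", "").lower() == "on", "SSLEngine not On in the SSL virtual host"),
        (bool(vhost.get("sslappname")), "no SSLAppName in the SSL virtual host"),
        (vhost.get("setenv HTTPS_PORT") == str(ssl_port), "HTTPS_PORT does not match the SSL port"),
        (scopes[None].get("sslengine", "").lower() != "on", f"SSLEngine On at server scope also covers port {plain_port}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

For an SSL port other than 443, pass it as ssl_port so the virtual host and HTTPS_PORT are checked against the same value.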


HTTP SERVER FOR I5/OS (5761DG100)


Historical Number

480168544

Document Information

Modified date:
17 June 2018

UID

nas8N1018776