IBM Support

Enabling TLS for IBM Navigator for i

Troubleshooting


Problem

 Navigator for i does not come enabled for TLS by default. Navigator for i running on ADMIN1 can be enabled for TLS using these steps. Other servers can also use the wizard.

Environment

IBM i 7.3 and later
Navigator for i - ADMIN1 application server

Resolving The Problem

Enabling TLS for Navigator for i:
There are two main steps to configuring and using secure connections for IBM Navigator for i:
  1. TLS Wizard - Configure TLS to use a secure port to the Admin1 server
  2. Enabling secure connections - Turn on secure connections so all connections between your GUI node and any managed node (including the managed node) will use TLS.

TLS Wizard
 
Navigator for i can be configured to use TLS using the Network -> Web Administration -> Application Servers -> ADMIN1 -> Configure TLS wizard in Navigator for i.  The Navigator for i application server Configure TLS wizard is now available with the IBM i HTTP group update approved in 2024.  IBM recommends utilizing the Navigator for i wizard to Configure or Re-configure your ADMINx application servers for TLS.  If Navigator for i is not available, another option is to execute the "Disable TLS" and "Configure TLS" wizards under Manage -> Application Servers -> ADMIN1 with the Heritage IBM Web Administration for i GUI using these steps.
 
Make sure you are running with the latest HTTP group PTF levels.  The following is a link to the preventative service planning page that shows the current levels:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021657#1
 
Navigator for i:
- Runs on the Admin1 HTTP server job using ports 2002 (Non-secure) and 2003 (with TLS configured)
- Non-TLS URL used to connect is http://hostName:2002/Navigator
- TLS URL is https://hostName:2003/Navigator
 
You can enable HTTPS by either using an existing certificate store or by using the Digital Certificate Manager *SYSTEM store.
 
Configure TLS to use a secure port
 
  • Before you launch TLS Wizard:

    The selected certificate store must contain a valid certificate. Users can create CMS certificate stores and self-signed certificates in Digital Certificate Manager (DCM). DCM can be launched from Navigator at Bookmarks > DCM.
     
    Configuring the certificate store table ahead of time can save a lot of time when doing multiple TLS configurations, and can help users keep an inventory of the certificate stores on their IBM i.  This can be found in Navigator at Network > Web Administration > Certificate Stores
     
    The ports will be auto-defaulted in an upcoming release of Navigator.  Until then, use these recommended port numbers:

    Ports:    Non TLS    TLS
    ADMIN1    2002       2003
    ADMIN2    2004       2005
    ADMIN3    2006       2007
    ADMIN5    2011       2012

  • Launch TLS Wizard:

    1. Click Network > Web Administration > Application Servers
     
    Screenshot of side navigation getting to the Application Servers table
     
    2. Select Admin1 on Application Servers list, right-click and select Configure TLS Wizard

    Screenshot of using the actions menu from Admin1 to select Configure TLS Wizard


    3. Set TLS protocol. Also select if the Non-TLS port should be disabled after the wizard. Click Next
     
    Screenshot of the first step of the Configure TLS Wizard - Basic Configuration
     
    4. Select your intended certificate store
     
    4A. Using the DCM *SYSTEM Store:
    Screenshot of certificate store selection
     
    4B. Specify a path to the certificate store:
    Screenshot of specifying certificate store path
     
    4C. Select using the certificate store table:
    Note: Certificate stores can be added to the table in Network > Web Administration > Certificate Stores . This process is meant to simplify the use of certificate stores other than the *SYSTEM store. 
     
    Screenshot of certificate store selection using the certificate store table
     

    5. This will prompt the user to enter the certificate store password:
     
    Screenshot of certificate password step
     
    6. Select an existing certificate from the searchable drop-down list populated from the certificate store location provided. On this step Navigator will check that the certificate is valid for hostname verification. This step also informs the user of the certificate's expiry date. There are also warnings if the certificate is expired, or will expire in the next 2 weeks.
    Screenshot of certificate selection step
     
    7. Select Default Ciphers and click Next

    Screenshot of Cipher selection step

    8. Step 7: Confirm the information and click Finish

    Screenshot of summary step
  • For Admin1, enter the following on your 5250 session:
    > ENDTCPSVR *IAS INSTANCE(ADMIN1)
    > WRKACTJOB - check and verify that ADMIN1 is ended before the next command
    > STRTCPSVR *IAS INSTANCE(ADMIN1)

  • Once the server has been restarted, a user can connect to Navigator with the following URL (using port specified above in configuration):
    https://hostname:2003/Navigator
 


    NOTE: To prevent a TLS warning regarding the certificate not being trusted in the browser, a certificate from a well-known Certificate Authority should be used.
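
    An added example, not part of the IBM document: a workstation-side check to run after the restart. It connects to the TLS port with the system trust store and hostname verification on, applies the same two-week expiry window the wizard warns about, and reports whether the non-TLS port still answers. The function names are assumptions of this example; ports 2003 and 2002 are the ADMIN1 values from the table above.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=14)  # the two-week expiry warning the wizard gives

def expiry_status(not_after, now):
    """Classify a notAfter string in the format ssl.getpeercert() returns."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if expires <= now:
        return "expired"
    return "expiring" if expires - now <= WARN_WINDOW else "ok"

def probe_tls(host, port=2003, timeout=5):
    """Handshake using the system trust store with hostname verification on."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "not_after": tls.getpeercert()["notAfter"]}
    except ssl.SSLCertVerificationError as exc:  # untrusted CA, name mismatch, expired
        return {"ok": False, "error": f"certificate rejected: {exc.verify_message}"}
    except OSError as exc:  # refused, timed out, or another handshake failure
        return {"ok": False, "error": f"connection failed: {exc}"}

def port_open(host, port=2002, timeout=3):
    """True if a plain TCP connection to the non-TLS port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(tls, plain_open, now):
    """Turn probe results into a list of findings; an empty list means clean."""
    findings = []
    if not tls["ok"]:
        findings.append("TLS port: " + tls["error"])
    elif expiry_status(tls["not_after"], now) != "ok":
        status = expiry_status(tls["not_after"], now)
        findings.append(f"certificate {status}: {tls['not_after']}")
    if plain_open:
        findings.append("non-TLS port still accepts connections")
    return findings

if __name__ == "__main__" and len(sys.argv) == 2:  # live check: pass the host name
    host, now = sys.argv[1], datetime.now(timezone.utc)
    print("\n".join(assess(probe_tls(host), port_open(host), now)) or "no findings")
```

    A self-signed certificate created in DCM is reported as rejected here for the same reason the browser warns about it; the open non-TLS port is expected until that port is disabled.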


Enabling Secure Connections
Turn on TLS Connections
 
Go to Serviceability > Connection Properties and select the TLS Connection tab.
Test or set TLS Enablement.
 
Before non-secure ports are disabled, an administrator should turn on Global TLS by setting "Use TLS for All Users".  
 

 


Document Information

Modified date:
11 November 2025

UID

nas8N1021834