IBM Support

Enabling TLS for IBM Navigator for i using WebAdmin

Troubleshooting


Problem

 Navigator for i does not come enabled for TLS by default. Navigator for i running on ADMIN1 can be enabled for TLS using these steps. Other ADMIN servers can also use these steps.
 

Environment

IBM i 7.3 and later
Navigator for i - ADMIN1 application server

Resolving The Problem

You are in: IBM i Technology Updates  > Navigator for i > Documentation on Functional Areas > Enabling TLS for Navigator for i
 
Ensure you have the latest HTTP PTF Group levels for Navigator:
NOTE: Install the latest HTTP Group PTF to ensure all options for Admin1 are available on Web Admin. The following is a link to the preventative service planning page that shows the current levels:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021657#1
 
Navigator for i:
- Runs on the Admin1 HTTP server job using ports 2002 (Non-secure) and 2003 (with TLS configured)
- Non-TLS URL used to connect is http://systemname:2002/Navigator
- TLS URL is https://systemname:2003/Navigator
 
These instructions use the HTTPAdmin (Web Admin GUI) to configure TLS for the ADMIN1 application server.  These TLS configuration steps can also be performed in IBM Navigator using the Web Administration functions to enable TLS.  IBM recommends utilizing the Navigator for i wizard to Configure or Re-configure your ADMINx application servers for TLS. If Navigator for i is not available, another option is to execute the "Disable TLS" and "Configure TLS" wizards under Manage -> Application Servers -> ADMIN1 with the Heritage IBM Web Administration for i GUI using the instructions below.
 
You can enable HTTPS by either using the default Java keystore used within IBM Navigator for i or by using Digital Certificate Manager.
 
NOTE:  If you choose to use the Digital Certificate Manager *SYSTEM as your application server certificate store, you will need to update your ADMINx application server configuration with the new *SYSTEM certificate store password each time it is changed in order for TLS/HTTPS to continue to function with the ADMINx application server.

Choose ONE of the following options (either use the default JKS keystore that Admin1 (or Admin2-heritage) ship with, or use certificates within Digital Certificate Manager):

  •         Enable HTTPS using the default Java keystore

    NOTE: This option will create a new self-signed certificate to be placed in the Java keystore.

    1. Open a web browser and go to the following URL (login with your IBM i user profile):
    http://hostname:2001/HTTPAdmin

     


    2. Click Manage -> Application Servers-> select 'Admin1' (New Navigator) on Servers list

    3. Click 'Configure TLS'

    4. Click Next on Step 1:

    image-20220620132206-1

    5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):
    image-20220620132445-2

    6. Configure 'inav_key.jks' as the keystore on Step 3:
    image-20220620132649-3

    7. This will prompt to create the new keystore and set the password:
    image-20220620133721-5
     
    8. Select 'Default Ciphers' and click 'Next' on Step 8:
    image-20220620134118-7

    9. Select the restart server style you like on Step 9:
    image-20220620134040-6

    10. Confirm the information and click Finish on the last step:
    image-20220620134306-10

    Once the server has been restarted and user can connect via the following URL (using port specified above in configuration)
     
    New Navigator:
    https://hostname:2003/Navigator
    Heritage Navigator:
    https://hostname:2005/ibm/console/logon.jsp

     

  • Enable HTTPS using the Digital Certificate Manager *SYSTEM keystore

    • Issue a new self-signed certificate



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin

       


      2. Click Manage -> Application Servers-> select 'Admin1' (New Navigator) on Servers list

      3. Click 'Configure TLS'

      4. Click Next on Step 1:
      image-20220620132206-1

      5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):
      image-20220620132445-2

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':
      image-20220620134538-11

      7. Specify the password of the *SYSTEM store:
      image-20220620134618-12


      8. Select 'Issue a new self-signed certificate' and click 'Next'
      image-20220620134726-14

      9. Select ' Default ciphers' and click 'Next'
      image-20220620134903-16

      10. Select your restart option and click Next:
      image-20220620135059-17

       
      11. You will be presented a summary screen of your choices. Click Finish.  The server will be restarted and user should connect via the following URL.
       
      Heritage Navigator for i:
      https://hostname:2005/ibm/console/logon.jsp
       
      Navigator for i:
      https://hostname:2003/Navigator





    • Select an existing certificate from the *SYSTEM keystore



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin

       


      2. Click Manage -> Application Servers-> select 'Admin1' (Navigator for i) on Servers list

      3. Click 'Configure TLS'

      4. Click Next on Step 1:
      image-20220620132206-1

      5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):
      image-20220620132445-2

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':
      image-20220620134538-11

      7. Specify the password of the *SYSTEM store:
      image-20220620134618-12

      8. Select 'Select existing certificate from the keystore', then choose an existing certificate from the drop down (avoid certificates with an * at the end, these are expired) on Step 6 -> click 'Next'

      image-20220620135754-18

      9. Select 'No trust certificate to import' on Step 7 -> click 'Next'

      image-20220620135932-19

      10. Select 'Default ciphers' on Step 8 and click Next:
       
      image-20220620140029-21
       
      11. Select your restart option and click Next:
       
      image-20220620135059-17
      12. You will be presented with a summary of your choices.  Confirm the information and click Finish on the last step
      The server will be restarted and user should connect via the following URL.
       
      Heritage Navigator:
      https://hostname:2005/ibm/console/logon.jsp
       
      New Navigator:
      https://hostname:2003/Navigator


    NOTE: To prevent an TLS warning regarding the certificate not being trusted in the browser a certificate from a well-known Certificate Authority can be used

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CH1AAM","label":"IBM Navigator for i"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions"}]

Document Information

Modified date:
11 November 2025

UID

ibm17166029

Page Feedback