IBM Support

Enabling TLS for IBM Navigator for i using WebAdmin

Troubleshooting


Problem

Navigator for i does not come enabled for TLS by default. Navigator for i running on ADMIN1 can be enabled for TLS using these steps. Other ADMIN servers can also use these steps.

Environment

IBM i 7.3 and later
Navigator for i - ADMIN1 application server

Resolving The Problem


Ensure you have the latest HTTP PTF Group levels for Navigator:
NOTE: Install the latest HTTP Group PTF to ensure all options for Admin1 are available in Web Admin. The following link goes to the preventive service planning page that shows the current levels:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021657#1

Navigator for i:
- Runs on the Admin1 HTTP server job using ports 2002 (Non-secure) and 2003 (with TLS configured)
- Non-TLS URL used to connect is http://systemname:2002/Navigator
- TLS URL is https://systemname:2003/Navigator
 
These instructions use the HTTPAdmin (Web Admin GUI).  The steps can also be performed in IBM Navigator using the Web Administration functions to enable TLS.

You can enable HTTPS by either using the default Java keystore used within IBM Navigator for i or by using Digital Certificate Manager.

Choose ONE of the following options (either use the default JKS keystore that Admin1 (or Admin2-heritage) ships with, or use certificates within Digital Certificate Manager):

  • Enable HTTPS using the default Java keystore

    NOTE: This option will create a new self-signed certificate to be placed in the Java keystore.

    1. Open a web browser and go to the following URL (login with your IBM i user profile):
    http://hostname:2001/HTTPAdmin


    2. Click Manage -> Application Servers -> select 'Admin1' (New Navigator) on the Servers list.

    3. Click 'Configure TLS'.

    4. Click Next on Step 1.

    5. On Step 2, configure the port and protocol and whether to also enable HTTP (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends).

    6. Configure 'inav_key.jks' as the keystore on Step 3.

    7. You are prompted to create the new keystore and set its password.

    8. Select 'Default Ciphers' and click 'Next' on Step 8.

    9. Select the server restart option you prefer on Step 9.

    10. Confirm the information and click Finish on the last step.

    Once the server has been restarted, users can connect via the following URLs (using the port specified above in the configuration):

    New Navigator:
    https://hostname:2003/Navigator
    Heritage Navigator:
    https://hostname:2005/ibm/console/logon.jsp
  • Enable HTTPS using the Digital Certificate Manager *SYSTEM keystore
    • Issue a new self-signed certificate



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin


      2. Click Manage -> Application Servers -> select 'Admin1' (New Navigator) on the Servers list.

      3. Click 'Configure TLS'.

      4. Click Next on Step 1.

      5. On Step 2, configure the port and protocol and whether to also enable HTTP (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends).

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next'.

      7. Specify the password of the *SYSTEM store.

      8. Select 'Issue a new self-signed certificate' and click 'Next'.

      9. Select 'Default ciphers' and click 'Next'.

      10. Select your restart option and click Next.

      11. You will be presented with a summary screen of your choices. Click Finish. The server will be restarted, and users should connect via the following URLs.

      Heritage Navigator for i:
      https://hostname:2005/ibm/console/logon.jsp

      Navigator for i:
      https://hostname:2003/Navigator




    • Select an existing certificate from the *SYSTEM keystore



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin


      2. Click Manage -> Application Servers -> select 'Admin1' (Navigator for i) on the Servers list.

      3. Click 'Configure TLS'.

      4. Click Next on Step 1.

      5. On Step 2, configure the port and protocol and whether to also enable HTTP (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends).

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next'.

      7. Specify the password of the *SYSTEM store.

      8. Select 'Select existing certificate from the keystore', then choose an existing certificate from the drop down (avoid certificates with an * at the end; these are expired) on Step 6 -> click 'Next'.

      9. Select 'No trust certificate to import' on Step 7 -> click 'Next'.

      10. Select 'Default ciphers' on Step 8 and click Next.

      11. Select your restart option and click Next.

      12. You will be presented with a summary of your choices. Confirm the information and click Finish on the last step.
      The server will be restarted, and users should connect via the following URLs.

      Heritage Navigator:
      https://hostname:2005/ibm/console/logon.jsp

      New Navigator:
      https://hostname:2003/Navigator

    NOTE: To prevent a TLS warning in the browser about the certificate not being trusted, a certificate from a well-known Certificate Authority can be used.
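
After any of the three procedures above, the result can be checked from a workstation. The following is an added example, not IBM code: it connects to the TLS ports named on this page and reports the negotiated protocol and whether a client with a default trust store accepts the certificate. The function names `probe_tls` and `findings` are hypothetical, and the host name is supplied by the operator.

```python
import socket
import ssl
import sys

def probe_tls(host, port, timeout=5.0):
    """Report what a client sees on host:port after 'Configure TLS' has run."""
    r = {"port": port, "reachable": False, "tls": False, "protocol": None,
         "cipher": None, "trusted": None, "trust_error": None}
    # Pass 1: verification off, so a self-signed certificate still completes
    # the handshake and the negotiated protocol and cipher can be read.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            r["reachable"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                r.update(tls=True, protocol=tls.version(), cipher=tls.cipher()[0])
    except OSError:  # ssl.SSLError is an OSError: closed port or failed handshake
        return r
    # Pass 2: default verification, to see whether clients will trust the
    # certificate (a self-signed one fails here, as the closing NOTE describes).
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                r["trusted"] = True
    except ssl.SSLCertVerificationError as exc:
        r.update(trusted=False, trust_error=exc.verify_message)
    except OSError as exc:
        r.update(trusted=False, trust_error=str(exc))
    return r

def findings(r):
    """Turn a probe result into the points an administrator should follow up."""
    if not r["reachable"]:
        return ["port %d: not reachable" % r["port"]]
    if not r["tls"]:
        return ["port %d: TLS handshake failed (plain HTTP or no shared protocol)" % r["port"]]
    out = []
    if r["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        out.append("port %d: negotiated %s, older than TLSv1.2" % (r["port"], r["protocol"]))
    if r["trusted"] is False:
        out.append("port %d: certificate verification failed (%s)" % (r["port"], r["trust_error"]))
    return out

if __name__ == "__main__":
    host = sys.argv[1]  # the IBM i host name, supplied by the operator
    for port in (2003, 2005):  # TLS ports named on this page
        print(port, findings(probe_tls(host, port)) or "ok")
```

With a self-signed certificate, the second pass is expected to report a verification failure until a certificate from a trusted Certificate Authority is assigned.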

Document Information

More support for:
IBM i

Component:
IBM Navigator for i

Software version:
All Versions

Operating system(s):
IBM i

Document number:
7166029

Modified date:
09 January 2025

UID

ibm17166029
