IBM Navigator for i - in Cloud environment

News

Abstract

Using IBM Navigator for i in a Cloud environment requires ability to access using localhost and may have all insecure ports blocked. This document explains how you can configure your IBM i in the cloud for using IBM Navigator for i.

Content

You are in: IBM i Technology Updates > Navigator for i > Documentation on Functional Areas > Connection Properties > Navigator for i in the Cloud

Connection Properties topics:

GUI Preferences
- TLS Override
- Localhost Override - Navigator for i in Cloud environment

Authentication: Access Authorization
TLS Connection

Navigator for i in a Cloud environment:

Verify these items are completed to run Navigator in a cloud environment:

1. Make sure fully qualified system/partition/node DNS name is in TCP/IP Host Table and TCP/IP Domain. These are used for the system name on the IBM Navigator dashboard. If these are not set, you will be connected to "localhost". We cannot use the request header system name for security reasons.

This will look something like: POWER-IAAS.CLOUD.IBM.COM

2. Prepare for ssh tunneling and using localhost (steps below).

3. Shut down all insecure ports (if needed).

Prepare for ssh tunneling and using localhost

The Localhost override will disable checks for requests coming from localhost. This allows navigator to work with port forwarding and tunneling.

When turned on, the localhost override will disable checks for requests coming from localhost. This allows Navigator to work in environments that use port forwarding and tunneling. Turn this on if you have trouble connecting to Navigator and have set up port forwarding or are in a cloud environment using ssh tunnel and localhost.

This can be done in two ways:

On the GUI node set Configuration Properties (which requires ability to access IBM Navigator for i through the GUI so will not work for initial cloud configuration)
Manually modify the preferences file to set localhostOverride to true - /qibm/userdata/os400/Navigator/preferences/pIgMiytjMDLAhlQ1m+wcBQ==
- Edit preferences file (name: pIgMiytjMDLAhlQ1m+wcBQ==) found here: /qibm/userdata/os400/Navigator/preferences
  - Add "localhostOverride":true or if it exists with value set to false, change to true. Your file will then look something like this:
    - {"prefDirAdjustedRel":460288,"globalTLSList":[],"tlsOverride":false,"localhostOverride":true}
- If the file does not exist, create "pIgMiytjMDLAhlQ1m+wcBQ==" (CCSID 819) with the contents:
  - ▼{"prefDirAdjustedRel":459776,"globalTLSList":[],"tlsOverride":false,"localhostOverride":true}

CHGATR OBJ('/qibm/userdata/os400/navigator/preferences/pIgMiytjMDLAhlQ1m+wcBQ==') ATR(*CCSID) VALUE(819)                                          
CHGOWN obj('/qibm/userdata/os400/Navigator/preferences/pIgMiytjMDLAhlQ1m+wcBQ==') newown(QWEBADMIN)
CHGAUT obj('/qibm/userdata/os400/Navigator/preferences/pIgMiytjMDLAhlQ1m+wcBQ==') user(QWEBADMIN) dtaaut(*RWX) OBJAUT(*NONE)
CHGAUT obj('/qibm/userdata/os400/Navigator/preferences/pIgMiytjMDLAhlQ1m+wcBQ==') user(*PUBLIC) dtaaut(*EXCLUDE) OBJAUT(*NONE)

Restart ADMIN1 server:

ENDTCPSVR *IAS INSTANCE(ADMIN1)
STRTCPSVR *IAS INSTANCE(ADMIN1)

Shut down all insecure ports

For successful access from the Cloud, you may need to block all insecure ports.

First you will need to log in to Navigator with insecure ports enabled.
Then configure TLS
Block insecure ports - this can be done with Navigator under TLS > Deactivate Unsecure Ports or by adding port restrictions

If the fully qualified name is used for the host name in requests, you may need to add this fully qualified name to the preferences file for Global TLS. This is set by Navigator when you request "Use TLS for all users". If you use the IP address to access the Navigator URL, you may still need to add the host name (system.domain) to the preferences file.

Change the file /qibm/userdata/os400/Navigator/preferences/pIgMiytjMDLAhlQ1m+wcBQ==' as follows
1. edtf '/qibm/userdata/os400/Navigator/preferences/pIgMiytjMDLAhlQ1m+wcBQ=='
2. Change it to add the FQDN to the globalTLSList value, leaving everything else:
```
{"prefDirAdjustedRel":460032,"globalTLSList":["system.domain","192.x.y.100"],"tlsOverride":false,"localhostOverride":true}
```

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CH1AAM","label":"IBM Navigator for i"}],"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0;7.4.0;and future releases"}]

Tips

IBM Navigator for i - in Cloud environment

News

Abstract

Content

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?