IBM Support

IBM Navigator for i - TLS Encryption

News


Abstract

IBM Navigator supports full end-to-end encryption with TLS

Content


Encrypting Each Endpoint for IBM Navigator 
IBM Navigator for i consists of the GUI managing node and a number of different endpoints.  TLS encryption provides options to secure each of these endpoints.  
[Image: IBM Navigator for i Encryption Diagram Options]
In this diagram, the IBM Navigator GUI interface is running on the IBM i node shown in the middle of the diagram. Users have the ability to configure TLS Encryption on the connections for both sides.  

Users Browser Connection to the Navigator GUI Application
The Navigator application runs on an IBM i node in the ADMIN1 *IAS job. The ADMIN1 job is an IBM Liberty web application instance that ships with the IBM i operating system. By default, ADMIN1 uses the non-TLS port 2002 with the URL http://hostname:2002/Navigator. It is recommended that you configure encryption for this ADMIN1 job. You can configure an *IAS server with the TLS Security wizard that is included in the IBM Web Administration for i GUI interface. Details on how to access and use this wizard can be found at: Enabling SSL/TLS for IBM Navigator for i. Note: The instructions reference the ADMIN2 server. The new Navigator interface runs in the ADMIN1 server. Be sure to select ADMIN1 where instructed to select a server. Once TLS has been configured for ADMIN1, the default TLS port will be 2003 with URL https://hostname:2003/Navigator.
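One way to confirm the result from an administrator workstation once the wizard has finished, shown as an added example that is not IBM code: it checks that port 2003 completes a verified TLS handshake, warns when the ADMIN1 certificate is close to expiry, and reports whether port 2002 still answers. The host name `ibmi.example.com`, the function names and the 30-day warning threshold are assumptions made for the example.

```python
import socket
import ssl
import time

HTTP_PORT, TLS_PORT = 2002, 2003  # ADMIN1 defaults given on this page

# Constructed sample data (not a real certificate) for offline use.
SAMPLE_CERT = {"notAfter": "Jan 22 00:00:00 2023 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 12 00:00:00 2023 GMT")

def days_until_expiry(cert, now=None):
    """Whole days left on a getpeercert() dict; negative once expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def assess(cert, plain_open, warn_days=30, now=None):
    """Turn probe results into a list of findings (empty list = nothing to fix)."""
    findings = []
    if cert is None:
        # Handshake failed: no listener, untrusted or expired cert, or name mismatch.
        findings.append(f"no verified TLS session on port {TLS_PORT}")
    else:
        left = days_until_expiry(cert, now)
        if left < warn_days:
            findings.append(f"certificate expires in {left} days")
    if plain_open:
        findings.append(f"non-TLS port {HTTP_PORT} is accepting connections")
    return findings

def probe(host, cafile=None, timeout=5.0):
    """Return (verified peer cert or None, whether the non-TLS port accepts TCP)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((host, TLS_PORT), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError:  # includes ssl.SSLError and certificate verification errors
        cert = None
    try:
        socket.create_connection((host, HTTP_PORT), timeout).close()
        plain_open = True
    except OSError:
        plain_open = False
    return cert, plain_open

if __name__ == "__main__":
    # ibmi.example.com is a placeholder; pass cafile= for a private CA.
    print(assess(*probe("ibmi.example.com")) or "OK")
```

If the ADMIN1 certificate was issued by a local certificate authority, pass that CA's PEM file as `cafile` so the handshake can be verified rather than skipped.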

Connection from the Navigator to the IBM i endpoint node 
IBM Navigator is designed to provide a single pane where you can monitor and manage many IBM i endpoint nodes. IBM Navigator leverages the Java toolbox to establish the connection between the Navigator application and each endpoint. Each request is handled on the endpoint IBM i by the IBM i Host servers. For an encrypted connection to be made between the Navigator application and an IBM i endpoint, the Host servers on that endpoint must be configured with a digital certificate. Details on how to configure a digital certificate for the host servers can be found at: Enable Encryption for IBM i Host Server
Once the host servers are configured with a digital certificate, the connection between the Navigator application and the endpoint can be established.  
To establish an encrypted connection, under the Serviceability menu click Connection Properties.
[Image: IBM Navigator Serviceability Connection Properties Menu Action]
Click the TLS Connection tab.  
The TLS Connection table shows the list of IBM i endpoint nodes that were previously established and their current encryption connection method. To enable encryption to an endpoint node, toggle the TLS Enablement switch to On. The Navigator application then attempts to establish an encrypted connection. If the host servers are properly configured with a Digital Certificate, this certificate is passed back to the Navigator application. The user needs to accept this certificate and the Navigator Application saves this certificate into the Web Application Certificate store. 
[Image: IBM Navigator for i Certificate Confirmation Page]
 
Click the Accept button. To save and enable this secure connection, click the Save button at the end of the table on the Web Interface TrustStore page.
[Image: IBM Navigator for i Save Web Certificate]
Once the certificate is accepted and stored in the Web TrustStore, this and all future connections to this endpoint node are made by using an encrypted connection. 
[Image: IBM Navigator List Dashboard Showing Secure Connection]
From the list view of the dashboard, you can see that the secure connection is used. 
To manage the certificates in the Web TrustStore, click the IBM i Web Interface TrustStore tab before the list of IBM i endpoint nodes. 
[Image: IBM Navigator for i Connection Properties Web Interface Trust Store]
Manage the certificates with this interface.  You can also renew the certificates once they are expired. 

 
Serviceability
Access to the Serviceability section is denied by default. Only user profiles with *ALLOBJ special authority are able to see this section by default. Normal user profiles need to be added to the QIBM_NAV_SERVICEABILITY function ID.


Document Information

Modified date:
12 January 2022

UID

ibm16483573