IBM Support

How To Configure ADMIN/Integrated Application Server/Integrated Web Service Application Servers for TLS Communications Using a Specified Keystore

How To


Summary

When configuring your ADMINx/Integrated Application Server/Integrated Web Service application servers for TLS communications, you have the option of specifying what keystore type you wish to use in the configuration. This can be a specific keystore path and type or the Digital Certificate Manager *SYSTEM certificate store. This document will discuss how to configure your application server using a specific keystore path and type. For detailed information on how to configure the application server with the Digital Certificate Manager *SYSTEM certificate store, please refer to the URL, https://www.ibm.com/support/pages/node/667835.

Environment

IBM i 7.2, 7.3, 7.4, & 7.5 OS
Required IBM i PTF levels:
 
IBM i 7.5 - included in GA
IBM i 7.4 - IBM i HTTP Group PTF level, SF99662 - 19
IBM i 7.3 - IBM i HTTP Group PTF level, SF99722 - 38
IBM i 7.2 - IBM i HTTP Group PTF level, SF99713 - 50
ADMIN1, ADMIN2, ADMIN3, and ADMIN5 Application Server Instances
Integrated Application Server v8.5 Instances
Integrated Web Services v2.6 Instances

Steps

Disable any previous application server TLS configuration

1) Log into the IBM Web Admin GUI.
2) Go to Manage -> Application Servers -> select your application server from the Server list.
3) Click the "Disable TLS" link on the left under "Application Server Wizards" or "Common Tasks and Wizards".
[Screenshots: location of the "Disable TLS" link for ADMINx application servers, and for Integrated Web Services and Integrated Application Servers]
4) Click the Next button.
5) If a current TLS configuration does exist, check the box next to the TLS port to be disabled.  Then, click the Next button.
If the message "Error: ZUI_54556: There is no TLS configurations found for this application server." is displayed at the bottom, the application server has no current TLS configuration.  In that case, skip the remaining steps of this section and move on to "Configure the application server for TLS using a specified keystore path and type".
6) Choose your restart type depending on whether you want the application server restarted immediately or prefer to restart it manually at a later time.  Then, click the Next button.
7) Finally, click the Finish button on the Summary page to commit the disablement of TLS for the application server.

Configure the application server for TLS using a specified keystore path and type

Important!!!  The "Configure TLS" wizard is available for the ADMIN1, ADMIN2, ADMIN3, and ADMIN5 application servers only!  The ADMIN4 application server cannot be configured for TLS, since doing so would affect access to the IBM Web Administration for i web application.  To secure that application, configure the ADMIN HTTP Server for TLS instead, which enables port 2010.

For ADMINx application servers (ADMIN1, ADMIN2, ADMIN3, and ADMIN5 only!)

NOTE:  Do not run the "Configure TLS" wizard for the ADMIN4 application server!  This will affect access to the IBM Web Administration for i web application.
The following steps demonstrate how to configure the ADMIN3 application server.
1) Go to Manage -> Application Servers -> select your ADMIN1, ADMIN2, ADMIN3, or ADMIN5 application server from the Server list.
2) Click the "Configure TLS" link on the left under "Application Server Wizards".
3) Click the Next button.
The recommended TLS port value will be auto-populated.
ADMIN1 - TLS Port = 2003
ADMIN2 - TLS Port = 2005
ADMIN3 - TLS Port = 2007
ADMIN5 - TLS Port = 2012
4) Change the "SSL protocol" field to "TLSv1.2".
IBM recommends you select "Yes, disable non-TLS port while configuring TLS port" under "Disable the non-TLS port?" question.
5) Click the Next button to continue.
6) Select "Specify keystore path and type" and use the default keystore path and type configuration.  You are welcome to customize the type and path, but IBM recommends you record these values since you will need to know them when working with the keystore at a later date.
NOTE:  You can use the same keystore file for all ADMINx application servers.
Here are the default keystore paths for the ADMINx application servers:
ADMIN1 - /qibm/userdata/os/admininst/admin1/wlp/usr/servers/admin1/resources/security/key.jks
ADMIN2 - /qibm/userdata/os/admininst/admin2/wlp/usr/servers/admin2/resources/security/key.jks
ADMIN3 - /qibm/userdata/os/admininst/admin3/wlp/usr/servers/admin3/resources/security/key.jks
ADMIN5 - /qibm/userdata/os/admininst/admin5/wlp/usr/servers/admin5/resources/security/key.jks
Once you have your keystore path and type configured, click the Next button.
7) Specify either a new password or an existing password for the keystore file specified.
It is important this keystore password be recorded.  It will be required to manage the keystore and certificates in the keystore.  This password cannot be recovered.  If you do not know the password to the keystore, you will have to disable the TLS configuration for the application server, delete the existing keystore file, and then reconfigure the application server for TLS.
8) Click the Next button to continue.
9) Specify the cipher suite list for the TLS configuration.
IBM recommends selecting "Default ciphers", but you may select ciphers from an available cipher suite list.  When selecting the option "Select ciphers from available ciphers list", you will need to select one or more ciphers from the "Available ciphers" list and then click the > button to move them to the "Enabled ciphers for TLS" box.  The "Enabled ciphers for TLS" box will be the list of cipher suites enabled in the TLS configuration for the application server.  TLS clients connecting to the application server MUST support at least one of these enabled ciphers in order to successfully connect via TLS.
10) Click the Next button to continue.
11) Choose your restart type depending on whether you want the application server restarted immediately or prefer to restart it manually at a later time.  Then, click the Next button.
12) Finally, click the Finish button on the Summary page to commit the enablement of TLS for the application server.
13) Ensure the ADMINx application server has been restarted first.  Then, you can begin using HTTPS and the configured TLS port to access the hosted web applications.
ADMIN1:
https://server:2003/Navigator
ADMIN2:
https://server:2005/ibm/console
https://server:2005/IDSWebApp/IDSjsp/Login.jsp
ADMIN3:
https://server:2007/dcm
ADMIN5:
https://server:2012/rseapi

For Integrated Application Servers and Integrated Web Services Servers

1) Go to Manage -> Application Servers -> select your IWS v2.6 or IAS v8.5 application server from the Server list.
[Screenshots: selecting an IWS v2.6 application server and an IAS v8.5 application server from the Server list]
2) Expand the "Common Tasks and Wizards" section on the left and click the "Configure TLS" link.
3) Click the Next button.
4) Configure the TLS port to a value that is not currently in use.  Typically, we recommend the TLS port be set either to the current non-TLS port or to another port value that is not in use by any other TCP server on the IBM i partition.  You can use Manage -> All Servers, or the NETSTAT *CNN command, to see which TCP ports are currently in use.  You can identify the current non-TLS HTTP port under Server Properties -> Properties -> Ports.
In this example, the current non-TLS HTTP port is 10054.  Since I will be disabling the non-TLS port when configuring TLS, I will specify my TLS port as 10054, which changes this port from non-TLS to a TLS-enabled port.
5) Change the "SSL protocol" field to "TLSv1.2".
IBM recommends you select "Yes, disable non-TLS port while configuring TLS port" under "Disable the non-TLS port?" question.
6) Click the Next button to continue.
7) Select "Specify keystore path and type" and use the default keystore path and type configuration.  You are welcome to customize the type and path, but IBM recommends you record these values since you will need to know them when working with the keystore at a later date.
NOTE:  You can use the same keystore file for all IWS v2.6/IAS v8.5 application servers.
Here is the default keystore path for IWS v2.6/IAS v8.5 application server:
/www/<server>/wlp/usr/servers/<server>/resources/security/key.jks
Once you have your keystore path and type configured, click the Next button.
8) Specify either a new password or an existing password for the keystore file specified.
It is important this keystore password be recorded.  It will be required to manage the keystore and certificates in the keystore.  This password cannot be recovered.  If you do not know the password to the keystore, you will have to disable the TLS configuration for the application server, delete the existing keystore file, and then reconfigure the application server for TLS.
9) Click the Next button to continue.
10) Specify the cipher suite list for the TLS configuration.
IBM recommends selecting "Default ciphers", but you may select ciphers from an available cipher suite list.  When selecting the option "Select ciphers from available ciphers list", you will need to select one or more ciphers from the "Available ciphers" list and then click the > button to move them to the "Enabled ciphers for TLS" box.  The "Enabled ciphers for TLS" box will be the list of cipher suites enabled in the TLS configuration for the application server.  TLS clients connecting to the application server MUST support at least one of these enabled ciphers in order to successfully connect via TLS.
11) Click the Next button to continue.
12) Choose your restart type depending on whether you want the application server restarted immediately or prefer to restart it manually at a later time.  Then, click the Next button.
13) Finally, click the Finish button on the Summary page to commit the enablement of TLS for the application server.
14) Ensure the IWS v2.6/IAS v8.5 application server has been restarted first.  Then, you can begin using HTTPS and the configured TLS port to access the hosted web applications.
For the above WSERVICE2 application server example, the HTTPS URL would be:
https://server:10054/web/services/<webServiceURI>
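After step 13 of the ADMINx procedure and step 14 of the IWS/IAS procedure, a browser test only shows that the page loads.  A practitioner usually also wants to confirm that the port negotiates TLSv1.2 or newer, which cipher suite from the enabled list was actually chosen, that the certificate being served is the expected one, and that the non-TLS port really was disabled when that option was selected.  The following Python script is an added example, not IBM's code: it assumes the ADMINx ports the wizard pre-populates (2003, 2005, 2007, 2012) and that the workstation running it can reach the IBM i partition.  The host name, the optional CA bundle and any non-TLS port number to re-check are arguments you supply; nothing on this page fixes them.

```python
"""Verify the TLS ports configured by the "Configure TLS" wizard.

Added example, not IBM's code.  Reports the negotiated protocol and cipher,
the SHA-256 fingerprint of the certificate served (compare it with the
certificate in DCM or in key.jks), and whether the old non-TLS port is still
accepting connections.
"""
import hashlib
import socket
import ssl
import sys

# Recommended TLS ports that the wizard pre-populates for the ADMINx servers.
# IAS/IWS servers use whatever port you entered in step 4 (10054 in the example).
ADMIN_TLS_PORTS = {"ADMIN1": 2003, "ADMIN2": 2005, "ADMIN3": 2007, "ADMIN5": 2012}


def tls_context(ca_file=None):
    """Client context that refuses anything older than TLSv1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file is None:
        # No CA bundle supplied: still inspect the served certificate, but the
        # chain cannot be validated, so hostname and chain checks are turned off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint_sha256(der_cert):
    """Colon-separated SHA-256 fingerprint, the form keytool and DCM display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def port_open(host, port, timeout=3.0):
    """True if a plain TCP connection succeeds (used to re-check a disabled non-TLS port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_tls(host, port, ca_file=None, non_tls_port=None, timeout=5.0):
    """Complete a handshake with the TLS port and collect what a reviewer wants to see."""
    ctx = tls_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            result = {
                "protocol": tls.version(),
                "cipher": name,
                "cipher_bits": bits,
                "fingerprint": fingerprint_sha256(tls.getpeercert(binary_form=True)),
            }
    # Only meaningful when you chose a TLS port different from the old non-TLS port
    # and asked the wizard to disable the non-TLS port.
    result["non_tls_open"] = port_open(host, non_tls_port) if non_tls_port else None
    return result


def assess(result, expect_non_tls_closed=True):
    """Findings from a probe result; an empty list means the port looks as configured."""
    findings = []
    if result.get("protocol") not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol below TLSv1.2 negotiated: %s" % result.get("protocol"))
    cipher = result.get("cipher") or ""
    if any(tag in cipher for tag in ("RC4", "DES", "NULL", "MD5", "EXPORT")):
        findings.append("legacy cipher negotiated: " + cipher)
    if expect_non_tls_closed and result.get("non_tls_open"):
        findings.append("non-TLS port still accepts connections; rerun the wizard and disable it")
    return findings


if __name__ == "__main__":
    # Usage: python check_tls.py <ibmi-host> [ca_bundle.pem]
    if len(sys.argv) < 2:
        sys.exit("usage: check_tls.py <ibmi-host> [ca_bundle.pem]")
    host = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for server, port in ADMIN_TLS_PORTS.items():
        try:
            res = probe_tls(host, port, ca_file=ca)
        except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError subclasses
            print(f"{server} :{port} handshake failed: {exc}")
            continue
        print(f"{server} :{port} {res['protocol']} {res['cipher']} ({res['cipher_bits']} bits)")
        print(f"  certificate SHA-256 {res['fingerprint']}")
        for finding in assess(res, expect_non_tls_closed=False):
            print("  finding:", finding)
```

For an IWS/IAS server, call `probe_tls(host, 10054)` with the port you chose; pass `non_tls_port=` only when the TLS port differs from the old non-TLS port and you selected "Yes, disable non-TLS port".  Supplying the CA bundle that issued the server certificate (for example the DCM CA you imported into key.jks) makes the script validate the chain and host name the way a browser would, which is the check that matters once the self-signed wizard default has been replaced.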

Importing a certificate from Digital Certificate Manager to your specified keystore

Follow the instructions in the IBM Document, Importing And Configuring A Certificate From Digital Certificate Manager To A Specified Keystore With ADMIN/IAS/IWS Application Servers, on how to import a certificate from the IBM i Digital Certificate Manager *SYSTEM certificate store and configure your application server to use it.

Document Location

Worldwide


Document Information

Modified date:
07 July 2022

UID

ibm16567207