Troubleshooting
Problem
Navigator for i does not come enabled for TLS by default. Navigator for i running on ADMIN1 can be enabled for TLS using these steps. Other servers can also use the wizard.
Environment
IBM i 7.3 and later
Navigator for i - ADMIN1 application server
Resolving The Problem
Navigator for i can be configured to use TLS using these steps in Navigator. The Navigator wizard is now available through PTF approved on September 26, 2024. It will be in the HTTP group update on September 30, 2024. To use the heritage WebAdmin GUI, follow these steps.
Make sure you are running with the latest HTTP group PTF levels. The following is a link to the preventative service planning page that shows the current levels:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021657#1
Navigator for i:
- Runs on the Admin1 HTTP server job using ports 2002 (Non-secure) and 2003 (with TLS configured)
- Non-TLS URL used to connect is http://hostName:2002/Navigator
- TLS URL is https://hostName:2003/Navigator
You can enable HTTPS by either using an existing certificate store or by using the Digital Certificate Manager *SYSTEM store.
Before you launch TLS Wizard:
- The selected certificate store is required to contain a valid certificate. Users can create CMS certificate stores and self-signed certificates in Digital Certificate Manager. Launch to DCM is available in Navigator at Bookmarks > DCM.
- Configuring the certificate store table ahead of time can save a lot of time when doing multiple TLS configurations, and can help users keep an inventory of the certificate stores on their IBM i. This can be found in Navigator at Network > Web Administration > Certificate Stores.
- The ports will be auto-defaulted in an upcoming release of Navigator. Until then, use these recommended port numbers:

| Ports  | Non TLS | TLS  |
|--------|---------|------|
| ADMIN1 | 2002    | 2003 |
| ADMIN2 | 2004    | 2005 |
| ADMIN3 | 2006    | 2007 |
| ADMIN5 | 2012    | 2015 |
Launch TLS Wizard
1. Click Network > Web Administration > Application Servers
2. Select Admin1 on Application Servers list, right-click and select Configure TLS Wizard
3. Step 1: Set the ID, TLS port, and TLS protocol. Also select if the Non-TLS port should be disabled after the wizard. Click Next
4. Step 2: Select your intended certificate store
   4A. Using the DCM *SYSTEM Store:
   4B. Specify a path to the certificate store:
   4C. Select using the certificate store table:
   Note: Certificate stores can be added to the table in Network > Web Administration > Certificate Stores
5. This will prompt the user to enter the certificate store password:
6. Step 5: Select an existing certificate from the searchable drop-down list populated from the certificate store location provided.
7. Select Default Ciphers and click Next
8. Step 6: Select the restart server style you prefer (we recommend restarting immediately):
9. Step 7: Confirm the information and click Finish
Once the server has been restarted, users can connect to Navigator with the following URL (using the port specified above in the configuration): https://hostname:2003/Navigator

NOTE: To prevent a TLS warning in the browser about the certificate not being trusted, a certificate from a well-known Certificate Authority can be used.
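To confirm the result of the wizard from a client machine, the following added example (not IBM code, and not part of the original document) handshakes with the TLS port, reports whether the client trusts the certificate, and checks whether the non-TLS port is still listening. The function names and the script name are assumptions made for the illustration; the port pairs are the ones recommended above.

```python
import socket
import ssl
import sys

# Recommended (non-TLS, TLS) port pairs, copied from the table on this page.
PORTS = {"ADMIN1": (2002, 2003), "ADMIN2": (2004, 2005),
         "ADMIN3": (2006, 2007), "ADMIN5": (2012, 2015)}


def port_open(host, port, timeout=3.0):
    """Return True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_probe(host, port, timeout=3.0):
    """Handshake with host:port; report the protocol and whether the cert is trusted."""
    for verify in (True, False):
        ctx = ssl.create_default_context()  # system trust store, hostname check on
        if not verify:
            # Second pass only: the first handshake failed certificate verification.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return {"tls": True, "trusted": verify, "protocol": tls.version()}
        except ssl.SSLCertVerificationError:
            continue  # self-signed, unknown CA, or name mismatch: retry unverified
        except OSError:
            break     # closed port, timeout, or the port does not speak TLS
    return {"tls": False, "trusted": False, "protocol": None}


def check_server(host, server="ADMIN1", timeout=3.0):
    """Summarise the post-wizard state of one application server."""
    plain, secure = PORTS[server]
    result = tls_probe(host, secure, timeout)
    result["non_tls_port_open"] = port_open(host, plain, timeout)
    result["url"] = f"https://{host}:{secure}/Navigator"
    return result


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage (script name is hypothetical): python check_nav_tls.py hostName [ADMIN1]
    print(check_server(*sys.argv[1:3]))
```

A result of `trusted: False` with `tls: True` corresponds to the browser warning described in the NOTE, and `non_tls_port_open: True` means the non-TLS port was not disabled in Step 1 of the wizard.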
Document Information
Modified date:
09 October 2024
UID
nas8N1021834