IBM Support

Enabling TLS for IBM Navigator for i

Troubleshooting


Problem

Navigator for i is not enabled for TLS by default. Both Heritage Navigator for i and Navigator for i can be enabled for TLS using the same steps.

Environment

IBM i 7.1 and later
Heritage Navigator for i - ADMIN2 application server
IBM i 7.3 and later
Navigator for i - ADMIN1 application server

Resolving The Problem

The 7.4 and 7.3 HTTP PTF groups released in September 2021 introduced a new version of Navigator for i. This new version runs alongside the current version (now called Heritage Navigator for i) and can also be configured to use TLS. Here are further details explaining the two available versions:
HTTP PTF Group levels introducing New Navigator:
7.4 HTTP Group - SF99662 level 14
7.3 HTTP Group - SF99722 level 33 
(Not Available on 7.2) 
Heritage Navigator for i:
- Runs on the Admin2 HTTP server job using ports 2004 (Non secure) and 2005 (with TLS configured)
- Non-TLS URL used to connect is http://systemname:2004/ibm/console/logon.jsp
- TLS URL will be https://systemname:2005/ibm/console/logon.jsp 
Navigator for i (Introduced Sept 2021):
- Runs on the Admin1 HTTP server job using ports 2002 (Non secure) and 2003 (with TLS configured)
- Non-TLS URL used to connect is http://systemname:2002/Navigator
- TLS URL will be https://systemname:2003/Navigator
NOTE: Install the latest HTTP Group PTF to ensure all options for Admin1 and Admin2 are available on Web Admin. The following is a link to the preventative service planning page that shows the current levels:
You can enable HTTPS by either using the default Java keystore used within IBM Navigator for i or by using Digital Certificate Manager.

Choose ONE of the following options (either use the default JKS keystore that Admin1 and Admin2 ship with, or use certificates within Digital Certificate Manager):    
  • Enable HTTPS using the default Java keystore

    NOTE: This option will create a new self-signed certificate to be placed in the Java keystore.

    1. Open a web browser and go to the following URL (login with your IBM i user profile):
    http://hostname:2001/HTTPAdmin


    2. Click Manage -> Application Servers-> select 'Admin1' (New Navigator) or 'Admin2' (Heritage Navigator) on Servers list

    3. Click 'Configure TLS'

    4. Click Next on Step 1:

    5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):

    6. Configure 'inav_key.jks' as the keystore on Step 3:

    7. This will prompt to create the new keystore and set the password:
    8. Select 'Default Ciphers' and click 'Next' on Step 8:

    9. Select the restart server style you like on Step 9:

    10. Confirm the information and click Finish on the last step:

    The server will be restarted and the user should connect via the following URL.
    Heritage Navigator:
    https://hostname:2005/ibm/console/logon.jsp
    New Navigator:
    https://hostname:2003/Navigator

  • Enable HTTPS using the Digital Certificate Manager *SYSTEM keystore
    • Issue a new self-signed certificate



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin


      2. Click Manage -> Application Servers-> select 'Admin1' (New Navigator) or 'Admin2' (Heritage Navigator) on Servers list

      3. Click 'Configure TLS'

      4. Click Next on Step 1:

      5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':

      7. Specify the password of the *SYSTEM store:


      8. Select 'Issue a new self-signed certificate' and click 'Next'

      9. Select 'Default ciphers' and click 'Next'

      10. Select your restart option and click Next:
      11. You will be presented with a summary screen of your choices. Click Finish. The server will be restarted and the user should connect via the following URL.
      Heritage Navigator for i:
      https://hostname:2005/ibm/console/logon.jsp
      Navigator for i:
      https://hostname:2003/Navigator




    • Select an existing certificate from the *SYSTEM keystore



      1. Open a web browser and go to the following URL (login with your IBM i user profile):
      http://hostname:2001/HTTPAdmin


      2. Click Manage -> Application Servers-> select 'Admin1' (Navigator for i) or 'Admin2' (Heritage Navigator for i) on Servers list

      3. Click 'Configure TLS'

      4. Click Next on Step 1:

      5. Configure port/protocol and whether to enable http also on Step 2 (NOTE: It is recommended to select TLSv1.2 for the protocol and leave the TLS port as the default port it recommends):

      6. Select 'Use Digital Certificate Manager (DCM) SYSTEM store' on Step 3 -> click 'Next':

      7. Specify the password of the *SYSTEM store:

      8. Select 'Select existing certificate from the keystore', then choose an existing certificate from the drop-down (avoid certificates with an * at the end; these are expired) on Step 6 -> click 'Next'

      9. Select 'No trust certificate to import' on Step 7 -> click 'Next'

      10. Select 'Default ciphers' on Step 8 and click Next:
       
      11. Select your restart option and click Next:
      12. You will be presented with a summary of your choices. Confirm the information and click Finish on the last step.
      The server will be restarted and the user should connect via the following URL.
      Heritage Navigator:
      https://hostname:2005/ibm/console/logon.jsp
      New Navigator:
      https://hostname:2003/Navigator

    NOTE: To prevent a TLS warning in the browser about the certificate not being trusted, a certificate from a well-known Certificate Authority can be used.
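
Once the server has restarted, the result of any of the options above can be checked from a workstation. The following Python script is an added example, not IBM code: it probes the TLS ports listed in this document, reports the negotiated protocol, whether the certificate is trusted by the client (a self-signed certificate is not), and whether the non-TLS port was left enabled in Step 2. The host name `systemname` is a placeholder and the function names are illustrative.

```python
import socket
import ssl

# name: (TLS port, non-TLS port), as listed in this document
SERVERS = {"Navigator for i (Admin1)": (2003, 2002),
           "Heritage Navigator for i (Admin2)": (2005, 2004)}

def plain_port_open(host, port, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_tls(host, port, timeout=5.0):
    """Handshake unverified to read the protocol, then verified to test trust."""
    res = {"handshake": False, "protocol": None, "trusted": False, "error": None}
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE  # inspection only, never for real traffic
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with loose.wrap_socket(raw, server_hostname=host) as tls:
                res.update(handshake=True, protocol=tls.version())
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                res["trusted"] = True
    except ssl.SSLCertVerificationError as exc:
        res["error"] = exc.verify_message  # e.g. self-signed certificate
    except OSError as exc:  # refused, timed out, or not a TLS listener
        res["error"] = str(exc)
    return res

def findings(name, tls, http_open):
    """Turn one probe result into a list of review findings (empty means clean)."""
    if not tls["handshake"]:
        return [f"{name}: no TLS handshake ({tls['error']})"]
    out = []
    if tls["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        out.append(f"{name}: negotiated {tls['protocol']}, older than TLSv1.2")
    if not tls["trusted"]:
        out.append(f"{name}: certificate not trusted by this client ({tls['error']})")
    if http_open:
        out.append(f"{name}: non-TLS port is still accepting connections")
    return out

if __name__ == "__main__":
    for name, (tls_port, http_port) in SERVERS.items():  # "systemname" is a placeholder
        print(findings(name, probe_tls("systemname", tls_port), plain_port_open("systemname", http_port)))
```
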

Document Information

Modified date:
20 June 2022

UID

nas8N1021834