Troubleshooting
Problem
A common security measure on an IBM i system is to configure it to be TLS only. An important part of that is setting up the Host Servers so that clients can connect to them over a TLS connection. This guide covers:
- Configuring the Host Servers for TLS connections
- Setting up Secure Connections in Navigator such that users are utilizing the TLS Host Server ports
- Disabling the Non-TLS Ports (Optional)
Disabling the non-TLS ports can affect the functionality of some older IBM i applications such as the Web Admin GUI. Digital Certificate Manager also requires additional setup to work TLS-only that is not documented in this guide.
Environment
IBM i 7.3 and later
Resolving The Problem
1. Configuring the Host Servers for TLS Connections
Open Navigator for i and, through the side menu, go to Network > Servers > TLS Configuration.

In this table, we can see the Network Servers that can be TLS Configured, as well as the TLS related status of those servers.

From here, right-click any row and select Configure TLS Wizard.
In the first step, the user can choose which servers are being configured by the current wizard. All the servers in the TLS Configuration table can be configured at the same time.

In the second through fourth steps, the user selects a certificate store and a certificate for the TLS configuration. It's important to note that this wizard works only with CMS certificate stores. The *SYSTEM store managed by Digital Certificate Manager is a good option if another certificate store isn't available on the target system.

On step five, the user is prompted with the option to restart the host servers when the wizard completes. The assigned certificates are not used by the host servers until the servers have been restarted.

The last step of the wizard provides a summary of the user's selections.

Upon completion of the wizard, the user will return to the TLS Configuration table. An easy way to confirm that the configuration has run correctly is to expand the row of a server that was just configured. The user should see the certificate they assigned to that server listed.

2. Setup Secure Connections in Navigator
Setting up secure connections in Navigator is how a user profile is configured to use the TLS-enabled host server ports. In the side menu, navigate to Serviceability > Connection Properties.

Select TLS Connection on the side menu in the new window to get to the TLS Connection/Nodes tab.

In the TLS Enablement column, selecting "On" for the target system ensures that this user profile uses the TLS ports for the Host Servers on that system. If the "Use TLS For All Users" column is not visible, the current user does not have the *ALLOBJ special authority. Setting TLS for all users is recommended if the unsecure Host Server ports are going to be disabled.
Once TLS Enablement or TLS for All Users has been set, remember to click Save at the bottom. It's easy to miss on smaller screens or when the system and user profile have a lot of nodes.
3. Disabling the Non-TLS Ports (Optional)
Note: Disabling the non-TLS ports can cause problems for older IBM web applications deployed on IBM i. The Web Admin GUI will not work, and Digital Certificate Manager requires extra steps to be able to run on the secure ports. User profiles that don't have secure connections set up (section 2) will run into difficulties using Navigator once the non-TLS ports are disabled. It is recommended that secure connections be set for all users by an *ALLOBJ profile, as described in section 2.
To disable the non-TLS ports, the user needs to get back to the TLS Configuration table. Navigate through the side menu via Network > Servers > TLS Configuration to get there.
Once back at the table, right-click any row and select Disable Unsecure Port.
Note: If this option is greyed out, the current user isn't set up with secure connections. Go back to section 2 if this is the case.

After that, the user will see the Disable Unsecure Port dialog.

In this dialog, select all of the Host Servers whose unsecure ports are to be disabled. The changes do not take effect until the selected servers have been restarted. Make the selections that make sense for the current user and system and click OK. Once the dialog is finished, the result should be visible in the TLS Configuration table; if a change isn't shown after the restart, refresh the table once.
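One way to confirm the end state from a workstation rather than from the Navigator table is to probe every Host Server port directly: the TLS port should complete a handshake and present the assigned certificate, and the unsecure port should refuse the connection. The script below is an added example; it is not part of the IBM document and not Navigator for i code. It assumes the standard Host Server port assignments (8470-8476 non-TLS, 9470-9476 TLS) and that the workstation can reach the system over TCP; the host name in the block is a placeholder.

```python
"""Probe the IBM i Host Server ports from a workstation.

Added example, not from the IBM document and not Navigator for i code.
Assumptions: standard Host Server ports (8470-8476 non-TLS, 9470-9476 TLS)
and TCP reachability from this workstation to the system.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass

# Standard IBM i Host Server ports: service name -> (non-TLS port, TLS port).
HOST_SERVERS = {
    "as-central": (8470, 9470),
    "as-database": (8471, 9471),
    "as-dtaq": (8472, 9472),
    "as-file": (8473, 9473),
    "as-netprt": (8474, 9474),
    "as-rmtcmd": (8475, 9475),
    "as-signon": (8476, 9476),
}


@dataclass
class PortResult:
    server: str
    port: int
    tls: bool       # True for the 947x port, False for the 847x port
    state: str      # "open", "refused", "timeout", "error", "tls-ok", "tls-error"
    detail: str = ""


def probe_plain(host, server, port, timeout=3.0):
    """Plain TCP connect. After Disable Unsecure Port and a restart, expect 'refused'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(server, port, False, "open")
    except ConnectionRefusedError:
        return PortResult(server, port, False, "refused")
    except socket.timeout:
        return PortResult(server, port, False, "timeout")
    except OSError as exc:
        return PortResult(server, port, False, "error", str(exc))


def probe_tls(host, server, port, cafile=None, timeout=3.0):
    """TLS handshake. On success the detail carries the negotiated protocol and the
    SHA-256 fingerprint of the certificate the server presented, which can be compared
    with the fingerprint of the certificate assigned in the TLS Configuration table."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # No CA supplied: complete the handshake to see the certificate without trusting it.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                fingerprint = hashlib.sha256(der).hexdigest()
                return PortResult(server, port, True, "tls-ok",
                                  f"{tls.version()} sha256={fingerprint}")
    except OSError as exc:
        # ssl.SSLError, refused, reset and timeout are all OSError subclasses.
        return PortResult(server, port, True, "tls-error", str(exc))


def check_system(host, cafile=None, timeout=3.0):
    """Probe both ports of every Host Server and return the list of results."""
    results = []
    for name, (plain_port, tls_port) in HOST_SERVERS.items():
        results.append(probe_plain(host, name, plain_port, timeout))
        results.append(probe_tls(host, name, tls_port, cafile, timeout))
    return results


def summarize(results):
    """Overall verdict. TLS problems take priority: never disable the unsecure ports
    while a TLS port is not answering, or the only working path is removed."""
    tls = [r for r in results if r.tls]
    plain = [r for r in results if not r.tls]
    if any(r.state != "tls-ok" for r in tls):
        return "tls-not-ready"      # revisit section 1 (certificate assignment / restart)
    if any(r.state == "open" for r in plain):
        return "plain-still-open"   # unsecure ports still listening (not disabled or not restarted)
    if all(r.state == "refused" for r in plain):
        return "tls-only"
    return "indeterminate"          # timeouts: a firewall may be hiding the real state


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ibmi.example.com"  # placeholder host
    ca = sys.argv[2] if len(sys.argv) > 2 else None                    # optional CA bundle
    found = check_system(target, ca)
    for r in found:
        print(f"{r.server:12} {r.port} {'tls' if r.tls else 'plain':5} {r.state:10} {r.detail}")
    print("verdict:", summarize(found))
```

Run it once after the wizard restart (expect "plain-still-open" with every TLS port at "tls-ok") and again after Disable Unsecure Port and the second restart (expect "tls-only"). Pass the CA bundle that issued the server certificate as the second argument when the aim is to confirm trust rather than just reachability; without it the handshake is completed with verification off, so the fingerprint in the output is the only thing that ties the answering port to the certificate chosen in section 1. A "timeout" on the 847x ports means a firewall is dropping the packets, which says nothing about whether the port restriction is in place.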

4. Re-enabling the Unsecure Ports
Disabling the unsecure host server ports is error-prone. Here is some background on what is actually changed and how to undo it if something has gone wrong.
Navigator disables the unsecure ports by applying a port restriction on those ports. This can be seen in Navigator at Network > TCP/IP Configuration > TCP/IP Configuration Properties > Port Restrictions. Below is an example where the unsecure port was disabled for the Net Print server only.

In the above example, the port restriction was applied to just one port. This table groups contiguous port restrictions together: if the user selected all 7 servers, the QWEBADMIN row represents a range of 7 ports (start and end) rather than the single port shown above.
The Host Servers' unsecure ports are the range 8470-8476. To re-enable these unsecure ports, remove the QWEBADMIN port restrictions on ports 8470-8476 and then restart the affected Host Servers. Restarting is best done from the TLS Configuration table in Navigator, where the status can be checked after each restart.
Document Information
Modified date:
19 December 2024
UID
ibm17179054