SSL for iSeries Access for Web

To configure the HTTP server for SSL, do the following:

Step 1: Enable the Instance for SSL. Do the following:

1.	Using a browser, go to the IBM Web Administration Tool: i5IPaddress:2001/HTTPAdmin (where i5IPaddress is the name of the TCP/IP address of the IBM Power Systems.)
2.	Click on Manage > HTTP Servers and select the MWSSL instance.
3.	Click on the Security link.

4.	On the SSL with Certificate Authentication tab, click the SSL drop-down window and select Enabled.

5.	Click the drop-down window on the right to select the Server Certificate Application Name. In the following example, the Application Name is QIBM_HTTP_SERVER_MWSSL.

6.	Click Apply. This action registers the application name into the Digital Certificate Manager.

7.	On the same screen, click the SSL drop-down window and select Disabled.

8.	Click Apply.
9.	Click on Edit Configuration File.

10.

At the end of your configuration file, paste the following: Listen 44443 SetEnv HTTPS_PORT 44443 <VirtualHost *:44443> SSLAppName QIBM_HTTP_SERVER_MWSSL SSLEnable SSLCacheDisable </VirtualHost> Note: Modify the SSLAppName to be the Server Certificate Application name that you are using for your instance. In the directives Listen, SetEnv HTTPS_PORT, and Virtual Host, change the port number (44443) to be the port that you are using for your instance.

11.	Click Apply.

Step 2: Assign a certificate to your instance. Do the following:

1.	Go in the Digital Certificate Manager.

2.	Sign on the *SYSTEM Certificate Store.

3.	Go to the FASTPATH links, and select Work with server applications.

4.	On the Work with Server Applications screen, select your Server Application ID. In the following example, it is QIBM_HTTP_SERVER_MWSSL.
5.	Select Work with Application.

6.	On the next screen, select Update Certificate Assignment to assign the certificate that you want for this instance.

7.	After the Certificate is assigned to the instance, start your instance and access it using SSL (HTTPS).

Add the virtual host to IBM WebSphere to complete the link between HTTP and the WebSphere Application Server that is running iSeries Access for Web. Update the application server virtual host by using the WebSphere administrative console; do the following:

1.	Stop and start the HTTP server instance.
2.	From a Web browser, access the IBM Web Administration for iSeries GUI using the Web site http://hostname:2001/HTTPAdmin, and sign in.
3.	Select the Manage tab, and the Application Servers tab.
4.	In the Server drop-down list, select your application server.
5.	In the Tools section of the left navigation pane, click on Launch Administrative Console.
6.	Type a user name at the User ID prompt, and click on the Log In button.
7.	From the WebSphere Administration Console, expand Environment and select Virtual Hosts.
8.	Select the default_host virtual host.
9.	Click on the Host Aliases link.
10.	Click on the New button. For the Host Name, use *, and type your HTTPS port for the Port value (34096 in this example).
11.	Click on the Apply button.
12.	In the Messages dialog box, click Save, and then click the Save button.
13.	From the left navigation pane, expand Servers, then click on Web servers.
14.	Select the check box next to your HTTP server (for example, IHS_hostname_WEBSERVE), and then click on the Generate Plug-in button.
15.	Stop and start your WebSphere Application Server using the IBM Web Administration for iSeries GUI.

Note: With the Integrated Application Server, there is no Administration console.

To update the IAS server, you should do the following:

1. Go to the ADMIN GUI, HTTP Web Administration, Manage tab.
2. Click the Application Servers tab.
3. Select your integrated Application Server instance.
4. On the right, expand Server Properties.
5. Select View HTTP Servers.
6. Select Change Port.
7. Add the secure port number.

The Web Admin GUI currently does not have a mechanism to update the lwi-plugin-cfg.xml with both secure and non-secure ports. It only has the one that is defined at server creation time. A secured port can be added manually to the lwi-plugin-cfg.xml. The file name will change with the 8.5 Integrated Web Application Server to ias-plugin-cfg.xml.

In the lwi-plugin-cfg.xml, you may see something like this:

<VirtualHostGroup Name="virtualHosts">
<VirtualHost Name="*:80"/>
</VirtualHostGroup>

To add a secure port, you should manually modify the file as shown below:

<VirtualHostGroup Name="virtualHosts">
<VirtualHost Name="*:80"/>
<VirtualHost Name="*:443"/>
</VirtualHostGroup>

After the change is made, the server would need to be ended and restarted to allow both secure and non-secure requests.

Refer to the following Web site from the WebSphere Application Server Information Center for additional information about virtual hosts:
http://www.ibm.com/support/knowledgecenter/ssw_i5_54/rzamy/50/admin/acvhost.htm

Important Note:
If you are using an 8.5 Integrated Web Application Server, you must add this extra configuration change to the ias-plugin-cfg.xml file.

Locate this line toward the top of the configuration:
<Config RefreshInterval="300">

Change it to look like the following:
<Config RefreshInterval="300" UseInsecure="true">