RE: How do I configure HTTPS on IBM i 6.1?

I appreciate all the advice - now, to get the cert, set up the testbed and
give it a go...

Tom


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Friday, December 14, 2012 9:36 AM
To: Midrange Systems Technical Discussion
Subject: Re: How do I configure HTTPS on IBM i 6.1?

What I'm saying is it DOES happen, as you did. So, even though you may find
a config file using your method, it doesn't mean it's the right one.

If you look at the right member in QATMHINSTC, or even if the job for the
server is running (the first job) it will be listed and there's zero chance
of a wild goose chase or wondering why your changes made zero effect.

There is no obfuscation if you know where to look. Which should be part of
an admin's job. It's nothing like hardcoding a library list.

Brad
www.bvstools.com


On Fri, Dec 14, 2012 at 9:13 AM, DrFranken <midrange@xxxxxxxxxxxx> wrote:

Oh sure, confuse the poor guy. :-)

YES you can move stuff like that around and it Does Happen. *I* don't
recommend it because obfuscates the configuration for all future
generations..... unless you remember QUSRSYS/QATMHINSTC.

Sorta like one of my customers where the library list was hard coded
into the routing program for the subsystems and to get a different
list you used different routing data. Yeah that was obvious....

- DrF

On 12/14/2012 9:38 AM, Bradley Stone wrote:

Not necessarily.

First find the instance name, then look in the instance source for
the location of the configuration file.

QUSRSYS/QATMHINSTC member name of the instance name. That will
contain information for the location of the configuration file.


On Thu, Dec 13, 2012 at 9:08 PM, DrFranken <midrange@xxxxxxxxxxxx>

wrote:

OK That's an easy one. /www/<servername>/conf/httd.conf

- DrFranken
On 12/13/2012 5:42 PM, Tom Hightower wrote:

Ok, so the next question:

Where are the apache configs stored on IBM i? I'd like to copy the
current non-SSL one, make changes to the copy and try all this out.

Tom

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Porterfield,

Sean

Sent: Thursday, December 13, 2012 4:11 PM
To: Midrange Systems Technical Discussion
Subject: RE: How do I configure HTTPS on System i v6r1?

I've not done it on IBM i, but Apache on other servers has
redirected

me

to

the requested page, not just the root of the new site. One config
line

to

rule them all ;)

Example: http://porterfield.net/west/whois.html redirects to
http://west.porterfield.net/whois.html based on Redirect Permanent

/west/

http://west.porterfield.net/

So the /west/ is matched and replaced; the rest of the URI is left
and returned.

If you wanted http://idocket.com/secure to go to

https://secure.idocket.com

then you'd need another redirect entry.
--
Sean Porterfield


-----Original Message-----
From: Tom Hightower
Sent: Thursday, December 13, 2012 17:04
To: 'Midrange Systems Technical Discussion'
Subject: RE: How do I configure HTTPS on System i v6r1?

Ok, so if I create a Redirect Permant / https://idocket.com

Then a user enters this as URL: http://idocket.com

They'll be redirected to: https://idocket.com

Right?


How about if they enter: http://idocket.com/subscribe

Will they be redirected to: https://idocket.com/subscribe ?

Or do I need another Redirect Permanent config line?

TomH


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Porterfield,

Sean

Sent: Thursday, December 13, 2012 3:21 PM
To: Midrange Systems Technical Discussion
Subject: RE: How do I configure HTTPS on System i v6r1?

One way to do it is change your existing configuration to use SSL
then

add a

new section to listen on port 80 and put in Redirect Permanent /
https://idocket.com
--
Sean Porterfield


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Tom
Hightower
Sent: Thursday, December 13, 2012 15:15
To: 'Midrange Systems Technical Discussion'
Subject: RE: How do I configure HTTPS on System i v6r1?

I like the idea of using https for the whole site, it would make
configuration a lot easier, though there are A LOT of macro
changes

that

would need to be made. But it brings some questions:

- suppose someone enters http://idocket.com as the URL; how do I
get

that to

auto-route to https://idocket.com ?
-- would that be a change in our DNS host config setting, or a web

server

config directive change?

TomH

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rich Loeber
Sent: Thursday, December 13, 2012 10:59 AM
To: Midrange Systems Technical Discussion
Subject: Re: How do I configure HTTPS on System i v6r1?

Tom,

I ran into this a little while ago and slogged through it myself.

I

ended
up posting a blog about the process that you might find helpful:
[1]http://www.kisco.com/ibm-i-security-tips/?p=3

Rich Loeber - @richloeber
Kisco Information Systems
[2]http://www.kisco.com

----------------------------------------------------------------------
----

On 12/13/2012 11:34 AM, Tom Hightower wrote:

I have the following website, hosted on the System i:
[3]http://idocket.com

Clicking Register now on that homepage takes you to:
[4]https://secure.idocket.com/idocket/register.asp

As you can infer from the .asp, the https is hosted on a
Windows

server on

our internal network.

Management wants to move the https from the Windows server onto
our

System

I, and I'm all in on that. But it's been quite a long time (10
years?)

and

many OS releases since I've done that. Can someone point me to a
guide

that

walks me thru getting that up and going?

Thanks,
TomH

References

Visible links
1. http://www.kisco.com/ibm-i-security-tips/?p=3
2. http://www.kisco.com/
3. http://idocket.com/
4. https://secure.idocket.com/idocket/register.asp
--


This email is confidential, intended only for the named
recipient(s)

above

and may contain information that is privileged. If you have
received

this

message in error or are not the named recipient(s), please notify
the

sender

immediately and delete this email message from your computer as
any and

all

unauthorized distribution or use of this message is strictly

prohibited.

Thank you.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,

unsubscribe,

or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take

a

moment to review the archives at

http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.