1.  Home
  2. MIDRANGE-L
  3. April 2026

Re: Assorted questions and musings, Re: So has anybody come up with a solution for certificate automation that will work on a Midrange box?

Jim can weigh in but I am not sure you can bypass DCM when it comes to using TLS.  It doesn't factor in until then, but that is your issue, you want to secure your connection with TLS.  What is the oldest version of IBM i that you are running?  There could be an issue with TLS protocol support and ciphers depending upon the OS version.

It does seem to me that you could script a solution.  That is how I ended up writing the app I use for updating certs:  First I was doing it manually.  Then I discovered a Certbot script that would do most of the work but I'd have to manually import the certificates into DCM.  Then I just jumped to scripting the whole thing.

My guess would be that there would be a scripted solution for you.  You might check with Mr. Schultz to see if he has the script he referenced in the presentation.  I think this is the script and I think it's his repo: https://github.com/ChristopherSchultz/apache-tomcat-stuff/blob/main/bin/letsencrypt/lets-encrypt-renew.sh

Pete Helgren
www.petesworkshop.com
CISSP - MSCM
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals

On 4/3/2026 12:46 PM, James H. H. Lampert via MIDRANGE-L wrote:
On 4/3/26 10:29 AM, Jim Oberholtzer wrote:
It is Apache in current versions.

Realize that James is often times referring to very, very old OS versions.  Prior to adopting Apache, IBM had their own HTTP server that was a branch of Apache (not entirely accurate but close enough)

Very true, I'm afraid.

When it became apparent that (1) DCM was an enormous pain in the butt, and (2) the simplest, easiest to maintain solution for the web front-end on our CRM application was to run it in Tomcat, downloaded directly from Apache's Tomcat site, using JSSE for SSL, with the cert in a Java Keystore, I pretty much started completely ignoring what IBM was providing, other than Java support.

And on top of that, I can practically configure TLS for Tomcat in my sleep, but I don't dare do so for httpd without having the docs handy, because things can be in so many different places.

So I have no idea when it was that IBM switched from Apache-like to real Apache httpd. I am a bit puzzled. Am I to understand that you're no longer forced to use DCM? Does it still have the capability of using DCM?

--
JHHL

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.