Hi Dave,

>> I can not find one piece of information that walks me through the entire set up, step by step. I find info on SSL, HTTP, DCM all separate, but nothing putting the pieces together.

This is my first post on the list so I'll try to be helpful. I had the exact same question when I embarked on getting SSL / HTTPS going. Perhaps we can progressively evolve something here that will pull all this together. Here's my starter. If you use the guidelines below to work through the process, please make a note of anything I've missed or got wrong. Likewise, anyone here please feel free to correct/refine/expand this. Eventually we could put it on the web somewhere with links to the relevant redbooks etc.

I also developed iSeries client apps to push data out the other way. I downloaded Scott K's HTTPLIB and developed a client app that has a cert assigned to it for connecting out from the iSeries using SSL. Access was needed to the IFS throughout for both client and server apps; once again Scott K to the rescue, downloaded IFSEBOOK. Many thanks to Scott, your code was incredibly helpful and all works great.

I avoided using CGIDEV2 and coded all my own HTML generation; there was some uncertainty about its future at the time and I couldn't get the source code to look at, which was a worry to me. Since we're only doing simple EDI document interchange using POST there wasn't much server side HTML to generate, so I coded it within the pgms.

Background:
==========
* We're running an S20 (dev box) and an 830 (production), both on V5R2.
* Requirement was to issue certs from the iSeries to clients on our own intranet.
* The iSeries server apps requested by said clients were developed in RPGLE CGI and received POST-ed EDI data, verified it and queued it for posting into our ERP system.
* Use SSL on port 443 combined with basic user/password.

Here are the steps I took to get an SSL Apache website going and clients connecting securely to it:

1. Ensure prereq LICPGM products installed:
==========================================
* HTTP Server (5722DG1 *BASE)
* Java Tools (5722JC1 *BASE)
* Java 1.3 (5722JV1 *BASE & Opt 5). Needed for HTTP Admin server to work.
* DCM (5722SS1 opt 34)
* QSHELL (5722SS1 opt 30), not strictly necessary but useful
* Cryptographic Access (5722AC3) OPTION(*BASE)
* I also uninstalled Java 1.1.8.

2. PTFs:
=======
After LICPGMs I looked at PTFs.
* Test box: I set this up first and I put on absolutely everything, latest CUM/HIPER/database packages. Got some SQL performance degradation (BPCS 6.02) at first which fixed itself.
* Live box: To reduce risk I decided to not apply any PTFs. I managed to get everything going with no additional PTFs, ~YMMV~

3. DCM Create Local Cert Authority:
==================================
* Ensure the HTTP server Admin instance is started: WRKACTJOB and look for ADMIN jobs in SBS QHTTPSVR; if not, type STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN). Do WRKACTJOB again and if it didn't start, diagnostics can probably be found in its joblog by doing WRKSPLF QTMHHTTP.
* Use browser to go to HTTP Admin: http://myIseries.Fully.Qualified.Name:2001
* Click on DCM.
* Create a Local Certificate Authority so you can generate and issue certs for your intranet users. Best to refer to redbook SG24-6168-00, Appendix D, which walks you through it. Sorry to duck this one but the option disappears once you've created it so I can't check out the steps.

4. Create server certificates you can assign to your website & clients:
======================================================================
* Click (left panel) 'Select a Certificate Store'.
* Select *SYSTEM and log in.
* In the left pane click on 'Create Certificate'.
* Select 'Server or client certificate'.
* I selected, for signing authority, 'Local Certificate Authority (CA)'.
* The 'Create Certificate' form now appears. There is one 'gotcha' on this. 'Common name' should be the fully qualified iSeries domain name your users will connect to, i.e. the URL string between 'https://' and the next embedded slash. If not, the browser will throw a warning message at the user and ask them to confirm they want to trust the certificate when it sees a mismatch between the requested URL and the one encoded in the certificate data. The other fields are straightforward.

4. Create a secure website.
==========================
I created a non-SSL-enabled one first, got it going and then changed it to SSL.
* Create a website with basic settings.
* Start it, test it w/browser.
* Go back into HTTP Admin, select the site and change it to SSL:
  Click on Security in left panel.
  Change SSL to 'Enabled'.
  Note on this form it shows you the Server certificate application name; you use this later to assign a cert to the site. It looks like this: QIBM_HTTP_SERVER_sitename
  I changed the HTTPS_PORT environment variable to 443.
* Display the configuration file; you should have these directives:
    Listen *:443
    SSLEngine On
    SSLAppName QIBM_HTTP_SERVER_sitename
    SetEnv HTTPS_PORT 443
* If you want it to force the client to do basic login via a popup window, and the server to validate against an iSeries user profile, you'll also need these directives; here within the group for the default welcome html page:
    <Directory /www/sitename/htdocs/>
    AuthName "LOGIN"   (or whatever you want to appear on the browser login form)
    AuthType Basic
    PasswdFile %%SYSTEM%%
    UserID %%CLIENT%%
    Require valid-user
    # Options None
    order allow,deny
    allow from all
    </Directory>

5. Assign Cert to site
======================
* Go back into DCM.
* Click on 'Select a Certificate Store' in left panel.
* Select *SYSTEM.
* Type password.
* Expand 'Manage Applications' in left panel.
* Click on 'Update certificate assignment'.
* Select 'Server' and press Continue button.
* Find your website's application entry QIBM_HTTP_SERVER_sitename, select it and press 'Update cert...'.
* You should now see the cert you created in step 4 (above). Select it and press the Assign button.

6. Tell the server app to trust this certificate
================================================
* Click on Manage Applications > Define CA Trust List.
* Select the App ID for your site QIBM_HTTP_SERVER_sitename, click Define CA Trust List.
* Select the Cert Authorities to trust, or click 'Trust All'.
* Restart the site.

7. Export Cert public key and install in client cert store
==========================================================
* Click on 'Install Local CA Certificate on Your PC' on left panel.
* Select 'Copy and paste certificate'.
* Copy the encrypted public key text, from, to and including '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----'.
* Open your text editor and paste in the copied public key.
* Save it as filename 'myIseriesFullyQualifiedName.cer' somewhere the desktop client m/c can access it.
* If using Windows you can actually double click on the .cer file and the cert should reveal its properties.
* Import the cert into the client's cert store. Open your browser; this assumes IE6.
* Go Tools > Internet options.
* Click the 'Content' tab. Click 'Certificates'. Click 'Import'. The Cert Import Wizard will open.
* Click 'Next', Click 'Browse', select your .cer file created above. Click 'Next'.
* Select a suitable cert store in which to place it, e.g. Trusted Publishers. Click 'Finish'.

8. Test
=======
* Go to the same URL as you used when you tested the insecure simple website, before you changed it to SSL, except use https:// instead of http://
* You should get a login prompt; sign in using a valid user, and possibly a warning about the certificate that's now in play between client and server (not clear on what triggers these warnings, anyone?).
* Elect to trust it, and you should see the default welcome page, and the little padlock icon in the right hand corner means you should award yourself a beer.

9. Diagnostics
==============
* Check the error log; type wrklnk 'www/websitename/logs/*'.
* Scroll down to the last daily error log, 5=Display.

Hope this helps,

Regards,
Mark H Fletcher
Steel Group NZ

The information contained in this document is confidential to the addressee and is not necessarily the view of the Company. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this email or attachments. If you have received this in error, please notify us by return email. The Company does not guarantee the security or reliability of this email or any attachments.
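The 'Common name' gotcha from step 4 and the CA export/trust of steps 7 and 8, as an added example that is not part of the original post: a throwaway local CA and server certificate built with the openssl CLI (standing in for DCM), then the check a client performs once it trusts that CA. The host name, the CA name and the file paths are assumptions.

```shell
#!/bin/sh
# Constructed example: local CA -> server cert -> client-side check,
# mirroring DCM steps 3, 4 and 7. Names and paths are assumptions.
set -e

# make_test_pki DIR HOST: create a local CA and a server cert whose
# Common Name (and SAN) is HOST, the fully qualified name users will type.
make_test_pki() {
    dir=$1; host=$2
    # Local CA, what DCM's "Create a Local Certificate Authority" produces
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Test Local CA" >/dev/null 2>&1
    # Server certificate request; CN must be the host name from the URL
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    # Also put the name in a SAN; current browsers check SAN, not CN
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    # Sign with the local CA (the "Local Certificate Authority (CA)" choice)
    openssl x509 -req -days 2 -in "$dir/srv.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/srv.pem" >/dev/null 2>&1
}

# export_ca_for_client CAFILE OUT: step 7, the BEGIN..END CERTIFICATE block
# the user pastes into a .cer file and imports on the PC.
export_ca_for_client() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
}

# verify_as_client CAFILE CERT HOST: what the browser does in step 8 once the
# CA is trusted: the cert must chain to CAFILE AND its name must match HOST.
# Returns 0 when both hold, non-zero otherwise (the "warning" case).
verify_as_client() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Usage when run directly
D=$(mktemp -d)
make_test_pki "$D" myiseries.example.com
export_ca_for_client "$D/ca.pem" "$D/myiseries.example.com.cer"
if verify_as_client "$D/myiseries.example.com.cer" "$D/srv.pem" myiseries.example.com; then
    echo "name matches and CA trusted: no browser warning"
fi
if ! verify_as_client "$D/myiseries.example.com.cer" "$D/srv.pem" other.example.com; then
    echo "requested name differs from certificate: browser would warn"
fi
```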
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.