× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. August 2005

RE: HELP SSL Client Side Certificate

Hi Dave,

>> I can not find one piece of information that
walks me through the entire set up, step by step. I find info on SSL , 
HTTP, DCM all seperate, but nothing putting the pieces together.

This is my first post on the list so I'll try to be helpful. I had the
exact same question when I embarked on getting SSL / HTTPS going.
Perhaps we can progressively evolve something here that will pull all
this together. Here's my starter.

If you use the guidelines below to work through the process please make
a note of anything I've missed or got wrong. Likewise anyone here please
feel free to correct/refine/expand this. Eventually we could put it on
the web somewhere with links to the relevant redbooks etc

I also developed iSeries client apps to push data out the other way. I
downloaded Scott K's HTTPLIB and developed a client app that has a certs
assigned to it for connecting out from the iseries using SSL. Access was
needed to the IFS throughout for both client and server apps, once again
Scott K to the rescue, downloaded IFSEBOOK. Many thanks to Scott, your
code was incredibly helpful and all works great.

I avoided using CGIDEV2 and coded all my own HTML generation; there was
some uncertainty about its future at the time and I couldn't get the
source code to look at which was a worry to me. Since we're only doing
simple EDI document interchange using POST there wasn't much server side
HTML to generate so I coded it within the pgms.

Background:
==========
* We're running an S20 (dev box) and an 830 (production), both on V5R2
* Requirement was to issue certs from the iseries to clients on our own
intranet.
* The iSeries server apps requested by said clients were developed in
RPGLE CGI and received POST-ed EDI data, verified it and queued it for
posting into our ERP system. 
* Use SSL on port 443 combined with basic user/password.

Here are the steps I took to get an SSL Apache website going and clients
connecting securely to it:

1. Ensure prereq LICPGM products installed: 
==========================================
* HTTP Server (5722DG1 *BASE)
* Java Tools (5722JC1 *BASE)
* Java 1.3 (5722JV1 *BASE & Opt 5) Needed for HTTP Admin server to work.
* DCM (5722SS1 opt 34)
* QSHELL (5722SS1 opt 30) not strictly necessary but useful 
* Cryptographic Access (5722AC3) OPTION(*BASE) 

* I also uninstalled Java 1.1.8

2. PTFs:
======= 
After LICPGMs I looked at PTFs. 
* Test box: I set this up first and I put on absolutely everything,
latest CUM/HIPER/database packages. Got some SQL performance degradation
(BPCS 6.02) at first which fixed itself. 
* Live box: To reduce risk I decided to not apply any PTFs. I managed to
get everything going with no additional PTFs, ~YMMV~

3. DCM Create Local Cert Authority:  
==================================
* Ensure the HTTP server Admin instance is started; WRKACTJOB and look
for ADMIN jobs in SBS QHTTPSVR; if not type STRTCPSVR SERVER(*HTTP)
HTTPSVR(*ADMIN). Do WRKACTJOB again and if it didn't start diagnostics
can probably be found in its joblog by doing WRKSPLF QTMHHTTP
* Use browser to go to HTTP Admin
http://myIseries.Fully.Qualified.Name:2001
* Click on DCM
* Create a Local Certificate Authority so you can generate and issue
Certs for your intranet users. Best to refer to redbook SG24-6168-00,
Appendix D, which walks you through it. Sorry to duck this one but the
option disappears once you've created it so I can't check out the steps.

4. Create server certificates you can assign to your website & clients: 
======================================================================
* Click (left panel) Select a Certificate Store.
* Select *SYSTEM and log in
* In the left pane click on 'Create Certificate'
* Select 'Server or client certificate'
* I selected, for signing authority, 'Local Certificate Authority (CA)'.
* The 'Create Certificate' form now appears. There is one 'gotcha' on
this. 'Common name' should be the fully qualified iseries domain name
your users will connect to, i.e. the URL string between 'https://' and
the next embedded slash. If not the browser will throw a warning message
at the user and ask them to confirm they want to trust the certificate
when it sees a mismatch between requested url and the one encoded in the
certificate data. The other fields are straightforward.

4. Create a secure website. 
==========================
I created a non SSL enabled one first, got it going and then changed it
to SSL. 
* Create a website with basic settings
* Start it, test it w/browser
* Go back into HTTP Admin, select the site and change it to SSL:
    Click on Security in left panel
    Change SSL to 'Enabled'
    Note on this form it shows you the Server certificate application
name, you use this later to assign a cert to the site. It looks like
this: QIBM_HTTP_SERVER_sitename
    I changed the HTTPS_PORT environment variable to 443 

* Display the configuration file, you should have these directives:
    Listen *:443
    SSLEngine On 
    SSLAppName QIBM_HTTP_SERVER_sitename 
    SetEnv HTTPS_PORT 443 

* If you want it to force the client to do basic login via a popup
window, and server to validate against an iseries user profile you'll
also need these directives; here within the group for the default
welcome html page:

 <Directory /www/sitename/htdocs/> 
   AuthName "LOGIN" (or whatever you want to appear on the browser login
form)
   AuthType Basic 
   PasswdFile %%SYSTEM%% 
   UserID %%CLIENT%% 
   Require valid-user 
   # Options None  
   order allow,deny  
   allow from all  
 </Directory> 

5. Assign Cert to site
======================
  Go back into DCM
  Click on 'Select a Certificate Store' in left panel.
  Select *SYSTEM
  Type password
  Expand 'Manage Applications' in left panel
  Click on 'Update certificate assignment'
  Select 'Server' and press Continue button
  Find your website's application entry QIBM_HTTP_SERVER_sitename,
select it and press Update cert...
  You should now see the Cert you created in step 4 (above). Select it
and press the Assign button.

6. Tell the server app to trust this certificate
================================================
* Click on Manage Applications > Define CA Trust List
* Select the App ID for your site QIBM_HTTP_SERVER_sitename, click
Define CA Trust List
* Select the Cert Authorities to trust, or click 'Trust All'
  
Restart the site. 

7. Export Cert public key and install in client cert store
==========================================================
* Click on 'Install Local CA Certificate on Your PC' on left panel
* Select 'Copy and paste certificate'
* Copy the encrypted public key text, from, to and including '-----BEGIN
CERTIFICATE-----' and '-----END CERTIFICATE-----'
* Open your text editor and paste in the copied public key.
* Save it as filename 'myIseriesFullyQualifiedName.cer' somewhere the
desktop client m/c can access it.
* If using Windows you can actually double click on the .cer file and
the cert should reveal it's properties.
* Import the cert into the client's cert store. Open your browser, this
assumes IE6 
* Go Tools > Internet options. 
* Click the 'Content' tab. Click 'Certificates'. Click 'Import'. The
Cert Import Wizard will open. 
* Click 'Next', Click 'Browse', select your .cer file created above.
Click 'Next'. 
* Select a suitable cert store in which to place it, e.g. Trusted
Publishers. Click 'Finish'.

8. Test
=======
* Go to the same URL as you used when you tested the insecure simple
website, before you changed it to SSL, except use https:// instead of
http:// 
* You should get a login prompt, sign in using a valid user, and
possibly a warning about the certificate that's now in play between
client and server (not clear on what triggers these warnings, anyone?). 
* Elect to trust it, and you should see the default welcome page, and
the little padlock icon in the right hand corner means you should award
yourself a beer.

9. Diagnostics
==============
* Check the error log; type wrklnk 'www/websitename/logs/*'. 
* Scroll down to the last daily error log, 5=Display 

Hope this helps,

Regards,

Mark H
Fletcher Steel Group NZ
The information contained in this document is confidential to the
addressee and is not necessarily the view of the Company. If you are not
the intended recipient, you must not peruse, use, disseminate,
distribute or copy this email or attachments. If you have received this 
in error, please notify us by return email. The Company does not
guarantee the security or reliability of this email or any attachments.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.