


Thanks for the input everyone. So, it sounds like I only need to set it up in the Apache server which makes sense. Thanks for the step by step instructions Brad. I'll give it a shot.

Dean Eshleman
Software Development Architect

Everence Financial
1110 North Main Street
PO Box 483
Goshen, IN 46527
Phone: (574) 533-9515 x3528
www.everence.com




-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Tuesday, March 03, 2015 12:23 PM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Implementing SSL for web services

1. Make a certificate request using Digital Certificate Manager.

2. Pick your favorite supplier of an SSL certificate (be careful with
V5R4... there were issues with the newer certs 2048 bit that didn't work
without the right PTFs). This can be GoDaddy, Verisign, or many other
places. Shop around.

3. Install the Certificate on your IBM i again using DCM once you get it
from the provider.

4. Create a server application name for your web services and assign your
new certificate to it using DCM.

5. Update the web instance that is running to use the certificate. You'll
also want to use port 443 which is standard for SSL (you don't HAVE to,
but it's probably a good idea). You may need to set up a redirect from
port 80 (or whatever port you're using now) to 443 as well as notify all
your users to use port 443 from now on.

Here's a sample of what's needed:

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM

# xx.xx.xx.xx is the IP address the server is running on
<VirtualHost xx.xx.xx.xx:443>
# SSLAppName is the server application name from step 4
SSLAppName SSL_WEB_SERVICE
SSLEngine On
SSLCacheDisable
</VirtualHost>

Listen xx.xx.xx.xx:443
NameVirtualHost xx.xx.xx.xx:443

# <rest of the config>

6. Stop and restart your server instance.

There may be other steps (such as the possibility you may need to import
any CAs in the CA chain first) but this is a general overview of the
process.

Brad
www.bvstools.com

On Tue, Mar 3, 2015 at 11:01 AM, Dean Eshleman <Dean.Eshleman@xxxxxxxxxxxx>
wrote:

Hi,

I need to implement SSL for our web services that are deployed in
Websphere on IBM i. They are called via the Apache HTTP server from our
own servers. The SSL requirement is coming from our auditors. I'm having
trouble figuring out where I need to turn on SSL. Do I do it in the Apache
HTTP Server, do I do it in Websphere or do I need to do it in both places?
This is Websphere 5.1 Express (I know it is an old version) running on a
V5R4 system. We do plan to upgrade this year sometime.

Part of my confusion regarding Apache is that the documentation talks
about turning on SSL for an application in Apache. In this case, I don't
have an application. Apache just forwards the requests to Websphere. I am
currently controlling who can call the web services by defining Locations
in Apache and using Allow or Deny on ip addresses. Any ideas or pointers
from anyone?

Dean Eshleman
Software Development Architect

Everence Financial
1110 North Main Street
PO Box 483
Goshen, IN 46527
Phone: (574) 533-9515 x3528
www.everence.com<http://www.everence.com/>
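Step 5 of Brad's reply mentions redirecting port 80 to 443, and Dean's original question mentions Location blocks with Allow/Deny on IP addresses. The following sketch combines the two; it is an added example, not configuration posted by anyone in the thread. The host name ws.example.com, the /services path and the address 192.0.2.10 are assumed placeholders, and the WebSphere forwarding directives are assumed to stay unchanged in the rest of the config.

```apache
# Added example. Placeholders (assumptions): ws.example.com, /services, 192.0.2.10.
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM

Listen xx.xx.xx.xx:80
Listen xx.xx.xx.xx:443

# Plain-HTTP listener: serves no content itself, it only points callers at HTTPS.
# The host name in the target must match the name in the certificate from step 3.
<VirtualHost xx.xx.xx.xx:80>
    Redirect permanent / https://ws.example.com/
</VirtualHost>

# SSL listener, using the server application name from step 4.
<VirtualHost xx.xx.xx.xx:443>
    SSLEngine On
    SSLAppName SSL_WEB_SERVICE
    SSLCacheDisable

    # The existing IP allow-list, now defined only on the encrypted listener
    # so the web services cannot be reached over plain HTTP.
    <Location /services>
        Order Deny,Allow
        Deny from all
        Allow from 192.0.2.10
    </Location>
</VirtualHost>

# <rest of the config, including the WebSphere forwarding directives>
```

Many web service clients do not re-send a POST after a 301, and the first request still crosses the network unencrypted before the redirect answers it. For server-to-server callers, changing the endpoint URL to https on the calling side is the dependable fix, with the redirect as a safety net.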



