Thanks so much. I'll work my way through this.

-----Original Message-----
From: WEB400 <web400-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Brad Stone
Sent: Tuesday, May 31, 2022 4:27 PM
To: Web Enabling the IBM i (AS/400 and iSeries) <web400@xxxxxxxxxxxxxxxxxx>
Subject: Re: [WEB400] IWS, Rest API, and HTTPS

On Tue, May 31, 2022 at 3:24 PM Stephen Piland < Stephen@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I apologize in advance if this topic has been covered ad nauseam...
We have a simple REST API that is currently running in IWS within the
firewall of the company. We'd like to open it up to outside of the
confines and want to run in a more secure way.

What are the high level steps to make this happen? We are currently
on the latest TL of 7.3 of the OS. Is there a white paper on this?

Other questions that come to mind...


1. Would we create a new Certificate Store in DCM? Can we create a
certificate for client side there? Or do we need to create and
purchase cert from 3rd party?


You'd want to purchase from a reputable place, and not use a self-signed cert unless you want to explain to everyone using it how to import your own Certificate Authority.

You could also use one from Let's Encrypt for free. You would need to renew it every 90 days. Otherwise you can get them for about $12 a year from a
place like Namecheap.com. Any place asking more than $40 or so is ripping
you off. :)


2. I believe the suggested method of comms is via TLS 1.2 or higher.
Is that a different setup?


No, just make sure what you have enabled on your system is 1.2 and up.


3. Do we create a new Web Service Server and deploy this web
service to it or can it be 'reconfigured'?


You'll want to have a way to direct it in from the internet to your firewall, and then to your IBM i's internal IP address. Most likely you'd set up a subdomain of your host, like

ws.yourcompany.com

This will point to an external IP that will point at your external firewall. Then that will route requests once past to a specific internal IP address.

I normally like to make a separate internal IP on the IBM i for things like this so that you can easily stop/start it without affecting anything else.
Then you can also block all ports that you don't need to use coming in.
Your network guys would be the best to talk to for this part of it. It's no different really than pointing to an internal web server running any other OS.



Thanks for any suggestions!!
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing list To post a message email: WEB400@xxxxxxxxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx Before posting, please
take a moment to review the archives at
https://archive.midrange.com/web400.
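
Two points from the reply above can be checked from outside the firewall once the endpoint is published: that only TLS 1.2 and up is accepted, and that the certificate validates without importing a private CA. The following is an added example, not code from anyone in this thread; the function names are hypothetical and `ws.yourcompany.com` is the placeholder hostname used in the reply.

```python
import socket
import ssl

# Versions to probe; a hardened endpoint should refuse TLS 1.0 and 1.1.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
WEAK = {"TLSv1.0", "TLSv1.1"}

def pinned_context(version):
    """Client context offering exactly one TLS version; chain and hostname
    are still validated against the system CA store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, name, timeout=5.0):
    """Classify one handshake attempt for the named protocol version."""
    try:
        ctx = pinned_context(VERSIONS[name])
    except ValueError:
        return "client-unsupported"  # local OpenSSL cannot offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"      # version negotiated, chain or name failed
    except ssl.SSLError:
        return "rejected"            # may also be local OpenSSL policy
    except OSError:
        return "unreachable"

def weak_versions_accepted(results):
    """Pre-1.2 versions for which the server got as far as a handshake."""
    negotiated = {"accepted", "untrusted-cert"}
    return sorted(n for n, r in results.items() if n in WEAK and r in negotiated)

def audit(host, port=443):
    """Probe every version; return (per-version results, weak versions)."""
    results = {name: probe(host, port, name) for name in VERSIONS}
    return results, weak_versions_accepted(results)

if __name__ == "__main__":
    print(audit("ws.yourcompany.com"))  # placeholder hostname from the thread
```

An `untrusted-cert` result on TLS 1.2 or 1.3 is what outside clients would see with a self-signed certificate; a `rejected` result on the old versions should be confirmed from a client whose OpenSSL build still offers them.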



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
