JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP Server (powered by Apache)

This scenario discusses how to enable SSL protection.

Important: Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm for more information.

Scenario

The JKL Toy company (a fictitious company) wants to enable Secure Sockets Layer (SSL) protection for a specific directory on their HTTP Server (powered by Apache). The secured directory will contain confidential corporate earnings information that only a select group of employees and business associates will be able to access. The JKL Web administrator has decided not to create and deploy user certificates to client browsers, but rather use SSL so that all data exchanged with the browser is encrypted. The JKL Web administrator will use a server certificate, basic password protection (based upon existing iSeries™ user accounts), and standard SSL encryption to provide access to the secured information.

Note: Although JKL chooses not to implement digital certificates, they must still register their HTTP Server (powered by Apache) with the iSeries Digital Certificate Manager.

Prerequisites

Start the IBM® Web Administration for i5/OS™ interface

Note: Enter your Webmaster user profile username and password when prompted.
  1. Start a Web browser.
  2. Enter http://[iSeries_hostname]:2001 in the location or URL field.

    Example: http://jkl_server:2001

    Note: If you have changed your port number for the IBM Web Administration for i5/OS interface, replace port 2001 with your port number.
  3. Click IBM HTTP Server for iSeries.
Note: If the IBM Web Administration for i5/OS interface does not start, see Install and test the HTTP Server.

Set up a name-based virtual host

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select your HTTP Server (powered by Apache) from the Server list.

    Example: JKLTEST

  4. Select Global configuration from the Server area list.
  5. Expand Server Properties.
  6. Click Virtual Hosts.
  7. Click the Name-based tab in the form.
  8. Click Add under the Named virtual hosts table.
  9. Select or enter an IP address in the IP address column.
    Example: 9.5.61.228

    Note: The IP address 9.5.61.228 used in this scenario is associated with JKL Toy Company's iSeries hostname JKLEARNINGS and registered with a Domain Name Server (DNS). You will need to choose a different IP address and hostname. The IBM Web Administration for i5/OS interface provides the IP addresses used by your iSeries system in the IP Address list; however, you will need to provide the hostname associated with the address you choose.
  10. Enter a port number in the Port column.

    Example: 443

    Note: Specify a port number other than the one currently being used for your HTTP Server (powered by Apache) to maintain an SSL and non-SSL Web site.
  11. Click Add under the Virtual host containers table in the Named host column.
    Note: This is a table within the Named virtual hosts table in the Named host column.
  12. Enter the fully qualified server hostname for the virtual host in the Server name column.

    Example: www.JKLEARNINGS.org

    Note: Make sure the server hostname you enter is fully qualified and associated with the IP address you selected.
  13. Enter a document root for the virtual host index file or welcome file in the Document root column.

    Example: /www/jkltest/earnings/

    Note: You are specifying a document root that will be created below. Remember the document root you have entered; you will be asked to enter the document root again when creating a new directory.
  14. Click Continue.
  15. Click OK.

Set up Listen directive for virtual host

  1. Expand Server Properties.
  2. Click General Server Configuration.
  3. Click the General Settings tab in the form.
  4. Click Add under the Server IP addresses and ports to listen on table.
  5. Select the IP address you entered for the virtual host in the IP address column.

    Example: 9.5.61.228

  6. Enter the port number you entered for the virtual host in the Port column.

    Example: 443

  7. Click Continue.
  8. Click OK.

Set up the virtual host directories

  1. Select the virtual host from the Server area list.
  2. Expand HTTP Tasks and Wizards.
  3. Click Add a Directory to the Web.
  4. Click Next.
  5. Select Static web pages and files.
  6. Click Next.
  7. Enter a directory name for the virtual host in the Name field.

    Example: /www/jkltest/earnings/

  8. Click Next.
  9. Enter an alias for the virtual host in the Alias field.

    Example: /earnings/

  10. Click Next.
  11. Click Finish.

The document root and directory for the virtual host have been created.

Set up password protection via authentication

  1. Select the directory under the virtual host from the Server area list.

    Example: Directory /www/jkltest/earnings

  2. Expand Server Properties.
  3. Click Security.
  4. Click the Authentication tab in the form.
  5. Select Use OS/400® profile of client under User authentication method.
  6. Enter Projected Earnings in the Authentication name or realm field.
  7. Select Default server profile from the OS/400 user profile to process requests list under Related information. When selected, the value %%SERVER%% will be placed in the field.
  8. Click Apply.
  9. Click the Control Access tab in the form.
  10. Click All authenticated users (valid user name and password) under Control access based on who is making the request.
  11. Click OK.

Enable SSL for the virtual host

  1. Select the virtual host from the Server area list.

    Example: Virtual Host *:443

  2. Expand Server Properties.
  3. Click Security.
  4. Click the SSL with Certificate Authentication tab in the form.
  5. Select Enable SSL under SSL.
  6. Select QIBM_HTTP_SERVER_[server_name] from the Server certificate application name list.

    Example: QIBM_HTTP_SERVER_JKLTEST

    Note: Remember the name of the server certificate. You will need to select it again in the Digital Certificate Manager.
  7. Select Do not request client certificate for connection under Client certificates when establishing the connection.
  8. Click OK.

The HTTPS_PORT field sets the value of the HTTPS_PORT environment variable that is passed to CGI programs. This field is not used in this scenario.

Associate system certificate with HTTP Server (powered by Apache)

The application name (created during the SSL process) is assigned a system certificate via the iSeries Digital Certificate Manager (DCM). During the process of enabling SSL for a virtual host, an iSeries server certificate must be assigned to the application name used when configuring SSL. This task is accomplished via the Digital Certificate Manager interface (accessed from the iSeries Tasks screen). See iSeries Digital Certificate Manager for more information.

Note: The following steps will require a user profile with higher levels of authority than those documented for the Webmaster profile. Web browsers will need to be restarted using the higher authority profile to authenticate.
  1. Click the Related Links tab.
  2. Click Digital Certificate Manager.
  3. Click Select a Certificate Store.
  4. Select *SYSTEM.
  5. Click Continue.
  6. Enter a password in the Certificate store password field.
  7. Click Continue.
  8. Click Manage Applications.
  9. Select Update certificate assignment.
  10. Click Continue.
  11. Select Server.
  12. Click Continue.
  13. Select the appropriate application name.
    Note: Select the application name created while enabling SSL for the virtual host directory.

    Example: QIBM_HTTP_SERVER_JKLTEST

  14. Click Update Certificate Assignment.
  15. Select the appropriate certificate.
  16. Click Assign New Certificate. This assigns the certificate to the application name selected in the previous step.

Restart your HTTP Server (powered by Apache)

Select one of the following methods below:

Manage one server

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select your HTTP Server from the Server list.
  4. Click the Stop icon if the server is running.
  5. Click the Start icon.

Manage all servers

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select All Servers from the Server list.
  4. Click the All HTTP Servers tab.
  5. Select your HTTP Server name in the table.

    Example: JKLTEST

  6. Click Stop if the server is running.
  7. Click Start.
Note: If your HTTP Server (powered by Apache) does not start, see Troubleshoot.

Test your HTTP Server (powered by Apache)

  1. Start a new Web browser.
  2. Enter https://[virtual_hostname_name]:[port] in the location or URL field.

    Example: https://www.JKLEARNINGS.org:443

You will be challenged for a user name and password. After entering an appropriate iSeries user name and password, you will see a sample homepage (created by the Serve New Directory wizard) with the browser's security padlock icon enabled. The padlock indicates that SSL is enabled.

View your HTTP Server (powered by Apache) configuration

If you used the example values given in this scenario and the previous ones, your configuration will look similar to the one shown below.

  1. Click the Manage tab.
  2. Click the HTTP Servers subtab.
  3. Select your HTTP Server (powered by Apache) from the Server list.

    Example: JKLTEST

  4. Expand Tools.
  5. Click Display Configuration File.
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:1975
Listen 9.5.61.228:443
DocumentRoot /www/jkltest/htdocs
ServerRoot /www/jkltest
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
NameVirtualHost 9.5.61.228:443
AccessFileName .htaccess
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
DirectoryIndex index.html
<Directory />
	Order Deny,Allow
	Deny From all
</Directory>
<Directory /www/jkltest/htdocs>
	Order Allow,Deny
	Allow From all
</Directory>
<VirtualHost 9.5.61.228:443>
	ServerName www.JKLEARNINGS.org
	DocumentRoot /www/jkltest/earnings/
	SSLEnable
	SSLAppName QIBM_HTTP_SERVER_JKLTEST
	SSLClientAuth None
	<Directory /www/jkltest/earnings>
		Order Allow,Deny
		Allow From all
		Require valid-user
		PasswdFile %%SYSTEM%%
		UserID %%SERVER%%
		AuthType Basic
		AuthName "Projected Earnings"
	</Directory>
	Alias /earnings/ /www/jkltest/earnings/
</VirtualHost>
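As an added check, written for this page and not part of IBM's documentation or the product, the following Python script parses a configuration like the one displayed above and verifies the pieces that the password-protection and SSL sections of this scenario wire together: the SSL module is loaded, the virtual host's address:port has matching Listen and NameVirtualHost entries, an SSL-enabled virtual host names its SSLAppName, and every directory that uses Require valid-user (Basic authentication) sits inside an SSL-enabled virtual host, so user profile passwords are never sent over the non-SSL listener. The parser is hand-written and understands only the directives used here; both sample configurations are constructed for the example (the first mirrors the displayed configuration, the second omits the Listen directive and SSLEnable to show what the check reports).

```python
"""Consistency check for the SSL virtual-host pattern in an HTTP Server
(powered by Apache) configuration. Added example; not IBM code."""
import re

# Constructed sample: a copy of the configuration produced by the scenario.
SAMPLE_CONFIG = """
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:1975
Listen 9.5.61.228:443
DocumentRoot /www/jkltest/htdocs
NameVirtualHost 9.5.61.228:443
<Directory />
    Order Deny,Allow
    Deny From all
</Directory>
<VirtualHost 9.5.61.228:443>
    ServerName www.JKLEARNINGS.org
    DocumentRoot /www/jkltest/earnings/
    SSLEnable
    SSLAppName QIBM_HTTP_SERVER_JKLTEST
    SSLClientAuth None
    <Directory /www/jkltest/earnings>
        Order Allow,Deny
        Allow From all
        Require valid-user
        PasswdFile %%SYSTEM%%
        UserID %%SERVER%%
        AuthType Basic
        AuthName "Projected Earnings"
    </Directory>
    Alias /earnings/ /www/jkltest/earnings/
</VirtualHost>
"""

# Constructed sample with two mistakes: no Listen for port 443, no SSLEnable.
BROKEN_CONFIG = """
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:1975
NameVirtualHost 9.5.61.228:443
<VirtualHost 9.5.61.228:443>
    ServerName www.JKLEARNINGS.org
    SSLAppName QIBM_HTTP_SERVER_JKLTEST
    <Directory /www/jkltest/earnings>
        Require valid-user
        AuthType Basic
        AuthName "Projected Earnings"
    </Directory>
</VirtualHost>
"""


def _container():
    return {"directives": {}, "dirs": []}


def parse_config(text):
    """Parse the top level, <VirtualHost> and <Directory> containers.
    Directive names are lower-cased keys; values are lists of argument strings."""
    top = _container()
    top["vhosts"] = []
    current, vhost, directory = top, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if m:
            vhost = _container()
            vhost["addr"] = m.group(1).strip()
            current = vhost
            continue
        if line.lower() == "</virtualhost>":
            top["vhosts"].append(vhost)
            vhost, current = None, top
            continue
        m = re.match(r"<Directory\s+([^>]+)>$", line, re.I)
        if m:
            directory = {"path": m.group(1).strip(), "directives": {}}
            current = directory
            continue
        if line.lower() == "</directory>":
            owner = vhost if vhost is not None else top
            owner["dirs"].append(directory)
            directory, current = None, owner
            continue
        parts = line.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        current["directives"].setdefault(parts[0].lower(), []).append(args)
    return top


def check_ssl_vhost(cfg):
    """Return a list of findings; an empty list means the pattern is complete."""
    findings = []
    listens = {a.strip() for a in cfg["directives"].get("listen", [])}
    named = {a.strip() for a in cfg["directives"].get("namevirtualhost", [])}
    if "ibm_ssl_module" not in " ".join(cfg["directives"].get("loadmodule", [])):
        findings.append("ibm_ssl_module is not loaded")
    for vh in cfg["vhosts"]:
        addr, ssl = vh["addr"], "sslenable" in vh["directives"]
        if addr not in listens:
            findings.append(f"no Listen directive for {addr}")
        if addr not in named:
            findings.append(f"no NameVirtualHost directive for {addr}")
        if ssl and not vh["directives"].get("sslappname", [""])[0]:
            findings.append(f"{addr}: SSLEnable without SSLAppName")
        for d in vh["dirs"]:
            if "require" in d["directives"] and not ssl:
                findings.append(f"{addr}: {d['path']} requires a password "
                                "but the virtual host is not SSL-enabled")
    for d in cfg["dirs"]:  # protected directories outside any virtual host
        if "require" in d["directives"]:
            findings.append(f"{d['path']} requires a password outside an "
                            "SSL-enabled virtual host")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_ssl_vhost(parse_config(text)) or "OK")
```

Run it against the output of Display Configuration File by pasting that text in place of SAMPLE_CONFIG; the check only reads the directives shown in this scenario, so a finding of "not SSL-enabled" for the earnings directory means the Require directive has landed outside the SSL virtual host and the Basic-authentication credentials would travel over port 1975 in the clear.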