This scenario discusses how to enable SSL protection.
Important: Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm for more information.
Scenario
The JKL Toy company (a fictitious company) wants to enable Secure Sockets Layer (SSL) protection for a specific directory on their HTTP Server (powered by Apache). The secured directory will contain confidential corporate earnings information that only a select group of employees and business associates will be able to access. The JKL Web administrator has decided not to create and deploy user certificates to client browsers, but rather use SSL so that all data exchanged with the browser is encrypted. The JKL Web administrator will use a server certificate, basic password protection (based upon existing iSeries™ user accounts), and standard SSL encryption to provide access to the secured information.
Note: Although JKL chooses not to implement digital certificates, they must still register their HTTP Server (powered by Apache) with the iSeries Digital Certificate Manager.
Start the IBM® Web Administration for i5/OS™ interface
- Start a Web browser.
- Enter http://[iSeries_hostname]:2001 in the location or URL field.
Example: http://jkl_server:2001
- Click IBM HTTP Server for iSeries.
Set up a name-based virtual host
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server (powered by Apache) from the Server list.
Example: JKLTEST
- Select Global configuration from the Server area list.
- Expand Server Properties.
- Click Virtual Hosts.
- Click the Name-based tab in the form.
- Click Add under the Named virtual hosts table.
- Select or enter an IP address in the IP address column.
Example: 9.5.61.228
Note: The IP address 9.5.61.228 used in this scenario is associated with JKL Toy Company's iSeries hostname JKLEARNINGS and registered by a Domain Name Server (DNS). You will need to choose a different IP address and hostname. The IBM Web Administration for i5/OS interface provides the IP addresses used by your iSeries system in the IP Address list; however, you will need to provide the hostname associated with the address you choose.
- Enter a port number in the Port column.
Example: 443
Note: Specify a port number other than the one currently being used for your HTTP Server (powered by Apache) to maintain an SSL and non-SSL Web site.
- Click Add under the Virtual host containers table in the Named host column.
Note: This is a table within the Named virtual hosts table in the Named host column.
- Enter the fully qualified server hostname for the virtual host in the Server name column.
Example: www.JKLEARNINGS.org
Note: Make sure the server hostname you enter is fully qualified and associated with the IP address you selected.
- Enter a document root for the virtual host index file or welcome file in the Document root column.
Example: /www/jkltest/earnings/
Note: You are specifying a document root that will be created below. Remember the document root you have entered; you will be asked to enter the document root again when creating a new directory.
- Click Continue.
- Click OK.
Set up Listen directive for virtual host
- Expand Server Properties.
- Click General Server Configuration.
- Click the General Settings tab in the form.
- Click Add under the Server IP addresses and ports to listen on table.
- Select the IP address you entered for the virtual host in the IP address column.
Example: 9.5.61.228
- Enter the port number you entered for the virtual host in the Port column.
Example: 443
- Click Continue.
- Click OK.
Set up the virtual host directories
- Select the virtual host from the Server area list.
- Expand HTTP Tasks and Wizards.
- Click Add a Directory to the Web.
- Click Next.
- Select Static web pages and files.
- Click Next.
- Enter a directory name for the virtual host in the Name field.
Example: /www/jkltest/earnings/
- Click Next.
- Enter an alias for the virtual host in the Alias field.
Example: /earnings/
- Click Next.
- Click Finish.
The document root and directory for the virtual host have been created.
Set up password protection via authentication
- Select the directory under the virtual host from the Server area list.
Example: Directory /www/jkltest/earnings
- Expand Server Properties.
- Click Security.
- Click the Authentication tab in the form.
- Select Use OS/400® profile of client under User authentication method.
- Enter Projected Earnings in the Authentication name or realm field.
- Select Default server profile from the OS/400 user profile to process requests list under Related information. When selected, the value %%SERVER%% will be placed in the field.
- Click Apply.
- Click the Control Access tab in the form.
- Click All authenticated users (valid user name and password) under Control access based on who is making the request.
- Click OK.
Enable SSL for the virtual host
- Select the virtual host from the Server area list.
Example: Virtual Host *:443
- Expand Server Properties.
- Click Security.
- Click the SSL with Certificate Authentication tab in the form.
- Select Enable SSL under SSL.
- Select QIBM_HTTP_SERVER_[server_name] from the Server certificate application name list.
Example: QIBM_HTTP_SERVER_JKLTEST
Note: Remember the name of the server certificate application. You will need to select it again in the Digital Certificate Manager.
- Select Do not request client certificate for connection under Client certificates when establishing the connection.
- Click OK.
The HTTPS_PORT field sets the value of an environment variable that is passed to CGI programs. This field is not used in this scenario.
Associate system certificate with HTTP Server (powered by Apache)
The application name (created during the SSL process) is assigned a system certificate via the iSeries Digital Certificate Manager (DCM). During the process of enabling SSL for a virtual host, an iSeries server certificate must be assigned to the application name used when configuring SSL. This task is accomplished via the Digital Certificate Manager interface (accessed from the iSeries Tasks screen). See iSeries Digital Certificate Manager for more information.
Note: The following steps will require a user profile with higher levels of authority than those documented for the Webmaster profile. Web browsers will need to be restarted using the higher authority profile to authenticate.
- Click the Related Links tab.
- Click Digital Certificate Manager.
- Click Select a Certificate Store.
- Select *SYSTEM.
- Click Continue.
- Enter a password in the Certificate store password field.
- Click Continue.
- Click Manage Applications.
- Select Update certificate assignment.
- Click Continue.
- Select Server.
- Click Continue.
- Select the appropriate application name.
Note: Select the application name created while enabling SSL for the virtual host directory.
Example: QIBM_HTTP_SERVER_JKLTEST
- Click Update Certificate Assignment.
- Select the appropriate certificate.
- Click Assign New Certificate. This assigns the certificate to the application name selected in the previous step.
Restart your HTTP Server (powered by Apache)
Select one of the following methods:
Manage one server
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server from the Server list.
- Click the Stop icon if the server is running.
- Click the Start icon.
Manage all servers
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select All Servers from the Server list.
- Click the All HTTP Servers tab.
- Select your HTTP Server name in the table.
Example: JKLTEST
- Click Stop if the server is running.
- Click Start.
Note: If your HTTP Server (powered by Apache) does not start, see Troubleshoot.
Test your HTTP Server (powered by Apache)
- Start a new Web browser.
- Enter https://[virtual_hostname_name]:[port] in the location or URL field.
Example: https://www.JKLEARNINGS.org:443
You will be challenged for a user name and password. After entering
an appropriate iSeries user name and password, you will see a sample homepage
(created by the Serve New Directory wizard) with the browser's security padlock
icon enabled. The padlock indicates that SSL is enabled.
View your HTTP Server (powered by Apache) configuration
Your configuration will look similar to the one below if you used the example values given in this and the previous scenarios.
- Click the Manage tab.
- Click the HTTP Servers subtab.
- Select your HTTP Server (powered by Apache) from the Server list.
Example: JKLTEST
- Expand Tools.
- Click Display Configuration File.
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:1975
Listen 9.5.61.228:443
DocumentRoot /www/jkltest/htdocs
ServerRoot /www/jkltest
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
NameVirtualHost 9.5.61.228:443
AccessFileName .htaccess
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
DirectoryIndex index.html
<Directory />
Order Deny,Allow
Deny From all
</Directory>
<Directory /www/jkltest/htdocs>
Order Allow,Deny
Allow From all
</Directory>
<VirtualHost 9.5.61.228:443>
ServerName www.JKLEARNINGS.org
DocumentRoot /www/jkltest/earnings/
SSLEnable
SSLAppName QIBM_HTTP_SERVER_JKLTEST
SSLClientAuth None
<Directory /www/jkltest/earnings>
Order Allow,Deny
Allow From all
Require valid-user
PasswdFile %%SYSTEM%%
UserID %%SERVER%%
AuthType Basic
AuthName "Projected Earnings"
</Directory>
Alias /earnings/ /www/jkltest/earnings/
</VirtualHost>
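The configuration above ties the three parts of the scenario together: the Listen directive for the SSL port, the SSLEnable/SSLAppName directives on the virtual host (the application name is what DCM assigns the certificate to), and the password-protected Directory placed inside that SSL virtual host so that the Basic authentication exchange never crosses the network unencrypted. The following script is an added example, not part of the IBM documentation or of the HTTP Server product: it parses the directive/container syntax of the displayed file (trimmed to the lines the checks read) and verifies those three properties, plus the note's requirement that the SSL site keeps a port separate from the non-SSL site. The NO_SSL_CONF variant is constructed to show the check firing when the "Enable SSL for the virtual host" step is skipped.

```python
import re

# Configuration displayed by "Display Configuration File" in the scenario,
# trimmed to the lines the checks below read (LogFormat, SetEnvIf and the
# htdocs blocks omitted).
SCENARIO_CONF = """\
Listen *:1975
Listen 9.5.61.228:443
NameVirtualHost 9.5.61.228:443
<VirtualHost 9.5.61.228:443>
ServerName www.JKLEARNINGS.org
SSLEnable
SSLAppName QIBM_HTTP_SERVER_JKLTEST
SSLClientAuth None
<Directory /www/jkltest/earnings>
Require valid-user
PasswdFile %%SYSTEM%%
UserID %%SERVER%%
AuthType Basic
AuthName "Projected Earnings"
</Directory>
Alias /earnings/ /www/jkltest/earnings/
</VirtualHost>
"""

# Constructed variant: the same file as it would look if the "Enable SSL for
# the virtual host" step had been skipped.  Basic authentication would then
# send the iSeries user name and password across the network in the clear.
NO_SSL_CONF = SCENARIO_CONF.replace("SSLEnable\n", "").replace(
    "SSLAppName QIBM_HTTP_SERVER_JKLTEST\n", "")

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")


def parse(text):
    """Parse 'Key value' directives and <Container arg> blocks into a tree."""
    root = {"type": "root", "arg": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if len(stack) < 2 or stack[-1]["type"] != m.group(1):
                raise ValueError("unbalanced container: " + line)
            stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            node = {"type": m.group(1), "arg": m.group(2).strip(),
                    "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        stack[-1]["directives"].append((key, value.strip()))
    if len(stack) != 1:
        raise ValueError("unclosed container <%s>" % stack[-1]["type"])
    return root


def has(node, key, value=None):
    """True if the container carries the directive (optionally with a value)."""
    return any(k.lower() == key.lower() and (value is None or v == value)
               for k, v in node["directives"])


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse(text)
    findings = []
    listens = {v for k, v in conf["directives"] if k == "Listen"}
    vhosts = [c for c in conf["children"] if c["type"] == "VirtualHost"]
    ssl_args = {v["arg"] for v in vhosts if has(v, "SSLEnable")}

    def walk(node, ssl_on):
        # A password-protected Directory must sit inside an SSL virtual host.
        for child in node["children"]:
            child_ssl = ssl_on or has(child, "SSLEnable")
            if child["type"] == "Directory" and has(child, "Require") and not child_ssl:
                findings.append("Directory %s requires a password but is "
                                "not served over SSL" % child["arg"])
            walk(child, child_ssl)

    walk(conf, False)
    for v in vhosts:
        if v["arg"] not in listens:
            findings.append("no Listen directive for virtual host " + v["arg"])
        if has(v, "SSLEnable") and not has(v, "SSLAppName"):
            findings.append("SSL enabled on %s without an SSLAppName, so no "
                            "certificate can be assigned in DCM" % v["arg"])
    # The scenario keeps the SSL site on its own port: a Listen that serves no
    # SSL virtual host must not share a port with one that does.
    plain_ports = {l.rsplit(":", 1)[-1] for l in listens - ssl_args}
    ssl_ports = {a.rsplit(":", 1)[-1] for a in ssl_args}
    for port in sorted(plain_ports & ssl_ports):
        findings.append("port %s carries both SSL and non-SSL traffic" % port)
    return findings


if __name__ == "__main__":
    for name, conf in (("scenario", SCENARIO_CONF), ("no-ssl", NO_SSL_CONF)):
        print(name, audit(conf) or ["OK"])
```

Running the script reports OK for the scenario configuration and one finding for the constructed variant. The parser only understands the flat `Key value` and `<Container arg>` forms used in this file; it is meant for a quick review of the displayed configuration, not as a replacement for the server's own syntax checking.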