ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaie_5.4.0.1/rzaiejklenablessl.htm


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="topic" />
<meta name="DC.Title" content="JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP Server (powered by Apache)" />
<meta name="abstract" content="This scenario discusses how to enable SSL protection." />
<meta name="description" content="This scenario discusses how to enable SSL protection." />
<meta name="DC.Relation" scheme="URI" content="rzaiescenarios.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiejklenablessl" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP
Server (powered by Apache)</title>
</head>
<body id="rzaiejklenablessl"><a name="rzaiejklenablessl"><!-- --></a>
<h1 class="topictitle1">JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP
Server (powered by Apache)</h1>
<div><p>This scenario discusses how to enable SSL protection.</p>
<div class="important"><span class="importanttitle">Important:</span> Information
for this topic supports the latest PTF levels for HTTP Server for i5/OS.
It is recommended that you install the latest PTFs to upgrade to the latest
level of the HTTP Server for i5/OS. Some of the topics documented here are
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information.</div>
<div class="section"><h4 class="sectiontitle">Scenario</h4><p>The JKL Toy company (a fictitious company)
wants to enable Secure Sockets Layer (SSL) protection for a specific directory
on their HTTP Server (powered by Apache). The secured directory will contain
confidential corporate earnings information that only a select group of employees
and business associates will be able to access. The JKL Web administrator
has decided not to create and deploy user certificates to client browsers,
but rather use SSL so that all data exchanged with the browser is encrypted.
The JKL Web administrator will use a server certificate, basic password protection
(based upon existing iSeries™ user accounts), and standard SSL encryption
to provide access to the secured information. </p>
<div class="note"><span class="notetitle">Note:</span> Although JKL chooses
not to implement digital certificates, they must still register their HTTP
Server (powered by Apache) with the iSeries Digital Certificate Manager.</div>
</div>
<div class="section" id="rzaiejklenablessl__prerequisites"><a name="rzaiejklenablessl__prerequisites"><!-- --></a><h4 class="sectiontitle">Prerequisites</h4><ul><li>It is assumed you have read <a href="rzaiescenarios.htm">Scenarios for HTTP Server</a>.</li>
<li>It is assumed you have read and completed <a href="rzaiejklbasic.htm">JKL Toy Company creates an HTTP Server (powered by Apache)</a> or you have an existing HTTP Server (powered by Apache)
configuration.</li>
<li>It is assumed that a certificate authority (and certificate store) is
already established for the <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">iSeries Digital Certificate Manager</a>.</li>
<li>It is assumed you are familiar with Domain Name Servers (DNS).</li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Start the <span>IBM<sup>®</sup> Web Administration for i5/OS™ interface</span></h4><div class="note"><span class="notetitle">Note:</span> Enter
your <a href="rzaiesetauth.htm">Webmaster user profile username
and password</a> when prompted.</div>
<ol><li>Start a <a href="rzaieinstalling.htm#rzaieinstalling__web">Web
browser</a>.</li>
<li>Enter <strong>http://[iSeries_hostname]:2001</strong> in the location or URL field.<p>Example: http://jkl_server:2001</p>
<div class="note"><span class="notetitle">Note:</span> If you have <a href="rzaiechangeport.htm">changed your port number for the <span>IBM Web Administration for i5/OS interface</span></a>,
replace port 2001 with your port number.</div>
</li>
<li>Click <strong>IBM HTTP
Server for iSeries</strong>.</li>
</ol>
<div class="note"><span class="notetitle">Note:</span> If the <span>IBM Web Administration for i5/OS interface</span> does
not start, see <a href="rzaieinstalling.htm">Install and test the HTTP Server</a>.</div>
</div>
<div class="section"><h4 class="sectiontitle">Set up a name-based virtual host</h4><ol><li>Click the <strong>Manage</strong> tab.</li>
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
<li>Select your HTTP Server (powered by Apache) from the <strong>Server</strong> list.<p>Example:
JKLTEST</p>
</li>
<li>Select <strong>Global configuration</strong> from the <strong>Server area</strong> list.</li>
<li>Expand <strong>Server Properties</strong>.</li>
<li>Click <strong>Virtual Hosts</strong>.</li>
<li>Click the <strong>Name-based</strong> tab in the form.</li>
<li>Click <strong>Add</strong> under the <strong>Named virtual hosts</strong> table.</li>
<li>Select or enter an IP address in the <strong>IP address </strong>column.<div class="p">Example:
9.5.61.228<div class="note"><span class="notetitle">Note:</span> The IP address 9.5.61.228 used in this scenario is associated
with JKL Toy Company's iSeries hostname <strong>JKLEARNINGS</strong> and registered
by a Domain Name Server (DNS). You will need to choose a different IP address
and hostname. The <span>IBM Web Administration for i5/OS interface</span> provides
the IP addresses used by your iSeries system in the IP Address list; however,
you will need to provide the hostname associated with the address you choose.</div>
</div>
</li>
<li>Enter a port number in the <strong>Port</strong> column.<p>Example: 443</p>
<div class="note"><span class="notetitle">Note:</span> Specify
a port number other than the one currently being used for your HTTP Server
(powered by Apache) to maintain an SSL and non-SSL Web site.</div>
</li>
<li>Click <strong>Add</strong> under the <strong>Virtual host containers</strong> table in the <strong>Named
host</strong> column.<div class="note"><span class="notetitle">Note:</span> This is a table within the <strong>Named virtual hosts</strong> table
in the <strong>Named host</strong> column.</div>
</li>
<li>Enter the fully qualified server hostname for the virtual host in the <strong>Server
name</strong> column.<p>Example: www.JKLEARNINGS.org</p>
<div class="note"><span class="notetitle">Note:</span> Make sure the server
hostname you enter is fully qualified and associated with the IP address you
selected.</div>
</li>
<li>Enter a document root for the virtual host index file or welcome file
in the <strong>Document root</strong> column.<p>Example: /www/jkltest/earnings/</p>
<div class="note"><span class="notetitle">Note:</span> You
are specifying a document root that will be created below. Remember the document
root you have entered; you will be asked to enter the document root again
when creating a new directory.</div>
</li>
<li>Click <strong>Continue</strong>.</li>
<li>Click <strong>OK</strong>.</li>
</ol>
</div>
<div class="section"><h4 class="sectiontitle">Set up Listen directive for virtual host</h4><ol><li>Expand <strong>Server Properties</strong>.</li>
<li>Click <strong>General Server Configuration</strong>.</li>
<li>Click the <strong>General Settings</strong> tab in the form.</li>
<li>Click <strong>Add</strong> under the <strong>Server IP addresses and ports to listen on</strong> table.</li>
<li>Select the IP address you entered for the virtual host in the <strong>IP address</strong> column.<p>Example:
9.5.61.228</p>
</li>
<li>Enter the port number you entered for the virtual host in the <strong>Port</strong> column.<p>Example:
443</p>
</li>
<li>Click <strong>Continue</strong>.</li>
<li>Click <strong>OK</strong>.</li>
</ol>
</div>
<div class="section"><h4 class="sectiontitle">Set up the virtual host directories</h4><ol><li>Select the virtual host from the <strong>Server area</strong> list.</li>
<li>Expand <strong>HTTP Tasks and Wizards</strong>.</li>
<li>Click <strong>Add a Directory to the Web</strong>.</li>
<li>Click <strong>Next</strong>.</li>
<li>Select <strong>Static web pages and files</strong>.</li>
<li>Click <strong>Next</strong>.</li>
<li>Enter a directory name for the virtual host in the <strong>Name</strong> field.<p>Example:
/www/jkltest/earnings/</p>
</li>
<li>Click <strong>Next</strong>.</li>
<li>Enter an alias for the virtual host in the <strong>Alias</strong> field.<p>Example:
/earnings/</p>
</li>
<li>Click <strong>Next</strong>.</li>
<li>Click <strong>Finish</strong>.</li>
</ol>
<p>The document root and directory for the virtual host have been created.</p>
</div>
<div class="section"><h4 class="sectiontitle">Set up password protection via authentication</h4><ol><li>Select the directory under the virtual host from the <strong>Server area</strong> list.<p>Example:
Directory /www/jkltest/earnings</p>
</li>
<li>Expand <strong>Server Properties</strong>.</li>
<li>Click <strong>Security</strong>.</li>
<li>Click the <strong>Authentication</strong> tab in the form.</li>
<li>Select <strong>Use OS/400<sup>®</sup> profile of client</strong> under <strong>User authentication
method</strong>.</li>
<li>Enter <strong>Projected Earnings</strong> in the <strong>Authentication name or realm</strong> field.</li>
<li>Select <strong>Default server profile</strong> from the <strong>OS/400 user profile to
process requests</strong> list under <strong>Related information</strong>. When selected,
the value <strong>%%SERVER%%</strong> will be placed in the field.</li>
<li>Click <strong>Apply</strong>.</li>
<li>Click the <strong>Control Access</strong> tab in the form.</li>
<li>Click <strong>All authenticated users (valid user name and password)</strong> under <strong>Control
access based on who is making the request</strong>.</li>
<li>Click <strong>OK</strong>.</li>
</ol>
</div>
<div class="section"><h4 class="sectiontitle">Enable SSL for the virtual host</h4><ol><li>Select the virtual host from the <strong>Server area</strong> list.<p>Example: Virtual
Host *:443</p>
</li>
<li>Expand <strong>Server Properties</strong>.</li>
<li>Click <strong>Security</strong>.</li>
<li>Click the <strong>SSL with Certificate Authentication</strong> tab in the form.</li>
<li>Select <strong>Enable SSL</strong> under <strong>SSL</strong>.</li>
<li>Select <strong>QIBM_HTTP_SERVER_[server_name]</strong> from the <strong>Server certificate
application name</strong> list.<p>Example: QIBM_HTTP_SERVER_JKLTEST</p>
<div class="note"><span class="notetitle">Note:</span> Remember
the name of the server certificate. You will need to select it again in the
Digital Certificate Manager.</div>
</li>
<li>Select <strong>Do not request client certificate for connection</strong> under <strong>Client
certificates when establishing the connection</strong>.</li>
<li>Click <strong>OK</strong>.</li>
</ol>
<p>The HTTPS_PORT field sets the value of an environment variable that
is passed to CGI programs. This field is not used in this scenario.</p>
</div>
<div class="section"><h4 class="sectiontitle">Associate system certificate with HTTP Server (powered by
Apache)</h4><p>The application name (created during the SSL process) is
assigned a system certificate via the iSeries Digital Certificate Manager
(DCM). During the process of enabling SSL for a virtual host, an iSeries server
certificate must be assigned to the application name used when configuring
SSL. This task is accomplished via the Digital Certificate Manager interface
(accessed from the iSeries Tasks screen). See <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">iSeries Digital Certificate Manager</a> for
more information.</p>
<div class="note"><span class="notetitle">Note:</span> The following steps will require a user profile
with higher levels of authority than those documented for the Webmaster profile.
Web browsers will need to be restarted using the higher authority profile
to authenticate.</div>
<ol><li>Click the <strong>Related Links</strong> tab.</li>
<li>Click <strong>Digital Certificate Manager</strong>.</li>
<li>Click <strong>Select a Certificate Store</strong>.</li>
<li>Select <strong>*SYSTEM</strong>.</li>
<li>Click <strong>Continue</strong>.</li>
<li>Enter a password in the Certificate store password field.</li>
<li>Click <strong>Continue</strong>.</li>
<li>Click <strong>Manage Applications</strong>.</li>
<li>Select <strong>Update certificate assignment</strong>.</li>
<li>Click <strong>Continue</strong>.</li>
<li>Select <strong>Server</strong>.</li>
<li>Click <strong>Continue</strong>.</li>
<li>Select the appropriate application name.<div class="note"><span class="notetitle">Note:</span> Select the application name
created while enabling SSL for the virtual host directory.<p>Example: QIBM_HTTP_SERVER_JKLTEST</p>
</div>
</li>
<li>Click <strong>Update Certificate Assignment</strong>.</li>
<li>Select the appropriate certificate.</li>
<li>Click <strong>Assign New Certificate</strong>. This assigns the certificate to the
application name selected in the previous step.</li>
</ol>
</div>
<div class="section"><h4 class="sectiontitle">Restart your HTTP Server (powered by Apache)</h4><p>Select
one of the following methods:</p>
<p><strong>Manage one server</strong></p>
<ol><li>Click the <strong>Manage</strong> tab.</li>
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
<li>Select your HTTP Server from the Server list.</li>
<li>Click the <strong>Stop</strong> icon if the server is running.</li>
<li>Click the <strong>Start</strong> icon.</li>
</ol>
<p><strong>Manage all servers</strong></p>
<ol><li>Click the <strong>Manage</strong> tab.</li>
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
<li>Select <strong>All Servers</strong> from the Server list.</li>
<li>Click the <span class="uicontrol">All HTTP Servers</span> tab.</li>
<li>Select your HTTP Server name in the table.<p>Example: JKLTEST</p>
</li>
<li>Click <strong>Stop</strong> if the server is running.</li>
<li>Click <strong>Start</strong>.</li>
</ol>
<div class="note"><span class="notetitle">Note:</span> If your HTTP Server (powered by Apache) does not start, see <a href="rzaietrouble.htm">Troubleshoot</a>.</div>
</div>
<div class="section"><h4 class="sectiontitle">Test your HTTP Server (powered by Apache)</h4><ol><li>Start a new Web browser.</li>
<li>Enter <strong>https://[virtual_hostname]:[port]</strong> in the location or
URL field.<p>Example: https://www.JKLEARNINGS.org:443</p>
</li>
</ol>
<p>You will be challenged for a user name and password. After entering
an appropriate iSeries user name and password, you will see a sample homepage
(created by the Serve New Directory wizard) with the browser's security padlock
icon enabled. The padlock indicates that SSL is enabled. </p>
</div>
<div class="section"><h4 class="sectiontitle">View your HTTP Server (powered by Apache)
configuration</h4><p>Your configuration will look similar to the one shown below if you used the
example values given in this and the previous scenarios.</p>
<ol><li>Click the <strong>Manage</strong> tab.</li>
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
<li>Select your HTTP Server (powered by Apache) from the <strong>Server</strong> list.<p>Example:
JKLTEST</p>
</li>
<li>Expand <strong>Tools</strong>.</li>
<li>Click <strong>Display Configuration File</strong>.</li>
</ol>
</div>
<div class="section"><pre>LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:1975
Listen 9.5.61.228:443
DocumentRoot /www/jkltest/htdocs
ServerRoot /www/jkltest
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
NameVirtualHost 9.5.61.228:443
AccessFileName .htaccess
LogFormat "%h %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -&gt; %U" referer
LogFormat "%h %l %u %t \"%r\" %&gt;s %b" common
CustomLog logs/access_log combined
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
DirectoryIndex index.html
&lt;Directory /&gt;
Order Deny,Allow
Deny From all
&lt;/Directory&gt;
&lt;Directory /www/jkltest/htdocs&gt;
Order Allow,Deny
Allow From all
&lt;/Directory&gt;
&lt;VirtualHost 9.5.61.228:443&gt;
ServerName www.JKLEARNINGS.org
DocumentRoot /www/jkltest/earnings/
SSLEnable
SSLAppName QIBM_HTTP_SERVER_JKLTEST
SSLClientAuth None
&lt;Directory /www/jkltest/earnings&gt;
Order Allow,Deny
Allow From all
Require valid-user
PasswdFile %%SYSTEM%%
UserID %%SERVER%%
AuthType Basic
AuthName "Projected Earnings"
&lt;/Directory&gt;
Alias /earnings/ /www/jkltest/earnings/
&lt;/VirtualHost&gt;</pre>
</div>
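<p>As an added check that is not part of the original scenario or of IBM's product: the script below parses a configuration in the form shown above and verifies the security-relevant outcome of this scenario, namely that the SSL virtual host has a matching Listen directive, has SSLEnable and SSLAppName set, that <code>&lt;Directory /&gt;</code> denies access by default, and that the earnings directory requires a valid user with basic authentication. The sample configuration is constructed from the example values on this page; the function and helper names are the author's own.</p>

```python
import re
# Constructed sample, trimmed from the configuration this scenario produces.
SAMPLE_CONF = """\
Listen *:1975
Listen 9.5.61.228:443
<Directory />
Deny From all
</Directory>
<VirtualHost 9.5.61.228:443>
ServerName www.JKLEARNINGS.org
SSLEnable
SSLAppName QIBM_HTTP_SERVER_JKLTEST
SSLClientAuth None
<Directory /www/jkltest/earnings>
Require valid-user
PasswdFile %%SYSTEM%%
AuthType Basic
</Directory>
</VirtualHost>
"""
def parse(conf):
    # Node: {"d": [(name, args)], "s": {(section, arg): node}}; names are lower-cased.
    root = {"d": [], "s": {}}
    stack = [root]
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if m:  # opening tag such as <VirtualHost 9.5.61.228:443>
            node = {"d": [], "s": {}}
            stack[-1]["s"][(m.group(1).lower(), m.group(2).strip().rstrip("/"))] = node
            stack.append(node)
        elif line.startswith("</"):
            stack.pop()
        elif line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            stack[-1]["d"].append((name.lower(), args.strip().lower()))
    return root
def has(node, name, args=None):
    return any(n == name.lower() and (args is None or a == args.lower()) for n, a in node["d"])
def sect(node, name, arg):  # a trailing slash on Directory paths is not significant
    return node["s"].get((name.lower(), arg.rstrip("/")))

def check_ssl_vhost(conf, addr, docroot):
    # Returns a list of findings; an empty list means the config matches the scenario.
    tree = parse(conf)
    vh, root_dir = sect(tree, "VirtualHost", addr), sect(tree, "Directory", "/")
    prot = sect(vh, "Directory", docroot) if vh else None
    checks = [
        (has(tree, "Listen", addr), f"no Listen {addr}"),
        (root_dir and has(root_dir, "Deny", "from all"), "<Directory /> does not deny by default"),
        (vh is not None, f"no <VirtualHost {addr}>"),
        *((not vh or has(vh, d), f"virtual host lacks {d}")
          for d in ("ServerName", "SSLEnable", "SSLAppName")),
        (not vh or (prot and has(prot, "Require", "valid-user") and has(prot, "AuthType", "Basic")),
         f"{docroot} is not protected by basic authentication"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against the text from <strong>Display Configuration File</strong>; any finding it returns names the directive that is missing from the intended SSL and authentication setup.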
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiescenarios.htm" title="This topic provides information on how to use the IBM Web Administration for i5/OS interface to set up or manage your HTTP Server, step-by-step. Each task is specific and includes a usable HTTP Server configuration file when completed.">Scenarios for HTTP Server</a></div>
</div>
</div>
</body>
</html>