This section provides guidelines for configuring Secure Sockets Layer (SSL) support for the aXes Application Server.

Secure Sockets Layer (SSL) Requirements

Secure Sockets Layer (SSL) support on IBM i requires the following IBM components to be installed:

  • One of the Cryptographic Access Provider versions:
    • Crypto Access Provider 40-bit for AS/400.
    • Crypto Access Provider 56-bit for AS/400.
    • Cryptographic Access Provider 128-bit.
  • IBM i - Digital Certificate Manager or later versions.

SSL locates the correct certificate by means of an application identifier.

Configuring aXes Application Server

  1. Use IBM’s Digital Certificate Manager to define an application identifier.
  2. Edit the aXes Application Server configuration file and update the following directives.
    1. #SSLOnly=1
    2. SSLPort=443
    3. SSLAppID=<application identifier>
  3. You must also ensure that the AXES user profile has read (*R) authority to the certificate files and execute (*X) authority to any directories in the certificate path.
    1. The path for the *SYSTEM certificate store is:
      1. /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB
      2. /QIBM/UserData/ICSS/Cert/Server/DEFAULT.RDB


Configuring TLSv1.2 on IBM i 7.1

  1. Check if TLSv1.2 is enabled on the system.
    1. Use WRKSYSVAL QSSLPCL. If the value is set as *OPSYS, change it to:
      1. *TLSV1.2
      2. *TLSV1.1
      3. *TLSV1
      4. *SSLV3
    2. If QSSLPCL is set to something other than *OPSYS, just add *TLSV1.2 and *TLSV1.1.
  2. After setting the above, TLSv1.2 can be set in the application definition using the Digital Certificate Manager.
    1. In the DCM, set the SSL protocols to *PGM or tick the TLS1.2 check box.
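
A check for the two procedures above, added here as an example (it is not LANSA's code): it reads the three directives from the configuration file text and a QSSLPCL value copied from WRKSYSVAL, and reports what still needs attention. The `KEY=VALUE` layout with `#` marking an inactive line is assumed from the directives shown on this page, and `AXES_SSL_APP` is a constructed application identifier.

```python
import re

# Constructed sample inputs; AXES_SSL_APP is a made-up application identifier.
SAMPLE_CONFIG = """\
#SSLOnly=1
SSLPort=443
SSLAppID=AXES_SSL_APP
"""
SAMPLE_QSSLPCL = "*TLSV1.2 *TLSV1.1 *TLSV1 *SSLV3"

def parse_directives(text):
    """Split KEY=VALUE lines into active and '#'-prefixed (assumed inactive) sets."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = re.match(r"^\s*(#?)\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            (commented if m.group(1) else active)[m.group(2)] = m.group(3)
    return active, commented

def check_axes_ssl(config_text, qsslpcl):
    """Return (level, message) findings for the settings this page configures."""
    active, commented = parse_directives(config_text)
    findings = []
    port = active.get("SSLPort", "")
    if not (port.isdecimal() and 0 < int(port) < 65536):
        findings.append(("error", "SSLPort is missing or not a valid port"))
    app_id = active.get("SSLAppID", "")
    if not app_id or app_id.startswith("<"):
        findings.append(("error", "SSLAppID is missing or still a placeholder"))
    if "SSLOnly" not in active and "SSLOnly" in commented:
        findings.append(("info", "SSLOnly is present but commented out"))
    protocols = qsslpcl.upper().split()
    if protocols == ["*OPSYS"]:
        findings.append(("error", "QSSLPCL is *OPSYS; list the protocols explicitly"))
    elif "*TLSV1.2" not in protocols:
        findings.append(("error", "QSSLPCL does not include *TLSV1.2"))
    return findings

if __name__ == "__main__":
    for level, message in check_axes_ssl(SAMPLE_CONFIG, SAMPLE_QSSLPCL):
        print(f"{level}: {message}")
```
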

aXes is brought to you by:

LANSA
