Secure Sockets Layer Support
This section provides guidelines for configuring Secure Sockets Layer (SSL) support for the aXes Application Server.
Setting up SSL for aXesW3
Secure Sockets Layer (SSL) Requirements
Secure Sockets Layer (SSL) support on IBM i requires the following IBM components installed:
- One of the Cryptographic Access Provider versions:
- Crypto Access Provider 40-bit for AS/400.
- Crypto Access Provider 56-bit for AS/400.
- Cryptographic Access Provider 128-bit.
- IBM i Digital Certificate Manager (DCM), or a later version.
SSL locates the correct certificate through the use of an application identifier.
Configuring aXes Application Server
- Use IBM’s Digital Certificate Manager to define an application identifier.
- Edit the aXes Application Server configuration file and update the following directives.
- #SSLOnly=1
- SSLPort=443
- SSLAppID=<application identifier>
- You must also ensure that the AXES user profile has read (*R) authority to the certificate files and execute (*X) authority to any directories in the certificate path.
- The path for the *SYSTEM certificate store is:
- /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB
- /QIBM/UserData/ICSS/Cert/Server/DEFAULT.RDB
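The authority requirement above (read authority on the certificate store files, execute authority on every directory leading to them) is easy to get wrong on one directory in the chain. The following QShell script is an added example, not part of the aXes documentation: run it from a QShell session signed on as the AXES profile (an assumption of this example) and it walks the path component by component, reporting the first directory or file the profile cannot access. The certificate store paths are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the aXes documentation): verify that the current
# user (run this as the AXES profile) holds *X authority on every directory
# of the certificate path and *R authority on the certificate store file.

# check_cert_access FILE
# Returns 0 when FILE is readable and every directory on its path is
# searchable by the current user; prints the first failing component and
# returns 1 otherwise.
check_cert_access() {
    file=$1
    # Make relative paths absolute so the directory walk starts at the root.
    case $file in
        /*) ;;
        *) file="$PWD/$file" ;;
    esac
    dir=$(dirname "$file")

    # Split the directory on "/" and check each prefix in turn.
    acc=""
    oldifs=$IFS
    IFS=/
    for part in $dir; do
        IFS=$oldifs
        [ -z "$part" ] && continue
        acc="$acc/$part"
        if [ ! -x "$acc" ]; then
            echo "missing *X authority on directory: $acc"
            return 1
        fi
    done
    IFS=$oldifs

    if [ ! -r "$file" ]; then
        echo "missing *R authority on file: $file"
        return 1
    fi
    echo "ok: $file"
    return 0
}

# Usage on IBM i, with the *SYSTEM store paths given in the documentation:
#   check_cert_access /QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB
#   check_cert_access /QIBM/UserData/ICSS/Cert/Server/DEFAULT.RDB
```

A non-zero return names the exact directory or file that needs authority granted (for example with CHGAUT from a CL command line), which is more useful than the generic SSL start-up failure the server reports when the profile cannot open the store.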
Configuring TLSv1.2 on IBM i 7.1
- Check if TLSv1.2 is enabled on the system.
- Use WRKSYSVAL QSSLPCL. If the value is set as *OPSYS, change it to:
- *TLSV1.2
- *TLSV1.1
- *TLSV1
- *SSLV3
- If QSSLPCL is set to something other than *OPSYS, just add *TLSV1.2 and *TLSV1.1.
- After setting the above, TLSv1.2 can be selected in the application definition using the Digital Certificate Manager.
- In the DCM, set the SSL protocols to *PGM or tick the TLS1.2 check box.
Setting up SSL for aXesJSM
This guide assumes that the aXes product is installed and working and that you are using aXesJSM.
QShell
Launch the QShell on IBM i by typing QSH on the command line.
Generate the keystore
Use the keytool command from the Java toolkit to generate a keystore at the following location: /axesjsm/jsm/instance/pki/wwwssl.jks. The command below is an example; change the keypass, storepass and keystore location to your own values.
keytool -genkeypair -alias sslkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=10.2.0.1,OU=aXes,O=LANSSSLA,L=Inc,S=Sydney,C=AU" -ext san=ip:10.2.0.1 -validity 9999 -keypass password -keystore /axesjsm/jsm/instance/pki/wwwssl.jks -storepass password -v
Edit the axesJSM config file
Edit the aXesJSM config file (httpd.xml) by changing the secure attribute of the listen element from "false" to "true", and make sure the store and password values match the keystore you created above.
From
<listen port="8420" interface="*ALL" backlog="256" secure="false" store="pki/wwwssl.jks" password="password" sslprotocol="TLSV1.2" buffersend="-1" bufferreceive="-1" nodelay="false" timeout="5"/>
To
<listen port="8420" interface="*ALL" backlog="256" secure="true" store="pki/wwwssl.jks" password="password" sslprotocol="TLSV1.2" buffersend="-1" bufferreceive="-1" nodelay="false" timeout="5"/>
Note: when the secure option is activated, the server only provides HTTPS connections. If you want HTTP, set the secure option above to false. You cannot have HTTP and HTTPS connections turned on simultaneously.
Export the CA certificate
Use the keytool command in QSH to export the CA certificate from the keystore, as in the example below.
keytool -exportcert -alias sslkey -keystore /axesjsm/jsm/instance/pki/wwwssl.jks -storepass password -file /axesjsm/jsm/instance/pki/axes.cer -v
Replace the keystore location and storepass value with the settings used when creating the keystore.
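The keystore generation, the httpd.xml edit and the certificate export above are three separate manual steps that must agree on the keystore path and password. The QShell script below is an added example, not part of the aXes documentation or the aXesJSM product: it puts the shared values in variables, wraps the two keytool commands in functions, and switches the listen element from secure="false" to secure="true" with a backup of the original file. It assumes keytool is on the PATH in QShell; the IP address, distinguished-name fields, passwords and validity period are placeholders to replace with your own values (the page's own example uses a 9999-day validity).

```shell
#!/bin/sh
# Added example (not from the aXes documentation): keystore creation,
# httpd.xml listener switch and certificate export for aXesJSM, driven by
# one set of variables so the three steps cannot drift apart.

# Shared settings. Paths are the ones given in the documentation; the host
# IP, validity and DN fields below are constructed placeholders.
KEYSTORE=${KEYSTORE:-/axesjsm/jsm/instance/pki/wwwssl.jks}
CERT_OUT=${CERT_OUT:-/axesjsm/jsm/instance/pki/axes.cer}
HOST_IP=${HOST_IP:-10.2.0.1}
VALID_DAYS=${VALID_DAYS:-825}

# gen_keystore STOREPASS KEYPASS
# Creates an RSA-2048 key pair with a SHA-256 self-signed certificate whose
# subject alternative name is the host IP, matching the documented command.
gen_keystore() {
    keytool -genkeypair -alias sslkey -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA \
        -dname "CN=$HOST_IP,OU=aXes,O=Example,L=Sydney,S=NSW,C=AU" \
        -ext "san=ip:$HOST_IP" -validity "$VALID_DAYS" \
        -keypass "$2" -keystore "$KEYSTORE" -storepass "$1" -v
}

# export_cert STOREPASS
# Writes the certificate to CERT_OUT so it can be imported into the browser
# trust store (the "Install CA in User Browser" step).
export_cert() {
    keytool -exportcert -alias sslkey -keystore "$KEYSTORE" \
        -storepass "$1" -file "$CERT_OUT" -v
}

# enable_https HTTPD_XML
# Keeps a .bak copy, then rewrites secure="false" to secure="true" on the
# <listen .../> element only. Returns 1 if the result is still not secure.
enable_https() {
    cfg=$1
    cp "$cfg" "$cfg.bak" || return 1
    sed 's/\(<listen [^>]*secure="\)false"/\1true"/' "$cfg.bak" > "$cfg"
    listener_is_secure "$cfg"
}

# listener_is_secure HTTPD_XML
# Returns 0 when the listener will serve HTTPS only.
listener_is_secure() {
    grep -q '<listen [^>]*secure="true"' "$1"
}

# Usage in QShell (replace the passwords with your own):
#   gen_keystore 'storepass' 'keypass'
#   enable_https /axesjsm/jsm/instance/httpd.xml
#   export_cert 'storepass'
# then restart the AXESJSM subsystem.
```

Because httpd.xml carries the keystore password in clear text (the password attribute shown above), give it the same restrictive object authorities as the keystore file itself, and keep the .bak copy under the same authorities or delete it once the change is verified.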
Restart
Restart the AXESJSM subsystem on the IBM i server for the changes to take effect.
Install CA in User Browser
Install the CA as a trusted CA on your computer to remove the insecure-certificate warning.