Enable HTTPS for an HTTP Server Instance

Published: 2024-05-14

Requirements

TLS/SSL already configured on the IBM i.
User profile with *IOSYSCFG and *SECADM authority
*ADMIN HTTP Server instance to be started
Web browser access to IBM i on port number TCP port 2001
DCM Application ID used when creating the DCM Application during TLS/SSL setup

Warning

A user profile with *IOSYSCFG authority is required for these setup tasks

Open HTTP server Instance Editor

To begin, verify that the *ADMIN HTTP server job is running with the following command:

WRKSBSJOB SBS(QHTTPSVR)

If you don’t see *ADMIN in the list, please run the following command to start it:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

After you’ve ensured that the *ADMIN server is running, open a web browser (Microsoft Edge or Chrome is recommended), and go to http://[youribmiserver]:2001/HTTPAdmin - you should see a login page as seen below:

Select the "Manage" and "HTTP Servers" tabs in the top left hand part of the window after logging in.

From the drop down box just below the "Manage" tab select the server you wish to enable for HTTPS

In the left hand part of the window, expand the "Tools" menu and select "Edit Configuration File" from the available options. An editor window will appear on the right hand side.

Add TLS-SSL Config Entries

On the second line of the configuration, paste the following value:

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGMWRKSBSJOB SBS(QHTTPSVR)

Scroll down the configuration data until the "Listen *...." is reached. Edit this line to:

Listen *:443

Warning

Port number 443 is the default port number for HTTPS. If ANY other server on this IBM i uses port 443, this server instance will not start. Consult your networking/infrastructure staff to ensure this is the correct port number, and it is not in use on this IBM i server already.

Edit the following values and paste on the line AFTER the "Listen *:443" entry above. QIBM_HTTP_SERVER should be replaced with the DCM Application ID used to setup SSL on the IBM i.

</Directory> <VirtualHost *:443> SSLEngine On SSLAppName QIBM_HTTP_SERVER </VirtualHost>

Click "OK" or "Apply" at the bottom of the editor window to save these settings.

Restart the server and attempt to connect once again using HTTPS instead of HTTP in the address bar. For example:

https://[youribmiserver]/mdcms/applications

The above URL should display the following JSON in the browser window:

{ "Error": "No authorization token received" }

This indicates that the connection via HTTPS has been successful!

Warning

Please remember to update the MDCMS HTTP Server Configuration in MDCMS, and any external web hooks configured to access MDCMS via the MDCMS REST API's