Enable HTTPS for an HTTP Server Instance
Published: 2024-05-14
Requirements
- TLS/SSL already configured on the IBM i.
- User profile with *IOSYSCFG and *SECADM authority
- *ADMIN HTTP Server instance to be started
- Web browser access to IBM i on TCP port 2001
- DCM Application ID used when creating the DCM Application during TLS/SSL setup
Warning
A user profile with *IOSYSCFG authority is required for these setup tasks.
Open HTTP server Instance Editor
To begin, verify that the *ADMIN HTTP server job is running with the following command:
WRKSBSJOB SBS(QHTTPSVR)
If you don’t see *ADMIN in the list, please run the following command to start it:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
After you’ve ensured that the *ADMIN server is running, open a web browser (Microsoft Edge or Chrome is recommended) and go to http://[youribmiserver]:2001/HTTPAdmin. You should see a login page.
After logging in, select the "Manage" and "HTTP Servers" tabs in the top left-hand part of the window.
From the drop-down box just below the "Manage" tab, select the server you wish to enable for HTTPS.
In the left-hand part of the window, expand the "Tools" menu and select "Edit Configuration File" from the available options. An editor window will appear on the right-hand side.
Add TLS-SSL Config Entries
On the second line of the configuration, paste the following value:
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Scroll down the configuration data until the "Listen *...." line is reached. Edit this line to:
Listen *:443
Warning
Port number 443 is the default port number for HTTPS. If ANY other server on this IBM i uses port 443, this server instance will not start. Consult your networking/infrastructure staff to ensure this is the correct port number, and it is not in use on this IBM i server already.
Edit the following values and paste them on the line AFTER the "Listen *:443" entry above. QIBM_HTTP_SERVER should be replaced with the DCM Application ID used to set up SSL on the IBM i.
<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER
SSLProtocolDisable SSLv3 TLSv1 TLSv1.1
</VirtualHost>
Click "OK" or "Apply" at the bottom of the editor window to save these settings.
Restart the server and attempt to connect once again using HTTPS instead of HTTP in the address bar. For example:
https://[youribmiserver]/mdcms/applications
The above URL should display the following JSON in the browser window:
{ "Error": "No authorization token received" }
This indicates that the connection via HTTPS has been successful!
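If the instance does not start or HTTPS does not respond, the edited configuration text can be checked against the entries described above. The following is an added example, not part of the original page or of any IBM or MDCMS tooling; the function name check_https_config and both sample configurations are constructed for illustration, and the text is assumed to be copied from the editor window.

```python
import re

# Protocols turned off by the page's SSLProtocolDisable line.
REQUIRED_DISABLED = {"SSLv3", "TLSv1", "TLSv1.1"}
# Constructed samples: GOOD follows the page; BAD keeps an old Listen line and TLS 1.0/1.1.
GOOD_CONFIG = """LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:443
<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER
SSLProtocolDisable SSLv3 TLSv1 TLSv1.1
</VirtualHost>
"""
BAD_CONFIG = GOOD_CONFIG.replace("Listen *:443", "Listen *:80").replace(" TLSv1 TLSv1.1", "")

def check_https_config(text, app_id):
    """Return a list of findings; an empty list means every entry from the page is present."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith("#")]
    if not any(re.match(r"LoadModule\s+ibm_ssl_module\s", ln, re.I) for ln in lines):
        findings.append("LoadModule ibm_ssl_module is missing")
    listen_ports = {m.group(1) for ln in lines
                    if (m := re.match(r"Listen\s+(?:\S+:)?(\d+)$", ln, re.I))}
    # Collect the directives inside each <VirtualHost addr:port> block, keyed by port.
    vhosts, current = {}, None
    for ln in lines:
        m = re.match(r"<VirtualHost\s+\S*?:(\d+)>", ln, re.I)
        if m:
            current = vhosts.setdefault(m.group(1), {})
        elif ln.lower() == "</virtualhost>":
            current = None
        elif current is not None:
            name, *rest = ln.split(None, 1)
            current[name.lower()] = rest[0] if rest else ""
    tls_hosts = {p: d for p, d in vhosts.items() if d.get("sslengine", "").lower() == "on"}
    if not tls_hosts:
        findings.append("no VirtualHost has SSLEngine On")
    for port, d in tls_hosts.items():
        if port not in listen_ports:
            findings.append(f"VirtualHost port {port} has no matching Listen line")
        if d.get("sslappname") != app_id:
            findings.append(f"port {port}: SSLAppName is not {app_id}")
        missing = REQUIRED_DISABLED - set(d.get("sslprotocoldisable", "").split())
        if missing:
            findings.append(f"port {port}: still enabled: {', '.join(sorted(missing))}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_https_config(cfg, "QIBM_HTTP_SERVER"))
```

Pass the DCM Application ID from the TLS/SSL setup as app_id; an empty result means the module, port, virtual host and protocol entries all match what this page describes.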
Warning
Please remember to update the MDCMS HTTP Server Configuration in MDCMS, and any external web hooks configured to access MDCMS via the MDCMS REST APIs.