Now we have our basic Node.js website up and running, let me show you how easy it is to make it a secure site. By secure, I mean making the transport layer secure, ensuring the site uses Secure Sockets Layer (SSL) to ensure all communications between the client and the server are secured.
My previous article on getting the website running can be found here.
To make our site secure, we are going to use the Open Source package OpenSSL to handle the certificate process. No need to use IBMs Digital Certificate Manager (DCM). Ah, that’s a relief!
If you need some light reading on a Friday afternoon, checkout the OpenSSL website, which can be found here.
Firstly, check if we have OpenSSL installed on our box.
Open a PASE shell session using SSH, and type the command
From the figure below, we can see I’m running version 1.0.2
If you do not have OpenSSL installed, use ACS – Open Source Package Management to install.
Now we have to create our certificates.
Follow the steps, that relate to the figure numbers in the graphic below.
As we can see in step number 7, we now have two certificates and the CSR (A certificate signing request). The two certificates are what we need to make our site secure.
To make our Express site secure, the only file we have to change is the /bin/www file.
Open this file in your favourite editor and make the following changes as can be seen in the figure below.
And that is it, our website will now run securely using HTTPS.
And now to the testing.
Use the Nodemon command to start your application (Again, see previous article, if you have no idea what Nodemon is).
Firstly, let us test if our original method works.
All working as expected as we stopped the non-SSL version!
Now testing the HTTPS version.
Ah, that’s a lot better, believe me!
If we click on the certificate error, we will see our certificate we generated earlier. The browser is complaining as it does not like self-signed certificates.
To get around this, click on the Go on to the webpage link in the browser and our website will open. Our site is now using secure communications.
To stop this warning being shown all the time, we need to install the certificate we created into our windows certificate manager.
The steps needed to do this are as follows:
Click on the certificate error, then select Export to file.
Once we have it exported, we need to install it onto our PC.
Using the windows search key, enter manage user certificates and open the Manage user certificates.
And navigate to Import under the Trusted Root Certification Authorities à Certificates à All tasks à Import option.
Follow the wizard to import the certificate you saved in the previous step. Taking all the defaults will suffice.
Now when we open our browser, we have the all-important padlock sign to state our certificate is working as expected and it will not say the certificate has an issue.
Please note that the above article produces a ‘Self-Signed Certificate’, they are not signed by a CA (Certificate Authority) and that is why you have to install them manually onto your devices.
Self-signed certificates are great for internal use, ie Intranets, but should not be used for externally facing web-sites. If you need to have a certificate for your external site, consider using Lets Encrypt, or something similar.
These changes have now be published to my GitHub repository, which can be found at this link. Hopefully, this will provide you with a template to experiment with Node.js on IBM i.
Take a look and have a play!
Hopefully in this article I’ve shown how easy it is to amend our basic website to include SSL security.
We will further enhance it in my next article.
If you have any questions, either on this article, or any other open source, use the comments below, or send me a message on twitter @AndyYouens
I’m looking forward to the next round of the IBM i i-UG user group meetings this year in the UK, on the 7th November 2019.
Hopefully we can all meet up again at these useful user group meetings. Full details can be found on the iUG site here.
Andy Youens is an IBM i consultant/instructor at Milton Keynes, UK-based FormaServe Systems with over 39 years IBM midrange experience.
Leave a Reply