Informing the IBM Community

A screen a story – Enabling SSL/TLS for IBM Navigator for i


In today’s world there is a lot of emphasis on IT security. Not strange when the word “Hack” is a word you often hear or read when following the daily news. We all know that there is no better security level possible than security implemented at the source level. I like bringing examples to life with an example everybody can understand. For security at the source level I always use the example of a castle. No castle Lord when the drawbridge is up will think that all his golden treasures are safe and can be left on the kitchen table. Most likely all his golden treasures are in a treasury, in a locked chamber and probably also in a room which cannot be easily accessed.

So with that in mind any HTTP server which requires you to sign on before granting access needs security at the source level. In this case I am talking about SSL/TLS enablement for the IBM Navigator for i.

The New Navigator for i comes with documentation which allows you to configure SSL/TLS for Navigator for i.

If you have not set up SSL/TLS for Telnet, ODBC  or any other IBM i application, this might be a good starting point to consider doing that right away. Please have a look at the note which must ring a bell when you are working with an HMC. Due to the fact that when you are using a certificate which is a self-signed certificate you do get a warning. As a self-signed certificate is better than not using SSL/TLS at all, IBM does offer you the choice when enabling HTTPs using a self-signed certificate or using an existing certificate. Many companies use a wildcard certificate for their domain so they can use one certificate for as many servers as they want. In that case the server IBM i is running on will be just one of the Servers the certificate can be used for.

When following the documentation task “Issue a self-signed certificate”, a certificate is being created by the wizard.  When looking at the details of this certificate there is one detail to keep in mind, it is only valid for one year. In order to keep track of that you can put a reminder in your calendar, but there is of course a better way. For this the Administration Runtime Expert (ARE) will have to come into play. 

To facilitate your tasks, the first thing we do is to add the URL to the bookmarks tab of  Navigator for i, this can be done at the same spot where we already have several others defined:

When we select the “Manage” option we add a bookmark as shown below:

By default the ARE is also without HTTPS, but after we have enabled SSL/TLS for Navigator for i, we know what to do get the job done and add this enablement for ARE. Please do not forget to edit this bookmark afterwards, or else it does not work if you block HTTP access.

Once you have added this bookmark you will need to have the license program 5733-ARE installed.

As you can see, when using the Search field in the top bar and using filtering it is not hard to discover if ARE is installed or not. Please be aware that ARE needs to be installed on only one node in your network.

When you have to install ARE please also make sure that you have the latest PTFs for ARE on your box. For this information you simply have to go to the IBM Administration Runtime Expert for i website and scroll to the bottom of that page. On the same page you will find the Getting started guide. This will help you in getting ARE installed on your box. In order to figure out on which .iso image the ARE license program can be installed from, you have to take a look at the Media labels and their contents. For IBM i we needs to have the iso image B_GROUPx_03 available.

After ARE is installed on one box and has all the PTFs, we are ready to get it started.

Once we have started it we can use the bookmark created earlier for accessing ARE. Our goal is to check if the expiration date of the self-signed certificate is about to expire in the

next 30

 days. Below the SQL statement with which we get this done in ARE:

ARE has the option to define an SMTP server, which can be configured after selecting the “Console Runtime Properties” as shown below:

The console of ARE also has the option to Schedule tasks. For this ARE needs to running but the start of ARE can be configured here in the Web Administration for i, again IBM has already defined a bookmark for this:

Back to ARE and the Scheduler to setup the checking of the self-signed certificate expiration date.

So after having done this every first day of the month ARE will check on iClient2 if the Expiration date is about to expire within the next thirty days. When it does you will get an
e-mail similar to the one below:

You do have to know what the contents of the checking process are but I am sure that this message will alert you enough to check ARE if there is any doubt about the urgency of this message.

In order to get you going as an attachment to this article the template used for checking the date can be download and imported into your own ARE environment.

I hope you enjoyed this article and will encourage you to have a second look at ARE, although this second look might be the first for some of you.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.


Leave a Reply

Your email address will not be published. Required fields are marked *