Enabling an application on IBM i to use an SSL certificate

There are two common setups for using SSL certificates:

1) The $0 way: a self-signed certificate, or

2) the $99 to $X,XXX way: a certificate from an internet certificate authority (CA).

I’ll go through both ways of accomplishing this.

Option 1 : Creating and applying a Self Signed Certificate

Go to your IBM i’s Digital Certificate Manager (DCM) website at:

http://REPLACE_WITH_YOUR_IBM_I_IP_ADDRESS_OR_DNS_NAME:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

(Change REPLACE_WITH_YOUR_IBM_I_IP_ADDRESS_OR_DNS_NAME to your IBM i IP or DNS Name)

Note: If you can’t access port 2001, make sure the admin instance of Apache is running:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

1. Select Certificate store: *SYSTEM

2. Create a cert for the application’s DNS name (e.g. myapp.example.com)

3. Assign the cert to QIBM_HTTP_SERVER_ZENDSVR. If you haven’t already, you may have to create DNS entries for your app.

4. Modify your httpd.conf file (also known as the Apache config) to listen on port 443 (SSL). Replace 10.1.1.200 with your actual IP address.

# Load the SSL module into Apache
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
# Listen for HTTP (port 80, redirect only) and HTTPS (port 443) traffic
Listen 10.1.1.200:80
Listen 10.1.1.200:443
NameVirtualHost 10.1.1.200:443
# MYApp – Redirect plain HTTP to HTTPS (same address as the Listen directives above)
<VirtualHost 10.1.1.200:80>
RewriteEngine On
# A substitution that starts with https:// makes mod_rewrite issue an external redirect
RewriteRule ^/(.*)? https://%{HTTP_HOST}/$1
</VirtualHost>
# MYApp1 (HTTPS)
<VirtualHost 10.1.1.200:443>
ServerName myapp1.example.com
DocumentRoot /www/zendsvr/htdocs/
SSLEngine On
# SSLAppName is the DCM application ID the certificate is assigned to
SSLAppName QIBM_HTTP_SERVER_ZENDSVR_MYApp1
SSLServerCert QIBM_HTTP_SERVER_MYApp1_CERT
SSLCacheEnable
SetEnv HTTPS_PORT 443
Options FollowSymLinks
</VirtualHost>
# MYApp2 (HTTPS) with a different certificate and domain
<VirtualHost 10.1.1.200:443>
ServerName myapp2.example.com
DocumentRoot /www/zendsvr/htdocs/
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR_MYApp2
SSLServerCert QIBM_HTTP_SERVER_MYApp2_CERT
SSLCacheEnable
SetEnv HTTPS_PORT 443
Options FollowSymLinks
</VirtualHost>
#::SSLServerCert directive::
#Description: Sets the server certificate to use for this virtual host
#Scope: IP-based virtual hosts
#The same app name can be used with a multi-domain (SAN) certificate; you just need a SAN entry for each domain


Then you’ll have to restart your web server so the Apache config is reloaded: go to http://MY_IBMi_IP_DNSNAME:2001/HTTPAdmin and press the restart button on your ZS (Zend Server) HTTP instance.

Option 2 : Using a VeriSign or Internet Certificate Authority (CA) SSL Certificate

A self-signed certificate has the limitation that it isn’t trusted the way one from VeriSign is. Your browser may give you a warning like:

This Connection is Untrusted You have asked Firefox to connect securely to http://www.yoursite.com, but we can’t confirm that your connection is secure. http://www.yoursite.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)

In this case you’ll:

  1. Review and compare SSL certificates (http://www.whichssl.com/compare-ssl-certificates.html)
  2. Purchase a cert per subdomain (secure.mysite.com), OR get a wildcard SSL certificate (*.mysite.com) if you have many apps you want to use SSL with.
  3. Create a certificate signing request (CSR). Copy the CSR text from the IBM i DCM and paste it into the CA vendor’s site (e.g. Comodo, Symantec, Thawte). (Steps to get a CSR: https://www.sslsupportdesk.com/certificate-signing-request-csr-instructions-for-ibm-as400-iseries/)
  4. The CA vendor should give you a) your server certificate, b) the intermediate certs, and c) the root CA cert.
  5. Download the certs to your computer and upload them to the IFS (record where on the IFS you uploaded the certs, as this is needed later), then go back to the DCM.
  6. Import the root and/or intermediate certificates: Certificate Store: *SYSTEM, Certificate type: Certificate Authority (CA), Import File: the .crt file on the IFS of your root and/or intermediate certificate. (Note this gotcha: “An error occurred during certificate validation. The issuer of the certificate may not be in the certificate store or the issuer may not be enabled.” – http://www-01.ibm.com/support/docview.wss?uid=nas8N1011678)
  7. Import your server certificate (“Import Certificate”): Certificate Store: *SYSTEM, Certificate type: Server or client, Import File: the .crt file on the IFS of your server cert.
  8. Assign the certificate to your application.

Different types of SSL Certs

Domain Validated Certificates (DV): the CA verifies the owner of the domain named in the certificate.
Organization Validated Certificates (OV): the CA verifies an established organization; the certificate includes the company name and its address.
Extended Validation Certificates (EV): the CA performs an extensive review of the company following the standards of the Certificate Authority/Browser (CA/B) Forum. The browser URL bar turns green.

Notes:

The X509 standard and TLS

Debugging tip: make sure you are using the right root and intermediate certificates, in the right order, for your server certificate.

[Image: example of a Thawte certificate chain (SSL certificate hierarchy)]

SSL on 5250 emulator connection

When you first connect to the IBM i via SSL, the emulator downloads the SSL cert set on your IBM i and asks: “The following certificate authority was discovered during SSL negotiations: Would you like to add this certificate authority to your trusted set?”

Chrome 58+ issue – Common Name Support Removed

Seeing this error in your Chrome browser:

Your connection is not private

Attackers might be trying to steal information from (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is [your site]; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.

It’s probably that you’re missing the SAN field in your cert. As of Chrome 58, the Common Name field of an SSL certificate is no longer supported for hostname matching. The Common Name is the domain name, like godzillai5.wordpress.com. You’ll now need to have the domain name listed in the SAN (Subject Alternative Name) field. Most public CAs have been populating this field, so if you bought a cert this won’t be much of an issue, but if you have a self-signed cert or a private PKI you’ll need to re-issue your cert with the SAN field added.
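To see the Chrome 58+ rule concretely, here is an added example (not from the original post) that applies it offline to certificates in the dict shape Python’s ssl module returns from getpeercert(). The three sample certificates and the hostnames in them are constructed; the CN-only one reproduces the [missing_subjectAltName] situation, the other two show a SAN match and the single-label wildcard rule. check_live_server is an assumed helper for applying the same check to a real server.

```python
import ipaddress
import socket
import ssl
from typing import Tuple

# Constructed sample certificates, in the dict shape ssl.SSLSocket.getpeercert()
# returns. Hostnames and the IP are placeholders, not real endpoints.
CN_ONLY_CERT = {
    "subject": ((("commonName", "myapp.example.com"),),),
    # No subjectAltName at all: the case Chrome 58+ reports as [missing_subjectAltName]
}
SAN_CERT = {
    "subject": ((("commonName", "myapp.example.com"),),),
    "subjectAltName": (
        ("DNS", "myapp.example.com"),
        ("DNS", "www.myapp.example.com"),
        ("IP Address", "10.1.1.200"),
    ),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname the way browsers do:
    case-insensitive, and '*' is honoured only as the whole left-most label,
    matching exactly one label ('*.example.com' matches 'app.example.com'
    but neither 'example.com' nor 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only SAN entries count; the Common Name is
    consulted solely to explain *why* a CN-only certificate is rejected."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP address: only an iPAddress SAN entry can match
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched iPAddress SAN {value}"
        return False, "no iPAddress SAN matches; Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID"
    dns_names = [value for kind, value in sans if kind == "DNS"]
    for name in dns_names:
        if _dns_name_matches(name, hostname):
            return True, f"matched dNSName SAN {name}"
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    if not dns_names and cn and _dns_name_matches(cn, hostname):
        return False, f"CN {cn!r} matches but no SAN is present: Chrome 58+ rejects it ([missing_subjectAltName]); re-issue with a SAN"
    return False, "no SAN entry matches the hostname"


def check_live_server(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """Assumed helper: fetch a server's certificate and apply the same rule.
    Chain validation stays on (CERT_REQUIRED); only Python's own hostname check
    is disabled so a CN-only certificate can be inspected rather than rejected
    before getpeercert() is reachable. A self-signed cert still needs its CA
    loaded with ctx.load_verify_locations() to pass chain validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_matches_hostname(tls.getpeercert(), host)


if __name__ == "__main__":
    for label, cert, host in [("CN only", CN_ONLY_CERT, "myapp.example.com"),
                              ("SAN", SAN_CERT, "myapp.example.com"),
                              ("wildcard", WILDCARD_CERT, "myapp2.example.com")]:
        print(label, cert_matches_hostname(cert, host))
```

The check deliberately mirrors the browser: a certificate whose CN is right but whose SAN list is empty fails, which is exactly the state a self-signed or private-PKI certificate made before Chrome 58 is usually in.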

How to create the SAN field? Check this out: https://geekflare.com/san-ssl-certificate/

The main command is

openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf

but you’ll need to set up the .cnf file that the blog goes over.
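The post names the .cnf file but does not show it, so here is an added example (not the post’s or the linked blog’s code) that builds a san.cnf for a list of hostnames and then runs the openssl command above against it, reading the SAN back out of the resulting CSR to confirm it is present. The organisation and country values, and the hostnames, are constructed placeholders; the file names sslcert.csr, private.key and san.cnf are the ones from the command above.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def build_san_config(common_name: str, alt_names: List[str],
                     org: str = "Example Org", country: str = "US") -> str:
    """Return an OpenSSL request config whose v3_req extension carries every
    hostname as a dNSName SAN. The CN is always repeated as DNS.1 so clients
    that ignore the CN (Chrome 58+) still find the primary name."""
    names = [common_name] + [n for n in alt_names if n != common_name]
    lines = [
        "[req]",
        "default_bits = 2048",
        "prompt = no",                          # take the DN from the file, don't ask
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",              # include the SAN extension in the CSR
        "",
        "[req_distinguished_name]",
        f"C = {country}",
        f"O = {org}",
        f"CN = {common_name}",
        "",
        "[v3_req]",
        "keyUsage = digitalSignature, keyEncipherment",
        "extendedKeyUsage = serverAuth",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
    ]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(names, start=1)]
    return "\n".join(lines) + "\n"


def generate_csr(config_text: str, workdir: Optional[str] = None) -> Optional[str]:
    """Write san.cnf into workdir, run the openssl command from the post, and
    return the Subject Alternative Name line parsed from the CSR. Returns None
    when no openssl binary is available, so the config can still be inspected."""
    work = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="san-csr-"))
    (work / "san.cnf").write_text(config_text)
    if shutil.which("openssl") is None:
        return None
    subprocess.run(
        ["openssl", "req", "-out", "sslcert.csr", "-newkey", "rsa:2048", "-nodes",
         "-keyout", "private.key", "-config", "san.cnf"],
        cwd=work, check=True, capture_output=True,
    )
    # Decode the CSR and pull out the SAN value, which openssl prints on the
    # line following the "X509v3 Subject Alternative Name:" header.
    dump = subprocess.run(
        ["openssl", "req", "-noout", "-text", "-in", "sslcert.csr"],
        cwd=work, check=True, capture_output=True, text=True,
    ).stdout
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return lines[i + 1].strip()
    return ""   # CSR produced but no SAN found: the extension did not make it in


if __name__ == "__main__":
    cfg = build_san_config("myapp.example.com", ["www.myapp.example.com"])
    print(cfg)
    print("SAN in CSR:", generate_csr(cfg))
```

Checking the CSR before sending it to the CA (or before signing it yourself) is the cheap way to avoid re-issuing later: if the SAN line comes back empty, the req_extensions setting is not being picked up.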