How to Secure Your Web Site Running on IBM i

If you’re running a Web application on IBM i, you may be worried about security. The incoming and outgoing HTTP requests and responses exchanged with the HTTP server will contain a customer account number and, therefore, must be secured. If you don’t have any experience with Web security technology, such as Secure Sockets Layer (SSL), you may be wondering if it’s possible to secure your Web site in a very simple and quick way. The answer is yes!

 

For this article, I’ll share a simple way to secure your HTTP server configuration with SSL technology. There are five easy steps to SSL-enable your HTTP server:

 

Step 1. Make sure that you have the following product and product option installed:

·    For V5R4, Digital Certificate Manager Option 34 of 5722-SS1

·    For V6R1, Digital Certificate Manager Option 34 of 5761-SS1

To complete this task you must supply a digital certificate. For more information on how to obtain a digital certificate, see the Digital Certificate Management Web page in the IBM Information Center.

 

Step 2. Edit your HTTP configuration file.

Enter the following information in your HTTP configuration file:

 

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM

Listen 80

# Secure HTTP Port

Listen 443

SetEnv HTTPS_PORT 443

# Enable SSL function on this server

SSLEngine On

# Server certificate application name

SSLAppName QIBM_HTTP_SERVER_MYSERVER

 

The LoadModule directive loads and links the service program /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM, which the server uses to encrypt your data with Secure Sockets Layer.

 

If there are CGI programs that will be using SSL, the environment variable HTTPS_PORT must be set in the configuration file. The SetEnv HTTPS_PORT port-number directive is used for this.

 

The SSLAppName directive serves the following purposes:

·    It provides a unique label that identifies the server as an application that intends to use SSL.

·    It keeps track of the registered name used by the server.

·    It identifies the server when a server certificate is associated with a secure application in the Digital Certificate Manager (DCM).

·    It identifies the server to the SSL APIs so that they can use the certificate associated with the server.

The SSLEngine directive toggles the usage of SSL processing. If SSLEngine On is specified, SSL processing is enabled. If SSLEngine Off is specified, SSL processing is disabled. If SSLEngine Optional is specified, SSL processing is turned on to handle upgrading a non-SSL connection to an SSL connection.

 

Make sure you have the proper authority to the directories and files. See the User profiles and required authorities for HTTP Server Web page for more information.

 

Step 3. Use DCM to create an appropriate certificate.

Access DCM, click Select a Certificate Store and choose *SYSTEM. Click Continue. Enter a password in the Certificate Store Password field and click Continue.

 

Step 4. Assign the certificate to your application name.

Access DCM again, and this time click Manage Applications. Select Update certificate assignment and click Continue. Select Server and click Continue again. Next, select the QIBM_HTTP_SERVER_MYSERVER application name (the value of SSLAppName from Step 2), then click Update Certificate Assignment. Once you’ve selected the appropriate certificate, click Assign New Certificate to assign the certificate to the application name selected in the previous step. This completes your SSL enablement.

 

Step 5. Restart your HTTP server and your Web browser.

Using the following command, restart your HTTP server:

 

STRTCPSVR SERVER(*HTTP) RESTART(*HTTP) HTTPSVR(MYSERVER)

 

Now you can use your server. Type http://[IBM_i_hostname] for a non-secure connection or https://[IBM_i_hostname] for a secure connection.

 

Note: If you have trouble getting the secure connection working, check your server error log file, located in the /<server root>/logs/ directory, for information.
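
When the secure connection fails, a quick thing to rule out is a mismatch between the Step 2 directives and the application name the certificate was assigned to in Step 4. The Python check below is an added example, not part of the original article and not an IBM tool; its function names and sample configuration are constructed, and it assumes the file can be read as a flat list of directives (it does not track containers such as virtual hosts).

```python
def parse_directives(conf_text):
    """Map each directive name (lower-cased) to the list of its argument strings."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blank lines and comments
            continue
        parts = line.split(None, 1)               # directive name, then the rest
        args = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(args)
    return directives


def check_ssl_config(conf_text, dcm_app_name):
    """Return a list of problems; an empty list means the Step 2 directives line up.

    dcm_app_name is the application name the certificate was assigned to in DCM.
    """
    d = parse_directives(conf_text)
    problems = []
    if not any(a.split()[:1] == ["ibm_ssl_module"] for a in d.get("loadmodule", [])):
        problems.append("LoadModule ibm_ssl_module is missing")
    engine = [a.lower() for a in d.get("sslengine", [])]
    if engine != ["on"]:
        problems.append("SSLEngine must be On, found %s" % (engine or "no directive"))
    app = d.get("sslappname", [])
    if app != [dcm_app_name]:
        problems.append("SSLAppName %s does not match DCM application %s"
                        % (app, dcm_app_name))
    # HTTPS_PORT is only needed for CGI programs, but if set it must be listened on.
    listen_ports = {a.rsplit(":", 1)[-1] for a in d.get("listen", [])}
    for env in d.get("setenv", []):
        parts = env.split()
        if parts[:1] == ["HTTPS_PORT"] and parts[1:2] and parts[1] not in listen_ports:
            problems.append("HTTPS_PORT %s has no matching Listen directive" % parts[1])
    return problems


# Constructed sample: the Step 2 directives as one file.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen 80
# Secure HTTP Port
Listen 443
SetEnv HTTPS_PORT 443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
"""

if __name__ == "__main__":
    for problem in check_ssl_config(SAMPLE_CONF, "QIBM_HTTP_SERVER_MYSERVER"):
        print("PROBLEM:", problem)
```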

 

You now have five easy steps to securing your IBM i site and your important data.
