First we need to purchase the SSL certificate or certificates. In order to process the purchase we need to create a Certificate Signing Request (CSR). To do this start the HTTP admin server:
STRTCPSVR SERVER(*HTTP) HTTPSVR(ADMIN)
Then go to port 2001 on the IBM i IP address or host name, e.g.:
http://192.168.86.15:2001
And login with your IBM i credentials:
Then select the IBM i Tasks Page:
Then select the Digital Certificate Manager link:
On the DCM home page take the option to select the Certificate Store:
Select the System certificate store and continue:
Enter the system certificate store password:
Then select Create Certificate:
Select server or client certificate and continue:
Enter the certificate signing request details. The minimum details required are detailed below. The Common Name is the domain name and the Certificate Label is a name which will be used to refer to this particular certificate. The country code needs to conform to the ISO 3166 standard.
Then hit continue and the certificate signing request data will be shown. Save everything from the "-----BEGIN NEW CERTIFICATE REQUEST-----" line through the "-----END NEW CERTIFICATE REQUEST-----" line, inclusive, to a text file. Now purchase the SSL certificate; you will need the contents of that text file when ordering it. Before loading the domain certificate, upload the root and intermediate certificates supplied by the issuer. This can be trial and error, as I sometimes find that the correct intermediate and root certificates aren't supplied by the third-party reseller and I have ended up getting the bundle from the Certificate Authority's own website. Here are the screens where you load the root and intermediate certificates:
Enter the file location for the CA root or intermediate certificate being imported and hit continue:
Once all the relevant CA certificates have been installed, import the server certificate (DCM will error if it cannot validate the certificate's chain back to the CA root certificate, which will need to be resolved before it can be imported):
Then specify the file location for the server certificate and press continue:
Now we need to setup the applications. For multi domain virtual hosts we need to add an application for each domain. To do this select the Add Application link:
Then select add server application:
Now we need to assign the certificate uploaded earlier to the application by selecting Assign Certificate under Manage Certificates:
Select the certificate we uploaded earlier:
Hit assign applications and then select the application we created earlier and hit replace:
At this point we need to setup the virtual host. Here is an example of a virtual host definition:
<VirtualHost 192.168.86.15:80>
    ServerName novagem.co.uk
    ServerAlias www.novagem.co.uk
    RewriteEngine on
    Redirect permanent / https://novagem.co.uk/
</VirtualHost>

<VirtualHost 192.168.86.15:443>
    SSLEngine On
    SSLAppName NOVAGEM.CO.UK
    SSLServerCert 2020.novagem.co.uk
    AddType application/x-httpd-php .php
    AddHandler fastcgi-script .php
    AddOutputFilterByType DEFLATE application/x-httpd-php application/json text/css application/x-javascript application/javascript text/html
    DocumentRoot /www/novagem.co.uk/htdocs
    ServerName novagem.co.uk
    ServerAlias www.novagem.co.uk
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    CustomLog /www/novagem.co.uk/logs/accesslog combined
    ErrorLog /www/novagem.co.uk/logs/errorlog
    LogMaint /www/novagem.co.uk/logs/access_log 30 0
    LogMaint /www/novagem.co.uk/logs/error_log 30 0
    <Directory />
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /www/novagem.co.uk/htdocs>
        Order allow,deny
        Allow from all
        AddOutputFilter INCLUDES .html .php
        Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch +IncludesNoExec +Includes
    </Directory>
</VirtualHost>
The key statements outside the virtual host definition are:
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
SetEnv HTTPS_PORT 443
And inside the virtual host:
SSLEngine On
SSLAppName NOVAGEM.CO.UK
SSLServerCert 2020.novagem.co.uk
In order for the SSL settings to take effect, the virtual host web server needs to be stopped and started, either through the admin interface or from the command line. I have included the verbose debug setting with the start command in case the server doesn't come back up, as the extra logging may aid fault finding:
ENDTCPSVR SERVER(*HTTP) HTTPSVR(VIRTHOST)
STRTCPSVR SERVER(*HTTP) HTTPSVR(VIRTHOST '-vv')
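Once the server is back up, it is worth confirming from a client that the configuration actually does what it is meant to: port 80 answers with a permanent redirect to https://, the TLS handshake validates against a normal trust store (which fails if the intermediate certificates were not loaded into DCM), and the HSTS header matches the Header directive. The script below is an added example, not part of the original post; it uses the page's host name, and the helper names parse_hsts, hsts_ok, redirect_ok and check_live are my own.

```python
import http.client
import ssl
import urllib.parse

HOST = "novagem.co.uk"
# Policy the Header directive in the 443 virtual host is meant to emit.
EXPECTED_HSTS = {"max-age": "31536000", "includesubdomains": None, "preload": None}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value};
    flag directives such as preload map to None."""
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        policy[name.strip().lower()] = val.strip().strip('"') if sep else None
    return policy


def hsts_ok(value, expected=EXPECTED_HSTS):
    """True only if every expected directive is present with the expected value."""
    policy = parse_hsts(value)
    return all(policy.get(k, "missing") == v for k, v in expected.items())


def redirect_ok(status, location, host=HOST):
    """A permanent redirect whose Location is the https:// form of the site."""
    if status != 301 or not location:
        return False
    url = urllib.parse.urlsplit(location)
    return url.scheme == "https" and url.hostname == host


def check_live(host=HOST):
    """Query the running server; returns (redirect_ok, hsts_ok)."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/", headers={"Host": host})
    r = plain.getresponse()
    redir = redirect_ok(r.status, r.getheader("Location"), host)
    # The default context verifies chain and host name, so a missing
    # intermediate in DCM surfaces here as a CERTIFICATE_VERIFY_FAILED error.
    tls = http.client.HTTPSConnection(host, 443, timeout=10, context=ssl.create_default_context())
    tls.request("GET", "/", headers={"Host": host})
    s = tls.getresponse()
    return redir, hsts_ok(s.getheader("Strict-Transport-Security") or "")


if __name__ == "__main__":
    print(check_live())
```

Run it against both the bare domain and the www alias, since the ServerAlias is the form most likely to be missing from the certificate's subject alternative names.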