Enabling an application on IBMi to use an SSL certificate
There are two common setups for using SSL certificates:
1) The $0 way of using a self-signed certificate, or
2) the $99 – $X,XXX way of using an internet certificate authority.
I’ll go through both ways of accomplishing this.
Option 1 : Creating and applying a Self-Signed Certificate
Go to your IBMi’s Digital Certificate Manager (DCM) website at:
(Change REPLACE_WITH_YOUR_IBM_I_IP_ADDRESS_OR_DNS_NAME to your IBM i IP address or DNS name)
Note: If you can’t access port 2001, make sure the admin instance of Apache is running by issuing this CL command:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
1. Select Certificate store: *SYSTEM
2. Create a cert for the DNS name of the application (e.g. myapp.example.com)
3. Assign the cert to QIBM_HTTP_SERVER_ZENDSVR. If you haven’t already, you may have to create DNS entries for your app.
4. Modify your httpd.conf file (also known as the Apache config) to listen on port 443 (SSL). (Replace 10.1.1.200 with your actual IP address.)
Then you’ll have to restart your web server so the Apache config is reloaded, by going to http://MY_IBMi_IP_DNSNAME:2001/HTTPAdmin and pressing the restart button on your ZS HTTP instance.
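As an added illustration of step 4 (not a fragment from the original post or from Zend), this is the shape of the httpd.conf change using the IBM i HTTP Server (powered by Apache) SSL directives. 10.1.1.200 and QIBM_HTTP_SERVER_ZENDSVR are the placeholders used in the steps above, the LoadModule path is the one IBM i ships for its SSL module, and the list of protocols you can disable depends on your OS release, so check each directive against your system:

```apache
# Add a TLS listener alongside whatever the instance already listens on
Listen 10.1.1.200:443

# IBM i SSL module (standard path on IBM i; verify on your release)
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QSVTAP20.SRVPGM

<VirtualHost 10.1.1.200:443>
    ServerName myapp.example.com
    # SSLAppName must match the DCM application ID the certificate was assigned to in step 3
    SSLEngine On
    SSLAppName QIBM_HTTP_SERVER_ZENDSVR
    # Do not offer protocol versions that are no longer considered safe
    SSLProtocolDisable SSLv2 SSLv3 TLSv1 TLSv1.1
</VirtualHost>
```

If the certificate is assigned to a different application ID in DCM than the one named in SSLAppName, the instance starts but the TLS listener fails, so keep the two in sync.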
Option 2 : Using a VeriSign or Internet Certificate Authority (CA) SSL Certificate
The self-signed certificate has a limitation: it isn’t as trusted as one from VeriSign. Your browser may give you a warning like:
This Connection is Untrusted. You have asked Firefox to connect securely to http://www.yoursite.com, but we can’t confirm that your connection is secure. http://www.yoursite.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)
In this case you’ll need to:
- Review and compare SSL Certificates (http://www.whichssl.com/compare-ssl-certificates.html)
- Purchase a cert per subdomain (secure.mysite.com), OR get a wildcard SSL certificate (*.mysite.com) if you have many apps you want to use SSL with.
- Create a certificate signing request. Copy the CSR data from the IBMi DCM and paste it into the CA vendor’s site (e.g. Comodo, Symantec, Thawte). (Steps to get a CSR: https://www.sslsupportdesk.com/certificate-signing-request-csr-instructions-for-ibm-as400-iseries/)
- The CA vendor should give you a) your server certificate, b) the intermediate certs, and c) the root CA cert.
- Download the certs to your computer and upload them to the IFS (record where on the IFS you uploaded the certs, as this is needed later), then go back to the DCM.
- Import the root and/or intermediate certificates: Certificate Store *SYSTEM, certificate type Certificate Authority (CA), Import File: the .crt file on the IFS of your root and/or intermediate certificate. Import the root before the intermediate, because each certificate’s issuer must already be in the store. (Note this gotcha: “An error occurred during certificate validation. The issuer of the certificate may not be in the certificate store or the issuer may not be enabled.” – http://www-01.ibm.com/support/docview.wss?uid=nas8N1011678)
- Import your server certificate: “Import Certificate”, Certificate Store: *SYSTEM, type Server or client, Import File: the .crt file on the IFS of your server cert.
- Assign the certificate to your application.
Different types of SSL Certs
Domain Validated Certificates (DV): the CA verifies only that you control the domain named in the certificate.
Organization Validated Certificates (OV): the CA verifies that an established organization exists; the certificate includes the company name and its address.
Extended Validated Certificates (EV): the CA performs an extensive review of the company following the standards of the Certificate Authority/Browser (CA/B) Forum. The browser URL bar turns green.
Debugging Tip: make sure you are using the right root and intermediate certificates. The issuer of your server cert must be the intermediate, and the issuer of the intermediate must be the root you imported.
Example of a Thawte certificate chain:
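The debugging tip and the DCM import gotcha above come down to one check: does each certificate’s issuer match the subject of the next one up, and does the server cert validate through the intermediate to the root? This added example (not from the original post) builds a throw-away root, intermediate and server certificate with openssl so the check can be run offline; the names are constructed, and with a real CA you would run only the helper functions against the files you downloaded before importing them into DCM:

```shell
#!/bin/sh
# Added example: build a demo root -> intermediate -> server chain with openssl, then
# check it the way CA-supplied files should be checked before importing them into DCM.
set -e
WORK=$(mktemp -d)

# Root CA (self-signed). Constructed names; real ones come from your CA vendor.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Intermediate CA: a CSR signed by the root and marked CA:TRUE
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

# Server (leaf) certificate signed by the intermediate, not by the root
openssl req -newkey rsa:2048 -nodes -subj "/CN=myapp.example.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myapp.example.com\n' > "$WORK/server.ext"
openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# DN helpers: the issuer of each cert must equal the subject of the cert one step up the chain
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# chain_ok ROOT INTERMEDIATE SERVER: exit 0 only if the server cert validates through both
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# root_only_ok ROOT SERVER: the same check with the intermediate left out. This fails,
# which is the "issuer ... may not be in the certificate store" situation DCM reports.
root_only_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Walk the chain and report each link
chain_ok "$WORK/root.crt" "$WORK/int.crt" "$WORK/server.crt" && echo "full chain: OK"
root_only_ok "$WORK/root.crt" "$WORK/server.crt" || echo "without intermediate: FAILS"
echo "server issuer: $(issuer_of "$WORK/server.crt")"
echo "int subject  : $(subject_of "$WORK/int.crt")"
```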
SSL on 5250 emulator connection
When you first connect to the IBMi via SSL, the emulator downloads the SSL cert set on your IBMi and asks: “The following certificate authority was discovered during SSL negotiations: Would you like to add this certificate authority to your trusted set?” Only accept it if it is the CA you set up above.
Chrome 58+ issue – Common Name Support Removed
Seeing this error in your Chrome browser:
Your connection is not private
Attackers might be trying to steal information from (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is <hostname>; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.
It’s probably that you’re missing the SAN field in your cert. As of Chrome 58, the Common Name field of an SSL certificate is no longer used to match the hostname. This is the domain name, like godzillai5.wordpress.com. You’ll now need to have the domain name listed in the SAN (Subject Alternative Name) field. Most public CAs have been populating this field, so if you bought a cert this won’t be much of an issue, but if you have a self-signed cert or a private PKI you’ll need to re-issue your cert with the SAN field added.
How to create the SAN field? Check this out: https://geekflare.com/san-ssl-certificate/
The main command is
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
but you’ll need to set up the .cnf file that blog goes over.
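Here is the .cnf file the command above needs, together with a check that the resulting CSR actually carries the SAN (this is an added example, not from the original post or the linked blog; the hostnames and organization are constructed placeholders). The check is worth running on any CSR before sending it to a CA, because a CSR that omits the extension produces exactly the Chrome error shown above:

```shell
#!/bin/sh
# Added example: the san.cnf that the openssl req command expects, plus a check on the CSR.
set -e
WORK=$(mktemp -d)

# Constructed config: the SAN list lives in req_ext, which the CSR picks up via req_extensions
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C  = US
O  = Example Corp
CN = myapp.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = myapp.example.com
DNS.2 = www.myapp.example.com
EOF

# The command from the post, pointed at the constructed config
openssl req -out "$WORK/sslcert.csr" -newkey rsa:2048 -nodes \
  -keyout "$WORK/private.key" -config "$WORK/san.cnf" 2>/dev/null

# csr_sans CSR: print the SAN entries as "DNS:a,DNS:b" (empty means Chrome 58+ will reject it)
csr_sans() {
  openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# csr_has_dns CSR HOST: exit 0 only if HOST is listed as a DNS SAN, CN alone does not count
csr_has_dns() {
  csr_sans "$1" | tr ',' '\n' | grep -qx "DNS:$2"
}

echo "SANs in CSR: $(csr_sans "$WORK/sslcert.csr")"
csr_has_dns "$WORK/sslcert.csr" myapp.example.com && echo "myapp.example.com: present"
```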