The PowerHA Web Interface provides at-a-glance health information and allows easy management of PowerHA operations from a web browser.

Status: 7.5 HA 5.2.2
Status: 7.4 HA 4.8.2

...

Software Requirements

The PowerHA Web Interface requires the following program temporary fixes (PTFs):

Release        PTF
7.5 PowerHA    SI81914
7.4 PowerHA    SI81913

Background

The PowerHA web interface is configured automatically with the following settings:

...

Note

We recommend that you configure the PowerHA web interface for secure HTTPS traffic. This ensures all information sent over the network is encrypted.

...

See Enabling Secure HTTPS for the PowerHA Web Interface

...

The PowerHA web interface can be started by starting the QHAWEBSVR instance with the following command: STRTCPSVR SERVER(*HTTP) HTTPSVR(QHAWEBSVR)

To end the PowerHA web interface, use ENDTCPSVR SERVER(*HTTP) HTTPSVR(QHAWEBSVR).

Info

If the PowerHA web interface is configured to start with the *HTTP server, the web interface will start when TCP is started or with STRTCPSVR SERVER(*AUTOSTART).

Changing the PowerHA Web Interface Configuration

The Change PowerHA Webserver (CHGHAWEB) command enables easy configuration changes of the PowerHA web interface. When using F4 to prompt on the command, existing configuration values will be shown on the command.

Enabling secure HTTPS for the PowerHA Web Interface

Secure HTTPS traffic for the PowerHA web interface requires a digital certificate. A digital certificate provides two functions:

  1. Providing a way to encrypt communication between the web browser and the server

  2. Verifying the identity of the server to prevent a man-in-the-middle attack.

Depending on the type of digital certificate you configure, the digital certificate will help with either encrypting communication or with both encrypting communication and verifying the identity of the server.

Before you begin

This step requires the following:

  • IBM 5770SS1 Option 34 - Digital Certificate Manager is installed

  • The *SYSTEM certificate store is created

To create the *SYSTEM certificate store, use the following steps:

Creating the *SYSTEM certificate store

Procedure

  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. Click on Create Certificate Store on the left-hand navigation menu.

  4. On the right-hand side of the page select *SYSTEM.

    Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed.

  5. Create a password for the *SYSTEM store and click Create.

    Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Result

The *SYSTEM certificate store is created on the node.

Procedure

After the *SYSTEM certificate store is created, the procedure consists of the following steps:

  1. Choose a type of certificate to use by following one of the following options

    1. Creating a Self-Signed Certificate

    2. Importing a Signed Certificate

  2. Assigning the certificate to the PowerHA Webserver

  3. Enabling the secure HTTPS server

  4. Restarting the PowerHA Webserver

1a. Creating a Self-Signed Certificate

A self-signed certificate provides a way to encrypt communication between the web browser and server. However, because the certificate is self-signed, the identity of the server cannot be verified. While a self-signed certificate is still much more secure than non-secured HTTP traffic, it does not protect against a man-in-the-middle attack.

To create a self-signed certificate, use the following steps:

  1. Create a Local Certificate Authority (if one does not already exist)

  2. Create a Certificate Authority (CA) Certificate (if one does not already exist)

  3. Use the Local Certificate Authority to create a self-signed certificate

Creating the Local Certificate Authority

Procedure

  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. Click on Create Certificate Store on the left-hand navigation menu.

  4. On the right-hand side of the page select Local CA.

    Note: If the Local CA option is not available in the list, it indicates that there is already a local certificate authority on this system, and these steps have already been performed.

  5. Create a password for the Local CA store and click Create.

    Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Result

The Local CA certificate store is created on the node.

Creating a Certificate Authority (CA) Certificate

Procedure

  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. In the left-hand menu, select Local CA

  4. If Local CA is not in the left-hand menu, open it by doing the following:

    1. Select Open Certificate Store.

    2. Enter the password for the local certificate authority, and click open.

    3. The Local CA will now automatically be selected in the left-hand menu.

  5. Under Certificate Authority (CA) Certificates, create one if one does not exist by selecting Create.

  6. Fill in the required fields. At a minimum:

    1. Common name: Provide a unique common name for this. For example: MyCompany MySystem CA

    2. Organization Name: Provide the name of your company

    3. State or Province: Provide the state or province of the system

    4. Country or Region: Provide the two character country code

  7. Click Create.

Result

The CA Certificate is created on the node.

Creating a Self-Signed Certificate

Procedure

  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. In the left-hand menu, select the *SYSTEM certificate store.

  4. If the *SYSTEM certificate store is not in the left-hand menu, open the certificate store:

    1. Select Open Certificate Store in the left-hand menu.

    2. Select *SYSTEM on the right-hand side of the screen.

    3. Enter the password for the *SYSTEM certificate store.

    4. Click Open.

  5. Under certificates on the right-hand side, select Create.

  6. For type, select Local CA

  7. Fill in the required fields. At a minimum:

    1. Label: Provide a unique common name for this. For example: MyCompany MySystem PowerHA Web Interface

    2. Organization Name: Provide the name of your company

    3. State or Province: Provide the state or province of the system

    4. Country or Region: Provide the two character country code

  8. Click Create.

Result

The self-signed certificate is created on the node.

1b. Importing a Trusted Certificate

To import a trusted certificate, follow the instructions in the IBM Documentation for Digital Certificate Manager.

2. Assigning the Certificate to the PowerHA Webserver

Procedure

  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. In the left-hand menu, select the *SYSTEM certificate store.

  4. If the *SYSTEM certificate store is not in the left-hand menu, open the certificate store:

    1. Select Open Certificate Store in the left-hand menu.

    2. Select *SYSTEM on the right-hand side of the screen.

    3. Enter the password for the *SYSTEM certificate store.

    4. Click Open.

  5. Select Manage Application Definitions.

  6. Search for QIBM_QHASM_WEB.

  7. Click on the + symbol at the lower-right of the QIBM_QHASM_WEB box.

  8. Click on Assign Certificates.

  9. Check the box for the certificate you wish to assign, and click Assign.

Result

The certificate is now assigned to the PowerHA web interface.

3. Enabling the secure HTTPS server

Enable the secure HTTPS server by using the HTTPS(*ON *SAME) parameter on the CHGHAWEB command. If no other configuration options have changed, the resulting PowerHA configuration is equivalent to the following command:

CHGHAWEB HTTP(*AUTO 2098) HTTPS(*ON 2099)

This command enables the non-secured HTTP server on port 2098, configured to automatically redirect users to the secured HTTPS server on port 2099.

Alternatively, the non-secured server can be disabled by using the following command:

CHGHAWEB HTTP(*OFF *SAME) HTTPS(*ON 2099)

4. Restarting the PowerHA Web Interface

Restart the PowerHA webserver for the new changes to take effect.

  1. Run the ENDTCPSVR command to end the QHAWEBSVR instance:
    ENDTCPSVR SERVER(*HTTP) HTTPSVR(QHAWEBSVR)

  2. Wait for all of the QHAWEBSVR jobs to end. This can be checked by using the WRKACTJOB JOB(QHAWEBSVR) command, which should show No active jobs to display.

  3. Use the STRTCPSVR command to start the QHAWEBSVR instance:
    STRTCPSVR SERVER(*HTTP) HTTPSVR(QHAWEBSVR)

Tip

After enabling the HTTPS server, use the following format to reach the PowerHA web interface: https://<system-name>:<https-port>. For example, with the default port configuration, the URL would be https://<system-name>:2099.
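
To confirm the result from a client workstation after the restart, the following added example (not part of the original page and not IBM-supplied code) checks that the non-secured port is either off or redirecting to HTTPS, and that the certificate on the secured port passes chain and host-name verification. It assumes the default ports 2098 and 2099 from the CHGHAWEB example; the host name argument and the optional path to a Local CA certificate in PEM form are placeholders you supply.

```python
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

HTTP_PORT, HTTPS_PORT = 2098, 2099  # default ports from the CHGHAWEB example

def redirect_is_secure(status, location, https_port=HTTPS_PORT):
    """True only for a redirect to an https:// URL on the expected port."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    try:
        target = urlsplit(location)
        return target.scheme == "https" and (target.port or 443) == https_port
    except ValueError:  # malformed port in the Location header
        return False

def probe_http(host, port=HTTP_PORT, https_port=HTTPS_PORT, timeout=5):
    """Classify the non-secured port: no listener, redirect, or plaintext."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
    except (OSError, http.client.HTTPException):
        return "no-http-listener"      # expected with HTTP(*OFF *SAME)
    finally:
        conn.close()
    if redirect_is_secure(resp.status, resp.getheader("Location"), https_port):
        return "redirects-to-https"    # expected with HTTP(*AUTO 2098)
    return "serves-plaintext"          # content is reachable without TLS

def probe_tls(host, port=HTTPS_PORT, cafile=None, timeout=5):
    """Handshake with chain and host-name verification enabled."""
    ctx = ssl.create_default_context(cafile=cafile)  # None = system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as err:
        return f"untrusted: {err.verify_message}"
    except OSError as err:
        return f"unreachable: {err}"

if __name__ == "__main__" and len(sys.argv) > 1:
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print("HTTP :", probe_http(sys.argv[1]))
    print("HTTPS:", probe_tls(sys.argv[1], cafile=cafile))
```

A certificate issued by the Local CA is reported as untrusted unless the Local CA certificate is passed as the second argument or is already in the client's trust store, which is the identity-verification gap described under 1a.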

Changing the default port

Use the Change PowerHA Webserver (CHGHAWEB) command to specify the port numbers used for the HTTP server and the HTTPS server. The port number is ignored if a particular server is *OFF. The following example changes the secure HTTPS server port to 12345:

CHGHAWEB HTTPS(*SAME 12345)

Changing the server to no longer automatically start

CHGHAWEB AUTOSTART(*NO)

...

for additional information.

Web Interface Jobs

The PowerHA web interface introduces the following jobs into the system:

  • The QHTTPSVR subsystem will have up to 9 jobs named QHAWEBSVR that are responsible for providing the web interface. These jobs start and end when the PowerHA web server is started and ended.

  • The QSYSWRK subsystem will have the QHAWACNSVR job. PowerHA starts this job automatically when needed and typically keeps it running even when the web server is ended.

Additional Information

The following topics contain additional information on configuring the PowerHA Web Interfaces:
