Secure HTTPS traffic for the PowerHA web interface requires a digital certificate. A digital certificate provides two functions:
Providing a way to encrypt communication between the web browser and the server
Verifying the identity of the server to prevent a man-in-the-middle attack.
Depending on the type of digital certificate you configure, the digital certificate will help with either encrypting communication or with both encrypting communication and verifying the identity of the server.
Before you begin
This step requires the following:
To create the *SYSTEM certificate store, use the following steps:
Creating the *SYSTEM certificate store
Procedure
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
Click on Create Certificate Store on the left-hand navigation menu
On the right-hand side of the page select *SYSTEM.
Create a password for the
*SYSTEM store and click Create.
Result
The *SYSTEM certificate store is created on the node.
Procedure
After the *SYSTEM certificate store is created, the procedure consists of the following steps:
Choose a type of certificate to use by following one of the following options
Creating a Self-Signed Certificate
Importing a Signed Certificate
Assigning the certificate to the PowerHA Webserver
Enabling the secure HTTPS server
Restarting the PowerHA Webserver
1a. Creating a Self-Signed Certificate
A self-signed certificate provides a way to encrypt communication between the web browser and server. However, because the certificate is self-signed, the identity of the server cannot be verified. While a self-signed certificate is still much more secure than non-secured HTTP traffic, it does not protect against a man-in-the-middle attack.
To create a self-signed certificate, use the following steps:
Create a Local Certificate Authority (if one does not already exist)
Create a Certificate Authority (CA) Certificate (if one does not already exist)
Use the Local Certificate Authority to create a self-signed certificate
Creating the Local Certificate Authority
Procedure
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
Click on Create Certificate Store on the left-hand navigation menu.
On the right-hand side of the page select Local CA.
Create a password for the
Local CA store and click Create.
Result
The *SYSTEM certificate store is created on the node.
Creating a Certificate Authority (CA) Certificate
Procedure
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
In the left-hand menu, select Local CA
If Local CA is not in the left-hand menu, open it by doing the following:
Select Open Certificate Store.
Enter the password for the local certificate authority, and click open.
The Local CA will now automatically be selected in the left-hand menu.
Under Certificate Authority (CA) Certificates, create one if one does not exist by selecting Create.
Fill in the required fields. At a minimum:
Common name: Provide a unique common name for this. For example: MyCompany MySystem CA
Organization Name: Provide the name of your company
State or Province: Provide the state or province of the system
Country or Region: Provide the two character country code
Click Create.
Result
The CA Certificate is created on the node.
Creating a Self-Signed Certificate
Procedure
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
In the left-hand menu, select the *SYSTEM certificate store.
If the *SYSTEM certificate store is not in the left-hand menu, open the certificate store:
Select Open Certificate Store in the left-hand menu.
Select *SYSTEM on the right-hand side of the screen.
Enter the password for the *SYSTEM certificate store.
Click Open.
Under certificates on the right-hand side, select Create.
For type, select Local CA
Fill in the required fields. At a minimum:
Label: Provide a unique common name for this. For example: MyCompany MySystem PowerHA Web Interface
Organization Name: Provide the name of your company
State or Province: Provide the state or province of the system
Country or Region: Provide the two character country code
Click Create.
Result
The self-signed certificate is created on the node.
1.b Importing a Trusted Certificate
To import a trusted certificate, follow the instructions in the IBM Documentation for Digital Certificate Manager.
2. Assigning the Certificate to the PowerHA Webserver
Assigning the Certificate to the PowerHA Webserver
Procedure
In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.
Log in with an IBM i profile with sufficient authority.
In the left-hand menu, select the *SYSTEM certificate store.
If the *SYSTEM certificate store is not in the left-hand menu, open the certificate store:
Select Open Certificate Store in the left-hand menu.
Select *SYSTEM on the right-hand side of the screen.
Enter the password for the *SYSTEM certificate store.
Click Open.
Select Manage Application Definitions.
Search for QIBM_QHASM_WEB.
Click on the + symbol at the lower-right of the QIBM_QHASM_WEB box.
Click on Assign Certificates.
Check the box for the certificate you wish to assign, and click Assign.
Result
The certificate is now assigned to the PowerHA web interface
3. Enabling the secure HTTPS server
Enable the secure HTTPS server by using the HTTPS(*ON *SAME)
parameter on the CHGHAWEB
command. If no other configuration options have changed, by default PowerHA is equivalent to the following command:
CHGHAWEB HTTP(*AUTO 2098) HTTPS(*ON 2099)
This command enables the non-secured HTTP server on port 2098, configured to automatically redirect users to the secured HTTPS server on port 2099.
Alternatively, the non-secured server can be disabled by using the following command:
CHGHAWEB HTTP(*OFF *SAME) HTTPS(*ON 2099)
4. Restarting the PowerHA Web Interface
Restart the PowerHA Web Interface for the new changes to take effect. For information on restarting the PowerHA web interface see Restarting the PowerHA Web Interface.