Kisco Systems

IEM Respond HTTPS Configuration Instructions


IEM Respond supports use of this web-enablement tool over a secure HTTPS browser connection. When you first set up and configure IEM Respond on your system, we recommend that you start with the non-secure (plain HTTP) configuration. This will simplify the setup routine. The following documentation assumes that you already have a working configuration using plain HTTP browser connections to your IBM i server.


Complete the following steps, in order, to convert your working HTTP server instance (named IEVENTMON) from a plain HTTP server configuration to a secure HTTPS server configuration.

Step 1: Start the *ADMIN server instance on your IBM i and log in.
Step 2: Enable SSL for the server instance and register the IEVENTMON application.
Step 3: Connect to the Digital Certificate Manager application on your browser.
Step 4: Create a new digital certificate in the *SYSTEM certificate store.
Step 5: Validate the newly created certificate.
Step 6: Assign the new certificate to the IEVENTMON application.
Step 7: Start the updated IEVENTMON server instance.
Step 8: Verify that the configuration is working correctly.


Step 1: Start the *ADMIN server instance on your IBM i and log in.

From the command line on your system, enter the following command:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

This will start the web server administration tool on your system. This startup process can take a minute or two (or longer) to complete. After waiting, enter the following address in the address box of your web browser:

http://yoursystemi.com:2001/HTTPAdmin

You will be prompted to log on. You must sign on as a security officer with full authority to your system, such as QSECOFR. When the logon is complete, the IBM i HTTP Server Administration application will be started.


Step 2: Enable SSL for the server instance and register the IEVENTMON application

Select the “Manage” tab and then, when it is displayed, select the “HTTP Servers” tab. In the “Server:” selection box, locate and select the IEVENTMON server. If it is not there, then you need to configure it and test it in a non-secure environment before continuing with this procedure. This is covered in the user's guide. When you have selected the IEVENTMON server, verify that it is showing with a status of “Stopped”. If it is showing as active, then you will need to stop it now before continuing.

Select the "Security" option from the left-hand panel, then make the following changes on the right side of the panel:

  1. For the SSL option, change the setting so that it shows as ENABLED
  2. In the first box to the right of "Server certificate application name:", enter the value IEVENTMON
  3. For the HTTPS_PORT setting, enter the value 8077

Press the Apply button at the bottom of the page. Your server instance has now been converted to work with HTTPS.


Step 3: Connect to the Digital Certificate Manager application on your browser.

In your browser, re-enter the base address for the IBM i Tasks:

http://yoursystemi.com:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

Note: The following process will self-issue a digital certificate for use with your HTTPS server instance. When you connect from your browser, this certificate will produce a warning because your server is not a registered certificate issuer, but the process will work correctly as long as you bypass the warning. On some browsers, such as Firefox, you will be allowed to accept the certificate the first time you use it and it will not be questioned again. Other browsers, like some versions of Internet Explorer, will question your use every time. Regardless, you will know where the certificate came from and you will be able to trust it by virtue of that knowledge.


Step 4: Create a new digital certificate in the *SYSTEM certificate store.

Select the button in the top left corner of your browser that reads “Select a Certificate Store”. On the next panel, select the *SYSTEM store and press the “Continue” button. (If the *SYSTEM store does not exist, you will need to first create it using the “Create New Certificate Store” link.) Your system will prompt you for the password for the *SYSTEM certificate store. If you don’t know the password, you can use the reset function to assign a new password. When you are finished, the *SYSTEM certificate store will be open and available.

Now, select the “Create Certificate” link from the left-hand panel. On the next panel, select the option for “Server or client certificate” and press the “Continue” button. Next, select the option for “Local Certificate Authority” and press “Continue” again. Now the certificate form is displayed. Fill out the required fields as follows:

Certificate label - Enter the value “IEVENTMON”.

Common name - Enter a unique name. Kisco recommends that you use the system name for your system (or partition) as shown from the DSPNETA command display.

Organization name - Enter the name of your company or organization.

State or province - Enter the name of the state or province where you are located.

Country or region - Enter an abbreviation for your country.

Select the “Continue” button at the bottom of the page and your certificate will be created.


Step 5: Validate the newly created certificate.

In the left-hand panel, select the “Manage certificates” link. Next, select the “Validate certificate” link. Choose the “Server or client” option and press the “Continue” button. Select the IEVENTMON certificate that you just created, then press the “Validate” button at the bottom of the page. If everything with the certificate is OK, a message will be displayed confirming that the certificate is valid.


Step 6: Assign the new certificate to the IEVENTMON application.

In the left-hand panel, select the “Assign certificate” link. Select the IEVENTMON certificate, then press the “Assign to Applications” button. Locate the IEVENTMON application in the list displayed and place a check mark next to it. Press the “Continue” button. A message will be displayed confirming that the certificate is now assigned to the application.


Step 7: Start the updated IEVENTMON server instance.

On a terminal session command line, enter the following command:

STRTCPSVR SERVER(*HTTP) HTTPSVR(IEVENTMON)

This will start the server instance that has been converted for use with HTTPS security.


Step 8: Verify that the configuration is working correctly.

Once the server instance has been started, enter the following web address into your browser’s address box:

https://yoursystemi.com:8077

The IEM Respond test page should now come up using HTTPS security. Please note the comments in Step 3 above about the certificate warning that your browser will display.
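The note in Step 3 relies on knowing where the certificate came from. The following script is an added example, not part of Kisco's instructions: before accepting the browser warning, it checks from a client PC that the server on port 8077 presents exactly the certificate you created. It assumes you recorded the SHA-256 fingerprint of the IEVENTMON certificate from a trusted source when you created it; the script name and function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def normalize_fingerprint(text):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return 64 lowercase hex digits."""
    digits = text.replace(":", "").replace(" ", "").lower()
    if len(digits) != 64 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def sha256_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha256(der_bytes).hexdigest()


def certificate_matches(der_bytes, recorded):
    """True only if the presented certificate is exactly the recorded one."""
    return hmac.compare_digest(sha256_fingerprint(der_bytes),
                               normalize_fingerprint(recorded))


def fetch_server_certificate(host, port=8077, timeout=10):
    """Fetch the certificate the server presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # chain is self-issued; the pin decides trust
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python check_iem_cert.py yoursystemi.com <recorded fingerprint>
    host, recorded = sys.argv[1], sys.argv[2]
    if certificate_matches(fetch_server_certificate(host), recorded):
        print("OK: server presents the recorded IEVENTMON certificate")
    else:
        print("MISMATCH: do not accept the browser warning for this host")
        sys.exit(1)
```

A mismatch means the certificate reaching your browser is not the one assigned in Step 6, so the warning should not be bypassed until the difference is explained.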