WebSphere Commerce Suite not only protects Web pages during the shopping experience, but it also secures Web traffic for administration tasks such as accessing store services or the admin console. Follow these steps to enable the Secure Socket Layer (SSL) protocol for the IBM HTTP Server for iSeries (Original).
The following prerequisites must be met before you can enable SSL for the HTTP server:
- Install the prerequisite license programs.
- Create a *SYSTEM certificate store using the Digital Certificate Manager (DCM).
- Obtain a server certificate from one of the following certificate authorities:
- Well-known Certificate Authority (CA), such as VeriSign or RSA Security
- OS/400 local Certificate Authority For a WebSphere Commerce Suite site you should always use a server certificate that is issued by a well-known CA. A server certificate issued by a private or local CA should be used only in a development or test environment.
- Verify that the CA certificate of the CA that issued the server certificate is in the list of trusted CAs in the *SYSTEM certificate store.
For detailed information on how create a local Certificate Authority, obtain a server certificate and verify the CA trust using OS/400 V5R1 refer to IBM eServer iSeries Wired Network Security: OS/400 V5R1 DCM and Cryptography Enhancements -- SG24-6168.
Configuring IBM HTTP Server instance
To be able to assign a server certificate to an SSL-capable application, such as the IBM HTTP Server, the application has to be registered in Digital Certificate Manager (DCM). Typically when you create an IBM HTTP Server instance using the AS/400 Tasks page, the IBM HTTP Server instance gets automatically registered in DCM when you enable SSL via the graphical user interface. The IBM HTTP Server instance that is created by the WebSphere Commerce Suite configuration manager is not automatically registered in DCM.
Perform the following steps to register the WebSphere Commerce HTTP server instance in DCM:
- Using a Web browser, enter the following URL to start the AS/400 Tasks page:
host_name is the iSeries server TCP/IP host name.
If you get an error accessing the AS/400 Tasks page, verify that the administration server (ADMIN) is started under the QHTTPSVR subsystem. If the administration server is not started, type the following command:
STRTCPSVR *HTTP HTTPSVR(*ADMIN)
- When prompted to enter a user and password, sign on with a user profile that has at least *ALLOBJ, *SECADM, and *IOSYSCFG special authorities.
- From the AS/400 Tasks page click IBM HTTP Server for AS/400 and then Configuration and Administration.
- From the task bar, click Configuration.
- From the Configuration for server pull-down list select the HTTP server instance that was created by the WebSphere Commerce configuration manager. In the scenario covered in this document, the instances names are ITSO and ITSOT.
- From the navigation bar, click Security configuration.
- Verify that Allow SSL connections check box is selected and click Apply. (See Figure 1)
- Return to the AS/400 Tasks page and click Digital Certificate Manager.
- From the Digital Certificate Manager navigation bar, click Select a Certificate Store. As mentioned at the beginning of this section, the signed-on user needs the listed special authorities to perform the configuration steps.
- Select the *SYSTEM certificate store and click Continue.
- Enter the certificate store password and click Continue. The navigation bar refreshes and displays the options available for the signed-on user.
- From the navigation bar, click Fast Path and then from the expanded Fast Path menu, click Work with server applications. A list of registered server applications is displayed.
- Locate and select (one at a time) your HTTP server applications. In this scenario, the applications are registered with the application ID QIBM_HTTP_SERVER_ITSO and QIBM_HTTP_SERVER_ITSOT.
Note: You will have to perform the subsequent steps for each IBM HTTP Server instance that you want to configure to use SSL.
- Click Work with application. This button is located at the bottom of the server applications list.
- Click Update Certificate Assignment. A list of available server certificates is displayed as shown in Figure 2.
- Select the server certificate you want to use for your WebSphere Commerce instance and click Assign New Certificate to assign the selected certificate to the HTTP server instance.
- Click Cancel to return to the Work with Server Applications window.
- Under the Certificate Authority (CA) certificates in the application trust list section, click Define CA Trust List. A list of enabled CA certificates in the system certificate store is displayed. You need to trust at least the CA that issued the server certificate that is assigned to the HTTP server application. If you require client authentication using digital certificates, you also need to trust all CA certificates you are accepting client certificates from. For more information regarding CA trust, refer to IBM eServer iSeries Wired Network Security: OS/400 V5R1 DCM and Cryptography Enhancements -- SG24-6168.
- Select the CA certificate that signed the server certificate and click OK. A confirmation message is displayed.
- Click Cancel to return to the Work with Server Applications window and exit DCM.
This concludes the configuration task to enable SSL for an HTTP server.
WebSphere Payment Manager
This section provides additional configuration steps in order to enable WebSphere Payment Manager to use SSL and verify the correct installation.
SSL is a security protocol. SSL ensures that data transferred between a client and a server remains private. It allows the client to authenticate the identity of the server and the server to authenticate the identity of the client.
Digital certificates are electronic documents that authenticate the servers and clients involved in secured transactions over the Internet. The issuer of digital certificates is called a certificate authority (CA). The iSeries system can perform the role of CA in an Intranet environment issuing server and client certificates, and run as an authenticated server with server certificates issued either by an iSeries CA or an Internet CA like VeriSign. As a Web server, the IBM HTTP Server for iSeries can also be configured to request client certificates for authentication of SSL-enabled clients.
For detailed information on how to enable SSL on the IBM HTTP Server for iSeries, refer to the iSeries Information Center at following Web address:
Once there, select your operating system version, and your language, and click Go. Search on Securing applications with SSL for guidance on how to enable SSL.
Verifying WebSphere Payment Manager user profiles
The purpose of this section is to ensure that after the installation of WebSphere Payment Manager the involved user profiles are configured and enabled. The following steps describe how to accomplish this process:
- From an OS/400 command line type the following commands:
you should see the user profiles as shown in the following example.
- Select option 2 on each of the user profiles and press Enter. Ensure that each of the user profiles has the Status option with the value *ENABLED.
Work with User Profiles Type options, press Enter. 1=Create 2=Change 3=Copy 4=Delete 5=Display 12=Work with objects by owner User Opt Profile Text ___ QPYMADM Payment Manager Administrator ___ QPYMSVR ___ QPYMWEB Bottom Parameters for options 1, 2, 3, 4 and 5 or command ===>
Granting access to WebSphere Commerce components
After creating your WebSphere Commerce instance, you must grant both the WebSphere Payment Manager instance and the WebSphere Commerce instance access to the system certificate store. For example, the following commands will grant the WebSphere Payment Manager instance the required access on a V5R1 system:
CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server') USER(QPYMSVR) DTAAUT(*RX) CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB') USER(QPYMSVR) DTAAUT(*R)
And the following commands will grant the WebSphere Commerce the required access on a V5R1 system:
CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server') USER(QEJBSVR) DTAAUT(*RX) CHGAUT OBJ('/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB') USER(QEJBSVR) DTAAUT(*R)
About the author: Aleksandr V. Nartovich is a senior I/T specialist in the IBM International Technical Support Organization (ITSO) Rochester Center. He joined the ITSO in January 2001 after working as a developer in the IBM WebSphere Business Components (WSBC) organization. You can reach Aleksandr at firstname.lastname@example.org.
This was first published in November 2002