We had been asked by a prospect for iAMP how they should go about configuring and installing SSL Certificates for the iAMP server. They had already found some information about creating and installing the certificates as it pertained to other platforms but not for the IBM i. Here is a link to the information we used as a basis for our setup.
Using the information provided we were able to create the setup for the iAMP server and now have a running server which serves both secure and non secure webpages.
First of all we had to create the directories we were going to use to generate the certificates, we decided on /usr/local/sslcert as the base directory for the certificates to be generated. Create the directories using the following commands from an IBMi command line.
Next we needed to create the files used by the process, it is important these are created in ASCII format so DO NOT use the IBMi commands (EDTF etc) to create them. We used notepad on a PC and transferred the files to the relevant directory on the IBMi using FTP.
First of all we need the config file here is a sample we used, The bold items need to be filled in by you. We named it openssl.conf as per the instructions.
# OpenSSL configuration file.
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
0.organizationName_default = Shield Advanced Solutions Ltd
localityName_default = Caledon
stateOrProvinceName_default = Ontario
countryName_default = CA
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
The bolded items are simply shown when the request to build the keys is carried out, you can override these values when the command runs as well, it just allows you to press enter when these values are required to be entered which is useful when you generate lots of certificates.
Next we need to create the file which stores the serial number in it. This is going to be called serial (note it does not have a type such as .txt etc) and simply has the serial number assigned to the certificate. Again we used the 100001 serial number as suggested in the linked information.
The other document we created was certindex.txt, there is no content for this file.
Once we had created these files we used FTP to copy them to the /usr/local/sslcert directory on the IBMi.
Now to create the actual certificates. We need to use the PASE environment to access the openssl commands so on a command line issue the following command.
Now change the directory using the following command.
Now we are ready to build the certificates.
Here is the command we ran in the QP2TERM environment, note we were still in the /usr/local/sslcert directory.
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
As the request runs you will see the following prompts returned.
Generating a 1024 bit RSA private key
unable to write ‘random state’
writing new private key to ‘private/cakey.pem’
Enter PEM pass phrase:
You need to enter your pass phrase here, make sure you remember it and keep in a safe place. you will be asked to repeat it
Verifying – Enter PEM pass phrase:
Repeat the previous pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Organization Name (company) [Shield Advanced Solutions Ltd]: Note how it is reading the data from the config file, we can press enter as this is what we want to use or enter new values
Organizational Unit Name (department, division) : We did not configure a default for this so the prompt is blank, you can enter what you want
Email Address : Same as above no default so enter an email address associated with the company who people can contact about the certificate
Locality Name (city, district) [Caledon]: Predefined in the config file
State or Province Name (full name) [Ontario]: again…
Country Name (2 letter code) [CA]: ….
Common Name (hostname, IP, or your name) : Enter a value you want here which denotes the server
If you get no errors you should now have a couple of new files.
Now we need to create the server certificates for the http server (the above are the ROOT certificates). It is going to use these certificates just generated to build the server certificates so make sure you have these before moving to the next stage.
To build the server certificates we ran the following commands. We are still in the sslcert directory.
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf
You will be asked similar questions to above BUT remember the Common Name HAS to be the name of your server such as “www.mysslserver.tst” which HAS to match that you will configure as the server name in the httpd.conf. We used our server name which is shield4.
Now we will create the certificate using the following command.
openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem
The following is a sample output.
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
The Subject’s Distinguished Name is as follows
organizationName :PRINTABLE:’Shield Advanced Solutions Ltd’
Certificate is to be certified until Mar 19 13:56:23 2013 GMT (365 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated
unable to write ‘random state’
We saw the unable to write random state but the certificates were created?
So now we have to change the the config files for the iAMP server to allow it to run the ssl config. In the httpd.conf file which is located in the webserver config directory (/www/iamp/conf directory if you took the defaults) we need to enable the import of the ssl config file. This is a simple task of un-commenting the line ‘Include conf/extra/httpd-ssl.conf’ by removing the ‘#’ from the beginning.
Now we will install a couple of new directories where we will store the certificates, use the following commands on an IBMi command line.
Now you can copy the certificates into the relevant directories. This can be done through the copy option when viewing the IFS or the following commands.
CPY OBJ('/usr/local/sslcert/private/name-key.pem') TODIR('/www/iamp/conf/ssl.key/')
CPY OBJ('/usr/local/sslcert/name-cert.pem') TODIR('/www/iamp/conf/ssl.crt/')
The config file ‘/www/iamp/conf/extra/httpd-ssl.conf now needs to be changed to point to the correct certificates and keys. Open the config file in the editor and make the following changes.
The virtual host container can be changed to the following. Change the information to match what you entered as the Command Name for the ServerName or it will reject the start request. We created a sub directory in the htdocs directory to just hold the ssl server pages.
Change the Certificate paths and names to show the following.
Now you can save the file and restart the server, the non secure pages will still show as before but now when you request a connection to the https server such as “https://shield4” you will be prompted with a certificate challenge before allowing to view the page, accept the challenge and store the certificate after which the required page will be displayed.
That is it, we now have iAMP server up and running with certificates generated using the openssl commands. The other choice would be to create the certificates and copy them to the location required by the server.
If you have any questions etc let us know, we are not experts on this but having been through the exercise we can show it is possible to do.