The *ADMIN server provides a number of browser-based HTTP configuration tools served from port 2001. To access these tools, go to IBM Navigator for i:
If you are on a version of IBM i before 6.1, you will use the Digital Certificate Manager option.
If you are running 6.1 or above, DCM Find Digital Certificate Manager (DCM), which is found under the Internet Configurations option in the i5/OS IBM i Management section.
You will now enter the DCM
When you receive the certificate, create or place a certificate text file on the iSeries IBM i IFS in some temporary location.
Then select Manage Certificates, Import Certificate. Select Server or Client Certificate and specify the IFS file name for Import File. You will then have to choose the vendor/certificate issuer.
If the vendor/certificate issuer does not exist, you then the certificate will fail to import. You can import a CA certificate of the issuer using a similar process.process–upload the CA certificate to the IFS, choose Import Certificate, choose Certificate Authority. After adding the CA certificate, repeat the step to import the certificate from an IFS file.
If your organization already has a wild-card certificate from a certificate authority you will still need to create a CSR from IBM's Digital Certificate Manager; otherwise, the certificate will fail to import. Your vendor should provide a way to request a duplicate certificate, and the CSR is used there.
Creating your own certificates through your own CA
# Listen 8080 was already set for this instance, leave it as-is LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM Listen 8081 <VirtualHost *:8081> SSLEngine On SSLAppName myappname </VirtualHost>
You may wish to keep the old port open but automatically redirect users to the SSL port. Users may have the old port bookmarked in their browsers. You can automatically redirect using a rule like the following:
# Redirect all HTTP requests to HTTPS port. <VirtualHost *:8080> RedirectPermanent / https://yourIBMiMachine:8081/ </VirtualHost>
This rule causes all requests from the non-SSL port, 8080, to be sent to the SSL port, 8081.
As with any change to httpd.conf, you will need to restart the PROFOUNDUI web server.
You If you are allowing access to the IBM i from external locations, then you may also wish to disable certain components of Profound UI so that they aren't available in your SSL instance (e.g. Visual Designer). More information on that can be found under Allowing External Access
If you've added a new port to the IBM i, then your organization's firewall may not yet be configured to allow the new port's traffic to your IBM i. Work with your organization's network administrator to open the new port.
Preserving Rules During Upgrade of Profound UI
When upgrading an instance of Profound UI you are given an option to write the httpd.conf file, the IBM HTTP Server configuration. Choose no to preserve the SSL configuration.
When asked for the port number, you can leave the port to the non-SSL port even if you have two ports listening
Have Profound Logic enable SSL for you