Versions Compared

Version Old Version 1 New Version 2
Changes made by

Peter Lafler (Deactivated)

Aaron Fistler

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

More information coming soonSecure HTTPS traffic for the BRMS web interface requires a digital certificate. A digital certificate provides two functions:

  1. Providing a way to encrypt communication between the web browser and the server

  2. Verifying the identity of the server to prevent a man-in-the-middle attack.

Depending on the type of digital certificate you configure, the digital certificate will help with either encrypting communication or with both encrypting communication and verifying the identity of the server.

Before you begin

This step requires the following:

  • IBM 5770SS1 Option 34 - Digital Certificate Manager is installed

  • The *SYSTEM certificate store is created

To create the *SYSTEM certificate store, use the following steps:

Expand
titleCreating the *SYSTEM certificate store

  4. Image Added

Info

Info

Procedure

After the *SYSTEM certificate store is created, the procedure consists of the following steps:

  1. Choose a type of certificate to use by following one of the following options

    1. Creating a Self-Signed Certificate

    2. Importing a Signed Certificate

  2. Assigning the certificate to the BRMS Webserver

  3. Enabling the secure HTTPS server

  4. Restarting the BRMS Webserver

1a. Creating a Self-Signed Certificate

A self-signed certificate provides a way to encrypt communication between the web browser and server. However, because the certificate is self-signed, the identity of the server cannot be verified. While a self-signed certificate is still much more secure than non-secured HTTP traffic, it does not protect against a man-in-the-middle attack.

To create a self-signed certificate, use the following steps:

  1. Create a Local Certificate Authority (if one does not already exist)

  2. Create a Certificate Authority (CA) Certificate (if one does not already exist)

  3. Use the Local Certificate Authority to create a self-signed certificate

Expand
titleCreating the Local Certificate Authority

  4. Image Added

Info

Info

Expand
titleCreating a Certificate Authority (CA) Certificate

  3. Image Added

    4. Image Added

Expand
titleCreating a Self-Signed Certificate

  3. Image Added

    2. Image Added

  5. Image Added

1.b Importing a Trusted Certificate

To import a trusted certificate, follow the instructions in the IBM Documentation for Digital Certificate Manager.

2. Assigning the Certificate to the BRMS Webserver

Expand
titleAssigning the Certificate to the BRMS Webserver

  3. Image Added

    2. Image Added

  5. Image Added

  6. Image Added

  9. Image Added

3. Enabling the secure HTTPS server

Enable the secure HTTPS server by using the HTTPS(*ON *SAME) parameter on the CHGWEBBRM command. If no other configuration options have changed, by default BRMS is equivalent to the following command:
CHGWEBBRM HTTP(*AUTO 2088) HTTPS(*ON 2089)

This command enables the non-secured HTTP server on port 2088, configured to automatically redirect users to the secured HTTPS server on port 2089.
Alternatively, the non-secured server can be disabled by using the following command:
CHGWEBBRM HTTP(*OFF *SAME) HTTPS(*ON 2089)

4. Restarting the BRMS Web Interface

Restart the BRMS Web Interface for the new changes to take effect. For information on restarting the BRMS web interface see Restarting the BRMS Web Interface.

Tip

After enabling the HTTPS server, use the following format to reach the BRMS web interface https://<system-name>:<https-port>. For example, with the default port configuration the URL would be: https://<system-name>:2089.