Enabling Secure Sockets Layer (SSL) in the Web Server for HTTPS protocol

Secure Sockets Layer (SSL) is a protocol that secures communications between browsers and the Web Server by encrypting the data in transit and authenticating the server with a digital certificate.

You can activate SSL in the Web Server component and link it to a digital certificate. The Web Server ships with a self-signed certificate, which should be replaced with a personalized certificate generated by the customer.

Before you configure SSL, you must obtain a digital certificate and store it on the computer that the base product is installed on. Follow the instructions provided by the certificate authority (CA) for installing the certificate. You must also know where the keystore is located on the server and the password for the keystore.

In addition, save copies of these files in a safe location so you can find them easily if you need to restore them in the future.

To generate a key and keystore, use the Java keytool command. For details about using keytool, consult your CA or Java documentation.

Note: Your private key password and keystore password must be the same. If they are not the same, you receive a java.io.IOException error.
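The following script wraps the keytool invocation described above so that the keystore password and the private-key password are guaranteed to match. It is an added example, not part of the InfoPrint Manager documentation: it assumes keytool (from a JDK or JRE) is on PATH, that a JKS keystore is acceptable to the Web Server, and the alias, host name, environment-variable names and passwords it uses are placeholders.

```python
"""Generate the Web Server key pair and keystore with keytool.

Added example, not from the InfoPrint Manager documentation. It assumes
keytool is on PATH and that a JKS keystore is acceptable to the Web Server;
alias, host name, environment-variable names and passwords are placeholders.
"""
import os
import shutil
import subprocess

# Passwords are handed to keytool through the environment so they never
# show up in the process list. The variable names are an assumption.
STORE_PASS_ENV = "IPM_STORE_PASS"
KEY_PASS_ENV = "IPM_KEY_PASS"


def passwords_are_consistent(store_pass: str, key_pass: str) -> bool:
    """The Web Server opens the private key with the keystore password, so the
    two must be identical (a mismatch surfaces as java.io.IOException at
    startup). keytool also rejects passwords shorter than 6 characters."""
    return store_pass == key_pass and len(store_pass) >= 6


def keytool_genkeypair_args(keystore: str, alias: str, hostname: str,
                            store_pass: str, key_pass: str,
                            days: int = 365) -> list[str]:
    """Build the keytool command line for a 2048-bit RSA key pair."""
    if not passwords_are_consistent(store_pass, key_pass):
        raise ValueError("keystore and private-key passwords must match "
                         "and be at least 6 characters long")
    return [
        "keytool", "-genkeypair",
        "-alias", alias,
        "-keyalg", "RSA", "-keysize", "2048",
        "-sigalg", "SHA256withRSA",
        "-validity", str(days),
        "-dname", f"CN={hostname}",
        # The SAN ties the certificate to the server name; without it browsers
        # warn that the certificate does not belong to the host they reached.
        "-ext", f"SAN=DNS:{hostname}",
        "-keystore", keystore,
        "-storetype", "JKS",
        "-storepass:env", STORE_PASS_ENV,
        "-keypass:env", KEY_PASS_ENV,
    ]


def generate_keystore(keystore: str, alias: str, hostname: str,
                      password: str) -> bool:
    """Create the keystore, restrict its permissions and confirm that the
    private key entry exists. Returns True when keytool -list shows a
    PrivateKeyEntry for the new keystore."""
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool not found on PATH; install a JDK or JRE first")
    env = {**os.environ, STORE_PASS_ENV: password, KEY_PASS_ENV: password}
    subprocess.run(
        keytool_genkeypair_args(keystore, alias, hostname, password, password),
        env=env, check=True)
    # The private key must be readable only by the Web Server user.
    os.chmod(keystore, 0o600)
    listing = subprocess.run(
        ["keytool", "-list", "-keystore", keystore,
         "-storepass:env", STORE_PASS_ENV],
        env=env, capture_output=True, text=True, check=True).stdout
    return "PrivateKeyEntry" in listing


if __name__ == "__main__":
    ok = generate_keystore(os.path.expanduser("~/.keystore"), "infoprint",
                           "ipm.example.test", "replace-this-password")
    print("keystore ready" if ok else "no private key entry found")
```

The key pair this creates carries a self-signed certificate, which is exactly what the text says to replace: generate a request for it with keytool -certreq, have the CA sign it, and import the reply with keytool -importcert under the same alias so the existing private key is reused.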

To configure SSL:

  1. Purchase a digital certificate from a reputable certificate authority (CA).
  2. Follow the instructions provided by the CA to install the certificate on the computer where the InfoPrint Manager server is installed.
  3. Use the Java keytool command to generate a key and keystore. For details about using the keytool command, refer to Java documentation. Write down the location of the keystore and the password for the keystore. You need them later.

  4. Log in to the computer as the InfoPrint Manager administrator.
  5. Copy the .keystore file previously created to the home directory for the InfoPrint Manager system user.
  6. Change the owner of the .keystore file to the appropriate owner and group. Type this command, substituting the InfoPrint Manager user ID for system_user and the InfoPrint Manager group for system_group:

    chown system_user:system_group .keystore

    The default system user is ipm1 and the default group is sys.

  7. If you cannot copy the .keystore file and change the owner, log out and log back in to the primary computer as the root user (or use su to become the root user) and repeat the previous two steps.
  8. Switch to the InfoPrint Manager user. Type this command, substituting the InfoPrint Manager user ID for system_user:

    su - system_user
  9. Go to the /usr/lpp/pd/ipmws/conf directory.
  10. Open the server.xml file and make these changes:
    1. Find this configuration and uncomment it:

       <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="14443"
           maxThreads="150"
           SSLEnabled="true">
         <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
             ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                      TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
           <Certificate
               certificateKeystoreFile="etc/InfoPrint.keystore"
               certificateKeystorePassword="changeit"
               type="RSA"/>
         </SSLHostConfig>
       </Connector>

    2. Replace the certificateKeystoreFile value with the path to your .keystore file.
    3. Replace the certificateKeystorePassword value (changeit) with the password to your keystore.
    4. Save and close the file.
  11. If you use a port other than the default one (14000), run the pdwsinitports utility.
  12. Restart the InfoPrint Manager Web Server.
  13. Verify the secure connection by opening a Web browser and typing this address, replacing server_name with the hostname or IP address of the computer where InfoPrint Manager is installed:

    https://server_name:14443/IPM
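Before restarting the Web Server (steps 10 to 12), it is worth checking that the edited server.xml actually contains what the procedure expects: the connector uncommented, the default keystore password replaced, an absolute keystore path and no legacy protocols. The following checker is an added example, not part of the InfoPrint Manager documentation. It assumes the Tomcat-style connector layout shown in step 10; the sample documents embedded in it are constructed for this example, and the default file path comes from step 9.

```python
"""Audit the Web Server's server.xml after the SSL connector has been enabled.

Added example, not from the InfoPrint Manager documentation. It assumes the
Tomcat-style layout shown in the procedure (<Connector> with nested
<SSLHostConfig> and <Certificate>); the sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_KEYSTORE_PASSWORD = "changeit"


def audit_server_xml(xml_text: str, expected_port: int = 14443) -> list[str]:
    """Return a list of findings; an empty list means the connector looks sane."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    # ElementTree discards XML comments, so a <Connector> that is still
    # commented out simply does not show up here.
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors:
        return ["no SSLEnabled connector found: the <Connector> block is "
                "probably still commented out"]
    for conn in ssl_connectors:
        port = conn.get("port", "?")
        if port != str(expected_port):
            findings.append(f"SSL connector listens on port {port}, "
                            f"expected {expected_port}")
        host_cfg = conn.find("SSLHostConfig")
        if host_cfg is None:
            findings.append(f"port {port}: <SSLHostConfig> is missing")
            continue
        # Tomcat accepts '+' or ',' as separators in the protocols attribute.
        raw = host_cfg.get("protocols", "").replace(",", "+")
        protocols = {p.strip() for p in raw.split("+") if p.strip()}
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"port {port}: legacy protocol(s) enabled: "
                            f"{', '.join(legacy)}")
        cert = host_cfg.find("Certificate")
        if cert is None:
            findings.append(f"port {port}: <Certificate> is missing")
            continue
        keystore = cert.get("certificateKeystoreFile", "")
        if not keystore:
            findings.append(f"port {port}: certificateKeystoreFile is not set")
        elif not PurePosixPath(keystore).is_absolute():
            findings.append(f"port {port}: keystore path '{keystore}' is relative "
                            "(resolved against the Tomcat base directory); "
                            "use the absolute path to your .keystore")
        if cert.get("certificateKeystorePassword", "") == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"port {port}: certificateKeystorePassword is still "
                            "the default 'changeit'")
    return findings


# Constructed sample: the connector from step 10, uncommented but not edited.
SAMPLE_UNCHANGED = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="14443"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
    <Certificate certificateKeystoreFile="etc/InfoPrint.keystore"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed sample: the connector still commented out (step 10.1 not done).
SAMPLE_COMMENTED = (SAMPLE_UNCHANGED
                    .replace("<Connector", "<!--<Connector")
                    .replace("</Connector>", "</Connector>-->"))

# Constructed sample: steps 10.2 and 10.3 applied (placeholder password).
SAMPLE_FIXED = (SAMPLE_UNCHANGED
                .replace("etc/InfoPrint.keystore", "/home/ipm1/.keystore")
                .replace("changeit", "example-keystore-password"))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/lpp/pd/ipmws/conf/server.xml"
    with open(path, encoding="utf-8") as fh:
        problems = audit_server_xml(fh.read())
    print("\n".join(problems) if problems else "OK: SSL connector looks sane")
    sys.exit(1 if problems else 0)
```

Run it as the InfoPrint Manager user with the path to server.xml as the only argument; a non-zero exit status means at least one finding was reported. The audit reads only the XML and does not open the keystore, so it is safe to run on a live system.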

If you use a self-signed certificate, or if the certificate was not issued for this server, the Web browser warns that the certificate is not trusted.

If you install service updates or a new version of the InfoPrint Manager, you must activate SSL again because the installation process clears the SSL settings in the Web Server component.

If you need to update or replace your digital certificate, install the new certificate into the keystore and remove the old certificate. You do not have to repeat the SSL configuration, because InfoPrint Manager finds the new certificate in the keystore.