Installing & Renewing SSL on Strategi Webserver - V1R9 or later
Product: Strategi
Modified Date:

SSL is the strongest encryption available to secure transactions over the internet. Installing SSL on a Strategi webserver is simple. This document assumes that, as a customer, you have submitted all necessary paperwork & payment to use Strategi SSL. It also assumes that you have acquired or know your organization's Dun & Bradstreet D-U-N-S number. It is likely your Accounting Department will know your D&B number.

The steps in this document can also be followed to properly renew your SSL certificate. It is important to renew your certificate in this manner, as it will generate a new private key. Renewal methods that make use of a previous CSR (Certificate Signing Request) will use the previous year's private key, and therefore, incur greater risk that the key will be cracked. If you have already proceeded through a renewal process and received a new certificate without following this procedure, please contact BusinessLink Technical Support staff for help in proceeding.

Preparing Strategi for SSL key

Step 1 - Install SSL Enabling License Key
This step can be skipped if an SSL Enabling License Key has already been installed. If you are renewing, you will generally already have this key installed)
  • Contact BusinessLink Technical Support, who will create a new SSL enabling license key for you.
  • Install the license key.
  • Restart Strategi.

    Step 2 - Enter SSL Required Information
  • (iSeries 400 Command) ADDLIBLE STRATEGI
  • (iSeries 400 Command) GENSGISSL

    WEBSITE(DEFAULT)The name of the Strategi Website definition you are creating a certificate for. In many cases this is DEFAULT
    KEYLEN(1024)In most cases 1024
    HOST(abc.yourdnsname.com)The DNS name of your Strategi site. This must be DNS. If you do not have a DNS name for the IP address that Strategi uses on your iSeries 400, postpone SSL install until a name is acquired.
    NAME(The Company, Ltd.)The name of your Organization
    UNIT(Tech Support)The Department this website will represent
    LOCALITY(City)City Name, or, if more appropriate, County Name
    STATE(State Full Name)The full name of your state or province, for example, "Washington", not "WA"
    COUNTRY(CO)Two Character Country Code. If in doubt, check http://digitalid.verisign.com/ccodes.html.
    **Take note of this information for use when creating next year's key. Otherwise your certificate signing authority may not let you "Renew" your certificate if the information doesn't match the previous year.

    Step 3 - Set Proper Authorities to Certificate Zones and SYSTEM Server
  • (iSeries 400 Command) GO STRATEGI/SGI
  • Select "6" for "Web Sites"
  • Select "12" for "Work with Zones" for the RESOURCES website
  • Select "12" for "Work with Authorities" on the "CERTIFICATE" zone
  • Use F6 to add your user number for *READWRITE authority
  • Return to the command line
  • (iSeries 400 Command) ADDHSMAUT
    SVRNAM(*SYSTEM)
    OPCODE(SSLCSR)
    SETFOR:
        REQUESTOR TYPE:Leave as *USER
        REQUESTOR ID:Replace "N" with your Strategi User number.
    ALWACC(*YES)
  • (iSeries 400 Command) ADDHSMAUT
    SVRNAM(*SYSTEM)
    OPCODE(SSLCTF)
    SETFOR:
        REQUESTOR TYPE:Leave as *USER
        REQUESTOR ID:Replace "N" with your Strategi User number.
    ALWACC(*YES)



    Applying for an SSL Server Certificate

    Step 1 - Acquire a Certificate Request for Strategi Website
  • Go to http://your.ip.address/resources/main.htm
  • Click the "Admin Resources" link
  • Click the "SSL Certificate Request" link
  • Log in using your Strategi user id
  • Select your website code (in most cases "DEFAULT")
  • Click the "REQUEST CERTIFICATE" button
  • Click on the "DISPLAY CERTIFICATE" button. The certificate information will pop up into a separate window
  • Select the certificate, selecting from where it says "-----BEGIN NEW CERTIFICATE REQUEST-----" to "----END NEW CERTIFICATE REQUEST----".
  • Copy the request to your clipboard.

    Step 2 - Submit Server Certificate Application
    You will now submit your CSR to the Certificate Signing Authority of your choice. The most commonly used companies are Thawte and Verisign. For your convenience, links for purchase or renewal for these two companies is listed below, but there are additional companies that can be used.

    If this is a first-time SSL Certificate purchase, you can use one of the links below. If you are renewing your certificate, you most likely received an email from your certificate authority with a link, or you can still use one of the links below.

    Renewals
    Thawte: http://www.thawte.com/renew/
    Verisign: http://www.verisign.com/products-services/security-services/ssl/current-ssl-customers/index.html

    New Purchases
    Thawte: http://www.thawte.com/buy/
    Verisign: http://www.verisign.com/products-services/security-services/ssl/buy-ssl-certificates/index.html

  • If purchasing a new certificate, read up on the various plans offered. If renewing, you will purchase the same type as last year.
  • If using Thawte, you will click "Click to Buy" for a new purchase or "Click to Renew" if renewing. If using Verisign, you will click on "Buy" for a new purchase or "Renew" if renewing.
  • When you get to the "Certificate Signing Request (CSR)" page, paste the contents of your clipboard (which should be the CSR from Strategi) into the large field designated for your CSR.
  • When asked to select your Server Platform or Web Server Software, in Verisign, you will choose "Advanced Businesslink" and in Thawte, you will choose select "Other" and type "Strategi by ADVANCED BusinessLink" in the field to the right.
  • The rest of the application is very straightforward. Proceed through until you get through to the screen that tells you your certificate is on the way!


    Installing and Testing SSL Certificate

    Step 1 - Receive the Certificate
  • Thawte will email you a notification that the certificate is ready, and tell you how to pick it up.
  • Copy the certificate contents to your clipboard

    Important Note: Your CA may return your certificate in PKCS#7 format
    (indicated by "-----BEGIN PKCS #7 SIGNED DATA-----" at the top of the text).
    This format cannot be installed into Strategi.
    Click here for information on how to export your server certificate out of this file.

    Step 2 - Apply Certificate to Strategi Webserver
  • Go to http://your.ip.address/resources/main.htm
  • Click the "Admin Resources" link
  • Click the "SSL Certificate Install" link
  • Log in using your Strategi user id
  • Select your website code (in most cases "DEFAULT") and click on the "RETRIEVE CERTIFICATE" button
  • Paste your clipboard contents (should be the certificate) into the "Server Certificate" textarea
  • Click "Install Certificate"
  • The new certificate will not take effect until you restart the Strategi subsystem. Waiting to restart the subsystem will not affect your current SSL certificate. Strategi will continue to use your current certificate until the subsystem has been restarted.

    Step 3 - Add SSL Support and Restart Strategi This Step Only Required For New SSL Installations
  • (iSeries 400 Command) GO STRATEGI/SGI
  • Select "Web Sites"
  • Take option "2" to edit your website (in most cases "DEFAULT")
  • If necessary, change "Secure HTTP" from "*NONE" to "*HTTP"
  • Restart Strategi

    Step 4 - Test SSL
  • Go to https://your.dns.address/resources/main.htm
  • A "locked key" should show at the bottom of your browser window. If one does not, discuss this with BusinessLink technical support
  • Go to User Resources and select "Java 5250" from the drop-down menu
  • Click one of the GUI or Green Screen options
  • When the applet login window appears, let it sit for a few seconds. The words "Secure Connection" should appear below the passphrase field

    ** End of Technical Support Bulletin **