Certificates have two places to put the valid domain name(s): the Common Name field and the Subject Alternative Names field. The SAN field allows a single certificate to be valid for multiple domains, both subdomains like a.b.com and c.b.com and completely different domains like a.b.com and hackme.cn. It has the advantage of being valid for completely different domains, but the drawback is that you have to list every domain, and if you want to add one, you have to generate a new certificate. This is a very old standard, and well supported.

SNI is an extension of the TLS protocol that moves the hostname outside
of the handshaking portion of the encryption process. This has the
advantage of allowing compatible clients and servers to request and
serve multiple domains from a single server. The drawback is that now
the hostname you are connecting to can be sniffed. It is also a much
newer protocol. It has only been around a little over 10 years, but at
this point all major clients and servers support it.




Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550
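
An added example, not from the thread and not anyone's production code, showing in Python what Kevin describes above: a client decides which names a certificate covers from the SAN list, consults the CN only when the certificate has no SAN extension, and a "legacy" mode models the vendor behaviour mentioned later in the thread that insists the host match the Common Name itself. The certificates are constructed dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns (not real certificates); the names a.b.com, c.b.com, hackme.cn and *.msd.net.au are taken from the thread. The matching follows the RFC 6125 wildcard rule (a lone `*` as the left-most label only, matching exactly one label).

```python
"""Which hostnames does a certificate cover? SAN decides; CN is a fallback."""
from typing import List, Optional

# Constructed sample certificates in getpeercert() shape (not real certs).
SAN_CERT = {
    "subject": ((("commonName", "a.b.com"),),),
    "subjectAltName": (("DNS", "a.b.com"), ("DNS", "c.b.com"), ("DNS", "hackme.cn")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.msd.net.au"),),),
    "subjectAltName": (("DNS", "*.msd.net.au"), ("DNS", "msd.net.au")),
}
CN_ONLY_CERT = {  # old-style certificate with no SAN extension at all
    "subject": ((("commonName", "old.example"),),),
}


def _common_name(cert: dict) -> Optional[str]:
    """First commonName attribute in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _san_dns_names(cert: dict) -> List[str]:
    """All dNSName entries of the subjectAltName extension."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def _label_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a single '*' may only
    replace the whole left-most label, never matches more than one label,
    and is rejected for patterns like '*.com' (fewer than two fixed labels)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def identities(cert: dict) -> List[str]:
    """Names a modern client accepts: the SAN list if present, else the CN."""
    sans = _san_dns_names(cert)
    if sans:
        return sans
    cn = _common_name(cert)
    return [cn] if cn else []


def hostname_matches(cert: dict, host: str, legacy_cn_only: bool = False) -> bool:
    """True if `host` is covered by `cert`.  legacy_cn_only=True models a
    peer that ignores SAN and requires the CN itself to match."""
    if legacy_cn_only:
        cn = _common_name(cert)
        return bool(cn) and _label_matches(cn, host)
    return any(_label_matches(name, host) for name in identities(cert))


if __name__ == "__main__":
    for host in ("a.b.com", "c.b.com", "d.b.com"):
        print(host, hostname_matches(SAN_CERT, host), hostname_matches(SAN_CERT, host, legacy_cn_only=True))
```

The second column of the output is the modern rule and the third the CN-only rule: c.b.com passes the first and fails the second, which is exactly the situation Kevin ran into with a vendor that required the domain to match the common name.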

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of
Bradley Stone
Sent: Friday, January 26, 2018 8:58 AM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Multiple http servers for zendphp7

SNI = Server Name Identification:
https://www.fieldexit.com/forum/display?threadid=439

SAN = Subject alternative name:
https://www.digicert.com/subject-alternative-name.htm


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #19 <https://www.bvstools.com/mailtool.html>: The ability to turn off "Strict SSL" settings.
This means no importing Certificate Authorities (CAs) unless you want to.

On Fri, Jan 26, 2018 at 8:52 AM, Nathan Andelin <nandelin@xxxxxxxxx>
wrote:

Kevin could you provide references to what you mean by the acronyms
SAN and SNI?

Nathan Andelin


On Jan 26, 2018, at 7:02 AM, Kevin Bucknum <Kevin@xxxxxxxxxxxxxxxxxxx> wrote:

SAN is a function of the certificate, not the server, so any server that can present a certificate should support it. All modern browsers should support SAN certificates, so if your websites are all running one code base and it is the only codebase you need on your server, SAN should work. We only tried to use it once, and it wasn't served off the IBM i. We ended up having to scrap the certificate however because the vendor connecting to us required the domain to match the common name. That was a while back, and I'm not sure if they still require that, but we just renew the certificates when they expire now, and haven't tried to combine them again.

Virtual hosts have been around for a long time. They allow one server listening on one ip:port combination to have different configurations based on the domain being served. For a long time SSL sites were limited because of the timing of serving the certificate. You were limited to one certificate per server. SNI allows you to overcome that. It moved just enough of the headers outside the encrypted portion of the communication to allow a server to determine what site the client is trying to reach, and allows the server to have different configurations (including different certificates) for each domain being served.

With SAN you have one server serving one certificate for multiple
domains. You are limited to one configuration including codebase,
certificate, permissions, etc.

With named virtual hosts and SNI, you have one server serving
multiple configurations. You can use the same or different
codebases, certificates, permissions, etc.

Both have strengths and weaknesses. Once you get past your deadline, fire up a linux VM and create some letsencrypt certs and play around with both just so you understand the config and routing.




Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550
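
An added example, not part of the thread, to make the virtual-host routing Kevin describes concrete: the server_name extension sits in the plaintext ClientHello, so a server (or anything watching the wire, which is why the hostname "can be sniffed" as noted at the top of the thread) can read it before any certificate is chosen. The ClientHello builder, the parser and the tiny vhost table are all constructed for this example; the host names reuse two from the Apache config Kevin posts later in the thread. Nothing here decrypts anything; the fields are read straight off the record.

```python
"""Read the SNI host out of a TLS ClientHello and pick a vhost from it."""
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed, minimal TLS 1.2 ClientHello: one cipher suite, null
    compression, a signature_algorithms extension and (optionally) SNI."""
    body = b"\x03\x03" + bytes(32)                      # client_version + random (zeros here)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # cipher_suites: one entry
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(lst)) + lst      # extension type 0 = server_name
    exts += struct.pack("!HH", 0x000D, 4) + struct.pack("!H", 2) + b"\x04\x01"  # signature_algorithms
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None when the
    record is not a ClientHello, carries no SNI, or is truncated."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                # handshake header, version, random
        pos += 1 + hs[pos]                              # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                              # compression_methods
        if pos + 2 > len(hs):
            return None                                 # no extensions at all (pre-SNI client)
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            lst_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + lst_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("idna")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


# Constructed vhost table; the names come from the config quoted in this thread.
VHOSTS = {
    "dev.medtronsoftware.com": "/www/medpmweb/public",
    "kevin.dev.medtronsoftware.com": "/www/kevin_dev/public",
}
DEFAULT_VHOST = "dev.medtronsoftware.com"   # first vhost defined for the listener


def select_vhost(record: bytes) -> str:
    """Name-based routing as Apache does it: the SNI host picks the vhost;
    a client that sends no SNI, or an unknown name, gets the listener's
    default (first defined) vhost and therefore that vhost's certificate."""
    name = extract_sni(record)
    return name if name in VHOSTS else DEFAULT_VHOST


if __name__ == "__main__":
    hello = build_client_hello("kevin.dev.medtronsoftware.com")
    print(extract_sni(hello), "->", VHOSTS[select_vhost(hello)])
```

The fall-through in `select_vhost` is the practical caveat: a client with no SNI support, or a monitoring probe that connects by IP, is served by whichever `<VirtualHost>` comes first for that address and port, so the first SSL vhost on a listener should be the one whose certificate you are happiest to show by default.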

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don Brown
Sent: Thursday, January 25, 2018 5:07 PM
To: Web Enabling the IBM i(AS/400 and iSeries)
Subject: Re: [WEB400] Multiple http servers for zendphp7

Ok this is well above my skill level!

I had to look SNI up to find it is Server Name Identification

I have a single PHP application running on IBMi at 7.2 and 7.3 that is used by multiple entities and each entity requires a https connection with appropriate ssl certificate.

I have a deadline of 1st Feb to get this operational.

There is such a certificate as a SAN but getting specific information on this is seeming difficult. I tried calling the US and UK offices of GeoTrust and after 10 minutes + on hold to each I left a message and no replies as yet.

And I can not find anything that specifically indicates this is supported on IBMi.

While not totally great I can do this with a simple wildcard certificate and just put the entities accessing the site; for example fredsaccounts.msd.net.au and acmeaccounts.msd.net.au ... Etcetera.

Kevin: Thanks for the apache config - I will at some stage go through this in detail and try and understand exactly what you are saying - like I said this is way above my current skill level. Sorry but I really do not understand what this is doing, it may be the perfect solution for me but I can't visualise the network diagram or traffic flow.

Pete: I have read a lot about reverse proxies in this blog but again until you actually work with one it is my old head that is struggling with the concept. I know nothing of letsEncrypt. Ok scratch that, they are a free Certificate provider. WOW I will have to investigate this further in the future. So I am struggling with the overview of how a reverse proxy will allow me to have multiple certificates as indicated above in what I am trying to achieve. As much as I would love to be going to San Antonio this year just not in the budget (I did Orlando last year) but if you want a guinea pig to test your presentation on I can definitely assist :-)

So I am a little bit stuck.

Appreciate the assistance



Don Brown





From: "Kevin Bucknum" <Kevin@xxxxxxxxxxxxxxxxxxx>
To: "Web Enabling the IBM i\(AS/400 and iSeries\)"
<web400@xxxxxxxxxxxx>
Date: 25/01/2018 11:37 PM
Subject: Re: [WEB400] Multiple http servers for zendphp7
Sent by: "WEB400" <web400-bounces@xxxxxxxxxxxx>



SNI works fine with zendserver on the i. I've been configuring apache servers for so long, that I just do it now, and haven't had to look around for any kind of instructions lately. Any basic walkthrough for setting up named virtual hosts should work. To answer your other question about multiple certificates: I'm 90% sure that I had it working, but that was several years ago, and the memory is fuzzy. I could try again real quick to see if it works. There are a couple of directives in the IBM apache implementation that are different from standard, and one of them controls the certificate used. SSLAppName points to a name in the DCM which controls which certificate is used. As I recall the only confusing thing was getting the application set up in the DCM. If you have issues setting it up, I can create a letsencrypt cert and try and pop a new named instance on my box. It would probably be tomorrow before I can do that however. Here is my current apache config with several named hosts running different code bases.

# Configuration originally created by Create HTTP Server wizard on Tue Apr 11 01:53:18 CDT 2006
LoadModule proxy_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_connect_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
LoadModule proxy_ftp_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule zend_enabler_module /QSYS.LIB/QHTTPSVR.LIB/QZFAST.SRVPGM
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM

Listen *:10081
NameVirtualHost *:10081
Listen *:10080
NameVirtualHost *:10080
DocumentRoot /www/zendsvr6/htdocs

DefaultFsCCSID 37
CGIJobCCSID 37

<VirtualHost *:10080>
Include /usr/local/zendsvr6/etc/sites.d/zend-default-vhost-10080.conf
</VirtualHost>
Listen *:443
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Cookie}n \"%r\" %t" cookie
LogFormat "%{User-agent}i" agent
LogFormat "%{Referer}i -> %U" referer
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log combined
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
DefaultFsCCSID 37
CGIJobCCSID 37

DirectoryIndex index.php index.html
CgiConvMode %%MIXED/MIXED%%
TimeOut 30000
KeepAlive Off
HotBackup Off
NameVirtualHost *:443

#AddCharset UTF-8 .utf8
#AddCharset utf-8 .utf8
#AddCharset utf-7 .utf7
AddCharset UTF-8 .htm .html .xml

# zend fastcgi
AddType application/x-httpd-php .php
AddHandler fastcgi-script php


RewriteEngine on

<Directory />
Order Deny,Allow
Deny From all
</Directory>

# Allow requests for files in document root

<Directory /www/zendsvr6/htdocs>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /usr/local/zendsvr6/var/apps>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>
<Directory /www/medpmdemo>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/programming>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/kevin_dev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/waynehdev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/jeremyldev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>




<Directory /www/mounika_dev>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>

<Directory /www/medpmweb>
Options FollowSymLinks
order allow,deny
allow from all
AllowOverride all
</Directory>
<VirtualHost *:10081>
RedirectMatch ^/$ /ZendServer/
DocumentRoot /usr/local/zendsvr6/gui/public/
<Directory /usr/local/zendsvr6/gui>
Options FollowSymLinks
AllowOverride None
order allow,deny
Allow from all
</Directory>

<Location /ZendServer>
order allow,deny
Allow from all
</Location>

Alias /ZendServer "/usr/local/zendsvr6/gui/public"

<Directory "/usr/local/zendsvr6/gui/public">
AllowOverride All
order allow,deny
Allow from all
</Directory>
</VirtualHost>


<Location /Zend5250Demos>
Order deny,allow
Allow from all
</Location>

<Location /Zend5250Login>
Order deny,allow
Allow from all
</Location>

Alias /Zend5250Demos /usr/local/zendsvr6/5250/demos
Alias /Zend5250Login /usr/local/zendsvr6/5250/Generator/Form
Alias /Zend5250Appl /usr/local/zendsvr6/5250/Welcome


<Directory "/www/zendsvr6/htdocs/Zend5250Emulator">
Options FollowSymLinks
AllowOverride All
</Directory>

IncludeOptional /usr/local/zendsvr6/etc/sites.d/globals-*.conf
IncludeOptional /usr/local/zendsvr6/etc/sites.d/vhost_*.conf

Listen 127.0.0.1:10083
NameVirtualHost 127.0.0.1:10083
<VirtualHost 127.0.0.1:10083>
Alias /UserServer /usr/local/zendsvr6/share/UserServer
DocumentRoot /usr/local/zendsvr6/share/UserServer
<Directory /usr/local/zendsvr6/share/UserServer>
AllowOverride All
Allow from all
</Directory>
</VirtualHost>


#XML Toolkit http settings
ScriptAlias /cgi-bin/ /QSYS.LIB/ZENDSVR6.LIB/
<Directory /QSYS.LIB/ZENDSVR6.LIB/>
AllowOverride None
order allow,deny
allow from all
SetHandler cgi-script
Options +ExecCGI
</Directory>
#End XML Toolkit http settings


#/* keep access logs 30 days, error logs 30 days, FastCGI logs 30 days
#/LogMaint logs/access_log 30 0
#/LogMaint logs/error_log 30 0
#//LogMaint logs/error_zfcgi 30 0

#/ Maintain Logs at 3 am (0 = midnight, 23 = 11 pm, etc)
#/ Set for an hour when the server is active (i.e. not during an IPL or backup, for example)
<Location /phpmyadmin>
Order deny,allow
Allow from all
</Location>
<VirtualHost *:443>
ServerName dev.medtronsoftware.com
DocumentRoot /www/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName kevin.dev.medtronsoftware.com
DocumentRoot /www/kevin_dev/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName mounika.dev.medtronsoftware.com
DocumentRoot /www/mounika_dev/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName wayneh.dev.medtronsoftware.com
DocumentRoot /www/waynehdev/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName jeremyldev.medtronsoftware.com
DocumentRoot /www/jeremyldev/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName programming.medtronsoftware.com
DocumentRoot /www/programming/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>
<VirtualHost *:443>
ServerName medpmdemo.medtronsoftware.com
DocumentRoot /www/medpmdemo/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
SSLCacheEnable
SetEnv HTTPS_PORT 443
</VirtualHost>






Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550
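
An added check, not from the thread and not IBM's or Zend's tooling: a short Python lint over an Apache configuration in the style Kevin posted. It reports the mistakes that make SNI routing fail silently (an SSL vhost without a ServerName, two vhosts with the same ServerName on one listener, an SSL vhost with no SSLAppName) and lists which vhosts share an SSLAppName. Since, as Kevin says, the SSLAppName is what selects the certificate from the DCM, every vhost sharing one presents the same certificate, and that certificate then has to cover all of those names by SAN or wildcard. The sample config is constructed from a few of the vhosts above, with a duplicate ServerName and a nameless SSL vhost added deliberately so the checks have something to find.

```python
"""Lint <VirtualHost> blocks for SNI/SSL routing problems."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of the IBM i Apache config quoted above.
SAMPLE_CONF = """
Listen *:443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName dev.medtronsoftware.com
DocumentRoot /www/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
</VirtualHost>
<VirtualHost *:443>
ServerName kevin.dev.medtronsoftware.com
DocumentRoot /www/kevin_dev/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
</VirtualHost>
<VirtualHost *:443>
ServerName kevin.dev.medtronsoftware.com
DocumentRoot /www/waynehdev/medpmweb/public
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_ZENDSVR
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /www/programming/public
SSLEngine On
</VirtualHost>
<VirtualHost *:10080>
DocumentRoot /www/zendsvr6/htdocs
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
WATCHED = ("servername", "documentroot", "sslengine", "sslappname")


def parse_vhosts(conf: str) -> List[Dict[str, str]]:
    """One dict per <VirtualHost>: its listener plus the directives above."""
    out = []
    for m in VHOST_RE.finditer(conf):
        block = {"listener": m.group(1).strip()}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            if key in WATCHED:
                block[key] = parts[1].strip() if len(parts) > 1 else ""
        out.append(block)
    return out


def lint_vhosts(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    seen: Dict[Tuple[str, str], int] = {}
    by_app: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for i, vh in enumerate(parse_vhosts(conf), 1):
        listener = vh["listener"]
        ssl_on = vh.get("sslengine", "").lower() == "on"
        name = vh.get("servername")
        if ssl_on and not name:
            findings.append(f"vhost #{i} on {listener}: SSLEngine On but no ServerName; "
                            "SNI can never select it, only the listener's default reaches it")
        if name:
            key = (listener, name.lower())
            if key in seen:
                findings.append(f"vhost #{i} on {listener}: duplicate ServerName {name} "
                                f"(first defined in vhost #{seen[key]}); the later one is unreachable")
            else:
                seen[key] = i
        if ssl_on and not vh.get("sslappname"):
            findings.append(f"vhost #{i} on {listener}: SSLEngine On without SSLAppName; "
                            "on IBM i the DCM application name selects the certificate")
        if ssl_on and vh.get("sslappname") and name:
            by_app[(listener, vh["sslappname"])].append(name)
    for (listener, app), names in by_app.items():
        unique = sorted(set(n.lower() for n in names))
        if len(unique) > 1:
            findings.append(f"{listener}: {', '.join(unique)} share SSLAppName {app}, so they "
                            "present the same certificate; it must cover every name (SAN or wildcard)")
    return findings


if __name__ == "__main__":
    for f in lint_vhosts(SAMPLE_CONF):
        print("-", f)
```

Run against Kevin's real config above, the only finding would be the last kind: all seven SSL vhosts name `QIBM_HTTP_SERVER_ZENDSVR`, so they all present whatever certificate that DCM application carries, and that single certificate must list every `*.medtronsoftware.com` host it serves. To give a vhost its own certificate, point it at a different SSLAppName registered in the DCM.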

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Don Brown
Sent: Thursday, January 25, 2018 3:20 AM
To: Web400@Midrange. Web400
Subject: [WEB400] Multiple http servers for zendphp7

I am trying to find a cheat sheet or step by step instructions to have multiple http servers all running php.

Reason being I have 4 different domain names and to enable ssl on each I need 4 http servers on 4 different ip addresses.

I am also exploring SAN ssl certificates but want to explore both options first.

Does anyone have multiple http servers providing php and are there any concerns / problems that I should be aware of ?

Thanks for any assistance

IBMi V7R2 and V7R3

Don Brown


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing list
To post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/web400.
