On Tue, May 31, 2022 at 3:24 PM Stephen Piland <Stephen@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I apologize in advance if this topic has been covered ad nauseam... We
have a simple Rest API that is currently running in IWS within the firewall
of the company. We'd like to open it up to outside of the confines and
want to run in a more secure way.

What are the high level steps to make this happen? We are currently on
the latest TL of 7.3 of the OS. Is there a white paper on this?

Other questions that come to mind...


1. Would we create a new Certificate Store in DCM? Can we create a
certificate for client side there? Or do we need to create and purchase
cert from 3rd party?


You'd want to purchase from a reputable place, and not use a self-signed
cert unless you want to explain to everyone using it how to import your own
Certificate Authority.

You could also use one from LetsEncrypt for free. You would need to renew it
every 90 days. Otherwise you can get them for about $12 a year from a
place like Namecheap.com. Any place asking more than $40 or so is ripping
you off. :)


2. I believe the suggested method of comms is via TLS 1.2 or higher.
Is that a different setup?


No, just make sure what you have enabled on your system is 1.2 and up.


3. Do we create a new Web Service Server and deploy this web service to
it or can it be 'reconfigured'?


You'll want to have a way to direct it in from the internet to your
firewall, and then to your IBM i's internal IP address. Most likely you'd
set up a subdomain of your host, like

ws.yourcompany.com

This will point to an external IP that will point at your external
firewall. Then that will route requests once past to a specific internal IP
address.

I normally like to make a separate internal IP on the IBM i for things like
this so that you can easily stop/start it without affecting anything else.
Then you can also block all ports that you don't need to use coming in.
Your network guys would be the best to talk to for this part of it. It's
no different really than pointing to an internal web server running any
other OS.



Thanks for any suggestions!!
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.
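
An outside-in check for the certificate and TLS points in the reply above, as an added example that is not part of the original message or of IWS/DCM. It handshakes the way an external client would, with the default trust store and nothing below TLS 1.2, then reports how long the certificate has left; the 30-day renewal threshold and all function names are assumptions, and `ws.yourcompany.com` is the placeholder host from the thread.

```python
import socket
import ssl
import sys
import time

RENEW_BELOW_DAYS = 30  # assumed alert threshold; the thread only gives the 90-day lifetime


def strict_context():
    """Default trust store and hostname check, and no handshake below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def days_left(not_after, now=None):
    """Whole days until notAfter, in the string format getpeercert() returns."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def cert_status(not_after, now=None):
    """Classify a certificate by remaining lifetime."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining < RENEW_BELOW_DAYS:
        return "RENEW"
    return "OK"


def probe(host, port=443, timeout=10):
    """Handshake as an outside client would; returns (protocol, notAfter)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Placeholder host from the thread; pass the real name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "ws.yourcompany.com"
    try:
        version, not_after = probe(host)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        # Untrusted or self-signed chain, hostname mismatch, no TLS 1.2+, or unreachable
        sys.exit(f"{host}: FAIL {exc}")
    print(f"{host}: {version}, expires {not_after}, "
          f"{days_left(not_after)} days left, {cert_status(not_after)}")
```

A passing run shows that a TLS 1.2 or later handshake with a publicly trusted certificate succeeds; it does not show that older protocol versions are disabled on the server, which still has to be confirmed in the system's own TLS settings.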


