Configuring SSL for IHS WebServer
Content
Configuring SSL for IHS WebServer
The request flows in the following order: Web Browser –> IBM Http Server –> WebSphere
Plug-in –> WebSphere Application Server.
This involves setting SSL for two different communications.
1. Between Browser and IBM http server [IHS]
2. Between IBM http server [IHS] and Websphere Application Server
In this part, let us take the, SSL setup for IHS. [between browser and IHS]. This involves, editing
httpd.conf file and creating a new SSL certificate.
Creating new SSL digital Certificate using iKeyman:
For the certificate you can use either a certificate that is signed by a certificate authority or you
can also use a self-signed certificate. Before creating a new certificate, you need to create a
certificate store or Key Database.
start the iKeyman utility: /IHS root/bin/ikeyman.sh
From the Menu Bar select Key Database File > New.
Choose the key database type as CMS
Enter a file name for the new Key Database file you are creating
Enter a Location for the location where you want to store the .kdb file
Click OK
After saving the key database file to the location specified, you are prompted to enter a
password. This is the password that will be used to open the key database file in iKeyman in the
future.
make sure checkbox Stash the password to a file is enabled. this saves the encrypted
password file as a .sth file in the same directory as the key database file.
Now Click OK
Your Key Database file is Ready.
Now lets create a certificate request. Iam using this URL for my site
www.bhikshuwebsphere.com(this site name is differ based on your organization enveronment)
First, Open the KDB using ikeyman. This will show the key database contents.
Click on the "down arrow" to the right, to display a list of three choices.
Select Personal Certificate Requests and click New.
Now, a new window will pop up. here you need to input details about the certificate and your
organization.
Options:
Key Size= 1024 for 128bit and 512 for 56bit
Common Name= SiteName, [This is the name that the CA will register]
Organization= Company Name
Enter the name of a file in which to store the certificate request = This is the file (.arm)
that will contain your request
Once you save the file (.arm) you are done with creating the request
You must now choose a CA and send them a the "Certificate Request"
Once the CA has signed your certificate, generally they send you back the signed certificate
through email.
Take the information provided in the CAs email and copy it to a text file (notepad) and
save it as IHS_Root/SSL/CertRcvd.arm
Open the KDB file and choose Personal Certificates from the drop down options [ check
image3 for how-to]
From the Personal Certificates section, click Receive, a pop-up window will come
Input the required data. Like certificate name and location and click OK
Extracting public certificates for truststore files
Extracting a certificate from one keystore file and adding it to a truststore file is not the same as
exporting the certificate and then importing it. Exporting a certificate copies all the certificate
information, including its private key, and is normally only used if you want to copy a personal
certificate into another keystore file as a personal certificate.
If a certificate is self-signed, extract the certificate and its public key from the keystore file and
add it to the target truststore file.
If a certificate is CA-signed, verify that the CA certificate used to sign the certificate is listed as a
signer certificate in the target truststore file. The keystore file must already exist and contain the
certificate to be extracted.
Read the http://www.ibm.com/developerworks/java/jdk/security/iKeymanDocs.zip file for
further information about how to extract a public certificate from a key database file.
Steps for this task
1. Start the key management utility (iKeyman), if it is not already running.
2. Open the keystore file from which the public certificate will be extracted.
3. Select Personal Certificates.
4. Click Extract Certificate.
5. Click Base64-encoded ASCII data under Data type.
6. Enter the Certificate File Name and Location.
7. Click OK to export the public certificate into the specified file.
Result
A certificate file that contains the public key of the signed personal certificate is now available
for the target truststore file.
What to do next
1. Open the keystore file from which the public certificate will be extracted.
Select signer Certificates and alick Add button
Enter the Certificate File Name and Location.
Click OK
Now the signer certificate is added .
Open the httpd.conf file for editing and modify it to implement the follwoing:
1. To allow IBM HTTP Server to support HTTPS, port 443, for example, enable
SSL on IBM HTTP Server. Modify the configuration file of IBM HTTP
Server,IHS_HOME/conf/httpd.conf. You also can enable SSL through the IBM HTTP
Server administrative console. Open the IHS_HOME/conf/httpd.conffile and add the
following lines to the bottom of the file:
LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
AddModule mod_ibm_ssl.c
Listen 443
<VirtualHost host_name.domain:443>
ServerName host_name.domain
SSLServerCert certificate name
DocumentRoot "IHS_Root\docs"
SSLEnable
SSLClientAuth none
<\VirtualHost>
SSLDisable
Keyfile "path_to_keyfile_created"
SSLV2Timeout 100
SSLV3Timeout 1000
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost XXXXXXX:443>
ServerName www.bhikshuwebsphere.com
DocumentRoot <install_root>\htdocs
SSLEnable
#SSLClientAuth required
</VirtualHost>
SSLDisable
Keyfile <IHS_HOME>/serverkey.kdb
Note: Change the host name and the path for the key file accordingly. Modify the Web server to
support client certificates by uncommenting the SSLClientAuth directive shown in
the httpd.conf file.
For the host_name.domain, use the virtual host IP address or fully qualified domain
name.
Typically, port 443 is used for HTTPS protocol.
The timeout values are given in seconds. Your values might be different.
Note: Change the host name and the path for the key file accordingly. Modify the Web server to
support client certificates by uncommenting the SSLClientAuth directive shown in
the httpd.conf file.
SSLClientAuth required
2. Restart IBM HTTP Server.
3. Test SSL between a browser and IBM HTTP Server. For more information on the
default IBM HTTP Server port number, see Port number settings in WebSphere
Application Server versions.
4. Follow the prompts to select a personal certificate if the SSLClientAuth directive
is set to required.
5. To enable the application server to communicate with IBM HTTP Server using
port 443, add the host alias on the default_host. In the administrative console,
click Environment > Virtual Hosts > default_host. Under Additional properties,
click Host Aliases > New. Enter the following information in the appropriate fields:
Host name
*
Port
443
6. Click Apply and Save When you click Save, the information is written to
thesecurity.xml file and the Web server plug-in is automatically updated.
7. Restart WebSphere Application Server.
8. Test your connection.
