The setup is as follows:
The request flows in the following order: Web Browser -> IBM HTTP Server -> WebSphere Plug-in -> WebSphere Application Server.
This involves setting up SSL for two different communications:
1. Between the browser and IBM HTTP Server [IHS]
2. Between IBM HTTP Server [IHS] and WebSphere Application Server
In this part, let us take the SSL setup for IHS [between browser and IHS]. This involves editing the httpd.conf file and creating a new SSL certificate.
Creating new SSL digital Certificate using iKeyman:
For the certificate you can use either a certificate that is signed by a certificate authority or you can also use a self-signed certificate. Before creating a new certificate, you need to create a certificate store or Key Database.
- Start the iKeyman utility: /IHS root/bin/ikeyman.sh
- From the Menu Bar select Key Database File > New.
- Choose the key database type as CMS
- Enter a file name for the new Key Database file you are creating
- Enter the location where you want to store the .kdb file
- Click OK
- After saving the key database file to the location specified, you are prompted to enter a password. This is the password that will be used to open the key database file in iKeyman in the future.
- Make sure the checkbox "Stash the password to a file" is enabled. This saves the encrypted password file as a .sth file in the same directory as the key database file.
- Now click OK
- Your Key Database file is ready.
Now let's create a certificate request. I am using this URL for my site: www.josephamrithraj.mp
- First, Open the KDB using ikeyman. This will show the key database contents.
- Click on the “down arrow” to the right, to display a list of three choices.
Select Personal Certificate Requests and click New.
Now a new window will pop up. Here you need to input details about the certificate and your organization.
Options:
- Key Size= 1024 for 128bit and 512 for 56bit
- Common Name= SiteName, [This is the name that the CA will register]
- Organization= Company Name
- Enter the name of a file in which to store the certificate request = This is the file (.arm) that will contain your request
Once you save the file (.arm), you are done with creating the request.
You must now choose a CA and send them the "Certificate Request".
Once the CA has signed your certificate, generally they send you back the signed certificate through email.
- Take the information provided in the CA's email, copy it to a text file (notepad) and save it as IHS_Root/SSL/CertRcvd.arm
- Open the KDB file and choose Personal Certificates from the drop-down options [check image3 for how-to]
- From the Personal Certificates section, click Receive; a pop-up window will appear
Input the required data, such as the certificate name and location, and click OK.
Open the httpd.conf file for editing and modify it to implement the following:
- For the host_name.domain, use the virtual host IP address or fully qualified domain name.
- Typically, port 443 is used for HTTPS protocol.
- The timeout values are given in seconds. Your values might be different.
Sample httpd.conf file for a UNIX computer:
LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
AddModule mod_ibm_ssl.c
Listen 443
<VirtualHost host_name.domain:443>
ServerName host_name.domain
SSLServerCert certificate name
DocumentRoot "IHS_Root/docs"
SSLEnable
SSLClientAuth none
</VirtualHost>
# SSL stays off outside the virtual host above
SSLDisable
# Key database (.kdb) created with iKeyman
Keyfile "path_to_keyfile_created"
# Timeouts, in seconds
SSLV2Timeout 100
SSLV3Timeout 1000
Restart IBM HTTP Server for the changes to take effect.
Example SSL virtual host stanza:
<VirtualHost xxx.xxx.xx.xx:443>
ServerName www.josephamrithraj.mp
SSLEnable
SSLClientAuth None
SSLServerCert mywebsite
<Directory "/home/joseph/website">
Options Indexes
AllowOverride None
order allow,deny
allow from all
</Directory>
DocumentRoot "/home/joseph/website"
</VirtualHost>
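A quick pre-restart check of the SSL directives used in the stanzas above, as an added example that is not part of the original post or of IBM's tooling. The helper name `check_ssl_config`, the rules it applies (derived from the sample configuration in this post) and the sample input are assumptions made for illustration.

```python
import re

# Constructed sample: host names, addresses and the certificate label are placeholders.
SAMPLE_CONF = """\
Listen 443
<VirtualHost host_name.domain:443>
ServerName host_name.domain
SSLEnable
SSLServerCert mywebsite
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName www.example.test
DocumentRoot \u201c/home/site\u201d
</VirtualHost>
SSLDisable
"""

def check_ssl_config(text):
    """Return findings for the SSL directives of an IHS httpd.conf (hypothetical helper)."""
    findings, vhost, seen = [], None, set()
    ssl_used = keyfile = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Quotes pasted from a web page are often typographic and break quoted values.
        if re.search("[\u201c\u201d]", line):
            findings.append(f"line {n}: typographic quotes around a value")
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, seen = opened.group(1), set()
        elif line.lower().startswith("</virtualhost"):
            if vhost is not None:
                # With SSLDisable at global scope, this vhost would answer in clear text on 443.
                if vhost.endswith(":443") and "sslenable" not in seen:
                    findings.append(f"vhost {vhost}: port 443 without SSLEnable")
                if "sslenable" in seen and "sslservercert" not in seen:
                    findings.append(f"vhost {vhost}: SSLEnable without an SSLServerCert label")
            vhost = None
        else:
            name = line.split()[0].lower()
            keyfile = keyfile or name == "keyfile"
            ssl_used = ssl_used or name == "sslenable"
            if vhost is not None:
                seen.add(name)
    if ssl_used and not keyfile:
        findings.append("SSLEnable is set but no Keyfile directive names a key database")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_config(SAMPLE_CONF):
        print(finding)
```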
In the next part, let us see how to secure the communication between IHS and WebSphere.
Hi Joseph, it was nice reading and understanding this article. Can I know when you will post part 2, i.e. SSL between IHS and WebSphere?
Hello Joseph, very nice post. Waiting for your part 2 post on SSL between IHS and WebSphere.
Nice documents... awaiting part 2
Awesome brother … thanks for helping us with all your beautiful posts. Still waiting for more documents from you.
Thank you
Subscribe to the blog for all future updates.
The article is good and easily understandable to everyone who is new to learning about SSL configuration.
Nice document, it is very useful. Thanks for the update.
It is very easy to understand and implement SSL. I'm waiting for your beautiful posts.
Thanks Ramesh
most welcome Joseph
VERY VERY NICE SIR... WHAT ABOUT PART 2?
where is part 2?
Please provide the steps for WMQ also
connecting to mq via ssl?
How can I enable the option for logging the POST body on IBM HTTP Server?
There must be some settings to enable POST body logging.
We need to log the Body for POST request into the Log file from where we can read the Body and send it to the request on IBM HTTP Server. IBM HTTP Server was installed on Ubuntu Linux Server.
Nice Article, I am following you bro
Good
nice article
where is part2 ?
Excellent, and what about part 2?
Thanks Joseph for providing best article about SSL configuration on WAS.