Configuring SSL for WebSphere and IBM Http Server : part1


The setup is as follows:

The request flows in the following order: Web Browser –> IBM Http Server –> WebSphere Plug-in –> WebSphere Application Server.

This involves setting up SSL for two different communication paths.

  • 1. Between the browser and IBM HTTP Server [IHS]
  • 2. Between IBM HTTP Server [IHS] and WebSphere Application Server

In this part, let us take up the SSL setup for IHS [between browser and IHS]. This involves editing the httpd.conf file and creating a new SSL certificate.

Creating new SSL digital Certificate using iKeyman:

For the certificate you can use either a certificate that is signed by a certificate authority or you can also use a self-signed certificate.  Before creating a new certificate, you need to create a certificate store or Key Database.

  • Start the iKeyman utility: /IHS root/bin/ikeyman.sh
  • From the Menu Bar select Key Database File > New.
  • Choose the key database type as CMS
  • Enter a file name for the new Key Database file you are creating
  • Enter a Location for the location where you want to store the .kdb file
  • Click OK
  • After saving the key database file to the location specified, you are prompted to enter a password. This is the password that will be used to open the key database file in iKeyman in the future.
  • Make sure the checkbox "Stash the password to a file" is enabled. This saves the encrypted password file as a .sth file in the same directory as the key database file.
  • Now Click OK
    Your Key Database file is Ready.

Now let's create a certificate request. I am using this URL for my site: www.josephamrithraj.mp

  • First, Open the KDB using ikeyman. This will show the key database contents.
  • Click on the “down arrow” to the right, to display a list of three choices.

Select Personal Certificate Requests and click New.

Now, a new window will pop up. Here you need to input details about the certificate and your organization.

Options:

  • Key Size= 1024 for 128bit and 512 for 56bit
  • Common Name= SiteName, [This is the name that the CA will register]
  • Organization= Company Name
  • Enter the name of a file in which to store the certificate request = This is the file (.arm) that will contain your request

Once you save the file (.arm), you are done with creating the request.

You must now choose a CA and send them the “Certificate Request”.

Once the CA has signed your certificate, generally they send you back the signed certificate through email.

  • Take the information provided in the CA's email, copy it to a text file (Notepad) and save it as IHS_Root/SSL/CertRcvd.arm
  • Open the KDB file and choose Personal Certificates from the drop-down options [check image3 for how-to]
  • From the Personal Certificates section, click Receive; a pop-up window will appear

Input the required data, such as the certificate name and location, and click OK.

Preparing IHS for SSL:

Open the httpd.conf file for editing and modify it to implement the following:

  • For the host_name.domain, use the virtual host IP address or fully qualified domain name.
  • Typically, port 443 is used for HTTPS protocol.
  • The timeout values are given in seconds. Your values might be different.

Sample httpd.conf file for a UNIX computer:

    LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
    AddModule mod_ibm_ssl.c
    Listen 443

    <VirtualHost host_name.domain:443>
    ServerName host_name.domain
    # Label of the certificate in the key database
    SSLServerCert certificate_name
    DocumentRoot "IHS_Root/docs"
    SSLEnable
    SSLClientAuth none
    </VirtualHost>

    # Keep SSL off outside the virtual host above
    SSLDisable
    # Path to the key database (.kdb) file created with iKeyman
    Keyfile "path_to_keyfile_created"
    SSLV2Timeout 100
    SSLV3Timeout 1000

Restart IBM HTTP Server for the changes to take effect.

Example SSL virtualhost stanza:

    <VirtualHost xxx.xxx.xx.xx:443>
    # Host name only, without a URL scheme
    ServerName www.josephamrithraj.mp
    SSLEnable
    SSLClientAuth None
    # Label given to the certificate when it was received into the KDB
    SSLServerCert mywebsite
    <Directory "/home/joseph/website">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
    </Directory>
    DocumentRoot "/home/joseph/website"
    </VirtualHost>
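
A pre-restart check for the SSL directives used in the stanzas above, as an added example that is not part of the original post or of IBM's tooling. It flags port 443 virtual hosts without SSLEnable or an SSLServerCert label, a missing Keyfile, and two copy-paste faults (typographic quotes and a `<\VirtualHost>` closing tag) that the server will not read as intended. The function name `lint_ihs_ssl` and the sample text are constructed for illustration.

```python
import re

# Constructed sample (not a real server config) with typical copy-paste faults.
SAMPLE = '''\
Listen 443
<VirtualHost host_name.domain:443>
ServerName host_name.domain
SSLEnable
DocumentRoot “IHS_Root/docs”
<\\VirtualHost>
SSLDisable
'''

def lint_ihs_ssl(conf_text):
    """Return (line_no, message) findings; line 0 means a file-wide finding."""
    findings, vhost, keyfile_seen = [], None, False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if re.search('[\u201c\u201d\u2018\u2019]', line):
            findings.append((no, 'typographic quote; use a plain " instead'))
        if line.startswith('<\\'):
            findings.append((no, 'closing tag must start with </ not <\\'))
            line = '</' + line[2:]  # treat as closed so later checks still run
        if re.match(r'<VirtualHost\s+\S+:443>', line, re.I):
            vhost = (no, set())     # (start line, directive names seen inside)
        elif re.match(r'</VirtualHost>', line, re.I) and vhost:
            for needed in ('SSLEnable', 'SSLServerCert'):
                if needed.lower() not in vhost[1]:
                    findings.append((vhost[0], f'port 443 vhost has no {needed}'))
            vhost = None
        else:
            name = line.split()[0].lower()
            keyfile_seen = keyfile_seen or name == 'keyfile'
            if vhost:
                vhost[1].add(name)
    if vhost:
        findings.append((vhost[0], 'VirtualHost block is never closed'))
    if not keyfile_seen:
        findings.append((0, 'no Keyfile directive found'))
    return findings

if __name__ == '__main__':
    for no, msg in lint_ihs_ssl(SAMPLE):
        print(f'line {no}: {msg}')
```
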

In the next part, let us see how to secure the communication between IHS and WebSphere.

21 thoughts on “Configuring SSL for WebSphere and IBM Http Server : part1”

  1. Hi Joseph, it was nice reading and understanding this article. Can I know when you will post part 2, i.e. SSL between IHS and WebSphere?

  2. Awesome brother … thanks for helping us with all your beautiful posts. Still waiting for more documents from you.

  3. How can I enable the option for logging the POST body on IBM HTTP Server?

    There must be some settings to enable POST body logging.

    We need to log the Body for POST request into the Log file from where we can read the Body and send it to the request on IBM HTTP Server. IBM HTTP Server was installed on Ubuntu Linux Server.
