Configuring SSL for WebSphere and IBM Http Server : part1


The setup is as follows:

The request flows in the following order: Web Browser –> IBM Http Server –> WebSphere Plug-in –> WebSphere Application Server.

websphere SSLThis involves setting SSL for two different communications.

  • 1. Between Browser and IBM http server [IHS]
  • 2. Between IBM http server [IHS] and Websphere Application Server

In this part, let us take the, SSL setup for IHS. [between browser and IHS]. This involves, editing httpd.conf file and creating a new SSL certificate.

Creating new SSL digital Certificate using iKeyman:

For the certificate you can use either a certificate that is signed by a certificate authority or you can also use a self-signed certificate.  Before creating a new certificate, you need to create a certificate store or Key Database.

  • start the iKeyman utility: /IHS root/bin/ikeyman.sh
  • From the Menu Bar select Key Database File > New.
  • Choose the key database type as CMS
  • Enter a file name for the new Key Database file you are creating
  • Enter a Location for the location where you want to store the .kdb file
  • Click OKimage
  • After saving the key database file to the location specified, you are prompted to enter a password. This is the password that will be used to open the key database file in iKeyman in the future.
  • make sure checkbox Stash the password to a file is enabled. this saves the encrypted password file as a .sth file in the same directory as the key database file.image
  • Now Click OK
    Your Key Database file is Ready.

Now lets create a certificate request. Iam using this URL for my site www.josephamrithraj.mp

  • First, Open the KDB using ikeyman. This will show the key database contents.
  • Click on the “down arrow” to the right, to display a list of three choices.

imageSelect Personal Certificate Requests and click New.

imageNow, a new window will pop up. here you need to input details about the certificate and your organization.

image

Options:

  • Key Size= 1024 for 128bit and 512 for 56bit
  • Common Name= SiteName, [This is the name that the CA will register]
  • Organization= Company Name
  • Enter the name of a file in which to store the certificate request = This is the file (.arm) that will contain your request

Once you save the file (.arm) you are done with creating the request

You must now choose a CA and send them a the “Certificate Request”

Once the CA has signed your certificate, generally they send you back the signed certificate through email.

  • Take the information provided in the CAs email and copy it to a text file (notepad) and save it as IHS_Root/SSL/CertRcvd.arm
  • Open the KDB file and choose Personal Certificates from the drop down options [ check image3 for how-to]
  • From the Personal Certificates section, click Receive, a pop-up window will come

imageInput the required data. Like  certificate name and location and click OK

imagePreparing IHS for SSL:

Open the httpd.conf file for editing and modify it to implement the follwoing:

  • For the host_name.domain, use the virtual host IP address or fully qualified domain name.
  • Typically, port 443 is used for HTTPS protocol.
  • The timeout values are given in seconds. Your values might be different.

Sample httpd.conf file for a UNIX computer:

    LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
AddModule mod_ibm_ssl.c
Listen 443

<VirtualHost host_name.domain:443>
ServerName host_name.domain
SSLServerCert certificate name
DocumentRoot “IHS_Root\docs”
SSLEnable
SSLClientAuth none
<\VirtualHost>

SSLDisable
Keyfile “path_to_keyfile_created”
SSLV2Timeout 100
SSLV3Timeout 1000

Restart IBM HTTP Server for the changes take effect.

Example SSL virtualhost stanza:

<VirtualHost xxx.xxx.xx.xx:443>
ServerName http://www.josephamrithraj.mp
SSLEnable
SSLClientAuth None
SSLServerCert mywebsite
<Directory “/home/joseph/website”>
Options Indexes
AllowOverride None
order allow,deny
allow from all
</Directory>
DocumentRoot “/home/joseph/website”
</VirtualHost>

in the next part. let us see how to secure the communication between IHS and Websphere

Advertisements

20 thoughts on “Configuring SSL for WebSphere and IBM Http Server : part1

  1. Atul says:

    Hi Jospeh it was nice reading and understanding this article. Can i know when will you post part 2 i.e SSL between IHS and Websphere

  2. Jaffer sharief shaik says:

    Awesome brother … thanks for helping us with all your beautiful posts. Still waiting for more documents from you.

  3. Anonymous says:

    How can I enable option for logging POST body on IBM HTTP server ?

    there must we some settings to enable post body logging.

    We need to log the Body for POST request into the Log file from where we can read the Body and send it to the request on IBM HTTP Server. IBM HTTP Server was installed on Ubuntu Linux Server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s