The setup is as follows:
The request flows in the following order: Web Browser –> IBM HTTP Server –> WebSphere Plug-in –> WebSphere Application Server.
- 1. Between the browser and IBM HTTP Server [IHS]
- 2. Between IBM HTTP Server [IHS] and WebSphere Application Server
In this part, we cover the SSL setup for IHS (between the browser and IHS). This involves editing the httpd.conf file and creating a new SSL certificate.
Creating new SSL digital Certificate using iKeyman:
You can use either a certificate signed by a certificate authority or a self-signed certificate. Before creating a new certificate, you need to create a certificate store, or Key Database.
- Start the iKeyman utility: /IHS root/bin/ikeyman.sh
- From the Menu Bar select Key Database File > New.
- Choose the key database type as CMS
- Enter a file name for the new Key Database file you are creating
- Enter the location where you want to store the .kdb file
- Click OK
- After saving the key database file to the location specified, you are prompted to enter a password. This is the password that will be used to open the key database file in iKeyman in the future.
- Make sure the checkbox “Stash the password to a file” is enabled. This saves the encrypted password as a .sth file in the same directory as the key database file. Anyone who can read both files can open the key database, so restrict them to the account that runs IHS.
- Now click OK
- Your Key Database file is ready.
Now let's create a certificate request. I am using this URL for my site: www.josephamrithraj.mp
- First, Open the KDB using ikeyman. This will show the key database contents.
- Click on the “down arrow” to the right, to display a list of three choices.
- Key Size = 1024 for 128-bit and 512 for 56-bit
- Common Name = SiteName [This is the name that the CA will register]
- Organization = Company Name
- Enter the name of a file in which to store the certificate request = This is the file (.arm) that will contain your request
Once you save the file (.arm), you are done with creating the request.
You must now choose a CA and send them the “Certificate Request”.
Once the CA has signed your certificate, generally they send you back the signed certificate through email.
- Take the information provided in the CA's email, copy it to a text file (Notepad) and save it as IHS_Root/SSL/CertRcvd.arm
- Open the KDB file and choose Personal Certificates from the drop-down options [check image3 for how-to]
- From the Personal Certificates section, click Receive; a pop-up window appears
Open the httpd.conf file for editing and modify it to implement the following:
- For the host_name.domain, use the virtual host IP address or fully qualified domain name.
- Typically, port 443 is used for HTTPS protocol.
- The timeout values are given in seconds. Your values might be different.
Sample httpd.conf file for a UNIX computer:
LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
SSLServerCert certificate name
Restart IBM HTTP Server for the changes to take effect.
Example SSL virtualhost stanza:
allow from all
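A quick check for the httpd.conf settings listed above, added here as an example (it is not code from the original post or from IBM): it parses a constructed sample configuration and reports what is missing for the HTTPS virtual host to work. The KeyFile path, the certificate label and the timeout values in the sample are assumptions, as are the function names.

```python
# Constructed sample; host, paths and certificate label are placeholders.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
Listen 443
<VirtualHost host_name.domain:443>
    SSLEnable
    SSLServerCert certificate_name
</VirtualHost>
SSLDisable
KeyFile /IHS_root/ssl/key.kdb
SSLV2Timeout 100
SSLV3Timeout 1000
"""

def parse_conf(text):
    """Group directives by scope: 'global' or the VirtualHost address."""
    scopes, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            current = line[len("<virtualhost"):].rstrip(">").strip()
            scopes[current] = {}
        elif line.lower().startswith("</virtualhost"):
            current = "global"
        elif not line.startswith("<"):  # ignore other section tags
            name, *rest = line.split(None, 1)
            scopes[current].setdefault(name.lower(), []).append("".join(rest))
    return scopes

def check_ssl(text):
    """Return the problems that would keep the HTTPS virtual host from working."""
    scopes = parse_conf(text)
    glob, problems = scopes.pop("global"), []
    if not any(v.startswith("ibm_ssl_module") for v in glob.get("loadmodule", [])):
        problems.append("ibm_ssl_module is not loaded")
    ssl_hosts = {h: d for h, d in scopes.items() if "sslenable" in d}
    if not ssl_hosts:
        problems.append("no VirtualHost contains SSLEnable")
    for host, d in ssl_hosts.items():
        port = host.rsplit(":", 1)[-1]
        if not any(v.rsplit(":", 1)[-1] == port for v in glob.get("listen", [])):
            problems.append(f"no Listen directive for port {port}")
        if "keyfile" not in d and "keyfile" not in glob:
            problems.append(f"{host}: no KeyFile (.kdb) configured")
    for name in ("sslv2timeout", "sslv3timeout"):
        for v in glob.get(name, []):
            if not v.isdigit():
                problems.append(f"{name} must be a number of seconds, got {v!r}")
    return problems
```

Run `check_ssl(open("httpd.conf").read())` before restarting IHS; an empty list means the directives this page relies on are all present.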
In the next part, let us see how to secure the communication between IHS and WebSphere.