Configuring SSL for WebSphere and IBM HTTP Server: part 1


The setup is as follows:

The request flows in the following order: web browser –> IBM HTTP Server –> WebSphere plug-in –> WebSphere Application Server.

This involves setting up SSL for two separate hops:

  • 1. Between the browser and IBM HTTP Server [IHS]
  • 2. Between IHS and WebSphere Application Server

In this part, let us take the SSL setup for IHS [between the browser and IHS]. This involves creating a new SSL certificate and editing the httpd.conf file.

Creating a new SSL digital certificate using iKeyman:

For the certificate you can use either one signed by a certificate authority (CA) or a self-signed one; browsers warn on a self-signed certificate, so it is only suitable for testing. Before creating a new certificate, you need to create a certificate store, which iKeyman calls a key database.

  • Start the iKeyman utility: IHS_Root/bin/ikeyman.sh
  • From the menu bar select Key Database File > New.
  • Choose the key database type CMS (the format IHS reads).
  • Enter a file name for the new key database file you are creating.
  • Enter the location where you want to store the .kdb file.
  • Click OK.
  • After saving the key database file to the location specified, you are prompted for a password. This is the password that will be used to open the key database file in iKeyman in the future.
  • Make sure the checkbox Stash the password to a file is enabled. This saves the password, in a form IHS can read back without prompting, in a .sth file in the same directory as the key database file; IHS needs it to open the .kdb at start-up. Anyone who can read the .sth file can open the key database, so restrict the permissions on both files to the user IHS runs as.
  • Now click OK.
    Your key database file is ready.

Now let's create a certificate request. I am using the URL www.josephamrithraj.mp for my site.

  • First, open the KDB in iKeyman. This shows the key database contents.
  • Click the drop-down arrow on the right to display a list of three choices: Personal Certificates, Personal Certificate Requests and Signer Certificates.
  • Select Personal Certificate Requests and click New.
  • A new window pops up; here you enter the details about the certificate and your organization.

Options:

  • Key Size: the length of the RSA key pair. Older iKeyman versions offer only 512 and 1024 bits (the "56-bit" and "128-bit" figures quoted for them describe cipher strength, not the key length). Use 2048 bits or more wherever the dialog allows it: public CAs no longer sign 1024-bit keys, and 512-bit RSA can be factored cheaply.
  • Common Name: the fully qualified host name of the site exactly as users type it in the browser (www.josephamrithraj.mp here). The CA issues the certificate for this name and browsers compare it against the URL, so a mismatch produces a warning.
  • Organization: company name.
  • Enter the name of a file in which to store the certificate request: this is the file (.arm) that will contain your request, the PEM-encoded CSR you send to the CA.

Once you have saved the .arm file, the request is done.

Now choose a CA and send it the contents of the certificate request file.

Once the CA has signed your certificate, it generally sends the signed certificate back by email, usually together with its root and intermediate certificates. If those CA certificates are not already among the key database's Signer Certificates, add them there (select Signer Certificates from the drop-down, then Add) before receiving your own certificate; otherwise iKeyman cannot validate the chain and refuses the receive.

  • Copy the certificate from the CA's email (everything from the BEGIN CERTIFICATE line to the END CERTIFICATE line, with no mail quoting or other text around it) into a plain-text file and save it as IHS_Root/SSL/CertRcvd.arm.
  • Open the KDB file and choose Personal Certificates from the drop-down list.
  • In the Personal Certificates section click Receive; a pop-up window appears.
  • Enter the required data (the certificate file name and location) and click OK. The certificate now appears under Personal Certificates with the label you gave the request.
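The three iKeyman steps above (create the key database, create the request, receive the CA's reply) as a shell script against gskcapicmd, the GSKit 8 command-line tool that ships in IHS_Root/bin with IHS 8 and later. This is an added example, not code from the original post: the install path /opt/IBM/HTTPServer, the label mywebsite, the organization and country in the DN, and the file names are assumptions. It also includes a check on the .arm file pasted from the CA's email, which catches the usual reasons a Receive fails (CRLF line endings, mail quoting inside the block, a truncated paste).

```sh
#!/bin/sh
# Added example, not code from the original post: the key database, request
# and receive steps driven from the GSKit command line (gskcapicmd, GSKit 8,
# shipped in IHS_Root/bin with IHS 8 and later), plus a check on the .arm
# file pasted from the CA's email before it is received.
# Hypothetical values: IHS under /opt/IBM/HTTPServer, label "mywebsite",
# key database /opt/IBM/HTTPServer/ssl/key.kdb, "Example Org" / "IN" in the DN.
set -eu

IHS_ROOT="${IHS_ROOT:-/opt/IBM/HTTPServer}"
GSK="$IHS_ROOT/bin/gskcapicmd"
KDB="$IHS_ROOT/ssl/key.kdb"
LABEL="mywebsite"

# A pasted CA reply must be one clean PEM block. CRLF endings, mail quoting
# or signature text inside the block, and a missing BEGIN/END line are the
# usual reasons the Receive step fails. Returns 0 when the file looks sane.
check_arm_file() {
    f="$1"
    [ -s "$f" ] || { echo "$f: empty or missing" >&2; return 1; }
    if [ "$(tr -d '\r' < "$f" | wc -c | tr -d ' ')" -ne "$(wc -c < "$f" | tr -d ' ')" ]; then
        echo "$f: CRLF line endings; strip the carriage returns first" >&2; return 1
    fi
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f: expected exactly one BEGIN/END CERTIFICATE pair" >&2; return 1
    fi
    # every line between the markers must be base64 only (no "> " quoting, no prose)
    bad=$(awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
               /-----END CERTIFICATE-----/   { inblk = 0 }
               inblk && $0 !~ /^[A-Za-z0-9+\/=]+$/ { n++ }
               END { print n + 0 }' "$f")
    if [ "$bad" -ne 0 ]; then
        echo "$f: $bad non-base64 line(s) inside the certificate block" >&2; return 1
    fi
    return 0
}

# 1. Key database plus stash file (Key Database File > New, "Stash the
#    password to a file"). Anyone who can read the .sth can open the .kdb,
#    so both files are limited to the user IHS runs as.
create_kdb() {
    "$GSK" -keydb -create -db "$KDB" -pw "$1" -type cms -stash
    chmod 600 "$KDB" "${KDB%.kdb}.sth"
}

# 2. Certificate request (Personal Certificate Requests > New): 2048-bit RSA
#    with a SHA-256 signature (-sigalg is a GSKit 8 option; assumed here).
create_request() {
    "$GSK" -certreq -create -db "$KDB" -pw "$1" -label "$LABEL" \
        -dn "CN=www.josephamrithraj.mp,O=Example Org,C=IN" \
        -size 2048 -sigalg sha256 -file "$IHS_ROOT/ssl/certreq.arm"
}

# 3. Receive the CA's reply (Personal Certificates > Receive). The CA's
#    root/intermediate certificate goes in as a signer first; otherwise the
#    receive fails because the chain cannot be validated.
receive_cert() {
    pw="$1"; ca_arm="$2"; cert_arm="$3"
    check_arm_file "$ca_arm"
    check_arm_file "$cert_arm"
    "$GSK" -cert -add -db "$KDB" -pw "$pw" -label "CA root" -file "$ca_arm" -format ascii
    "$GSK" -cert -receive -db "$KDB" -pw "$pw" -file "$cert_arm" -default_cert yes
    "$GSK" -cert -list personal -db "$KDB" -pw "$pw"
}
```

Source the file and call the functions in order: create_kdb with the key database password, create_request with the same password, then, once the CA has answered, receive_cert with the password, the CA's certificate file and the received certificate file. Only check_arm_file runs without an IHS installation; the other three need gskcapicmd on the box.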

Preparing IHS for SSL:

Open the httpd.conf file for editing and modify it to implement the following:

  • For host_name.domain, use the virtual host's IP address or fully qualified domain name.
  • Typically, port 443 is used for the HTTPS protocol.
  • The timeout values are given in seconds. Your values might be different.

Sample httpd.conf file for a UNIX computer:

LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
AddModule mod_ibm_ssl.c
Listen 443

<VirtualHost host_name.domain:443>
ServerName host_name.domain
SSLServerCert certificate_label
DocumentRoot "IHS_Root/docs"
SSLEnable
SSLClientAuth none
</VirtualHost>

# SSL stays off for the main (port 80) server; only the :443 virtual host enables it
SSLDisable
KeyFile "path_to_keyfile_created"
SSLV2Timeout 100
SSLV3Timeout 1000

Restart IBM HTTP Server for the changes to take effect, then check from a browser (or any SSL client, for example openssl s_client) that port 443 answers with the new certificate.

Example SSL virtualhost stanza:

<VirtualHost xxx.xxx.xx.xx:443>
ServerName www.josephamrithraj.mp
SSLEnable
SSLClientAuth None
SSLServerCert mywebsite
<Directory "/home/joseph/website">
# Indexes turns on directory listings; remove it unless visitors should browse the tree
Options Indexes
AllowOverride None
order allow,deny
allow from all
</Directory>
DocumentRoot "/home/joseph/website"
</VirtualHost>

ServerName takes the bare host name (no http:// prefix), and it must match the Common Name in the certificate. On IHS 6.1 and later, also add SSLProtocolDisable SSLv2 SSLv3 inside the virtual host: both protocol versions are broken, and every current browser speaks TLS.
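The two httpd.conf samples above are easy to get subtly wrong, and IHS either refuses to start or quietly serves a weaker host than intended. The following lint script is an added example, not code from the original post; it checks a configuration file for the directives the samples rely on and for the mistakes seen in them (a backslash in the closing VirtualHost tag, a scheme in ServerName, a Windows path on a UNIX host, directory listings, SSLv3 left enabled). It assumes a current IHS (6.1 or later) where SSLProtocolDisable exists.

```sh
#!/bin/sh
# Added example, not code from the original post: lint the SSL part of an
# IHS httpd.conf for the errors that most often stop the server or weaken
# the virtual host. Assumes IHS 6.1 or later (SSLProtocolDisable available).
# Usage: lint_ssl_conf /path/to/httpd.conf
# Prints one line per finding; the exit status is the number of findings.

lint_ssl_conf() {
    conf="$1"
    n=0
    note() { n=$((n + 1)); echo "[$n] $*"; }

    # directives that must be present for HTTPS to work at all
    grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?443([[:space:]]|$)' "$conf" \
        || note "no 'Listen 443': IHS will not accept HTTPS connections"
    grep -Eqi '^[[:space:]]*SSLEnable' "$conf" \
        || note "no SSLEnable: nothing turns SSL on for the virtual host"
    grep -Eqi '^[[:space:]]*KeyFile[[:space:]]' "$conf" \
        || note "no KeyFile: IHS does not know which .kdb holds the certificate"
    grep -Eqi '^[[:space:]]*SSLServerCert[[:space:]]' "$conf" \
        || note "no SSLServerCert: the key database's default certificate will be used"

    # typos that break the configuration
    grep -q '<\\VirtualHost>' "$conf" \
        && note "'<\\VirtualHost>' is not a closing tag; write '</VirtualHost>'"
    grep -Eqi '^[[:space:]]*ServerName[[:space:]]+[a-z]+://' "$conf" \
        && note "ServerName carries a scheme (http://); give the bare host name"
    grep -q -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" "$conf" \
        && note "typographic (curly) quotes around a path; use straight double quotes"
    grep -Eqi '^[[:space:]]*DocumentRoot[[:space:]]+.*\\' "$conf" \
        && note "backslash in DocumentRoot on a UNIX host; use forward slashes"

    # settings that work but weaken the host
    grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes' "$conf" \
        && note "'Options Indexes' enables directory listings; use 'Options -Indexes' unless wanted"
    grep -Eqi '^[[:space:]]*SSLProtocolDisable[[:space:]].*SSLv3' "$conf" \
        || note "SSLv3 not disabled: add 'SSLProtocolDisable SSLv2 SSLv3' to the virtual host"

    return "$n"
}
```

The checks are line-oriented on purpose: every directive the samples use sits on its own line, so grep is enough and the script runs anywhere a POSIX shell does. Run it on the page's second stanza as written and it reports the http:// in ServerName, the Indexes option and the missing SSLProtocolDisable.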

In the next part, let us see how to secure the communication between IHS and WebSphere.