Thursday, July 22, 2010

Liferay 6.0.3 in WebSphere Application Server




Installation instructions for Liferay 6.0.3 deployed in WebSphere Application Server 6.1.0.31:

1. Download the Liferay 6 WAR file from SourceForge (Link)
2. Download the Liferay 6 dependency files from SourceForge (Link)
[3. Set up portal-ext.properties within the WAR file (e.g. for JDBC settings or context)]
4. Deploy the Liferay 6 WAR in WebSphere Application Server
5. Copy hsql.jar and portal-service.jar to /WEB-INF/lib
6. Copy portlet.jar to any location on the Application Server
7. In the WebSphere Administrative Console go to "Environment > Shared Libraries"
8. Create a new Shared Library which points to the portlet.jar from the Liferay dependencies (copied to the server in step 6)

9. In the Administrative Console go to "Servers > Application Servers > "your server" > Java and Process Management > Class Loader"
10. Create a new Class Loader with class load order "Classes loaded with application class loader first"
11. After creating the Class Loader click on it and create a "Shared library reference"
12. Click "Add" and choose the newly created Shared Library
13. Save and synchronize the changes
14. Restart

Friday, November 13, 2009

Increase LTPA Timeout

New web techniques like RAP or AJAX are designed for "long user sessions".

In WebSphere a user session is limited by several timeouts, such as:

- JSession timeout
- LTPA timeout

If you need to increase the session timeout to very large values (like 8 h) you may suffer from some side effects of the LTPA token security technology.

An LTPA session has a fixed timeout which is defined in Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.

Every time a user logs in to a web app, the LTPA token timeout is either extended or the existing token is reused.
The decision whether an LTPA token is reused or renewed can be influenced by setting a cacheCushionMax value for the JVM.
If the LTPA timeout is lower than this cacheCushionMax value, a new LTPA session (with a new timeout) is created. If the LTPA timeout is higher than the cacheCushionMax value, the "old" LTPA session (with the "old" LTPA timeout) will be reused.




For more information see this link:
http://www-01.ibm.com/support/docview.wss?fdoc=aimwps&rs=2307&uid=swg21320747

Thursday, July 9, 2009

Web-Form-Portlet for Liferay (5.2.3) deployed in WebSphere 6.1

To deploy the external "official" plugin "web-form-portlet", several steps need to be done first.

1. Create a web-form-portlet.war
1.1 Extract the web-form-portlet content (JARs, JSPs, ...) from a Tomcat bundle of Liferay (located in "Liferay-Root\tomcat-6.0.18\webapps\web-form-portlet")
1.2 Create a new Dynamic Web Project in Eclipse and add the extracted content to it (tutorial here).
1.3 Create the folder /WEB-INF/classes/META-INF and add the ext-spring.xml.
1.4 Add the IBM binding files ibm-web-bnd.xmi and ibm-web-ext.xmi to /WEB-INF/
1.5 Extract the portlet-container.jar from your Liferay installation (/lib/ext) and add it to /WEB-INF/lib.
1.6 Edit /WEB-INF/web.xml and add
<context-param>
<param-name>com.ibm.websphere.portletcontainer.PortletDeploymentEnabled</param-name>
<param-value>false</param-value>
</context-param>

below the </display-name> tag.
1.7 Export the web-form-portlet application as a WAR file

2. Deploy the web-form-portlet
2.1 Go to the administrative console of WebSphere and navigate to "Applications > Enterprise Applications"
2.2 Deploy the web-form-portlet as a normal web application or as a module of your Liferay application (tutorial included in this post). Use the context root web-form-portlet.
2.3 Start the web-form-portlet application
2.4 Wait for Liferay to detect the portlet (sometimes a restart is needed)

3. Add the web-form-portlet with the "Add application"-menu.


Hints:
1. Download a working web-form-portlet.war here (working on my installation :-).

2. If there are any problems, you can try to
2.1 Upload the WAR file into the Plugin Installer portlet (Control Panel)
2.2 Get the generated WAR file (generated by the Plugin Installer portlet/hot deployment routine) and try the deployment again.

3. My /"WebSphere-System-Root"/lib/ext contains
xml-apis.jar 194.205 19.05.2009 21:00 -a--
xalan.jar 3.078.601 19.05.2009 21:00 -a--
postgresql.jar 448.141 19.05.2009 21:00 -a--
portal-service.jar 1.786.637 19.05.2009 20:58 -a--
portal-kernel.jar 525.263 19.05.2009 20:58 -a--
mysql-connector-java-5.1.6-bin.jar 703.265 05.03.2008 17:27 -a--
mysql.jar 536.609 19.05.2009 21:00 -a--
mail.jar 356.519 19.05.2009 21:00 -a--
liferay-icu4j.jar 5.671.439 19.05.2009 20:18 -a--
jutf7.jar 12.299 19.05.2009 21:00 -a--
jtds.jar 294.726 19.05.2009 21:00 -a--
jta.jar 13.236 19.05.2009 21:00 -a--
jms.jar 25.998 19.05.2009 21:00 -a--
hsql.jar 643.806 19.05.2009 21:00 -a--
container.jar 98.372 19.05.2009 21:00 -a--
activation.jar 55.932 19.05.2009 21:00 -a--

4. My /"WebSphere-System-Root"/java/jre/lib/ext contains
portlet.jar 48.725 19.05.2009 21:00 -a--
PD.jar 1.148.187 29.06.2009 11:44 -a--
jdmpview.jar 251.574 29.06.2009 11:53 -a--
JawBridge.jar 15.661 29.06.2009 11:53 -a--
jaccess.jar 50.129 26.06.2009 14:46 -a--
iwsorbutil.jar 8.289 29.06.2009 11:53 -a--
indicim.jar 65.709 29.06.2009 11:53 -a--
ibmspnego.jar 41.146 26.06.2009 14:46 -a--
ibmsaslprovider.jar 64.506 26.06.2009 14:46 -a--
ibmpkcs11impl.jar 261.848 29.06.2009 11:53 -a--
ibmpkcs11.jar 83.819 29.06.2009 11:53 -a--
IBMKeyManagementServer.jar 475.560 29.06.2009 11:53 -a--
ibmkeycert.jar 232.590 29.06.2009 11:53 -a--
ibmjceprovider.jar 903.078 29.06.2009 11:53 -a--
ibmjcefips.jar 240.130 29.06.2009 11:53 -a--
ibmcmsprovider.jar 206.636 29.06.2009 11:53 -a--
healthcenter.jar 18.812 29.06.2009 11:53 -a--
gskikm.jar 1.110.163 29.06.2009 11:53 -a--
dtfj-interface.jar 16.696 29.06.2009 11:53 -a--
dtfj.jar 347.872 29.06.2009 11:53 -a--
CmpCrmf.jar 183.719 26.06.2009 14:46 -a--


Thursday, June 4, 2009

Oracle 11 g with WebSphere 6.0

Officially the Oracle 11g JDBC driver no longer supports Java 1.4 (which is used by WebSphere 6.0).
But you can use an Oracle 10g driver to access databases on an Oracle 11g database server from WebSphere Application Server 6.0.2.
Some prerequisites need to be fulfilled, though:

  • WebSphere Fixlevel 6.0.2.29 or above needs to be installed
  • The datasource custom property oracle9iLogTraceLevel needs to be "null" or blank
Link:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21314477

Tuesday, June 2, 2009

Examples for security vulnerabilities of web applications

Last week I found a quite good PDF about security vulnerabilities of web applications.
It's a document from IBM for their software AppScan, which is a security scanner for web apps.
The document contains several examples (e.g. cross-site scripting, SQL injection, failure to restrict URL access, improper error handling, ...).

Download it here:
http://eichelgartenweg.googlepages.com/107647_may_06appscan_final.pdf
[or google for it]

Monday, May 11, 2009

Generate a (new) SSL Certificate for https [IBM HTTP Server]

[FOR HTTPS/SSL BETWEEN CLIENT AND WEBSERVER]
To generate a new CA-signed SSL certificate for use with the IBM HTTP Server you need to start the iKeyman utility first. iKeyman is the Key Management Tool from IBM.

1. Navigate to the /bin directory of your IHS installation
2. Execute
./ikeyman
to open the Key Management Tool
3. Use "Key Database File > Open" to open your password-protected key database

4. After the key database is loaded switch to "Personal Certificate Requests" (under "Key database content").
5. Click New and fill out the certificate request dialog. Depending on your CA provider (VeriSign, ...) you may need to fill out the dialog in a special way (VeriSign demands the common name to be the domain)

6. Click "OK" to save the certificate request in a file.
7. Now you need to provide the content of the certificate request file to your Certificate Authority (e.g. VeriSign). You will receive a new certificate file from them.
8. When you have received the certificate, switch back to "Personal Certificates" (under "Key database content").
9. Click Receive and navigate to the certificate file. Click OK to import the certificate file.

10. Open the httpd.conf file of your IHS and replace the SSL cert name (the new one is displayed after the import of the new certificate in iKeyman). Usually the SSL cert is defined within a virtual host:
Example:
<VirtualHost <ip-address>:443>
ServerName www.test.com
SSLEnable
SSLClientAuth 0
SSLServerCert ihssslcert
AllowEncodedSlashes On
<Directory "/">
Options Indexes MultiViews
Order allow,deny
Allow from all
</Directory>

DocumentRoot /usr/IBM/HTTPServer/www-doc-root/
</VirtualHost>

11. Restart the IHS-Server (/bin/apachectl stop --> /bin/apachectl start)

Wednesday, April 29, 2009

WebDAV Access for Liferay deployed in a WebSphere Server

Enabling WebDAV access to Liferay 5.2.2 deployed in WebSphere is quite easy.
1. Deploy Liferay 5.2.2
2. Download the liferay-portal-tunnel-web-5.2.2.war from Liferay's SourceForge folder.
3. After downloading the WAR file you need to deploy it into the same JVM as Liferay 5.
4. Restart the JVM
5. Create a new folder in a Document Library portlet and click "Access from my desktop"
6. Copy the URL


7. Create a new network resource in Windows. Use this tutorial: http://jakarta.apache.org/slide/xp.html
Hint:
You can also use Jackrabbit without Liferay in order to enable WebDAV with WebSphere.

Tuesday, April 21, 2009

Enable Client certificate authentication with IBM HTTP Server and WebSphere

If you want to provide client certificate authentication for web apps deployed in WebSphere Application Server 6.1 you first need to edit the web.xml of the application.
You need to add a security constraint:
<security-constraint id="SecurityConstraint_Test01">
<web-resource-collection id="WebResourceCollection_TestOZ01">
<web-resource-name>Test</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint id="AuthConstraint_CognosOZ02">
<description/>
<role-name>Tester</role-name>
</auth-constraint>
</security-constraint>
<login-config id="LoginConfig_1">
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Testrealm</realm-name>
</login-config>
<security-role id="SecurityRole_MIS01">
<description/>
<role-name>Tester</role-name>
</security-role>

After that you need to create a new virtual host in your IBM HTTP Server config.
To do that, edit the httpd.conf:
<VirtualHost <ip-address>:443>
ServerName www.yourvh.host.com
SSLEnable
SSLClientAuth 2
SSLServerCert <name of cert in key-db>
<Directory "/">
Options Indexes MultiViews
Order allow,deny
Allow from all
SSLClientAuthRequire o="<needed dn>"
</Directory>

RequestHeader set HTTPS %{HTTPS}e
RequestHeader set SSL_CIPHER %{SSL_CIPHER}e
RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e

DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>

Then you need to add the root cert of the certificate you want to use for authentication to the key database of your IBM HTTP Server.
1. Open the IBM Key Management utility ((i)keyman) and add the root cert (e.g. o=host.com). Use the same name as in the httpd.conf (<name of cert in key-db>)
2. Save the changes to the key database
3. Restart your IBM HTTP Server

After that edit the virtual host settings in WebSphere. In the administrative console go to Environment > Virtual Hosts and add the new virtual host (e.g. Certificate Host) with its host aliases.

The plugin-cfg.xml of your IBM HTTP Server should now be updated automatically with a new VirtualHostGroup entry:

<VirtualHostGroup Name="Certificate Host">
<VirtualHost Name="<host-alias1>:*" />
<VirtualHost Name="<host-alias2>:*" />
</VirtualHostGroup>


Monday, March 30, 2009

Web service cache [client sided]

To enable a client-side cache for web service requests (in a WebSphere client) you first need to activate the dynamic cache service and servlet caching (see the previous post).
Then you need to create a cachespec.xml

<cache>
<cache-entry>
<class>JAXRPCClient</class>
<name>http://"your-url":9080/service/"your service"</name>
<cache-id>
<component id="hash" type="SOAPEnvelope"/>
<timeout>60</timeout>
</cache-id>
</cache-entry>
</cache>

and place it into the WEB-INF folder of your client app.
The cachespec.xml above is configured to distinguish requests by a hash value (which is calculated over the SOAP envelope of every request).
This is the easiest way to implement a client-side web service cache.
For more information visit this site.

Friday, March 20, 2009

Setup Web service cache [server sided]

In this post I will explain how to use the web service server cache in WebSphere Application Server 6.1.

1. First you need to activate the dynamic cache service and servlet caching in WebSphere via the administrative console
1.1 Navigate to Servers > Application servers > "your server" > Container services > Dynamic cache service
1.2 Activate "Enable service at startup" and click "OK" and "Save" to apply this setting.
1.3 Navigate to Servers > Application servers > "your server" > Web Container Settings > Web container
1.4 Activate "Enable servlet caching" and click "OK" and "Save" to apply this setting.
1.5 Restart the server

2. Deploy the Dynamic Cache Monitor to get a view of the current state of the dynamic cache service
2.1 Locate the CacheMonitor.ear under "WebSphere-System-Root"\installableApps\
2.2 Deploy the EAR file (standard context root: cachemonitor)

3. Add a cachespec.xml (and the cachespec.dtd, located at /"websphere-sys-root"/properties) to your web service project (folder WEB-INF/)
3.1 The cachespec.xml should look like this:
<cache>
<cache-entry>
<class>webservice</class>
<name>"service name"</name>
<sharing-policy>not-shared</sharing-policy>
<cache-id>
<component id="Hash" type="SOAPEnvelope" />
<timeout>420</timeout>
</cache-id>
</cache-entry>
</cache>
"service name" = e.g. /services/Repository
3.2 (Re-)deploy the Web service application

Hint:
A sample cachespec file can be found at "WebSphere-System-Root"/properties

Hint 2:
To enable the web service cache through a Web Services Gateway (WSGW) see this link.

Tuesday, March 10, 2009

Generate a .NET Web service client for a Java EE Web service

[BETA] :-)
One of the advantages of Web services is interoperability.
Thus it's possible to use a .NET client for a Web service written in Java.
Just the WSDL is needed.

1. Install the newest Microsoft .NET SDK
2. Locate wsdl.exe in the .NET SDK installation (e.g. C:\PROGRA~1\Microsoft.NET\SDK\v2.0\Bin)
3. Execute
"SDK-Location (bin)"\wsdl.exe "Your WSDL-File"
4. You should now see a "your service"Client.cs file. The .cs file is the source code for the web service client proxy. Its methods are used to access the web service.
5. To access the web service you need to instantiate the proxy client in your client code
YourService proxy = new YourService ();
To call the needed method use something like
String result = proxy.findItem("123454");

6. To compile the C# source code without your IDE, locate csc.exe in the .NET SDK installation (e.g. C:\PROGRA~1\Microsoft.NET\SDK\v2.0.50727)
7. Execute
"SDK-Location"\csc.exe /t:exe /r:System.Web.dll,System.XML.dll,System.Web.Services.dll "your client code file" "proxy client code file"

8. You should now have an EXE file of the client.

9. Test IT!

Friday, February 20, 2009

Enable SSL between WebServer (plugin-in) and the WebSphere Application Server

To set up a new SSL connection between an IBM HTTP Server (IHS) and your WebSphere Application Server (6.1), a (self-signed) CA SSL certificate has to be propagated to all involved servers.

When setting up an IHS via the administrative console, SSL between IHS and the WebSphere AppServer should be enabled by default.

1. First take a look at your plugin-cfg.xml of your IHS installation and search for the entry <Property Name="keyring"...>

<ServerCluster CloneSeparatorChange="false" GetDWLMTable="false" IgnoreAffinityRequests="true" LoadBalance="Round Robin" Name="server1_testNodeoglxanclatest32Bit_Cluster" PostBufferSize="64" PostSizeLimit="-1" RemoveSpecialHeaders="true" RetryInterval="60">
<Server ConnectTimeout="0" ExtendedHandshake="false" MaxConnections="-1" Name="testNodeoglxanclatest32Bit_server1" ServerIOTimeout="0" WaitForContinue="false">
<Transport Hostname="oglxanclatest" Port="9080" Protocol="http"/>
<Transport Hostname="oglxanclatest" Port="9443" Protocol="https">
<Property Name="keyring" Value="/opt/HTTP/Plugins/config/test-webserver/plugin-key.kdb"/>
<Property Name="stashfile" Value="/opt/HTTP/Plugins/config/test-webserver/plugin-key.sth"/>
</Transport>
</Server>
</ServerCluster>


These tags define the location of the key database for the secure connection between your IHS and your AppServer.

2. In the administrative console of WebSphere go to Servers > Web servers > "your webserver" > Plug-in properties

On this page all necessary entries should be filled in automatically. To re-copy the default plug-in key database to your IHS press "Copy to Web server key store directory".

3. Restart your IHS

###############################################################

To manually set up SSL between IHS and WebSphere, first locate the plugin-key.kdb on your AppServer. Then copy the plugin-key.kdb to the IHS into the specified location (get the location from the picture above). Then edit the plugin-cfg.xml of the IHS (see the tag from step 1). Then restart your IHS and your WebSphere instance.


Tuesday, February 10, 2009

Setup a CMS workflow in Liferay 5.2.1

Sometimes there is a need to separate/limit the CMS permissions for some users.

These users can be an article editor or an article approver.

Create editor role:

1. Sign in as administrator (e.g. test@liferay.com/test)

2. Go to Control panel > Roles

3. Create a regular editor role

4. Click Action > Define permissions > Add Portlet Permission


5. Select Web Content

6. You will get a complete list of all available permissions. Select the permissions you want to assign to the editor role.


Create approver role:

1. Sign in as administrator (e.g. test@liferay.com/test)

2. Go to Control panel > Roles

3. Create a regular approver role

4. Click Action > Define permissions > Add Portlet Permission

5. Select Web Content

6. You will get a complete list of all available permissions. Select the permissions you want to assign to the approver role.

Assign members to roles

1. Sign in as administrator

2. Go to Control panel > Roles

3. Click Action > Assign member on the role you want to edit

4. Select the users and click "Update Associations" (->Avaiable)

Activate Versioning

1. Add to portal-ext.properties:



journal.article.force.increment.version=true

2. Restart Liferay/server

3. Test IT!

Mail settings

1. Edit portal-ext.properties


#
# Configure email notification settings.
#

# This address should be an approver mailbox.

# If an article is created, a mail will be sent to this address (from the article creator's address).

# If the article is approved, a mail will be sent from this address to the article creator.
journal.email.from.name=Web Content Workflow
journal.email.from.address=
journal.email.article.approval.denied.enabled=true
journal.email.article.approval.denied.subject=com/liferay/portlet/journal/dependencies/email_article_approval_denied_subject.tmpl
journal.email.article.approval.denied.body=com/liferay/portlet/journal/dependencies/email_article_approval_denied_body.tmpl
journal.email.article.approval.granted.enabled=true
journal.email.article.approval.granted.subject=com/liferay/portlet/journal/dependencies/email_article_approval_granted_subject.tmpl
journal.email.article.approval.granted.body=com/liferay/portlet/journal/dependencies/email_article_approval_granted_body.tmpl
journal.email.article.approval.requested.enabled=true
journal.email.article.approval.requested.subject=com/liferay/portlet/journal/dependencies/email_article_approval_requested_subject.tmpl
journal.email.article.approval.requested.body=com/liferay/portlet/journal/dependencies/email_article_approval_requested_body.tmpl
journal.email.article.review.enabled=true
journal.email.article.review.subject=com/liferay/portlet/journal/dependencies/email_article_review_subject.tmpl
journal.email.article.review.body=com/liferay/portlet/journal/dependencies/email_article_review_body.tmpl

2. Restart Liferay/server

Wednesday, January 28, 2009

Liferay 5.2.0/5.2.1/5.2.2/5.2.3 on WebSphere 6.1

(Should work with WebSphere 7 too)

The new Liferay versions 5.2.x can be downloaded here.

But deployment in WebSphere 6.1 is still a bit tricky.

Steps:
1. Deploy the Liferay 5.2.x WAR file (with dependencies)
2. Move portal-kernel.jar and container.jar to "WebSphere-System-root"/lib/ext
3. Move icu4j.jar (not needed in 5.2.2/5.2.3 - new file name: liferay-icu4j.jar) and portlet.jar to "WebSphere-System-root"/java/jre/lib/ext
4. Download the Sun saw-api (saw-api.jar) or extract it from the dependencies (can be downloaded separately) and move it to /WEB-INF/lib
5. Set up the database connection either in portal-ext.properties or in ext-spring.xml
5.1 To set up the database in portal-ext.properties take a look at portal-impl.jar/portal.properties (chapter JDBC). With this setup Liferay 5.2 will use the Apache Commons connection pool.
5.2 To use the connection pool of WebSphere you need to create a file called ext-spring.xml and place it into /WEB-INF/classes/META-INF. Download a sample ext-spring.xml file here.

######## Liferay 5.2.0 only ##########

6. For Liferay 5.2.0 only: deactivate the javascript fast load option in portal-ext.properties with this value


javascript.fast.load=false

It seems the fast load option (YUI compression of JS/CSS files) is NOT correctly implemented (for WebSphere).

WORKAROUND:
Put these files into /html/js


Edit the JavaScript settings in portal-ext.properties:

##
## JavaScript
##
javascript.barebone.files=\
    \
    #
    # Self-packed files
    #
    \
    barebone_packed.js

#
# Specify the list of everything files (everything else not already in the
# list of barebone files).
#
javascript.everything.files=\
    \
    #
    # Self-packed files
    #
    \
    everything_packed.js

javascript.barebone.enabled=true

javascript.fast.load=false

javascript.log.enabled=false


###############################################################

7. Restart your server.

Hint:
It's also possible to download the dependencies separately and then copy them to the lib folders of WebSphere.
Probably a change in class loader order will have the same effect (Applications > Enterprise Applications > "your app" >
Class loading and update detection)

Monday, January 5, 2009

MySQL and WebSphere Application Server

WebSphere doesn't have a template for connections to MySQL databases.

To set up one, you need to create a JDBC provider first:
1. Go to Resources > JDBC > JDBC Providers > New to create a new provider (driver)
Enter in Step 1:
Database type: User-defined
Implementation class name: com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource



Enter in Step 2:
Path to MySQL-Driver-File (can be downloaded here)


Finish the creation in Step 3 (Summary) with "Finish".

Data source:
1. To create a data source for this JDBC Provider go to Resources > JDBC > JDBC Provider > "YOUR JDBC PROVIDER" > Data sources > New

Enter in Step 1:
Your desired Data source name
Your desired JNDI-Name (e.g. jdbc/LiferayPool)

Enter in Step 2:
No changes

Finish the creation in Step 3 with "Finish"

2. Go to Resources > JDBC > data sources > "your data source" > custom properties
Create these properties:
user = "database user"
password = "database user password"
serverName = "database server name/ip"
databaseName = "name of database"


Save and synchronize to finish the setup.

Friday, January 2, 2009

Client Authentication with User Certificates

If you are creating your own self-signed user certificates (with your own CA) you can easily edit the httpd.conf of your IBM HTTP Server to use these certificates for restricted access.
After adding a proper CA root cert (see this post)

open the httpd.conf and edit (one of) your virtual host(s):

<VirtualHost <ip-address>:<port>>
ServerName <server name>
SSLEnable
SSLClientAuth 2
SSLServerCert <ssl server cert>
<Directory "/" >
Options Indexes MultiViews
Order allow,deny
Allow from all
SSLClientAuthRequire <your ca root dn>
</Directory>

RequestHeader set HTTPS %{HTTPS}e
RequestHeader set SSL_CIPHER %{SSL_CIPHER}e
RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e

DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>

Add SSLClientAuth 2 to require client authentication.
Add SSLClientAuthRequire <your ca root dn> to a directory (/ for all directories).
Example: SSLClientAuthRequire o="ibm.com"
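The two posts above (April 21 and this one) both end with the application receiving the client certificate's subject in the SSL_CLIENT_DN request header that the RequestHeader lines forward. The following is an added example of my own, not code from the post or from IBM: it parses such a DN and applies an SSLClientAuthRequire-style rule (here o="ibm.com", the post's example) in the application, failing closed on anything it cannot parse. It assumes the DN is forwarded in RFC 2253 form ("CN=Alice,O=ibm.com,C=US"); the sample requests are constructed, not captured traffic. One caveat for the deployment: `RequestHeader set` replaces any header of the same name a client may have sent, so the application may trust these headers only while every request reaches it through this virtual host and not via another path to the application server.

```python
"""Added example: evaluate the SSL_CLIENT_DN header forwarded by IHS against
a required-attribute rule (mirrors SSLClientAuthRequire o="ibm.com").

Assumption (not stated in the post): the DN arrives in RFC 2253 form.
"""
from typing import List, Mapping, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 DN into (attribute, value) pairs.

    Attribute names are lower-cased, values keep their case. Backslash escapes
    (e.g. "O=Acme\\, Inc") are honoured so an escaped comma does not split an
    RDN. A malformed DN raises ValueError instead of being partially accepted.
    """
    pairs: List[Tuple[str, str]] = []
    attr = None
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:
            name = "".join(buf).strip().lower()
            if not name:
                raise ValueError("empty attribute name in DN: %r" % dn)
            attr, buf = name, []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=' in DN: %r" % dn)
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
    if escaped or attr is None:
        raise ValueError("malformed DN: %r" % dn)
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def dn_satisfies(dn: str, required: Mapping[str, str]) -> bool:
    """True if every required attribute (e.g. {"o": "ibm.com"}) occurs in the
    DN with exactly that value (compared after trimming, case-sensitive).
    An unparsable DN never satisfies the rule (fail closed)."""
    try:
        pairs = parse_dn(dn)
    except ValueError:
        return False
    return all(
        any(a == name.lower() and v == wanted for a, v in pairs)
        for name, wanted in required.items()
    )


def authorize(headers: Mapping[str, str], required: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide on a request from the SSL_CLIENT_DN header IHS sets via
    RequestHeader. Returns (allowed, reason)."""
    dn = headers.get("SSL_CLIENT_DN", "")
    if not dn:
        return False, "no client certificate DN forwarded"
    if not dn_satisfies(dn, required):
        return False, "client certificate DN %r does not match %r" % (dn, dict(required))
    return True, "client certificate DN accepted: %s" % dn


# Constructed sample requests (not captured traffic); header names follow the
# RequestHeader lines in the post.
SAMPLE_REQUESTS = {
    "employee": {"HTTPS": "ON", "SSL_CLIENT_CN": "Alice Example",
                 "SSL_CLIENT_DN": "CN=Alice Example,OU=Portal,O=ibm.com,C=US"},
    "escaped_comma": {"HTTPS": "ON", "SSL_CLIENT_DN": "CN=Bob,O=Acme\\, Inc,C=US"},
    "lookalike_org": {"HTTPS": "ON", "SSL_CLIENT_DN": "CN=Mallory,O=ibm.com.example,C=US"},
    "no_cert": {"HTTPS": "ON"},
}
REQUIRED = {"o": "ibm.com"}  # the post's example: SSLClientAuthRequire o="ibm.com"

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        ok, why = authorize(hdrs, REQUIRED)
        print("%-14s %s  (%s)" % (label, "ALLOW" if ok else "DENY", why))
```

The value comparison is deliberately exact: "IBM.COM" does not match "ibm.com" here, which errs toward denying a legitimate certificate rather than accepting a near-match, and the parser refuses a DN with a dangling escape instead of guessing at its meaning.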

Wednesday, December 10, 2008

Set HTTP Response Header Cache-Control and enable mod_cache for higher performance

To enable the caching of pictures, open the httpd.conf of your IBM HTTP Server and add the following lines:

LoadModule headers_module modules/mod_headers.so

<Location ~ "\.(js|gif|jpg|jpeg|png|jpe)$">
Header add Cache-Control "public, max-age=432000, post-check=172000"
</Location>

These lines load the module mod_headers.so and set a Cache-Control header on the matched files. A Cache-Control header allows clients, web servers and proxies to cache pictures.

Adding the Cache-Control header is very useful for older Liferay versions.

To enable an IBM HTTP Server to cache those pictures itself, additionally add these lines:

LoadModule cache_module modules/mod_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so

<IfModule mod_mem_cache.c>
CacheEnable mem /
# total cache size in KB
MCacheSize 4096
MCacheMaxObjectCount 100
# per-object size limits in bytes (the minimum must be below the maximum)
MCacheMinObjectSize 1
MCacheMaxObjectSize 2048
</IfModule>

Link to sample httpd.conf

Wednesday, November 26, 2008

Enable g-zip for IBM HTTP Server

In order to compress the content served from an IBM HTTP Server (IHS), it is possible to enable the gzip option in httpd.conf to compress the traffic between a client and the IHS.

To enable gzip compression add these lines at the bottom of httpd.conf:


# compress everything but images
LoadModule deflate_module modules/mod_deflate.so
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio
# log some info
#LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
#CustomLog logs/deflate_log deflate
# Insert filter
SetOutputFilter DEFLATE
# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't compress images
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|exe)$ no-gzip dont-vary

Link to sample httpd.conf

To enable compression explicitly per MIME type, look at this sample file:

Link to sample httpd.conf (Version 2)

Links:

http://www.redbooks.ibm.com/abstracts/TIPS0288.html?Open

Wednesday, November 19, 2008

Form Login for WebSphere Application Server 6.1

To enable a form-based login (instead of Basic Authentication) edit the web.xml of the application and add a login configuration:

<login-config id="LoginConfig_1">
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config id="FormLoginConfig_1">
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>

The login.jsp contains the login form (IBM example):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<title>Security FVT Login Page</title>
</head>
<body>
<h2>Form Login</h2>
<FORM METHOD=POST ACTION="j_security_check">
<p>
<font size="2"><strong>Enter user ID and password:</strong></font><BR>
<strong>User ID</strong> <input type="text" size="20" name="j_username">
<strong>Password</strong> <input type="password" size="20" name="j_password"><BR><BR>
<font size="2"><strong>And then click this button:</strong></font>
<input type="submit" name="login" value="Login">
</p>
</form>
</body>
</html>

The error.jsp contains an error message (IBM example):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>A Form login authentication failure occurred</title>
</head>
<body>
<h1><b>A Form login authentication failure occurred</b></h1>
<p>Authentication may fail for one of many reasons. Some possibilities include:</p>
<ol>
<li>The user-id or password may be entered incorrectly; either misspelled or the wrong case was used.</li>
<li>The user-id or password does not exist, has expired, or has been disabled.</li>
</ol>
</body>
</html>

So what's going on (example):
1. The user tries to access http://example.com/app/index.html
2. The user gets redirected to http://example.com/app/login.jsp
2.1 WAS creates a cookie called WASReqURL which contains the requested path (value: http[s]://[:Port]/app/index.jsp)
3. The user types in user ID and password and submits the login credentials
3.1 WAS reads the WASReqURL cookie and redirects to the requested path (http://example.com/app/index.html).
3.2 If the credentials are wrong, WAS redirects the user to http://example.com/app/error.jsp
It is possible to edit the WASReqURL cookie to change the redirect path after a successful login.
Steps:
1. Read the cookie value:
String url = "";
String newurl = ""; // set this to the path the user should land on after login
// Get all cookies (getCookies() returns null if the request carries none)
Cookie[] cookies = request.getCookies();
if (cookies != null) {
    for (int index = 0; index < cookies.length; index++) {
        String cookieName = cookies[index].getName();
        if ("WASReqURL".equals(cookieName)) {
            // WASReqURL cookie found: keep its value and leave the loop
            url = cookies[index].getValue();
            break;
        }
    }
}
2. Set a new WASReqURL cookie:
Cookie wasrequrlcookie = new Cookie("WASReqURL", newurl);
response.addCookie(wasrequrlcookie);
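The WASReqURL value lives in a cookie, so it is data the client controls. If the application reads that value (or rewrites it, as in step 2 above) and later sends a redirect to it, the login page can be turned into an open redirect unless the target is checked first. The following is an added example of my own, not code from the post or from WebSphere, that shows such a check as plain logic. It assumes the application context root is /app and the site is served only under example.com (both taken from the post's example URLs; the real deployment would substitute its own values), and the cookie values it is run against are constructed.

```python
"""Added example: validate a WASReqURL-style redirect target before redirecting
a just-authenticated user to it.

Assumptions (from the post's example URLs, not configuration of the page):
the application context root is /app and its only host is example.com.
"""
from urllib.parse import unquote, urlsplit

APP_CONTEXT = "/app"                            # assumed context root
ALLOWED_HOSTS = frozenset({"example.com"})      # assumed: the only host users may be sent to
DEFAULT_TARGET = APP_CONTEXT + "/index.html"    # landing page when the cookie value is rejected


def safe_redirect_target(cookie_value, app_context=APP_CONTEXT,
                         allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return cookie_value if it points inside our application, else default.

    Accepted: absolute http(s) URLs whose host is in allowed_hosts, and
    relative paths at or below app_context. Rejected: other schemes
    (javascript:, data:), protocol-relative URLs (//host/...), userinfo
    tricks (http://example.com@evil/...), backslashes, path traversal and
    control characters that could split the Location header.
    """
    if not cookie_value:
        return default
    value = cookie_value.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return default
    if "\\" in value:
        # some browsers treat "\\host" like "//host"; no legitimate target needs it
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # absolute or protocol-relative URL: both scheme and host must be ours
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if (parts.hostname or "") not in allowed_hosts:   # hostname is already lower-cased
            return default
    path = parts.path
    if path != app_context and not path.startswith(app_context + "/"):
        return default
    if ".." in unquote(path).split("/"):
        return default
    return value


# Constructed cookie values for a demonstration run
SAMPLE_COOKIE_VALUES = [
    "https://example.com/app/index.html",
    "https://example.com:9443/app/index.jsp",
    "/app/page.jsp",
    "https://evil.example.net/app/index.html",
    "//evil.example.net/app/index.html",
    "http://example.com@evil.net/app/x",
    "javascript:alert(1)",
    "/app/../admin",
    "/app/%2e%2e/admin",
    "/application/secret",
    "",
]

if __name__ == "__main__":
    for raw in SAMPLE_COOKIE_VALUES:
        print("%-40r -> %s" % (raw, safe_redirect_target(raw)))
```

When the value is rejected the user still lands somewhere sensible (the application's default page), so the check costs nothing for honest traffic; the path test is done on the decoded path so that percent-encoded traversal is caught as well.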

Links:

Tuesday, November 11, 2008

Enable SSL (HTTPs) for IBM HTTP Server

To enable SSL on an IBM HTTP Server (client -> IHS), you need to generate a proper certificate first.

Steps to generate self-signed-certificate for https traffic:

1. Open /<ihs-root>/bin/ikeyman

2. Select CMS as type and specify a file name and a location for the certificate file

3. When prompted for a password type in your desired password.

4. Click Create > New Self-Signed Certificate in iKeyman. Type in your desired values.


5. Exit iKeyman.

6. Verify that all needed files (3-4 files) are generated in your certificate location.

After generating a self-signed-certificate the IHS needs to be configured to use SSL.

1. Open /<ihs-root>/conf/httpd.conf

2. Add the following line to load the SSL module. Add it at the end of the Load Modules section.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

3. Add a virtual host to enable SSL.

Link to example file

4. Save and restart the HTTP Server (/<ihs-root>/bin/apachectl)

Troubleshooting 1:

If SSL isn't working, check the virtual host defined in your WebSphere server.

1. In the Administrative Console go to Environment > Virtual Hosts > default_host > Host Aliases and check if port 443 is defined.

To setup SSL between IHS and a WebSphere-Server see:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_httpserv.html

Troubleshooting 2:

Perhaps you need to update the default plugin key files.

1. In the Administrative Console go to Servers > Web servers > <webserver-name> > Plug-in properties

2. Click "Copy to Web server key store directory" to override the old default certificates.

3. Restart the IHS and try again