Tuesday, November 11, 2008

Enable SSL (HTTPS) for IBM HTTP Server

To enable SSL on an IBM HTTP Server (Client -> IHS), you need to generate a proper certificate first.

Steps to generate a self-signed certificate for HTTPS traffic:

1. Open /<ihs-root>/bin/ikeyman

2. Select CMS as the key database type and specify a file name and a location for the certificate file.

3. When prompted for a password, type in your desired password.

4. Click Create > New Self-Signed Certificate in iKeyman. Type in your desired values.


5. Exit iKeyman.

6. Verify that all needed files (3-4 files) are generated in your certificate location.

After generating the self-signed certificate, IHS needs to be configured to use SSL.

1. Open /<ihs-root>/conf/httpd.conf

2. Add the following line to load the SSL module. Add this line at the end of the Load Modules section.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

3. Add a virtual host to enable SSL.

Link to example file

4. Save and restart the HTTP Server (/<ihs-root>/bin/apachectl)
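
A minimal httpd.conf fragment for steps 2 and 3, as an added example (it is not the example file the original post linked to). The key database path, ServerName and certificate label are placeholders.

```apache
# Added example; <ihs-root>, the key database name, ServerName and the
# certificate label are placeholders, not values from the original post.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

# Listen on the standard HTTPS port in addition to the existing HTTP listener.
Listen 443

<VirtualHost *:443>
    ServerName www.example.com
    # Turn SSL on for this virtual host only.
    SSLEnable
    # Optional: select the certificate by its iKeyman label when it is not
    # the default certificate of the key database.
    # SSLServerCert selfsigned
</VirtualHost>

# Keep SSL off for the main server and any other virtual hosts.
SSLDisable

# CMS key database created in iKeyman. IHS reads the database password from
# the stash file (.sth) next to it, so the password must have been stashed
# when the database was created.
KeyFile /<ihs-root>/ssl/key.kdb
```

Anyone who can read the stash file can open the key database, so restrict the .kdb and .sth files to the account IHS runs as. Running `/<ihs-root>/bin/apachectl -t` checks the configuration syntax before the restart.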

Troubleshooting 1:

If SSL isn't working, check the Virtual Host defined in your WebSphere Server.

1. In the Administrative Console, go to Virtual > default host > Host Aliases and check if port 433 is defined.

To set up SSL between IHS and a WebSphere server, see:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_httpserv.html

Troubleshooting 2:

Perhaps you need to update the default plugin key files.

1. In the Administrative Console, go to WebServer > <webserver-name> > Plugin properties

2. Click "Copy to Web server key store directory" to override the old default certificates.

3. Restart the IHS and try again.

4 comments:

od said...

For which version of WAS is this? I use similar steps to those you described for WAS 5. As for WAS 6.1, there are additional steps involved though.

eichelgartenweg said...

Hi od,
I used version 6.1.0.11 of IBM HTTP Server.
Setting up SSL for IHS doesn't involve WAS.
The connection to your WebSphere server is typically made during installation of IHS.

Establishing a secure connection between IHS and WAS is a different thing :-)

If you mean Troubleshooting 2:
I do not have a WAS 5 to test it.

sAndeep said...

Hi,
Good job.
One question. I want to avoid HTTPS communication between the HTTP Server and the App Server, since the AppServer is already in the DMZ. Browser client to HTTP Server will always be HTTPS.
Is it enough to remove the HTTPS Transport entry from the Server definition in plugin-cfg.xml, keeping only the HTTP transport entry? It seems to be working, but I just wanted an expert opinion. Thank you.

eichelgartenweg said...

Hi sAndeep,
Yes, you are right.
Removing the <transport> tag for https is enough.

In our prod. environment we use the same setup.

But our AppServers are not in a DMZ.
Maybe you should additionally set up your firewall to block https traffic.