Tivoli Header

User's Guide

Enabling Secure Socket Layer Support

The Web Health Console installation inserts configuration parameters for Secure Socket Layer (SSL) support, but does not enable SSL. To enable SSL, you must first provide a key database containing the site specific keys and certificates, then uncomment the inserted configuration information.

This section shows you the steps to enable SSL.

Note:

In the following directions, replace IBM HTTP Server Location with:

AIX: /usr/HTTPServer
Sun Solaris: /opt/IBMHTTPD
Linux: /opt/IBMHTTPServer
HP: /opt/HTTPServer
UNIX: /opt/HTTPServer
Windows: Web Health Console Server Location/HTTP_Server

Follow these steps to enable SSL:

Create a directory on the server to hold your SSL key database files and certificates. In the following steps, this directory is referred to as key_db_dir.
For Windows NT: start the IBM Key Management utility by invoking gsk5ikm.exe from [WEB_HEALTH_CONSOLE_INSTALL_DRIVE]\Program Files\ibm\gsk5\bin or by selecting Start>Programs>IBM HTTP Server>Start Key Management Utility.
For AIX, Sun Solaris, HP/UX, and Linux: start the IBM Key Management utility by invoking gsk5ikm from:
- AIX: /usr/ibm/gsk5/bin
- Linux: /usr/local/ibm/gsk5/bin
- Sun Solaris: /opt/ibm/gsk5/bin
- HP/UX: /opt/ibm/gsk5/bin
Within IBM Key Management, select Key Database File>New.
Complete the fields in the New dialog box, making the following selection entries:
- Key Database Type: Select the CMS Key database file
- File Name: Enter a base filename for the new key database files. Several files will be created using this base filename, including:
  [key_database_name].kdb, [key_database_name].rdb,
  [key_database_name].sth, and [key_database_name].crl.
  To use the default Web Health Console configuration, use IBM HTTP SERVER LOCATION/key_db for the Location.
Click OK.
Complete the fields in the Password Prompt dialog box, making the following selection and entries:
- Enter the password which will be used to encrypt and decrypt the key database
- Reenter the password to confirm that it is typed correctly
- Select Stash the password to a file
If you have a server certificate from a Certificate Authority (for example, Verisign), you can click Import to import this certificate into your SSL key file. If not, create a new one by selecting Create>New Self-Signed Certificate.
Complete the fields in the Create New Self-Signed Certificate dialog box, making the following selection and entries:
- Key Label: A label by which the key and certificate in the database will be identified.
- Common Name: The fully qualified hostname of the server on which the Web Health Console is installed.
- Organization: Enter an organization name. This information will be presented to the client as part of the credentials of the server.
Leave the remaining parameters at their default value, and click OK.
Generally speaking, SSL communication is run on a different port than the standard unencrypted communication typically used on port 80. By convention, the port used for SSL is port 443.
Edit the file IBM HTTP Server Location/conf/httpd.conf. At the end of this file, you will find the lines described hereafter. Uncomment these lines.If you did not use the default location and name for the key database, insert the appropriate information.
For Windows NT:
#LoadModule ibm_ssl_module
modules/IBMMOduleSSL128.dll
#Listen 443
#SSLEnable
#Keyfile "IBM HTTP SERVER LOCATION\key_db\key.db"
For AIX, Sun Solaris, HP/UX, and Linux:
#LoadModule ibm_ssl_module
libexec/mod_ibm_ssl_128.so
#Listen 443
#SSLEnable
#Keyfile "IBM HTTP SERVER LOCATION\key_db\key.db"
On Windows:
Restart the IBM HTTP Server by selecting IBM HTTP Server in the Windows NT Services control panel, clicking Stop, and then clicking Start
On UNIX:
Restart the IBM HTTP Server by running IBM HTTP Server Location/bin/apachectl restart.

The IBM HTTP Web Server is now configured for SSL.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]