Why and when to perform this task
If you are setting up communication between a Web server running on a distributed platform and the WebSphere Application Server for z/OS product, and you intend to use the Secure Sockets Layer (SSL) transport (also known as HTTPS), then in addition to the distributed platform plug-in file you must also install the Global Security Kit (GSKit) on the workstation hosting this Web server. This kit helps the Web server connect to your Application Server.
A CD-ROM provided with the WebSphere Application Server for z/OS product includes a GSKit installation image for each supported distributed platform. (The GSKit image is the same for all Web servers running on that platform.) The topic "GSKit install image files" provides a list of the GSKit files by supported operating system.
To install the GSKit installation image on the workstation on which the Web server is running:
Steps for this task
For an IBM HTTP Server for distributed platforms, you must also add the following lines to the bottom of the Web server httpd.conf file:
LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll
Listen port_number
Keyfile C:\ssl\http_session\plug-inKeys.kdb
<VirtualHost virtual_host_name:port_number>
  ServerName virtual_host_name
  SSLEnable
  SSLClientAuth none
</VirtualHost>
These lines cause the Web server to listen on the specified port.
SSLClientAuth none indicates that you do not want to enable client authentication. If you want to use client authentication, change this line to SSLClientAuth enable.
This change causes the HTTP Server to send a request for a certificate to the browser. Your browser might prompt you to choose a certificate to send to the Web server for performing client authentication.
Click OK.
Click OK.
Click OK.
The plug-inKeys.kdb file is the key database file that contains the public keys, private keys, trusted CAs, and certificates for the Web server plug-ins.
Note: The default password for viewing the plugin-key.kdb using iKeyMan is WebAS.
Example: The ServerCluster definition for cluster Cluster1, with servers SY1_ClusterMember1 and SY1_ClusterMember2 defined, looks like the following:
<ServerCluster CloneSeparatorChange="false" LoadBalance="Round Robin"
    Name="Cluster1" PostSizeLimit="10000000" RemoveSpecialHeaders="true"
    RetryInterval="60">
  <Server CloneID="BA36BEC1EB243D8B000000E4000000030926301B"
      ConnectTimeout="0" ExtendedHandshake="false" LoadBalanceWeight="2"
      MaxConnections="0" Name="SY1_ClusterMember1" WaitForContinue="false">
    <Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="9084" Protocol="http"/>
    <Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="0" Protocol="https">
      <Property Name="Keyring" value="/WebSphere/V6R0M0/DeploymentManager/etc/plugin-key.kdb"/>
      <Property Name="Stashfile" value="/WebSphere/V6R0M0/DeploymentManager/etc/plugin-key.sth"/>
      <Property Name="certLabel" Value="selfsigned"/>
    </Transport>
  </Server>
  <Server CloneID="BA36BED017FDF40E000000E4000000030926301B"
      ConnectTimeout="0" ExtendedHandshake="false" LoadBalanceWeight="2"
      MaxConnections="0" Name="SY1_ClusterMember2" WaitForContinue="false">
    <Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="9085" Protocol="http"/>
    <Transport Hostname="BOSSXXXX.PLEX1.L2.IBM.COM" Port="0" Protocol="https">
      <Property Name="Keyring" value="/WebSphere/V6R0M0/DeploymentManager/etc/plugin-key.kdb"/>
      <Property Name="Stashfile" value="/WebSphere/V6R0M0/DeploymentManager/etc/plugin-key.sth"/>
      <Property Name="certLabel" Value="selfsigned"/>
    </Transport>
  </Server>
  <PrimaryServers>
    <Server Name="SY1_ClusterMember1"/>
    <Server Name="SY1_ClusterMember2"/>
  </PrimaryServers>
</ServerCluster>
where:
Note: The default password for viewing the plugin-key.kdb file using iKeyMan is WebAS.
See your Web server documentation for more information about these files.
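The following Python check is an added example, not part of the original documentation or of the product: it audits a ServerCluster definition like the one above, reporting https transports that lack a Keyring or Stashfile property and PrimaryServers entries that name no defined server. The sample XML, host name and file paths are constructed, and matching attribute names without regard to case is an assumption made for this check.

```python
import xml.etree.ElementTree as ET

# Constructed sample (host name and paths are placeholders): the second server
# lacks a Stashfile, and PrimaryServers names a server that is not defined.
SAMPLE = """\
<ServerCluster Name="Cluster1">
  <Server Name="SY1_ClusterMember1">
    <Transport Hostname="host.example.com" Port="9443" Protocol="https">
      <Property Name="Keyring" value="/etc/plugin-key.kdb"/>
      <Property Name="Stashfile" value="/etc/plugin-key.sth"/>
    </Transport>
  </Server>
  <Server Name="SY1_ClusterMember2">
    <Transport Hostname="host.example.com" Port="9444" Protocol="https">
      <Property Name="Keyring" value="/etc/plugin-key.kdb"/>
    </Transport>
  </Server>
  <PrimaryServers>
    <Server Name="SY1_ClusterMember1"/>
    <Server Name="SY1_ClusterMember3"/>
  </PrimaryServers>
</ServerCluster>
"""

REQUIRED = ("Keyring", "Stashfile")  # properties the page shows on https transports


def attr(elem, name):
    """Read an attribute ignoring case (assumption: value= and Value= both occur)."""
    return next((v for k, v in elem.attrib.items() if k.lower() == name.lower()), "")


def audit_cluster(xml_text):
    """Return findings for one ServerCluster definition (empty list means clean)."""
    cluster = ET.fromstring(xml_text)
    servers = cluster.findall("Server")
    defined = {attr(s, "Name") for s in servers}
    findings = []
    for server in servers:
        for tr in server.findall("Transport"):
            is_https = attr(tr, "Protocol").lower() == "https"
            props = {attr(p, "Name").lower(): attr(p, "Value").strip()
                     for p in tr.findall("Property")}
            findings += [f"{attr(server, 'Name')}: https transport has no {req}"
                         for req in REQUIRED if is_https and not props.get(req.lower())]
    findings += [f"PrimaryServers: unknown server {attr(r, 'Name')}"
                 for r in cluster.findall("PrimaryServers/Server")
                 if attr(r, "Name") not in defined]
    return findings
```

Because the definition is parsed as XML, a malformed file (an unclosed tag or a doubled quote) raises xml.etree.ElementTree.ParseError instead of producing findings.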
The configuration is complete. To activate the configuration, stop and restart both the application server and the Web server.