This document describes configuration of IBM HTTP Server, although
it is possible to use another supported Web server.
Before you begin
IBM HTTP Server supports Secure Sockets Layer (SSL) Version 2 and
Version 3 and Transport Layer Security (TLS) Version 1. IBM HTTP Server is
based on the Apache Web server, but for SSL configuration it requires the
IBM-supplied SSL modules, rather than the OpenSSL modules.
SSL is disabled by default. To enable SSL, you must modify a configuration
file and generate a server-side certificate using the key management utility
(iKeyman) provided with IBM HTTP Server.
Procedure
- For a single server, enable SSL on IBM HTTP Server (port 443, for
example).
- To set up certificates, complete the following steps: Start
the key management utility by clicking Start > Programs > IBM HTTP Server
> Start Key Management Utility. Refer to Requesting a CA-signed personal certificate, Creating a certificate
signing request (CSR), Receiving a CA-signed personal certificate, and Extracting a public certificate for use
in a truststore file.
- Create a key database and click Key Database File > New.
- Type a file name, serverkey.kdb, for example, and the
location path. Click OK.
- Type a password, select the Stash the password to a file check
box and click OK.
- Obtain a personal certificate for IBM HTTP Server: Click Personal
Certificate in the key management utility menu. Click Create > New
Certificate Request. The Create New Key and Certificate Request panel
is displayed. Complete the following information:
  - Key label: Server_Cert
  - Key size: Select either a 512 or a 1024 bit size for your key.
  - Common name: droplet.austin.ibm.com
  - Organization: IBM
  - Organization unit: WebSphere
  - Locality: Austin
  - State: Texas
  - Zip code: 76758
  - Country: US
  - File name: Server_certreq.arm
The Verisign Test CA Root Certificate is in the set of signer
certificates that ship with the IKeyMan utility for IBM HTTP Server.
- Go to http://www.verisign.com and click Free SSL Trial.
Complete the profile information, click Submit, and click Continue twice.
- Use your favorite text editor to edit the request file Server_certreq.arm,
and copy the entire contents of the file into the browser request panel. Click Continue.
VeriSign sends the signed personal certificate to your e-mail.
- Copy and paste this certificate into a file, for example Server_Cert.arm.
Click Personal Certificate from the menu in the key management utility.
Click Receive. Specify the file name, Server_Cert.arm, and
click OK. You might need to add VeriSign test root certificate to the
signer certificates for the receive to be successful. Close the serverkey.kdb file.
- To allow IBM HTTP Server to support HTTPS (port 443, for example),
enable SSL on IBM HTTP Server. Modify the configuration file of IBM HTTP Server, IHS_HOME/conf/httpd.conf.
You also can enable SSL through the IBM HTTP Server administrative console.
Open the IHS_HOME/conf/httpd.conf file and add the following lines
to the bottom of the file:
    # Load the IBM-supplied SSL module
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    # Accept connections on the HTTPS port
    Listen 443
    <VirtualHost droplet.austin.ibm.com:443>
        ServerName droplet.austin.ibm.com
        DocumentRoot <install_root>\htdocs
        SSLEnable
        # Uncomment the next line to require client certificates
        #SSLClientAuth required
    </VirtualHost>
    # SSL stays off outside the virtual host above
    SSLDisable
    # Key database created with the key management utility
    Keyfile <IHS_HOME>/serverkey.kdb

Note: Change the host name and the path for the key file accordingly.
Modify the Web server to support client certificates by uncommenting the
SSLClientAuth directive shown in the httpd.conf file:

    SSLClientAuth required
- Restart IBM HTTP Server.
- Test SSL between a browser and IBM HTTP Server. For
more information on the default IBM HTTP Server port number, see .
- Follow the prompts to select a personal certificate if the SSLClientAuth
directive is set to required.
- To enable the application server to communicate with IBM HTTP Server
using port 443, add the host alias on the default_host. In the administrative
console, click Environment > Virtual Hosts > default_host. Under
Additional properties, click Host Aliases > New. Enter the
following information in the appropriate fields:
- Host name
- *
- Port
- 443
- Click Apply and Save. When you click Save,
the information is written to the security.xml file and the Web server
plug-in is automatically updated.
- Restart WebSphere Application Server.
- Test your connection.
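
The httpd.conf additions from the procedure above can be checked before IBM HTTP Server is restarted. The following Python script is an added example, not part of the original IBM documentation; it looks only at the directives shown on this page, and the function names and the paths in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the SSL-related httpd.conf lines from this page, made-up key path.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost droplet.austin.ibm.com:443>
    ServerName droplet.austin.ibm.com
    SSLEnable
    #SSLClientAuth required
</VirtualHost>
SSLDisable
Keyfile /opt/IHS/serverkey.kdb
"""

def parse(conf):
    """Map active directives (name -> args list), globally and per VirtualHost."""
    glob, vhosts, scope = {}, [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue  # a commented-out directive is inactive
        opened = re.match(r"<VirtualHost\s+([^\s>][^>]*)>", line, re.I)
        if opened:
            scope = {}
            vhosts.append((opened.group(1).strip(), scope))
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = None
        else:
            name, args = (line.split(None, 1) + [""])[:2]
            (glob if scope is None else scope).setdefault(name.lower(), []).append(args)
    return glob, vhosts

def port_of(addr):
    return addr.split()[0].rsplit(":", 1)[-1]  # 'host:443', '*:443' or '443'

def check_ssl_config(conf):
    """Report on the directives this page adds to httpd.conf."""
    glob, vhosts = parse(conf)
    ssl = [(addr, d) for addr, d in vhosts if "sslenable" in d]
    ports = {port_of(a) for a in glob.get("listen", []) if a}
    keyfiles = glob.get("keyfile", []) + [k for _, d in ssl for k in d.get("keyfile", [])]
    return {
        "module_loaded": any(a.split()[:1] == ["ibm_ssl_module"] for a in glob.get("loadmodule", [])),
        "ssl_vhosts": [addr for addr, _ in ssl],
        "port_listened": bool(ssl) and all(port_of(addr) in ports for addr, _ in ssl),
        "keyfile": keyfiles[0] if keyfiles else None,
        "ssl_disabled_globally": "ssldisable" in glob,
        "client_auth_required": any(a.lower() == "required" for _, d in ssl for a in d.get("sslclientauth", [])),
    }
```

For the sample, `client_auth_required` is reported as false because the SSLClientAuth line is still commented out, which is the state the Note above asks you to change when client certificates are wanted.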
Results
You can connect to the Snoop servlet.
Example
Enable Secure Sockets Layer communication between IBM HTTP Server
and WebSphere Application Server.