The request flows in the following order: Web Browser -> IBM HTTP Server -> WebSphere Plug-in -> WebSphere Application Server.
This involves setting up SSL for two different communication paths:
1. Between the browser and IBM HTTP Server [IHS]
2. Between IBM HTTP Server [IHS] and WebSphere Application Server
In this part, let us take the SSL setup for IHS [between browser and IHS]. This involves editing the httpd.conf file and creating a new SSL certificate.
Creating a new SSL digital certificate using iKeyman:
For the certificate you can use either one signed by a certificate authority (CA) or a self-signed certificate. Before creating a new certificate, you need to create a certificate store, or Key Database.
- Start the iKeyman utility: /IHS root/bin/ikeyman.sh
- From the menu bar select Key Database File > New.
- Choose the key database type CMS.
- Enter a file name for the new Key Database file you are creating.
- Enter the location where you want to store the .kdb file.
- Click OK.
- After saving the key database file to the location specified, you are prompted to enter a password. This is the password that will be used to open the key database file in iKeyman in the future.
- Make sure the checkbox "Stash the password to a file" is enabled. This saves the encrypted password as a .sth file in the same directory as the key database file.
- Now click OK.
Your Key Database file is ready.
Now let's create a certificate request. I am using this URL for my site:
www.bhikshuwebsphere.com (this site name will differ depending on your organization's environment)
- First, open the KDB using iKeyman. This will show the key database contents.
- Click on the "down arrow" to the right to display a list of three choices.
Options:
- Key Size = 1024 for 128-bit and 512 for 56-bit
- Common Name = Site name [this is the name that the CA will register]
- Organization = Company name
- Enter the name of a file in which to store the certificate request = the file (.arm) that will contain your request
Once you save the file (.arm) you are done with creating the request.
You must now choose a CA and send them the "Certificate Request".
Once the CA has signed your certificate, they generally send the signed certificate back to you through email.
- Take the information provided in the CA's email, copy it to a text file (Notepad) and save it as IHS_Root/SSL/CertRcvd.arm
- Open the KDB file and choose Personal Certificates from the drop-down options [check image3 for how-to]
- From the Personal Certificates section, click Receive; a pop-up window will appear.
Extracting public certificates for truststore files
Extracting a certificate from one keystore file and adding it to a truststore file is not the same as exporting the certificate and then importing it. Exporting a certificate copies all the certificate information, including its private key, and is normally only used if you want to copy a personal certificate into another keystore file as a personal certificate.
If a certificate is self-signed, extract the certificate and its public key from the keystore file and add it to the target truststore file.
If a certificate is CA-signed, verify that the CA certificate used to sign the certificate is listed as a signer certificate in the target truststore file. The keystore file must already exist and contain the certificate to be extracted.
Read the http://www.ibm.com/developerworks/java/jdk/security/iKeymanDocs.zip file for further information about how to extract a public certificate from a key database file.
Steps for this task
- Start the key management utility (iKeyman), if it is not already running.
- Open the keystore file from which the public certificate will be extracted.
- Select Personal Certificates.
- Click Extract Certificate.
- Click Base64-encoded ASCII data under Data type.
- Enter the Certificate File Name and Location.
- Click OK to export the public certificate into the specified file.
Result
A certificate file that contains the public key of the signed personal certificate is now available for the target truststore file.
What to do next
- Open the keystore file from which the public certificate will be extracted.
- Select Signer Certificates and click the Add button.
- Enter the Certificate File Name and Location.
- Click OK.
Now the signer certificate is added.
Open the httpd.conf file for editing and modify it to implement the following:
- To allow IBM HTTP Server to support HTTPS (port 443, for example), enable SSL on IBM HTTP Server. Modify the configuration file of IBM HTTP Server, IHS_HOME/conf/httpd.conf. You can also enable SSL through the IBM HTTP Server administrative console. Open the IHS_HOME/conf/httpd.conf file and add the following lines to the bottom of the file:
LoadModule ibm_ssl_module libexec/mod_ibm_ssl.so
AddModule mod_ibm_ssl.c
Listen 443
<VirtualHost host_name.domain:443>
  ServerName host_name.domain
  SSLServerCert certificate name
  DocumentRoot "IHS_Root\docs"
  SSLEnable
  SSLClientAuth none
</VirtualHost>
SSLDisable
Keyfile "path_to_keyfile_created"
SSLV2Timeout 100
SSLV3Timeout 1000
For example, for the site used in this post (with the module loaded from the modules directory), the block looks like this:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost XXXXXXX:443>
  ServerName www.bhikshuwebsphere.com
  DocumentRoot <install_root>\htdocs
  SSLEnable
  #SSLClientAuth required
</VirtualHost>
SSLDisable
Keyfile <IHS_HOME>/serverkey.kdb
- For host_name.domain, use the virtual host IP address or fully qualified domain name.
- Typically, port 443 is used for the HTTPS protocol.
- The timeout values are given in seconds. Your values might be different.
Note: Change the host name and the path for the key file accordingly. To make the Web server support client certificates, uncomment the SSLClientAuth directive shown in the httpd.conf file:
SSLClientAuth required
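Before restarting IHS it is worth checking that the SSL block is consistent: the module is loaded, port 443 is bound, the Keyfile points at the .kdb created in iKeyman, and SSLEnable (and, if wanted, SSLClientAuth) actually sits inside the :443 virtual host. The following added example (not from the original post) parses such a block; the sample config is constructed to mirror the one above, with a placeholder IP and placeholder paths.

```python
import re

# Constructed sample mirroring the post's block; IP and paths are placeholders.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost 192.0.2.10:443>
ServerName www.bhikshuwebsphere.com
DocumentRoot /opt/IBM/HTTPServer/htdocs
SSLEnable
#SSLClientAuth required
</VirtualHost>
SSLDisable
Keyfile /opt/IBM/HTTPServer/serverkey.kdb
"""

def parse_ihs_ssl(conf):
    """Split httpd.conf into global directives and <VirtualHost> blocks; comments are ignored."""
    top, vhosts, current = {}, [], None
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue  # '#SSLClientAuth required' is inactive until uncommented
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            current = {"addr": m.group(1), "directives": {}}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
        else:
            key, _, val = line.partition(" ")
            target = top if current is None else current["directives"]
            target.setdefault(key, []).append(val.strip().strip('"'))
    return top, vhosts

def check_ihs_ssl(conf):
    """Return findings; an empty list means the SSL setup is consistent."""
    top, vhosts = parse_ihs_ssl(conf)
    findings = []
    if not any("mod_ibm_ssl" in v for v in top.get("LoadModule", [])):
        findings.append("mod_ibm_ssl is not loaded")
    if "443" not in top.get("Listen", []):
        findings.append("no Listen 443: HTTPS port is not bound")
    if not top.get("Keyfile", [""])[0].endswith(".kdb"):
        findings.append("Keyfile does not point at the .kdb from iKeyman")
    for v in (v for v in vhosts if v["addr"].endswith(":443")):
        d = v["directives"]
        if "SSLEnable" not in d:
            findings.append(f"{v['addr']}: SSLEnable missing, SSL stays off")
        if d.get("SSLClientAuth", ["none"])[0].lower() != "required":
            findings.append(f"{v['addr']}: client certificates not required")
    return findings
```

With the sample as written, the only finding is that client certificates are not required, because the SSLClientAuth line is still commented out.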
- Restart IBM HTTP Server.
- Test SSL between a browser and IBM HTTP Server. For more information on the default IBM HTTP Server port number, see "Port number settings in WebSphere Application Server versions".
- Follow the prompts to select a personal certificate if the SSLClientAuth directive is set to required.
- To enable the application server to communicate with IBM HTTP Server using port 443, add a host alias on the default_host. In the administrative console, click Environment > Virtual Hosts > default_host. Under Additional Properties, click Host Aliases > New. Enter the following information in the appropriate fields:
Host name: *
Port: 443
- Click Apply and then Save. When you click Save, the information is written to the security.xml file and the Web server plug-in is automatically updated.
- Restart WebSphere Application Server.
- Test your connection.
Comments:
- it's pretty good
- this blog is really helpful.. Thanks :)
- I am looking at this now, I can't see the WAS to IHS SSL part. Where would that be?
- where is IHS to WAS ... this you can copy from Google itself, copy and paste does not make you great...