Configure IBM HTTP Server for SSL 



Configure IBM® HTTP Server to use the SSL protocol.

About this task


To support SSL, create a self-signed certificate and then configure IBM HTTP Server for SSL traffic. If you use this certificate in production, users might receive warning messages from their browsers. In a typical production deployment, you would use a certificate from a trusted certificate authority.

To configure IBM HTTP Server for SSL, complete the following steps.

Procedure

  1. Create a key file.

    1. Start the iKeyman user interface. For more information, go to the Starting the Key Management utility page in the IBM HTTP Server information center.

    2. Click Key Database File in the main user interface, then click New. Select CMS for the Key database type. IBM HTTP Server does not support database types other than CMS.

    3. Enter a name for the new key file. For example, hostname-key.kdb. Click OK.

    4. Enter your password in the Password Prompt dialog box, and confirm the password. Select Stash the password to a file and then click OK. The new key database should display in the iKeyman utility with default signer certificates. Ensure that there is a functional, non-expiring signer certificate for each of your personal certificates.

  2. Create a self-signed certificate:

    1. Start the iKeyman user interface.

    2. Click Key Database File and then click Open.

    3. Enter your key file name in the Open dialog box and click OK.

    4. In the Password Prompt dialog box, enter your password and click OK.

    5. Click Personal Certificates in the Key Database content frame, and then click the New Self-Signed radio button.

    6. Enter the required information about the key file, your webserver, and organization in the dialog box.

    7. Click OK.

      Note: Save the new self-signed certificate with a unique file name; do not overwrite the default Plugin-key.kdb file because that file might be accessed by other applications.

  3. Stop IBM HTTP Server.

  4. Log in to the WebSphere® Application Server Integrated Solutions Console for the dmgr and select Servers -> Server types -> Web servers.

  5. From the list of web servers, click the web server that you defined for this profile.

  6. On the Configuration page for this web server, click Edit beside the Configuration file name field. This action opens the httpd.conf configuration file on the dmgr.

  7. Add the following text to the end of the configuration file:

      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      <IfModule mod_ibm_ssl.c>
        Listen 0.0.0.0:443
        <VirtualHost *:443>
          ServerName <server_name>
          #DocumentRoot C:\IBM\HTTPServer\htdocs
          SSLEnable
        </VirtualHost>
      </IfModule>
      SSLDisable
      Keyfile "<path_to_key_file>"
      SSLStashFile "<path_to_stash_file>"

      where

      • <server_name> is the host name of the IBM HTTP Server.

      • <path_to_key_file> is the path to the key file that you created with the iKeyman utility.

      • <path_to_stash_file> is the path to the associated stash file.

      For example:

      • AIX®:

        • Keyfile: /usr/IBM/keyfiles/<key_file>.kdb

        • SSLStashFile: /usr/IBM/keyfiles/<key_file>.sth

      • Linux™:

        • Keyfile: /opt/IBM/keyfiles/<key_file>.kdb

        • SSLStashFile: /opt/IBM/keyfiles/<key_file>.sth

      • Microsoft™ Windows™:

        • Keyfile: C:\IBM\keyfiles\<key_file>.kdb

        • SSLStashFile: C:\IBM\keyfiles\<key_file>.sth

      where <key_file> is the name that you have given to your key file and stash file.

  8. Click Apply and then click OK.

  9. Restart IBM HTTP Server to apply the changes.

  10. Test the new configuration: Open a web browser and ensure that you can successfully reach https://<server_name>. You might be prompted to accept the self-signed certificate on your browser.
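
Added example (not part of the original IBM documentation): a Python check that lints the httpd.conf fragment from step 7 for missing directives, leftover placeholders, and key or stash files that other local users can access. The function name lint_ihs_ssl, the host name ihs.example.com, and the hostname-key file names in the sample are assumptions made for illustration.

```python
import os
import stat

# Constructed sample: the fragment from step 7 with the Linux example paths filled in.
SAMPLE_CONF = """LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName ihs.example.com
SSLEnable
</VirtualHost>
</IfModule>
SSLDisable
Keyfile "/opt/IBM/keyfiles/hostname-key.kdb"
SSLStashFile "/opt/IBM/keyfiles/hostname-key.sth"
"""

def lint_ihs_ssl(conf_text, check_files=False):
    """Return a list of problems in an httpd.conf SSL fragment (hypothetical helper)."""
    top, vhost, in_vhost, problems = {}, {}, False, []
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        if line.startswith("<"):          # container tags: track the :443 virtual host
            if line.lower().lstrip("</").startswith("virtualhost"):
                in_vhost = not line.startswith("</") and ":443" in line
            continue
        name, *rest = line.split(None, 1)
        (vhost if in_vhost else top).setdefault(name.lower(), []).append("".join(rest).strip('"'))
    if not any("ibm_ssl_module" in a for a in top.get("loadmodule", [])):
        problems.append("mod_ibm_ssl is not loaded")
    if not any(a.endswith(":443") or a == "443" for a in top.get("listen", [])):
        problems.append("no Listen directive for port 443")
    if "sslenable" not in vhost:
        problems.append("SSLEnable missing from the port 443 virtual host")
    if "ssldisable" not in top:
        problems.append("SSLDisable missing outside the virtual host")
    if any("<" in a or not a for a in vhost.get("servername", [""])):
        problems.append("ServerName is unset or still a placeholder")
    for directive, ext in (("keyfile", ".kdb"), ("sslstashfile", ".sth")):
        path = (top.get(directive) or [""])[-1]
        if not path or "<" in path or not path.lower().endswith(ext):
            problems.append(f"{directive} is unset, a placeholder, or not a {ext} file")
        elif check_files and os.name == "posix":
            # The stash file unlocks the key database, so keep both files private.
            mode = stat.S_IMODE(os.stat(path).st_mode) if os.path.isfile(path) else None
            if mode is None or mode & 0o007:
                problems.append(f"{directive} file missing or accessible to other users: {path}")
    return problems
```

Call lint_ihs_ssl(open(path_to_httpd_conf).read(), check_files=True) on the web server host itself, because the Keyfile and SSLStashFile paths are resolved on the local file system.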

Results


IBM Connections users can access applications through the SSL protocol.

Attention: If you receive an error message about failing to load a GSK library (libgsk7ssl.so), install the libgsk7ssl.so GSK library. For more information, go to the following Support page: Failure attempting to load GSK library when using SSL with IBM HTTP Server.


What to do next


For more information about securing web communications, go to the IBM WAS Information Center or read the IBM WAS V7.0 Security Handbook.

For more information about the key store and setting up the IBM HTTP Server, see the Securing communications topic in the WAS Information Center.

The key file can be shared between two webservers, thus providing failover capability.





January 6, 2012 11:35:06 AM
   

 
