Configure IBM HTTP Server for SSL mutual authentication

 

IBM HTTP Server supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS). IBM HTTP Server requires the IBM-supplied SSL modules rather than OpenSSL modules. SSL is disabled by default.

  1. Start the key management utility.

  2. To create a key database, click Key Database File | New.

  3. Type a file name, serverkey.kdb, for example, and the location path. Click OK.

  4. Type a password, select the "Stash the password to a file" check box and click OK.

  5. Obtain a personal certificate for IBM HTTP Server by clicking "Personal Certificate Requests". Click New. The Create New Key and Certificate Request panel appears. Complete the following information...

    Key label: Server_Cert
    Common name: droplet.amsterdam.setgetweb.com
    Organization: IBM
    Country: US
    File name: Server_certreq.arm

    The Verisign Test CA Root Certificate is in the set of signer certificates shipped with the IKeyMan for IBM HTTP Server.

  6. Go to http://www.verisign.com and click Get Free Trial SSL ID. Complete the profile information, click Submit, and click Continue twice.

  7. Edit the request file Server_certreq.arm, and copy the entire contents of the file into the browser request panel. Click Continue. VeriSign displays the Personal Certificate in the browser.

  8. Copy and paste this certificate into a file, for example Server_Cert.arm. Click Personal Certificate from the menu in the key management utility. Click Receive. Specify the file name, Server_Cert.arm, and click OK. Close the serverkey.kdb file.

  9. To allow IBM HTTP Server to support SSL (https), edit...

    $IHS_HOME/conf/httpd.conf

    ...and add the following lines above the line Alias /IBMWebAS/ "$WAS_HOME/web"...

    LoadModule  ibm_ssl_module   modules/IBMModuleSSL128.dll
    LoadModule  ibm_app_server_http_module   $WAS_HOME/bin/mod_ibm_app_server_http.dll
    Listen 443
    <VirtualHost  droplet.amsterdam.setgetweb.com:443>
    ServerName  droplet.amsterdam.setgetweb.com
    DocumentRoot  $WAS_HOME\htdocs
    SSLEnable
    #SSLClientAuth  required
    </VirtualHost>
    # SSL is enabled only inside the port 443 virtual host; the default server stays plain HTTP
    SSLDisable
    Keyfile $IHS_HOME/serverkey.kdb


    Change the host name and the path to the key file to match your installation. To make the Web server require client certificates, uncomment the SSLClientAuth directive in httpd.conf so that it reads...

    SSLClientAuth required


  10. Restart IBM HTTP Server.

  11. Test SSL between a browser and IBM HTTP Server. For more information on the default IBM HTTP Server port number, see Port number settings in WAS versions.

  12. Follow the prompts to select a personal certificate if the SSLClientAuth directive is set to required.

  13. To enable the appserver to communicate with IBM HTTP Server using port 443, add a host alias on default_host. Click Environment > Virtual Hosts > default_host > Host Aliases > New. Enter the following information in the appropriate fields...

    Host name: *

    Port: 443

  14. Click Apply and Save to write to the security.xml file.

  15. Click Update Web Server Plugin, and then click OK.

  16. Restart WAS.

  17. Test your connection.

You can connect to the Snoop servlet.
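The httpd.conf fragment in step 9 is easy to get subtly wrong: leaving SSLClientAuth commented out gives you server-only TLS rather than mutual authentication, and putting SSLDisable inside the port 443 virtual host cancels SSLEnable. The following checker, an added example that is not IBM's code or part of this page's procedure, parses a fragment and reports those conditions before the server is restarted. It recognises only the directives used above (LoadModule ibm_ssl_module, Listen, Keyfile, SSLEnable, SSLDisable, SSLClientAuth); the sample fragments and host names are constructed for illustration.

```python
"""Lint an IBM HTTP Server httpd.conf fragment for SSL mutual authentication.

Added example (not IBM's code). Only the directives named in the procedure
above are checked; the sample fragments below are constructed, not taken
from a real server.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    severity: str  # "error": SSL will not work as intended; "warning": TLS is server-only
    message: str


@dataclass
class VHost:
    name: str
    directives: list = field(default_factory=list)  # (name, argument, is_commented)
    closed: bool = False


def parse_conf(text):
    """Split a fragment into global directives and <VirtualHost> blocks.
    Commented directives are kept with is_commented=True so that a disabled
    '#SSLClientAuth required' can be reported by name."""
    global_directives, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_commented = line.startswith("#")
        if is_commented:
            line = line.lstrip("#").strip()
        m_open = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if m_open and not is_commented:
            current = VHost(m_open.group(1).strip())
            continue
        if re.match(r"</VirtualHost>$", line, re.I) and not is_commented:
            if current is not None:
                current.closed = True
                vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        entry = (parts[0], parts[1].strip() if len(parts) > 1 else "", is_commented)
        (current.directives if current is not None else global_directives).append(entry)
    if current is not None:  # block never closed: keep it so the checker can say so
        vhosts.append(current)
    return global_directives, vhosts


def check_mutual_auth(text, ssl_port="443"):
    """Return a list of Findings; an empty list means the fragment enables SSL on
    ssl_port and requires a client certificate (mutual authentication)."""
    findings = []
    global_directives, vhosts = parse_conf(text)

    def present(directives, name, arg_prefix="", allow_commented=False):
        return any(d.lower() == name.lower()
                   and a.lower().startswith(arg_prefix.lower())
                   and (allow_commented or not c)
                   for d, a, c in directives)

    if not present(global_directives, "LoadModule", "ibm_ssl_module"):
        findings.append(Finding("error", "ibm_ssl_module is not loaded; SSL directives will be rejected"))
    if not present(global_directives, "Listen", ssl_port):
        findings.append(Finding("error", f"no 'Listen {ssl_port}' directive"))
    everything = global_directives + [d for v in vhosts for d in v.directives]
    keyfiles = [a for d, a, c in everything if d.lower() == "keyfile" and not c]
    if not keyfiles:
        findings.append(Finding("error", "no Keyfile directive; the server has no key database to present a certificate from"))
    elif not keyfiles[0].lower().endswith(".kdb"):
        findings.append(Finding("warning", f"Keyfile '{keyfiles[0]}' is not a .kdb key database"))

    ssl_vhosts = [v for v in vhosts if v.name.endswith(":" + ssl_port)]
    if not ssl_vhosts:
        findings.append(Finding("error", f"no <VirtualHost ...:{ssl_port}> block"))
    for v in ssl_vhosts:
        if not v.closed:
            findings.append(Finding("error", f"<VirtualHost {v.name}> is never closed with </VirtualHost>"))
        if not present(v.directives, "SSLEnable"):
            findings.append(Finding("error", f"{v.name}: SSLEnable missing; port {ssl_port} would serve plain HTTP"))
        if present(v.directives, "SSLDisable"):
            findings.append(Finding("error", f"{v.name}: SSLDisable inside the SSL virtual host overrides SSLEnable"))
        if present(v.directives, "SSLClientAuth", "required"):
            continue  # mutual authentication is configured for this host
        if present(v.directives, "SSLClientAuth", "required", allow_commented=True):
            findings.append(Finding("warning", f"{v.name}: 'SSLClientAuth required' is commented out, so no client certificate is requested (server-only TLS)"))
        else:
            findings.append(Finding("warning", f"{v.name}: no 'SSLClientAuth required'; this is server-only TLS, not mutual authentication"))
    return findings


# Constructed sample fragments (hypothetical host and paths, not from a real server).
SERVER_ONLY_CONF = """
LoadModule  ibm_ssl_module   modules/IBMModuleSSL128.dll
Listen 443
<VirtualHost  www.example.com:443>
ServerName  www.example.com
DocumentRoot  /opt/WebSphere/AppServer/htdocs
SSLEnable
#SSLClientAuth  required
</VirtualHost>
SSLDisable
Keyfile /opt/IBMHttpServer/serverkey.kdb
"""
MUTUAL_AUTH_CONF = SERVER_ONLY_CONF.replace("#SSLClientAuth", "SSLClientAuth")
MISPLACED_CONF = """
LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll
Listen 443
<VirtualHost www.example.com:443>
ServerName www.example.com
SSLEnable
#SSLClientAuth required
SSLDisable
Keyfile /opt/IBMHttpServer/serverkey.kdb
"""

if __name__ == "__main__":
    for label, conf in [("server-only", SERVER_ONLY_CONF), ("mutual", MUTUAL_AUTH_CONF), ("misplaced", MISPLACED_CONF)]:
        print(f"== {label} ==")
        for f in check_mutual_auth(conf) or [Finding("ok", "mutual authentication configured")]:
            print(f"  [{f.severity}] {f.message}")
```

Run it against your own httpd.conf by reading the file into check_mutual_auth; a clean result means the port 443 virtual host enables SSL, requires a client certificate, and has a key database to present, which is the state the procedure above aims for before step 10 restarts the server.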

 

Usage Scenario

 

See Also

SSL
  1. Requesting certificate authority-signed personal certificates
  2. Receiving certificate authority-signed personal certificates
  3. Extracting public certificates for truststore files
  4. Managing digital certificates
  5. Creating a SSL repertoire configuration entry
  6. Port number settings in WAS versions
  7. Requesting a CA-signed personal certificate
  8. Creating a certificate signing request (CSR)
  9. Receiving a CA-signed personal certificate
  10. Extracting a public certificate for use in a truststore file