Example: Set up IHS security SSL

 

Example: Configure SSL key database and certificate


  1. Log on as your user, for example wasadmin

  2. Set environment

    export PATH=/opt/IHS90/bin:$PATH

  3. Verify path

    myhost:/root # which gsk7cmd
    /opt/IHS90/bin/gsk7cmd
    

  4. Create key directory

    cd /opt/IHS90
    mkdir keys

  5. Create a key database

    gsk7cmd -keydb -create -db /opt/IHS90/keys/env.kdb -pw password -type cms -expire 360 -stash

    For example, for host myhost...

    gsk7cmd -keydb -create -db /opt/IHS90/keys/MyHost.kdb -pw password -type cms -expire 720 -stash

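  6. Generate self-signed certificate. The 1024-bit key size shown is weaker than current guidance; use a larger -size value (2048 or more) if the installed GSKit level supports it.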

    gsk7cmd -cert -create -db /opt/IHS90/keys/MyHost.kdb -pw password -size 1024 -dn "CN=s1ad6c.myco.com,O=BigBox,OU=IHS,ST=TX,C=US" -label IHS -default_cert yes -expire 720

  7. Edit /opt/IHS90/conf/httpd.conf

  8. Set SSL stanza. For example...

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2
    </VirtualHost>
    # KeyFile must be the key database created in step 5
    KeyFile /opt/IHS90/keys/MyHost.kdb
    SSLDisable
    

  9. Restart IHS

    sudo /opt/IHS90/bin/apachectl stop
    sudo /opt/IHS90/bin/apachectl start

  10. Check for errors...

    /opt/IHS90/logs/error_log

  11. Test by pulling up secure page...

    https://myhost.myco.com
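
The key database, stash file and SSL stanza from steps 5 to 8 can be checked before the restart in step 9. The script below is an added example, not part of the original page or of IBM's tooling; the function names ihs_ssl_findings and make_sample and the sample tree are constructed for illustration, and it assumes the stash file sits beside the .kdb with a .sth extension.

```shell
#!/bin/sh
# Added example (not IBM's tooling): lint an IHS httpd.conf against the steps above.
# Simplification: directive names are matched case-sensitively, as written on this page.

ihs_ssl_findings() {
    conf=$1
    keyfile=$(awk '$1 == "KeyFile" { print $2 }' "$conf" | tail -n 1)
    if [ -z "$keyfile" ]; then
        echo "no KeyFile directive"
    elif [ ! -f "$keyfile" ]; then
        echo "KeyFile $keyfile does not exist"
    else
        # -stash writes <name>.sth beside the .kdb; the server opens the database with it.
        for f in "$keyfile" "${keyfile%.kdb}.sth"; do
            if [ ! -f "$f" ]; then
                echo "$f is missing"
            elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                echo "$f is accessible to group/other; restrict it to the IHS user"
            fi
        done
    fi
    # Every VirtualHost on port 443 needs SSLEnable and SSLv2 disabled.
    awk '
        $1 == "<VirtualHost" && $2 ~ /:443>$/ { invh = 1; seen = 1; en = 0; v2 = 0; next }
        invh && $1 == "SSLEnable" { en = 1 }
        invh && $1 == "SSLProtocolDisable" && /SSLv2/ { v2 = 1 }
        invh && $1 == "</VirtualHost>" {
            if (!en) print "SSLEnable missing in a :443 VirtualHost"
            if (!v2) print "SSLv2 not disabled in a :443 VirtualHost"
            invh = 0
        }
        END { if (!seen) print "no VirtualHost on port 443" }' "$conf"
}

# Constructed sample: a throwaway tree mirroring /opt/IHS90 with dummy key files.
make_sample() {
    root=$(mktemp -d) && mkdir "$root/keys" || return 1
    : > "$root/keys/MyHost.kdb"; : > "$root/keys/MyHost.sth"
    chmod 600 "$root/keys/MyHost.kdb" "$root/keys/MyHost.sth"
    printf '%s\n' 'Listen 443' '<VirtualHost *:443>' 'SSLEnable' \
        'SSLProtocolDisable SSLv2' '</VirtualHost>' "KeyFile $root/$1" 'SSLDisable' \
        > "$root/httpd.conf"
    echo "$root"
}

root=$(make_sample MyHost.kdb)        # KeyFile without the keys/ directory
ihs_ssl_findings "$root/httpd.conf"   # reports that the KeyFile does not exist
rm -rf "$root"
```

Against a real install, call ihs_ssl_findings /opt/IHS90/conf/httpd.conf as the user that runs IHS; no output means none of the checks fired.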

Example: Add VeriSign certificate

  1. Generate certificate request and submit to VeriSign

  2. Request a secure certificate from VeriSign

  3. Set the production key file as the current key file.

  4. Receive the certificate and test the production key file.


Generate Web server definition in WAS console

If the web server definition is not in the admin console, create it as follows...

  1. Log on to web server and copy definition script from web server to appserver. For example...

    cd /opt/IHS90/Plugins/bin
    scp configureWebServerName.sh wasadmin@AppServerName:/opt/WAS90/AppServer/profiles/MyCo/bin

  2. Log on to appserver and run...

    cd /opt/WAS90/AppServer/profiles/MyCo/bin
    ./configureWebServerName.sh

  3. Log on to the admin console and verify the definition

  4. Verify virtual hosts are defined for Web server ports

    Virtual Hosts > default_host > Host Aliases

    If we add a virtual host, cycle the appserver



IHS post-install


  • Web server logs

    The web server logs directory is...

    /opt/IHS90/logs


  • Log rotation

    To configure IHS log rotation...

    1. Edit httpd.conf

    2. Comment out existing CustomLog...

      #CustomLog logs/access_log common

    3. Add following directives...

      # Rotate each log file whenever it reaches a size of 50 megabytes
      CustomLog "| /opt/IHS90/bin/rotatelogs /opt/IHS90/logs/access_log 50M" common
      # The error log is set with ErrorLog (CustomLog would write access entries to it)
      ErrorLog "| /opt/IHS90/bin/rotatelogs /opt/IHS90/logs/error_log 50M"

    4. Restart IHS

      sudo ../bin/apachectl restart

    If rotatelogs does not work, rotate the logs manually without dropping any user connections...

    mv access_log access_log.old
    mv error_log error_log.old
    apachectl graceful
    sleep 600
    gzip access_log.old error_log.old


  • Configure test page for all web servers

    Verify location of document root

    cd $REPORTS
    grep DocumentRoot *_httpd.conf | grep -v \#

    Sample output...

    myhost_httpd.conf:DocumentRoot "/opt/IHS90/htdocs"

    To test...