(Dist) Configure the web server plug-in for Secure Sockets Layer
This topic documents the configuration necessary to instantiate a secure connection between the web server plug-in and the internal HTTP transport in the web container for the Application Server.
WebSphere Application Server has an internal HTTP transport that accepts HTTP requests. If we install an external HTTP server, the web server plug-in must forward requests from the external HTTP server to the Application Server internal HTTP transport. Follow the instructions provided by the HTTP server vendor to install and configure the HTTP server. Test the HTTP server by accessing http://your-host-URL and https://your-host-URL. We should also have a web server plug-in installed. See the instructions for installing the HTTP Server and the web server plug-ins. They also describe how to enable the plug-in to load the correct Secure Sockets Layer (SSL) libraries on Solaris x64.
Tasks
- Create a directory on the web server host for storing the key ring file referenced by the plug-in and associated files, for example:
plugin_install_root/etc/keys
- From the administrative console, access configuration options for our keys and certificates...
Servers | Web servers | web server name | Plug-in properties | Manage keys and certificates
We can optionally change the password used to protect the keystore.
- Click OK.
- To copy the keystore and stash files to a managed web server...
Copy to web server keystore directory
For non-managed web servers, use FTP to copy them.
We must copy the keystore file to the web server for the web server to function properly.
- Optional: Under Additional Properties, we can also select one of the following:
- Signer certificates
Use to add new certificates, delete certificates, extract certificates, and to retrieve certificates from a port.
- Personal certificates
Use to create a new chained or self-signed certificate, delete a certificate, or to import and export a personal certificate.
- Personal certificate requests
Use to manage personal certificate requests.
- Custom properties
Use to define custom properties for the keystore.
- (iSeries) Manually stash the password for the plugin-key.kdb file. If the password is not manually stashed, then the following error appears in the http_plugin.log file:
ERROR: lib_security: logSSLError: str_security (gsk error 201): Object containing the password for the certificate store file not found.
The default path of the plugin-key.kdb file is...
<profile_root>/config/<webserver_definition_name>/plugin-key.kdb
The web server must be restarted after stashing the password.
The IBM HTTP Server plug-in and the internal Web server are configured for SSL.
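As an added check after copying the keystore and stashing the password (this is not IBM code), the following POSIX shell function confirms on the web server host that plugin-key.kdb and its stash file are in place, that the stash file is not readable by other users, and that http_plugin.log does not contain the gsk error 201 described above. It assumes the stash file is named plugin-key.sth beside the keystore; the demo files and log line are constructed.

```shell
# check_plugin_keystore KEYDIR LOGFILE
# Exit status 0 when plugin-key.kdb and its stash file are present, the stash
# file grants no permission to "other", and LOGFILE (if present) contains no
# "gsk error 201"; 1 otherwise, with one line per finding on stdout.
# Assumption (not from the page): the stash file is KEYDIR/plugin-key.sth.
check_plugin_keystore() {
    keydir=$1; log=$2; rc=0
    for f in plugin-key.kdb plugin-key.sth; do
        [ -r "$keydir/$f" ] || { echo "MISSING: $keydir/$f"; rc=1; }
    done
    # The stash file holds the keystore password in recoverable form, so the
    # "other" bits (columns 8-10 of ls -l) must all be "-".
    if [ -r "$keydir/plugin-key.sth" ]; then
        other=$(ls -l "$keydir/plugin-key.sth" | cut -c8-10)
        [ "$other" = "---" ] || { echo "WEAK PERMS: $keydir/plugin-key.sth (other=$other)"; rc=1; }
    fi
    # The error the plug-in logs when the keystore password was not stashed.
    if [ -f "$log" ] && grep -q 'gsk error 201' "$log"; then
        echo "LOG: gsk error 201 in $log (password not stashed?)"; rc=1
    fi
    return $rc
}

# Constructed demo (not real WebSphere files): a keystore copied without its
# stash file, plus a log line matching the documented error.
demo=$(mktemp -d)
mkdir -p "$demo/etc/keys"
: > "$demo/etc/keys/plugin-key.kdb"
printf '%s\n' 'ERROR: lib_security: logSSLError: str_security (gsk error 201): Object containing the password for the certificate store file not found.' > "$demo/http_plugin.log"
if check_plugin_keystore "$demo/etc/keys" "$demo/http_plugin.log"; then
    echo "plug-in keystore ready"
else
    echo "plug-in keystore NOT ready"
fi
rm -rf "$demo"
```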
Subtopics
- Use the z/OS hardware cryptography leveraging ICSF and RACF keystores
Integrated Cryptographic Service Facility (ICSF) is the software on a z/OS system that serves as an interface with the hardware where keys can be stored. IBMJCECCARACFKS keystores handle certificates and keys managed in Resource Access Control Facility (RACF). The certificates are stored in RACF, but we can store keys in ICSF or RACF. The IBMJCECCARACFKS keystore achieves hardware crypto exploitation, such as encryption, decryption and signing, regardless of whether the keys are stored in RACF or in ICSF.
- Web server plug-in default configuration in SSL
When we create a new web server definition, WAS associates the web server plug-in with a Certificate Management Services (CMS) keystore for a specific node. The keystore contains all of the signers for the current cell with the self-signed or chained certificate, which belongs to the node. The plug-in can communicate securely to WAS, even when the plug-in is configured with SSL client authentication enabled.
Related:
- Web server plug-in default configuration in SSL
- Certificate management in SSL
- Install IBM HTTP Server
- Create a self-signed certificate
- Add the correct SSL Signer certificates to the plug-in keystore