
Configure IBM HTTP Server for SSL


  1. Create a key file.

    1. Start the iKeyman user interface then click...

        Key Database File | New | CMS

      IBM HTTP Server does not support database types other than CMS.

    2. Enter a name for the new key file. For example...

        hostname-key.kdb

      Click OK.

    3. Enter a password in the Password Prompt dialog box, and confirm the password.

    4. Select...

        Stash the password to a file

    5. Click OK.

      The new key database should display in the iKeyman utility with default signer certificates. Ensure there is a functional, non-expiring signer certificate for each of the personal certificates.

  2. Create a self-signed certificate:

    1. Start the iKeyman user interface and click...

        Key Database File | Open | the key file name | OK

    2. In the Password Prompt dialog box, enter a password and click OK.

    3. Click...

        Personal Certificates | New Self-Signed

    4. Enter the required information about the key file, the web server, and organization in the dialog box.

    5. Click OK.

    Save the new self-signed certificate with a unique file name; do not overwrite the default Plugin-key.kdb file because that file might be accessed by other applications.

  3. Stop IBM HTTP Server.

  4. Log on to the dmgr console and select Servers > Server types > Web servers.

  5. From the list of web servers, click the web server defined for this profile.

  6. On the Configuration page for this web server, click Edit for the Configuration file name field.

    This action opens the httpd.conf configuration file on the dmgr.

  7. Add the following text to the end of the configuration file:

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so 
    <IfModule mod_ibm_ssl.c> 
        Listen 0.0.0.0:443 
        <VirtualHost *:443> 
        ServerName  server_name 
        #DocumentRoot C:\IBM\HTTPServer\htdocs 
        SSLEnable 
        </VirtualHost> 
    </IfModule> 
    SSLDisable 
    Keyfile "path_to_key_file" 
    SSLStashFile "path_to_stash_file"
    

    where

    • server_name is the host name of the IHS.
    • path_to_key_file is the path to the key file that you created with the iKeyman utility.
    • path_to_stash_file is the path to the associated stash file.

    For example:

    • Keyfile: /usr/IBM/keyfiles/key_file.kdb
    • SSLStashFile: /usr/IBM/keyfiles/key_file.sth

  8. Click Apply and then click OK.

  9. Restart IBM HTTP Server to apply the changes.

  10. Test the new configuration.

    Open a web browser and ensure that we can successfully reach...

      https://server_name

    You might be prompted to accept the self-signed certificate on your browser.
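
The directives added in step 7 can be checked before the restart in step 9. The script below is an added example, not part of the original procedure; the helper names conf_value and audit_ihs_ssl are hypothetical, and treating a world-readable key or stash file as a finding is a policy assumption (the stash file lets the server open the key database without a password prompt).

```shell
#!/bin/sh
# Added example: audit the SSL directives from step 7 in an httpd.conf file.
# conf_value and audit_ihs_ssl are hypothetical helper names.

# Print the unquoted value of the last uncommented occurrence of a directive.
conf_value() {  # usage: conf_value DIRECTIVE CONF
    awk -v d="$1" 'tolower($1) == tolower(d) && NF >= 2 {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        gsub(/^"|"$/, ""); v = $0 }
        END { if (v != "") print v }' "$2"
}

# Print one line per finding; return 0 only when nothing was found.
audit_ihs_ssl() {  # usage: audit_ihs_ssl CONF
    conf=$1; findings=0
    if ! grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+ibm_ssl_module' "$conf"; then
        echo "MISSING: LoadModule ibm_ssl_module"; findings=$((findings + 1))
    fi
    if ! grep -Eiq '^[[:space:]]*SSLEnable' "$conf"; then
        echo "MISSING: SSLEnable"; findings=$((findings + 1))
    fi
    for d in Keyfile SSLStashFile; do
        p=$(conf_value "$d" "$conf")
        if [ -z "$p" ]; then
            echo "MISSING: $d"
        elif [ "$p" = path_to_key_file ] || [ "$p" = path_to_stash_file ]; then
            echo "PLACEHOLDER: $d is still $p"
        elif [ ! -f "$p" ]; then
            echo "NOT FOUND: $d -> $p"
        elif [ -n "$(find "$p" -prune -perm -004)" ]; then
            # Policy assumption: neither file should be readable by "other".
            echo "WORLD-READABLE: $d -> $p"
        else
            continue
        fi
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Run the audit when a configuration file is given on the command line.
if [ "$#" -gt 0 ]; then audit_ihs_ssl "$1"; fi
```

Run it against a local copy of httpd.conf on the web server host, where the Keyfile and SSLStashFile paths resolve.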


Results

IBM Connections users can access applications through the SSL protocol.

If we receive an error message about failing to load a GSK library (libgsk7ssl.so), install the libgsk7ssl.so GSK library. See the following Support page: Failure attempting to load GSK library when using SSL with IBM HTTP Server.


What to do next

For more information about securing web communications, go to the WebSphere Application Server information center.

For more information about the key store and setting up the IHS, see Secure communications in the WAS information center. The key file can be shared between two web servers, thus providing failover capability.

