
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Configure TLS/SSL communication for the IBM HTTP Server used for load balancing multiple portal servers

To configure TLS/SSL communication for a load balancing environment, add the public signer certificate for each Tivoli Enterprise Portal Server's local HTTP server to the load balancing IBM HTTP Server trust store using the iKeyman graphical interface.

Copy the public signer certificate for each portal server's local HTTP server to the computer system where the load balancing HTTP Server is installed.


Alternatively, you can use the gskcmd command-line interface to complete this task. For detailed information on using the gskcmd command-line interface, see "Managing keys with the gskcmd command line interface (Distributed systems)" in the WebSphere Application Server Information Center.


Procedure

  1. On the computer system where the load balancing HTTP Server is installed, import a public signer certificate into the key database using the iKeyman graphical interface.

    Start the key management utility (iKeyman) using one of these methods:

    • Click Start > Programs > IBM HTTP Server V8.5 > Start Key Management Utility.

    • From the command line, run <install_dir>/bin/ikeyman, or change to the <install_dir>/bin directory and type ikeyman, where <install_dir> is the directory where the WebSphere Plugin is installed (such as /opt/IBM/WebSphere/Plugins). If you start iKeyman to create a new key database file, the utility stores the file in the directory where you start iKeyman.

  2. Click Key Database File from the main UI, then click Open.

  3. Specify the location of the CMS key database file that is named in the HTTP server plugin-cfg.xml file.

    By default the file is plugin-key.kdb.

    When using HTTP server V8.5, the following default locations apply:

    C:\Program Files\IBM\WebSphere\Plugins_1\config\webserver1

    /opt/IBM/WebSphere/Plugins/config/webserver1

  4. Provide the password for the key database and click OK. The default password is WebAS.

  5. From the Key database content drop-down list, select Signer Certificates.

  6. For each portal server's local HTTP server signer certificate:

    1. Click Add.

    2. Select the signer certificate and click OK.

    3. Insert a unique label, such as hostname ITM certificate, and click OK.

  7. Click Save to update the file with your changes.

    If you do not have permission to overwrite the plugin-key.kdb file, you can save it under a different name, such as plugin-key2.kdb, and later update your httpd.conf and plugin-cfg.xml files accordingly.

  8. Enable SSL for your HTTP server by updating the httpd.conf file. The default location of the httpd.conf file is:

    C:\Program Files\IBM\HTTPServer\conf

    /opt/IBM/HTTPServer/conf

    1. Open the httpd.conf file and search for the text string "Example SSL configuration" to view an example configuration.

    2. Add the following block to your httpd.conf file, changing the directory paths to Windows paths if your HTTP server is on Windows:

        LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
        Listen 443
        <VirtualHost *:443>
          SSLEnable
          SSLProtocolDisable SSLv2
          ErrorLog "/opt/IBM/HTTPServer/logs/sslerror.log"
          TransferLog "/opt/IBM/HTTPServer/logs/sslaccess.log"
          KeyFile "/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"
          SSLStashfile "/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"
        </VirtualHost>
        SSLDisable

      The plugin-key.kdb file is the one that you saved in step 7.

  9. Restart the load balancing HTTP Server to implement your changes. See "Starting and stopping IBM HTTP Server" in the WebSphere Application Server Information Center.
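
A consistency check for the case in step 7 where the key database is saved under a different name: the following is an added example, not part of IBM's documentation, that confirms httpd.conf and plugin-cfg.xml both point at the saved file before you restart. The function names, the sample plugin-cfg.xml content, the host name and the port are constructed for illustration, and the check assumes the stash file shares the key database's base name, as the paths in step 8 do.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the key database was saved as plugin-key2.kdb (step 7);
# httpd.conf got the new KeyFile, the stash path and plugin-cfg.xml did not.
CFG = "/opt/IBM/WebSphere/Plugins/config/webserver1"
HTTPD_CONF = f'''Listen 443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
KeyFile "{CFG}/plugin-key2.kdb"
SSLStashfile "{CFG}/plugin-key.sth"
</VirtualHost>
SSLDisable
'''
PLUGIN_CFG = f'''<Config><ServerCluster Name="teps_cluster"><Server Name="teps1">
<Transport Hostname="teps1.example.com" Port="15201" Protocol="https">
<Property Name="keyring" Value="{CFG}/plugin-key.kdb"/>
<Property Name="stashfile" Value="{CFG}/plugin-key.sth"/>
</Transport></Server></ServerCluster></Config>'''

def vhost_directives(conf, port="443"):
    """Map lower-cased directive name -> argument list for <VirtualHost *:port>."""
    m = re.search(rf"<VirtualHost\s+\S*:{port}>(.*?)</VirtualHost>", conf, re.S | re.I)
    out = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            out[name.lower()] = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]
    return out

def check_keydb_refs(conf, plugin_xml, saved_kdb):
    """Return findings where either file disagrees with the saved key database."""
    d, findings = vhost_directives(conf), []
    # Assumption: the stash file shares the .kdb base name, as in the page's paths.
    saved_sth = re.sub(r"\.kdb$", ".sth", saved_kdb)
    if "sslenable" not in d:
        findings.append("httpd.conf: SSLEnable missing from the :443 virtual host")
    for name, want in (("KeyFile", saved_kdb), ("SSLStashfile", saved_sth)):
        got = (d.get(name.lower()) or [None])[0]
        if got != want:
            findings.append(f"httpd.conf: {name} is {got}, expected {want}")
    for t in ET.fromstring(plugin_xml).iter("Transport"):
        props = {p.get("Name"): p.get("Value") for p in t.iter("Property")}
        for name, want in (("keyring", saved_kdb), ("stashfile", saved_sth)):
            if t.get("Protocol") == "https" and props.get(name) != want:
                findings.append(f"plugin-cfg.xml: {t.get('Hostname')} {name} is "
                                f"{props.get(name)}, expected {want}")
    return findings
```

Call check_keydb_refs with the contents of both files and the full path of the key database you saved; an empty list means the references agree.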

