Secure with SSL communications

Set up Secure Sockets Layer (SSL) by using the default httpd.conf configuration file.


About this task

For each virtual host, set the cipher specification to use during secure transactions. The specified cipher specifications validate against the level of the Global Security Kit (GSK) toolkit that is installed on your system. Invalid cipher specifications cause an error to log in the error log. If the client issuing the request does not support the ciphers specified, the request fails and the connection closes to the client.

IBM HTTP Server has a built-in list of cipher specifications to use for communicating with clients over Secure Sockets Layer (SSL).  The actual cipher specification that is used for a particular client connection is selected from those cipher specifications that both IBM HTTP Server and the client support.

Some cipher specifications provide a weaker level of security than others, and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker cipher specifications and might be avoided if required for performance reasons. We can use the SSLCipherSpec directive to provide a customized list of cipher specifications that are supported by the Web server in order to avoid the selection of cipher specifications that are considered too weak or too computationally intensive.

If you do not specify cipher specifications using the SSLCipherSpec directive, IBM HTTP Server Version 8.0 and later uses a conservative set of default ciphers. The default set of ciphers excludes SSL Version 2, null ciphers, and weak ciphers. The weak ciphers include export-grade ciphers. These defaults can be viewed at runtime in the error log by enabling LogLevel debug and SSLTrace.


Procedure

  1. Use the IBM HTTP Server IKEYMAN utility (graphical user interface) or IKEYMAN utility (command line) to create a CMS key database file and server certificate.

  2. IBM HTTP Server uses the z/OSĀ® gskkyman tool for key management to create a CMS key database file, public and private key pairs, and server certificates. Or, we can create a SAF keyring in place of a CMS key database file.

  3. Enable SSL directives in the IBM HTTP Server httpd.conf configuration file.

    1. Uncomment the LoadModule ibm_ssl_module modules/mod_ibm_ssl.so configuration directive.

    2. Create an SSL virtual host stanza in the httpd.conf file using the following examples and directives.
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
        Listen 443
        <VirtualHost *:443>
          SSLEnable
        </VirtualHost>
      SSLDisable	  
      KeyFile "c:/Program Files/IBM HTTP Server/key.kdb"

      This second example assumes that you are enabling a single Web site to use SSL, and the server name is different from the server name that is defined in the global scope for non-SSL (port 80). Both host names must be registered in a domain name server (DNS) to a separate IP address, and you must configure both IP addresses on local network interface cards.

      Listen 80
      ServerName www.mycompany.com
      
      <Directory "c:/Program Files/IBM HTTP Server/htdocs">
      Options Indexes
      AllowOverride None
      Require all granted
      <Directory>
      
      DocumentRoot "c:/program files/ibm http server/htdocs"
      DirectoryIndex index.html
      
      <VirtualHost 192.168.1.103:80>
      ServerName www.mycompany2.com
      <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      DocumentRoot "c:/program files/ibm http server/htdocs2"
      DirectoryIndex index2.html
      </VirtualHost>
      
      Listen 443
      <VirtualHost 192.168.1.103:443>
      ServerName www.mycompany2.com
      SSLEnable
      SSLClientAuth None
      <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      DocumentRoot "c:/program files/ibm http server/htdocs2"
      DirectoryIndex index2.html
      </VirtualHost>
      
      SSLDisable
      KeyFile "c:/program files/ibm http server/key.kdb"
      SSLV2Timeout 100
      SSLV3Timeout 1000

      This third example assumes that you are enabling multiple Web sites to use SSL. All host names must be registered in the domain name server (DNS) to a separate IP address. Also, you must configure all of the IP addresses on a local network interface card. Use the SSLServerCert directive to identify which personal server certificate in the key database file passes to the client browser during the SSL handshake for each Web site. If you have not defined the SSLServerCert directive, IBM HTTP Server passes the certificate in the key database file that is marked (*) as the "default key".

      Listen 80
      ServerName www.mycompany.com
      
      <Directory "c:/Program Files/IBM HTTP Server/htdocs">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      
      DocumentRoot "c:/program files/ibm http server/htdocs"
      DirectoryIndex index.html
      
      <VirtualHost 192.168.1.103:80>
      ServerName www.mycompany2.com
      <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      DocumentRoot "c:/program files/ibm http server/htdocs2"
      DirectoryIndex index2.html
      </VirtualHost>
      
      <VirtualHost 192.168.1.104:80>
      ServerName www.mycompany3.com
      <Directory "c:/Program Files/IBM HTTP Server/htdocs3">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      DocumentRoot "c:/program files/ibm http server/htdocs3"
      DirectoryIndex index3.html
      </VirtualHost>
      
      Listen 443
      <VirtualHost 192.168.1.102:443>
      ServerName www.mycompany.com
      SSLEnable
      SSLClientAuth None
      SSLServerCert mycompany
      <Directory "c:/Program Files/IBM HTTP Server/htdocs">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      DocumentRoot "c:/program files/ibm http server/htdocs"
      DirectoryIndex index.html
      </VirtualHost>
      
      <VirtualHost 192.168.1.103:443>
      ServerName www.mycompany2.com
      SSLEnable
      SSLClientAuth None
      SSLServerCert mycompany2
      <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      DocumentRoot "c:/program files/ibm http server/htdocs2"
      DirectoryIndex index2.html
      </VirtualHost>
      
      <VirtualHost 192.168.1.104:443>
      ServerName www.mycompany3.com
      SSLEnable
      SSLClientAuth None
      SSLServerCert mycompany3
      <Directory "c:/Program Files/IBM HTTP Server/htdocs3">
      Options Indexes
      AllowOverride None
      Require all granted
      </Directory>
      DocumentRoot "c:/program files/ibm http server/htdocs3"
      DirectoryIndex index3.html
      </VirtualHost>
      
      SSLDisable
      KeyFile "c:/program files/ibm http server/key.kdb"
      SSLV2Timeout 100
      SSLV3Timeout 1000


Related concepts


Related tasks


Related