Configure IBM HTTP Server for SSL mutual authentication

 

+

Search Tips   |   Advanced Search

 

Before you begin

IBM HTTP Server supports SSL V2 and V3 and Transport Layer Security (TLS) V1. IBM HTTP Server is based on the Apache Web server, but for SSL configuration it requires the IBM-supplied SSL modules, rather than the OpenSSL modules. This document describes configuration of IBM HTTP Server, although it is possible to use another supported Web server.

SSL is disabled by default and it is necessary to modify a configuration file and generate a server-side certificate using the key management utility (iKeyman) provided with IBM HTTP Server to enable SSL.

 

Set up certificates

  1. Run the key management utility by clicking...

    Start | Programs | IBM HTTP Server | Start Key Management Utility

    Refer to Requesting a CA-signed personal certificate, Creating a certificate signing request (CSR), Receiving a CA-signed personal certificate, and Extracting a public certificate for use in a truststore file

  2. Create a key database and click Key Database File > New.

  3. Type a file name, serverkey.kdb, for example, and the location path. Click OK.

  4. Type a password, select the Stash the password to a file check box and click OK.

  5. Obtain a personal certificate for IBM HTTP Server. Click Personal Certificate in the key management utility menu. Click Create | New Certificate Request. The Create New Key and Certificate Request panel is displayed. Complete the following information:

    Key label
    Server_Cert
    Key size
    Select either a 512 or a 1024 bit size for your key.
    Common name
    droplet.austin.ibm.com
    Organization
    IBM
    Organization unit
    WebSphere
    Locality
    Austin
    State
    Texas
    Zip code
    76758
    Country
    US
    File name
    Server_certreq.arm

    The Verisign Test CA Root Certificate is in the set of signer certificates that ship with the IKeyMan utility for IBM HTTP Server.

  6. Go to http://www.verisign.com, click Free SSL Trial. Complete the profile information, click Submit, and click Continue twice.

  7. Use your favorite text editor to edit the request file Server_certreq.arm, and copy the entire contents of the file into the browser request panel. Click Continue. VeriSign sends the signed personal certificate to your e-mail.

  8. Copy and paste this certificate into a file, for example Server_Cert.arm. Click Personal Certificate from the menu in the key management utility. Click Receive. Specify the file name, Server_Cert.arm, and click OK. You might need to add VeriSign test root certificate to the signer certificates for the receive to be successful. Close the serverkey.kdb file.

 

Enable SSL on IBM HTTP Server

  1. Open...

    IHS_HOME/conf/httpd.conf

    ...and add the following lines to the bottom of the file: 

    LoadModule  ibm_ssl_module   modules/mod_ibm_ssl.so
Listen 443
<VirtualHost  droplet.austin.ibm.com:443>
    ServerName  droplet.austin.ibm.com
    DocumentRoot <install_root>\htdocs
    SSLEnable
    #SSLClientAuth  required
</VirtualHost>
SSLDisable
Keyfile <IHS_HOME>/serverkey.kdb

    Note: Change the host name and the path for the key file accordingly. Modify the Web server to support client certificates by uncommenting the SSLClientAuth directive shown in the httpd.conf file.

    SSLClientAuth required

  2. Restart IBM HTTP Server.

  3. Test SSL between a browser and IBM HTTP Server.

    For more information on the default IBM HTTP Server port number, see Port number settings in WAS versions.

  4. Follow the prompts to select a personal certificate if the SSLClientAuth directive is set to required.

  5. To enable the application server to communicate with IBM HTTP Server using port 443, add the host alias on the default_host. In the administrative console, click...

    Environment | Virtual Hosts | default_host | [Additional properties] Host Aliases | New

    Enter the following information in the appropriate fields:

    Host name
    *
    Port
    443

  6. Click Apply and Save When you click Save, the information is written to the security.xml file and the Web server plug-in is automatically updated.

  7. Restart WebSphere Application Server.

  8. Test your connection.

 

Result

We can connect to the Snoop servlet.

 

See Also


Secure Sockets Layer

 

Related Tasks


Request certificate authority-signed personal certificates
Receive certificate authority-signed personal certificates
Extract public certificates for truststore files
Manage digital certificates
Create a Secure Sockets Layer repertoire configuration entry

 

See Also


Port number settings in WAS versions