Secure with SSL communications
This section provides information to help us set up SSL, using the default httpd.conf configuration file.
Procedure
Use the IBM HTTP Server iKeyman utility (GUI) or iKeyman utility (command line) to create a CMS key database file and self-signed server certificate.
IBM HTTP Server uses the z/OS gskkyman tool for key management to create a CMS key database file, public and private key pairs, and self-signed certificates. Or, we can create a SAF keyring in place of a CMS key database file.
- Enable SSL directives in the IBM HTTP Server httpd.conf configuration file.
- Uncomment the LoadModule ibm_ssl_module modules/mod_ibm_ssl.so configuration directive.
- Create an SSL virtual host stanza in the httpd.conf file using the following examples and directives.
```
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
  Listen 443
  <VirtualHost *:443>
    SSLEnable
  </VirtualHost>
</IfModule>
SSLDisable
KeyFile "c:/Program Files/IBM HTTP Server/key.kdb"
```
Always specify the address with the port on the Listen directive. For example, add the Listen directive in httpd.conf using the default address 0.0.0.0 to listen on IPv4 port 443: Listen 0.0.0.0:443.
This second example assumes that we are enabling a single Web site to use SSL, and the server name is different from the server name that is defined in the global scope for non-SSL (port 80). Both host names must be registered in a domain name server (DNS) to a separate IP address, and we must configure both IP addresses on local network interface cards.
```
Listen 80
ServerName www.mycompany.com
<Directory "c:/Program Files/IBM HTTP Server/htdocs">
  Options Indexes
  AllowOverride None
  order allow,deny
  allow from all
</Directory>
DocumentRoot "c:/program files/ibm http server/htdocs"
DirectoryIndex index.html

<VirtualHost 192.168.1.103:80>
  ServerName www.mycompany2.com
  <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>
  DocumentRoot "c:/program files/ibm http server/htdocs2"
  DirectoryIndex index2.html
</VirtualHost>

Listen 443
<VirtualHost 192.168.1.103:443>
  ServerName www.mycompany2.com
  SSLEnable
  SSLClientAuth None
  <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>
  DocumentRoot "c:/program files/ibm http server/htdocs2"
  DirectoryIndex index2.html
</VirtualHost>

SSLDisable
KeyFile "c:/program files/ibm http server/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000
```

This third example assumes that we are enabling multiple Web sites to use SSL. All host names must be registered in the domain name server (DNS) to a separate IP address. Also, we must configure all of the IP addresses on a local network interface card. Use the SSLServerCert directive to identify which personal server certificate in the key database file is passed to the client browser during the SSL handshake for each Web site. If we have not defined the SSLServerCert directive, IBM HTTP Server passes the certificate in the key database file that is marked (*) as the "default key".
```
Listen 80
ServerName www.mycompany.com
<Directory "c:/Program Files/IBM HTTP Server/htdocs">
  Options Indexes
  AllowOverride None
  order allow,deny
  allow from all
</Directory>
DocumentRoot "c:/program files/ibm http server/htdocs"
DirectoryIndex index.html

<VirtualHost 192.168.1.103:80>
  ServerName www.mycompany2.com
  <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>
  DocumentRoot "c:/program files/ibm http server/htdocs2"
  DirectoryIndex index2.html
</VirtualHost>

<VirtualHost 192.168.1.104:80>
  ServerName www.mycompany3.com
  <Directory "c:/Program Files/IBM HTTP Server/htdocs3">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>
  DocumentRoot "c:/program files/ibm http server/htdocs3"
  DirectoryIndex index3.html
</VirtualHost>

Listen 443
<VirtualHost 192.168.1.102:443>
  ServerName www.mycompany.com
  SSLEnable
  SSLClientAuth None
  SSLServerCert mycompany
  <Directory "c:/Program Files/IBM HTTP Server/htdocs">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>
  DocumentRoot "c:/program files/ibm http server/htdocs"
  DirectoryIndex index.html
</VirtualHost>

<VirtualHost 192.168.1.103:443>
  ServerName www.mycompany2.com
  SSLEnable
  SSLClientAuth None
  SSLServerCert mycompany2
  <Directory "c:/Program Files/IBM HTTP Server/htdocs2">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>
  DocumentRoot "c:/program files/ibm http server/htdocs2"
  DirectoryIndex index2.html
</VirtualHost>

<VirtualHost 192.168.1.104:443>
  ServerName www.mycompany3.com
  SSLEnable
  SSLClientAuth None
  SSLServerCert mycompany3
  <Directory "c:/Program Files/IBM HTTP Server/htdocs3">
    Options Indexes
    AllowOverride None
    order allow,deny
    allow from all
  </Directory>
  DocumentRoot "c:/program files/ibm http server/htdocs3"
  DirectoryIndex index3.html
</VirtualHost>

SSLDisable
KeyFile "c:/program files/ibm http server/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000
```
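A small lint for the rules this page states (the SSL module is loaded, Listen carries an address, a KeyFile is in scope, and each SSL virtual host names its own SSLServerCert when there are several). It is added here as an example and is not IBM's code; the function name `lint_ssl_conf` and the `SAMPLE_CONF` text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the third example, with two deliberate
# mistakes: a bare-port Listen and an SSL virtual host without SSLServerCert.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:80
Listen 443
<VirtualHost 192.168.1.102:443>
  SSLEnable
  SSLServerCert mycompany
</VirtualHost>
<VirtualHost 192.168.1.103:443>
  SSLEnable
</VirtualHost>
SSLDisable
KeyFile "c:/program files/ibm http server/key.kdb"
"""

def lint_ssl_conf(text):
    """Check httpd.conf text against the SSL setup rules on this page."""
    findings, vhost, ssl_vhosts, global_scope = [], None, [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or commented-out directive
        name = words[0].lower()
        if name == "<virtualhost":
            vhost = {"addr": words[1].rstrip(">"), "dirs": set()}
        elif name.startswith("</virtualhost") and vhost:
            if "sslenable" in vhost["dirs"]:
                ssl_vhosts.append(vhost)
            vhost = None
        else:
            (vhost["dirs"] if vhost else global_scope).add(name)
            if name == "loadmodule" and "ibm_ssl_module" in words:
                global_scope.add("ibm_ssl_module")
            if name == "listen" and len(words) > 1 and ":" not in words[1]:
                findings.append(f"line {n}: Listen {words[1]} has no address")
    if ssl_vhosts and "ibm_ssl_module" not in global_scope:
        findings.append("SSLEnable used but ibm_ssl_module is not loaded")
    for vh in ssl_vhosts:
        if "keyfile" not in vh["dirs"] | global_scope:
            findings.append(f"{vh['addr']}: no KeyFile in scope")
        if len(ssl_vhosts) > 1 and "sslservercert" not in vh["dirs"]:
            findings.append(f"{vh['addr']}: no SSLServerCert, default key is served")
    return findings
```

Run against the example configurations on this page, it reports their bare `Listen 80` and `Listen 443` lines, which the Listen guidance above says to write with an address.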