This topic describes how to configure the IBM® HTTP Server for SSL. SSL is required in a WebSphere® Application Server clustered environment.
Before you begin
The Common Audit Service Web service client can invoke the Common Audit Service either directly, by talking to the WebSphere Application Server embedded HTTP server, or indirectly, by first going through a Web server. The Web server can be the IBM HTTP Server or another third-party Web server. The Web server must be enabled for SSL for secure communication with the client. Refer to the appropriate Web server documentation for details on how to enable SSL.
About this task
Follow these steps:
Procedure
- Use the IBM HTTP Server IKEYMAN utility to create a CMS key database file and insert the server's personal certificate.
  For example, to create a CMS key database file, open the CARSServerKey.jks file in IKEYMAN and then save it as a CMS file. Copy the CARSServerKey.kdb and CARSServerKey.sth files to a directory on the HTTP server (for example, /data/certs).
- Modify the httpd.conf file.
  For the IBM HTTP Server to support HTTPS, you need to enable SSL in its configuration file, IHS_HOME/conf/httpd.conf, where IHS_HOME is the home directory of your IBM HTTP Server. Open the IHS_HOME/conf/httpd.conf file and add the following lines to the bottom of the file. This example uses port 443.

      # Load the IBM SSL module
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      <IfModule mod_ibm_ssl.c>
        Listen 443
        <VirtualHost *:443>
          SSLEnable
          SSLClientAuth none
          # Label of the server's certificate in the key database file
          SSLServerCert certname
        </VirtualHost>
      </IfModule>
      # SSL stays disabled outside the virtual host above
      SSLDisable
      # CMS key database file copied in the previous step
      Keyfile /data/certs/CARSServerKey.kdb

  Note: In SSLServerCert certname, certname is the label of the server's certificate in the key database file. The directive is not needed if the default certificate in the key file is used. Change the host name and the path for the key file accordingly. You can also use the administrative console to enable SSL.
- Restart the IBM HTTP Server.
- Add the port number to the virtual host.
  To enable the application server to communicate with the IBM HTTP Server using, for example, port 443, add the host alias on the default_host. In the administrative console:
  - Click .
  - Under Additional properties, click .
  - Enter the following information in the fields:
    - Type * for Host Name.
    - Type 443 for Port.
  - Click Apply and Save.
  When you click Save, the information is written to the security.xml file and the Web server plug-in. For example, /opt/IBM/WebSphere/Plugins/config/webserver1_hostname/plugin-cfg.xml is automatically updated.
- Enable security on your installed Web server.
  - Click .
  - Under Global Directives specify the following information:
    - Select Security enabled.
    - Enter CARSWebStore in Key store certificate alias.
    - Enter *:443 in Listen ports.
  - Click Apply and Save to enable port 443 for listening on the Web server.
- Stop and restart the IBM HTTP Server and IBM HTTP Administrative Server.
- Stop and restart WebSphere Application Server. In a clustered environment, stop and restart the cluster.
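
The httpd.conf lines from the "Modify the httpd.conf file" step can be checked before the restart. The following Python check is an added example, not part of the IBM documentation or product: the function name check_ihs_ssl and its parameters are assumptions made for illustration, and the sample configuration is constructed from the lines shown in this topic.

```python
import os
import re

# Constructed sample: the httpd.conf lines from the procedure above.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEnable
SSLClientAuth none
SSLServerCert certname
</VirtualHost>
</IfModule>
SSLDisable
Keyfile /data/certs/CARSServerKey.kdb
"""

def check_ihs_ssl(conf_text, port=443, exists=os.path.exists):
    """Return a list of problems found in the SSL part of an httpd.conf."""
    # Drop comments and blank lines before matching directives.
    lines = [ln.strip() for ln in conf_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    problems = []
    if not any(re.match(r"LoadModule\s+ibm_ssl_module\s", ln, re.I) for ln in lines):
        problems.append("ibm_ssl_module is not loaded")
    if not any(re.match(rf"Listen\s+(\S+:)?{port}$", ln, re.I) for ln in lines):
        problems.append(f"no Listen directive for port {port}")
    # SSLEnable must appear inside a <VirtualHost ...:port> block.
    in_vhost, vhost_ssl = False, False
    for ln in lines:
        if re.match(rf"<VirtualHost\s+\S*:{port}\s*>", ln, re.I):
            in_vhost = True
        elif re.match(r"</VirtualHost>", ln, re.I):
            in_vhost = False
        elif in_vhost and re.fullmatch(r"SSLEnable", ln, re.I):
            vhost_ssl = True
    if not vhost_ssl:
        problems.append(f"no VirtualHost on port {port} contains SSLEnable")
    keyfiles = [ln.split(None, 1)[1] for ln in lines if re.match(r"Keyfile\s+\S", ln, re.I)]
    if not keyfiles:
        problems.append("no Keyfile directive")
    for kdb in keyfiles:
        # The stash file (.sth) must sit beside the .kdb, as in the copy step.
        for path in (kdb, os.path.splitext(kdb)[0] + ".sth"):
            if not exists(path):
                problems.append(f"missing file: {path}")
    return problems
```

On the Web server host, pass the contents of IHS_HOME/conf/httpd.conf as conf_text and leave exists at its default so that the key database and stash file paths are checked on disk.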