Configure IBM WebSphere Application Server to accept SSL requests

The steps we took to configure IBM WebSphere Application Server to accept SSL requests are detailed here to provide a more complete understanding of the changes we made.

If you are interfacing with WebSphere®, you need to create a virtual host alias that uses port 443 for SSL connections. To do that:
  1. Go into the WebSphere Administrative Console (see Figure 1)
    Figure 1. WebSphere Administrative Console
  2. On the left-hand side of the screen, under Environment, choose Virtual Hosts (see Figure 2)
    Figure 2. WebSphere Administrative Console - Virtual Hosts
  3. Choose "default host" (see Figure 3)
    Figure 3. WebSphere Administrative Console - Default Host
  4. Under Additional Properties, choose Host Aliases (see Figure 4)
    Figure 4. WebSphere Administrative Console - Host Aliases
  5. Click New
  6. Enter the General Properties information (see Figure 5)
    Figure 5. WebSphere Administrative Console - General Properties
  7. Click OK and save your changes.
  8. From the left-hand side of the screen, choose Servers -> webservers
  9. Generate the plug-in again

    The plug-in will be stored in /opt/IBM/WebSphere/AppServer/profiles/default/cells/lnwas5Node01Cell/nodes/webserver1_node/servers/webserver1/plugin-cfg.xml.

  10. Copy the plug-in to your webserver in the /opt/IBM/WebSphere/Plugins/config/webserver1 directory.
  11. Start IBM® HTTP Server

    Note that you can verify your settings by going to https://<ip address>/trade.
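
An offline check of the regenerated plugin-cfg.xml from steps 9 and 10, as an added example that is not part of the original page: it confirms that default_host carries a host alias on port 443 (and not only 9443) and that a route sends /trade/ through it. The XML sample is constructed, and the function names, the sample cluster and URI group names, and the simplified URI matcher are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the check reads; not taken from the page.
SAMPLE_WITH_443 = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:9080"/>
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
  </VirtualHostGroup>
  <UriGroup Name="default_host_server1_URIs">
    <Uri Name="/trade/*"/>
  </UriGroup>
  <Route ServerCluster="server1_Cluster" UriGroup="default_host_server1_URIs"
         VirtualHostGroup="default_host"/>
</Config>"""
SAMPLE_WITHOUT_443 = SAMPLE_WITH_443.replace('    <VirtualHost Name="*:443"/>\n', "")


def uri_matches(pattern, path):
    """Simplified matcher (assumption): exact path, or prefix when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def check_plugin_cfg(xml_text, vhost="default_host", port="443", path="/trade/"):
    """Return a list of problems; an empty list means the alias and route are present."""
    root = ET.fromstring(xml_text)
    problems = []
    group = root.find(f"./VirtualHostGroup[@Name='{vhost}']")
    aliases = [v.get("Name", "") for v in group.findall("VirtualHost")] if group is not None else []
    # An alias is "host:port"; compare the port exactly so *:9443 does not pass for 443.
    if not any(a.rpartition(":")[2] == port for a in aliases):
        problems.append(f"no host alias on port {port} in {vhost} (found {aliases})")
    routed = False
    for route in root.findall(f"./Route[@VirtualHostGroup='{vhost}']"):
        uris = root.find(f"./UriGroup[@Name='{route.get('UriGroup')}']")
        if uris is not None and any(uri_matches(u.get("Name", ""), path) for u in uris.findall("Uri")):
            routed = True
    if not routed:
        problems.append(f"no Route sends {path} through {vhost}")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WITH_443
    for line in check_plugin_cfg(text) or ["ok: port 443 alias and /trade/ route present"]:
        print(line)
```

Run it against both the generated file and the copy on the web server; a result that differs between the two means the copy in step 10 is stale.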

Tips

The following are some tips to keep in mind when setting up your hardware encryption.

Be careful when setting your password. When you initialize your cryptographic token with pkcsconf -c 0 -l, the SP pin is set by you, but it is already expired. You have to change it using the pkcsconf -c 0 -P option. If the password you enter is incorrect, you might receive the following error when running gsk7ikm:

Figure 6. Error Message

If you do mess up the password, you need to do the following:
  1. Delete all the files (but not the directories) in the /etc/pkcs11 directory
  2. Delete all the files (but not the directories) in the /etc/pkcs11/lite directory
  3. Re-initialize the token with the pkcsconf command

The password you enter on the sslstash command is the user pin set when you issued the pkcsconf -c 0 -P command.

Remember to create your key.sth file by checking off the "create stash file" box when prompted for a password in the gsk7ikm dialogs.

Remember that when a plug-in is regenerated, both the IBM HTTP Server and the WebSphere Application Server need to be restarted.