How To
Summary
Step-by-step instructions for configuring IBM HTTP Server for WebSphere Liberty
Steps
- Install and configure IBM HTTP Server (IHS) and the Web Server plug-ins for IBM WebSphere Application Server (plug-in)
  - On Linux, AIX, and Windows, IHS and the WebSphere WebServer plug-in are available together in a simplified archive installation:
    https://www.ibm.com/docs/en/ibm-http-server/9.0.5?topic=archive-installing-http-server-fro
    No additional configuration is needed at this stage. This guide will assume your installation is in /opt/IBM/IHS
  - On all operating systems, IHS and the Web Server plug-ins for IBM WebSphere Application Server are available as separately installable components using IBM Installation Manager:
    https://www.ibm.com/docs/en/ibm-http-server/9.0.5?topic=server-installing-http-distributed-systems-installation-manager
    If this installation method is used, an additional step is necessary to associate the two components. Run the simplepct script included with IHS and pass the installation path of the WebSphere WebServer plug-in:
      cd /opt/IBM/HTTPServer
      bin/simplepct.sh /opt/IBM/WebSphere/plug-ins
- Append the corresponding line to server.xml on the Liberty installation to configure the WebSphere WebServer plug-in installation root:
  - Archive Installation: <pluginConfiguration pluginInstallRoot="/opt/IBM/IHS/plugins"/>
  - IBM Installation Manager: <pluginConfiguration pluginInstallRoot="/opt/IBM/WebSphere/plug-ins"/>
- Copy the plugin-cfg.xml generated under the Liberty server's usr/servers/SERVER_NAME/logs/state directory to the config/webserver1/ directory under the WebSphere WebServer plug-in installation root
- Choose whether to configure or disable SSL between the WebSphere WebServer plug-in and WebSphere Liberty
  If SSL is not required on the backend, append the following to httpd.conf and skip Step 5.
    SetEnv ssl-map-mode offload
- Configure SSL: The issuer of the certificate used by Liberty must be trusted by plugin-key.kdb.
  - Extract the issuer of the certificate used by Liberty.
    This can be completed with iKeyman (where available) or with the keytool command. The key.p12 passphrase may be specified in usr/servers/defaultServer/server.xml or usr/servers/defaultServer/etc/server.env
    The following command-line invocation can be used to extract the self-signed certificate labeled "default" in the default Liberty key store:
      keytool -exportcert -rfc -alias default -file /tmp/liberty.pem \
        -keystore usr/servers/defaultServer/resources/security/key.p12
    If Liberty uses a non-self-signed certificate, obtain the root CA certificate that ultimately signed the certificate used by Liberty and save it as /tmp/liberty.pem
  - Add the certificate from the preceding step to plugin-key.kdb. This can be completed with iKeyman (where available) or with the "gskcapicmd" certificate management tool included with IHS:
      # Archive Install:
      cd /opt/IBM/IHS
      bin/gskcapicmd -cert -add -db plugin/config/webserver1/plugin-key.kdb \
        -stashed -label ca-liberty -file /tmp/liberty.pem

      # IBM Installation Manager:
      cd /opt/IBM/HTTPServer
      bin/gskcapicmd -cert -add -db /opt/IBM/WebSphere/plug-ins/config/webserver2/plugin-key.kdb \
        -stashed -label ca-liberty -file /tmp/liberty.pem
- If multiple Liberty servers are used behind the same IHS:
  - Repeat step 2 for each Liberty server
  - Repeat step 3 for each Liberty server, but instead of replacing config/webserver1/plugin-cfg.xml, use the pluginUtility provided with Liberty to merge the current plugin-cfg.xml with the additional server's plugin-cfg.xml:
    https://www.ibm.com/docs/en/was-liberty/base?topic=SSEQTP_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_admin_pluginutility.html
  - If SSL has not been disabled in step 4, repeat step 5 with each unique CA or self-signed certificate from each Liberty server
- To configure front-end SSL for IHS, review the following document: https://www.ibm.com/support/pages/using-ikeyman-create-key-database-file
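
The check below is an added example, not part of the IBM document: it audits a merged plugin-cfg.xml (steps 3 and 6) and lists each https Transport whose key database settings are missing or do not point under the plug-in installation root configured in step 2. It assumes the usual plugin-cfg.xml layout, in which an https Transport carries keyring and stashfile Property elements; the sample XML, the host names and the audit_plugin_cfg function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a merged plugin-cfg.xml for two Liberty servers (not from the page).
SAMPLE = """<Config>
  <ServerCluster Name="c1">
    <Server Name="liberty1">
      <Transport Hostname="app1.example.test" Port="9080" Protocol="http"/>
      <Transport Hostname="app1.example.test" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/IHS/plugins/config/webserver1/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/IBM/IHS/plugins/config/webserver1/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
  <ServerCluster Name="c2">
    <Server Name="liberty2">
      <Transport Hostname="app2.example.test" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/WebSphere/plug-ins/config/webserver1/plugin-key.kdb"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""


def audit_plugin_cfg(xml_text, plugin_root):
    """Return (server, host:port, problem) for https Transports with key database issues."""
    findings = []
    expected_prefix = plugin_root.rstrip("/") + "/"
    for server in ET.fromstring(xml_text).iter("Server"):
        for tr in server.iter("Transport"):
            # Only https transports use the key database that step 5 populates.
            if tr.get("Protocol", "").lower() != "https":
                continue
            props = {p.get("Name"): p.get("Value", "") for p in tr.iter("Property")}
            where = f'{tr.get("Hostname")}:{tr.get("Port")}'
            keyring = props.get("keyring")
            if not keyring:
                findings.append((server.get("Name"), where, "no keyring property"))
            elif not keyring.startswith(expected_prefix):
                findings.append((server.get("Name"), where, f"keyring outside plug-in root: {keyring}"))
            if not props.get("stashfile"):
                findings.append((server.get("Name"), where, "no stashfile property"))
    return findings


if __name__ == "__main__":
    for finding in audit_plugin_cfg(SAMPLE, "/opt/IBM/IHS/plugins"):
        print(*finding, sep="\t")
```

A keyring path outside the expected root usually means one server's server.xml was given a different pluginInstallRoot in step 2, so the CA added in step 5 may have gone into a key database that this transport does not read.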
Document Location
Worldwide
Document Information
Modified date: 12 October 2021
UID: ibm16498133