IBM Support

Configuring IBM HTTP Server for WebSphere Liberty

How To


Summary

Step by step instructions for configuring IBM HTTP Server for WebSphere Liberty

Steps

  1. Install and configure IBM HTTP Server (IHS) and the Web Server plug-ins for IBM WebSphere Application Server (plug-in)
  2. Append the corresponding line to  server.xml on the Liberty installation to configure the WebSphere WebServer plug-in installation root:
    • Archive Installation:<pluginConfiguration pluginInstallRoot="/opt/IBM/IHS/plugins"/>
    • IBM Installation Manager: <pluginConfiguration pluginInstallRoot="/opt/IBM/WebSphere/plug-ins"/>
  3. Copy the plugin-cfg.xml generated under the Liberty servers  usr/servers/SERVER_NAME/logs/state directory to the config/webserver1/ directory under the WebSphere WebServer plug-in installation root
  4. Choose whether to configure or disable SSL between the WebSphere WebServer plug-in and WebSphere Liberty
    If SSL is not required on the backend, append the following to httpd.conf and skip Step 5.
    SetEnv ssl-map-mode offload
  5. Configure SSL: The issuer of the certificate used by Liberty must be trusted by plugin-key.kdb. 
    • Extract the issuer of the certificate used by Liberty. 

      This can be completed with iKeyman (where available) or with the keytool command.  The key.p12 passphrase may be specified in usr/servers/defaultServer/server.xml or usr/servers/defaultServer/etc/server.env

      The following command-line invocation can be used to extract the self-signed certificate labeled "default" in the default Liberty key store: 
      keytool -exportcert -rfc -alias default -file /tmp/liberty.pem  \
    -keystore usr/servers/defaultServer/resources/security/key.p12

      If Liberty uses a non self-signed certificate, obtain the root CA certificate that ultimately signed the certificate used by Liberty and save it as /tmp/liberty.pem 
    • Add the certificate from the preceding step to plugin-key.kdb. This can be completed with iKeyman (where available) or with the "gskcapicmd" certificate management tool included with IHS:  
      # Archive Install:
cd /opt/IBM/IHS
bin/gskcapicmd -cert -add -db plugin/config/webserver1/plugin-key.kdb \
    -stashed -label ca-liberty -file /tmp/liberty.pem

# IBM Installation Manager:
cd /opt/IBM/HTTPServer
bin/gskcapicmd -cert -add -db /opt/IBM/WebSphere/plug-ins/config/webserver2/plugin-key.kdb \
    -stashed -label ca-liberty -file /tmp/liberty.pem
  6. If multiple Liberty servers are used behind the same IHS:
  7. To configure front-end SSL for IHS, review the following document: https://www.ibm.com/support/pages/using-ikeyman-create-key-database-file

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m3p000000F7xiAAC","label":"IBM Http Server\/WebSphere Plugin-All Platforms"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"ARM Category":[{"code":"a8m3p000000F7xiAAC","label":"IBM Http Server\/WebSphere Plugin-All Platforms"}],"Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"All Versions"}]

Document Information

Modified date:
12 October 2021

UID

ibm16498133

Page Feedback