IBM Support

Procedure to copy the IBM HTTP Server SSL keystore files from one server to another

Question & Answer


Question

I have installed the IBM HTTP Server on a new operating system version on a different server. Which SSL files do I need to copy from the previous HTTP Server machine so that SSL works correctly on the new server?

Cause

Configuration change

Answer

The IBM HTTP Server SSL keystore files can be manually copied from one IBM HTTP Server machine to another. The keystore files are portable and operating system independent.

Solution

List of files to copy:
  • *.kdb (CMS keystore)
  • *.rdb (request database for certificate requests, certreq.arm)
  • *.sth (password stash file)
  • *.crl (certificate revocation list file)
  • *.conf files (configuration files: admin.conf, httpd.conf)
  • Any non-default customized configuration files
  • Any certificate files received from the Certificate Authority (CA) used by your company (.cer, .arm, and so on)

Copy the files from the old server to the new server in the same directory path that was created on the old server. If the directory path has been changed on the new server, the KeyFile directive in the httpd.conf file will need to be changed to reflect the new path. When copying files from server to server using FTP, copy in binary mode.


Example

<VirtualHost 192.168.1.101:443>
ServerName www.mycompany.com
SSLEnable
SSLClientAuth None
SSLServerCert mycompany
<Directory "c:/Program Files/IBM HTTP Server/htdocs">
Options Indexes
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
DocumentRoot "C:/Program Files/IBM Http Server/htdocs"
DirectoryIndex index.html
</VirtualHost>

SSLDisable
KeyFile "C:/Program Files/IBM Http Server/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000
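
To confirm that the copy described above arrived intact (an ASCII-mode FTP transfer rewrites line-ending bytes and corrupts a .kdb) and that each KeyFile directive still points at a real keystore, the following check can be run on both servers. It is an added example, not IBM code; the function names are hypothetical and it assumes Python 3 is available on both machines.

```python
import hashlib
import re
from pathlib import Path

# Extensions taken from the page's list of keystore files to copy.
KEYSTORE_EXTS = {".kdb", ".rdb", ".sth", ".crl"}
# Active (uncommented) KeyFile directives, quoted or bare.
KEYFILE_RE = re.compile(r'^[ \t]*KeyFile[ \t]+(?:"([^"]+)"|(\S+))',
                        re.IGNORECASE | re.MULTILINE)


def manifest(directory):
    """Map file name -> SHA-256 for every keystore file in a directory."""
    return {
        p.name: hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(directory).iterdir())
        if p.is_file() and p.suffix.lower() in KEYSTORE_EXTS
    }


def compare(old, new):
    """List problems on the new server relative to the old server's manifest."""
    problems = []
    for name, digest in old.items():
        if name not in new:
            problems.append(f"missing on new server: {name}")
        elif new[name] != digest:
            problems.append(f"content differs (ASCII-mode transfer?): {name}")
    return problems


def keyfile_problems(conf_text):
    """Check that each KeyFile target and its same-named .sth stash exist."""
    problems = []
    for quoted, bare in KEYFILE_RE.findall(conf_text):
        kdb = Path(quoted or bare)
        for path in (kdb, kdb.with_suffix(".sth")):
            if not path.is_file():
                problems.append(f"KeyFile target not found: {path}")
    return problems


if __name__ == "__main__":
    import json
    import sys
    # Run on each server with the keystore directory as the argument,
    # then pass the two saved manifests to compare().
    print(json.dumps(manifest(sys.argv[1]), indent=2))
```

Run `keyfile_problems()` against the text of the new server's httpd.conf after any path change, before restarting the IBM HTTP Server.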

If the hostname or IP address on the new server has changed, the ServerName directive and the SSL VirtualHost stanza in the httpd.conf file will need updating to reflect the new hostname and IP address.

If the environment is configured to encrypt SSL communications between the plug-in and the WebSphere Application Server, then the plugin-key.kdb file might need to be propagated to the Web server.

Propagate the plugin-key.kdb file from the WebSphere administrative console:
  1. Navigate to Servers > Web servers > Web_server_name > Plug-in properties.

  2. Click Copy to WebServer keystore directory.

  3. After all of the changes have been made, a restart of the IBM HTTP Server is required.

Refer to the Guide to properly setting up SSL within the IBM HTTP Server for additional details on configuring and troubleshooting SSL for the IBM HTTP Server.


Document Information

Modified date:
07 September 2022

UID

swg21396051