Add certificates to a network deployment with IBM HTTP Server
Overview
Add signer certificates to an IBM HTTP Server plug-in for a network deployment.
To establish trusted communication between IBM HTTP Server and a Web browser, import signer certificates from WAS.
This procedure describes how to import the self-signed certificate that is shipped with WAS. You can also import a certificate that you purchased from a third-party Certificate Authority, or create a new self-signed certificate.
Import a public WAS certificate into the IBM HTTP Server plug-in
- Ensure that IBM HTTP Server is configured to support SSL
- Copy the plugin-key.kdb file from...
ibm_http_server_root/Plugins/config/webserver1
...to...
dmgr_host:DMGR_PROFILE/config/cells/cell_name/nodes/<http_node_name>/servers/<Webserver_name>
- Log in to the IBM WAS admin console and select...
Security | SSL Certificate and key management | Key stores and certificates | CellDefaultTrustStore | Signer Certificates
- Select the check box beside the certificate to extract.
You probably have several options, such as default_1, default_2, and so on up to default_n. When you have selected a certificate, click Extract.
The number of certificates that you should extract depends on the number of nodes in your deployment; extract one certificate per node.
- Enter a fully-qualified Certificate file name.
If you do not specify a path, the certificate is stored in...
app_server_root/profiles/profile_name/etc
- Click OK to extract the file.
- Repeat steps 4-7 for each managed node.
- In the IBM WAS admin console, select...
Servers | Web servers | <Webserver_name> | Plug-in properties | Manage keys and certificates | Additional Properties | Signer certificates | Add
- Enter the certificate Alias and its fully-qualified File name, and click OK.
- Click Save to import the file.
- Repeat steps 11-14 for each managed node.
- To synchronize the KDB file with IBM HTTP Server, in the IBM WAS admin console, select...
Servers | Web servers | Plug-in properties | Plug-in properties | Copy to Web server key store
- Restart IBM HTTP Server to apply the changes.
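One way to check the "one certificate per node" rule before importing the extracted files, shown as an added example that is not part of the original procedure or IBM's tooling. It assumes the extracts were saved as Base64 ASCII or binary DER; the node names and the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_bytes(raw: bytes) -> bytes:
    """Return DER bytes for a Base64 ASCII (PEM) or binary DER extract."""
    m = PEM_RE.search(raw)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if raw[:1] != b"\x30":  # X.509 DER starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return raw

def fingerprint(raw: bytes) -> str:
    """SHA-256 over the DER encoding, so PEM and DER copies compare equal."""
    return hashlib.sha256(der_bytes(raw)).hexdigest()

def audit_extracts(extracts: dict, nodes: list) -> dict:
    """extracts maps alias -> file bytes; nodes lists the managed node names."""
    by_fp, unreadable = defaultdict(list), []
    for alias, raw in sorted(extracts.items()):
        try:
            by_fp[fingerprint(raw)].append(alias)
        except ValueError:  # also covers binascii.Error from bad Base64
            unreadable.append(alias)
    return {
        "unique": len(by_fp),
        # Aliases sharing a fingerprint: the same signer was extracted twice.
        "duplicates": sorted(a for a in by_fp.values() if len(a) > 1),
        "unreadable": unreadable,
        "complete": len(by_fp) == len(nodes) and not unreadable,
    }

def pem_wrap(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed stand-ins for extracted files (placeholder bytes only).
DER_1 = b"\x30\x82\x00\x10" + b"node1-signer-key"
DER_2 = b"\x30\x82\x00\x10" + b"node2-signer-key"
SAMPLE = {"default_1": pem_wrap(DER_1), "default_2": DER_2, "default_3": DER_1}

if __name__ == "__main__":
    # Three hypothetical nodes, but default_3 repeats default_1's signer.
    print(audit_extracts(SAMPLE, ["node1", "node2", "node3"]))
```

A result with "complete" set to False means a node's signer is missing from the extracts or the same certificate was saved under two aliases.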
Results
If your configuration changes aren't successful, ensure that you have applied the instructions to configure a default personal certificate.
The proxy-config.tpl file allows the proxy to work with self-signed certificates out of the box. For improved security, set the value of the unsigned_ssl_certificate_support property to false when your deployment is ready for production.