Add certificates to a network deployment with IBM HTTP Server


Overview

Add signer certificates to an IBM HTTP Server plug-in for a network deployment.

To establish trusted communication between IBM HTTP Server and a Web browser, import signer certificates from WAS.

This procedure describes how to import the self-signed certificate that is shipped with WAS. You can also import a certificate that you purchased from a third-party Certificate Authority, or create a new self-signed certificate.


Import a public WAS certificate into the IBM HTTP Server plug-in

  1. Ensure that IBM HTTP Server is configured to support SSL.

  2. Copy the plugin-key.kdb file from...

    ...to...

      dmgr_host:DMGR_PROFILE/config/cells/cell_name/nodes/<http_node_name>/servers/<Webserver_name>

  3. Log in to the IBM WAS admin console and select...

      Security | SSL Certificate and key management | Key stores and certificates | CellDefaultTrustStore | Signer Certificates

  4. Select the check box beside the certificate to extract.

    You probably have several options, such as default_1, default_2, through default_n. When you have selected a certificate, click Extract.

    The number of certificates that you should extract depends on the number of nodes in your deployment; extract one certificate per node.

  5. Enter a fully-qualified Certificate file name.

    If you do not specify a path, the certificate is stored in...

  6. Click OK to extract the file.

  7. Repeat steps 4-7 for each managed node.

  8. In the IBM WAS admin console, select...

      Servers | Web servers | <Webserver_name> | Plug-in properties | Manage keys and certificates | Additional Properties | Signer certificates | Add

  9. Enter the certificate Alias and its fully-qualified File name, and click OK.

  10. Click Save to import the file.

  11. Repeat steps 11-14 for each managed node.

  12. To synchronize the KDB file with IBM HTTP Server, in the IBM WAS admin console, select...

      Servers | Web servers | Plug-in properties | Plug-in properties | Copy to Web server key store

  13. Restart IBM HTTP Server to apply the changes.
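
A check that can be run between steps 7 and 8, as an added example (not part of the IBM procedure or product): it fingerprints each extracted signer file, accepting Base64 or binary DER data, and flags aliases that hold the same certificate or a count that does not match the number of nodes. It assumes each managed node has its own distinct certificate; the function names are hypothetical and the sample bytes are constructed stand-ins, not real certificates.

```python
import base64, hashlib, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data):
    """Return DER bytes from a Base64 (PEM) or binary DER certificate file."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(data):
    """Colon-separated SHA-256 fingerprint of the certificate's DER encoding."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_extracted(files, node_count):
    """files maps alias -> file contents (bytes). Returns a list of problems."""
    problems, seen = [], {}
    for alias, data in sorted(files.items()):
        try:
            fp = fingerprint(data)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            problems.append(f"{alias}: unreadable ({exc})")
            continue
        if fp in seen:  # two aliases holding one certificate: a node was missed
            problems.append(f"{alias}: same certificate as {seen[fp]}")
        else:
            seen[fp] = alias
    if len(seen) != node_count:
        problems.append(f"{len(seen)} distinct certificates for {node_count} nodes")
    return problems

def as_pem(der):
    """Wrap DER bytes in PEM armor, as a Base64 extract would be stored."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed stand-ins for DER data, not real certificates.
NODE1, NODE2 = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
SAMPLE = {"default_1": as_pem(NODE1), "default_2": NODE2, "default_3": as_pem(NODE1)}

if __name__ == "__main__":
    for alias, data in sorted(SAMPLE.items()):
        print(alias, fingerprint(data))
    for problem in check_extracted(SAMPLE, node_count=3):
        print("PROBLEM:", problem)
```

For real files, build the `files` mapping by reading each extracted certificate in binary mode, keyed by the alias you plan to enter in step 9.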

 

Results

If your configuration changes aren't successful, ensure that you have applied the instructions to configure a default personal certificate.

The proxy-config.tpl file allows the proxy to work with self-signed certificates. This is the out-of-the-box behavior; for improved security, set the value of the unsigned_ssl_certificate_support property to false when your deployment is ready for production.

 

Related tasks

Add certificates to IBM HTTP Server
Configure IBM HTTP Server for SSL
