Configure IBM HTTP Server for SSL mutual authentication


Overview

IBM HTTP Server supports SSL V2 and V3 and TLS V1. IBM HTTP Server is based on the Apache Web server, but for SSL configuration it requires the IBM-supplied SSL modules, rather than the OpenSSL modules. This document describes configuration of IBM HTTP Server, although it is possible to use another supported Web server.

SSL is disabled by default. To enable it, modify a configuration file and generate a server-side certificate using the key management utility (iKeyman) provided with IBM HTTP Server.

  1. For a single server, enable SSL on IBM HTTP Server (port 443, for example).

  2. To set up certificates, start the key management utility by clicking...

    Start | Programs | IBM HTTP Server | Start Key Management Utility

  3. Create a key database and click...

    Key Database File | New

  4. Type a file name, serverkey.kdb, for example, and the location path. Click OK.

  5. Type a password, select the Stash the password to a file check box and click OK.

  6. To obtain a personal certificate for IBM HTTP Server, click Personal Certificate Requests in the key management utility menu. Click New. The Create New Key and Certificate Request panel appears. Complete the following information:

    Key label: Server_Cert
    Common name: droplet.austin.ibm.com
    Organization: IBM
    Country: US
    File name: Server_certreq.arm

    The Verisign Test CA Root Certificate is in the set of signer certificates shipped with the IKeyMan for IBM HTTP Server.

  7. Go to URL http://www.verisign.com, click Get Free Trial SSL ID. Complete the profile information, click Submit, and click Continue twice.

  8. Use your favorite text editor to edit the request file Server_certreq.arm, and copy the entire contents of the file into the browser request panel. Click Continue. VeriSign displays the Personal Certificate in the browser.

  9. Copy and paste this certificate into a file, for example Server_Cert.arm. Click Personal Certificate from the menu in the key management utility. Click Receive. Specify the file name, Server_Cert.arm, and click OK. Close the serverkey.kdb file.

  10. To allow IBM HTTP Server to support HTTPS (port 443, for example), enable SSL on IBM HTTP Server by modifying its configuration file, IHS_HOME/conf/httpd.conf. SSL can also be enabled through the IBM HTTP Server administrative console. Open the file...

    IHS_HOME/conf/httpd.conf

    ...and then add the following lines above the line Alias /IBMWebAS/ "install_root/web"...

    LoadModule  ibm_ssl_module   modules/IBMModuleSSL128.dll
    install_root/bin/mod_ibm_app_server_http.dll
    Listen 443
    <VirtualHost  droplet.austin.ibm.com:443>
    ServerName  droplet.austin.ibm.com
    DocumentRoot <install_root>\htdocs
    SSLEnable
    #SSLClientAuth  required
    </VirtualHost>
    SSLDisable
    Keyfile <IHS_HOME>/serverkey.kdb

    Change the host name and the path for the key file accordingly. To make the Web server require client certificates, uncomment the SSLClientAuth directive shown in the httpd.conf file so that it reads:

    SSLClientAuth required

  11. Restart IBM HTTP Server.

  12. Test SSL between a browser and IBM HTTP Server.

  13. Follow the prompts to select a personal certificate if the SSLClientAuth directive is set to required.

  14. To enable the application server to communicate with IBM HTTP Server using port 443, add a host alias on default_host. Click...

    Environment | Virtual Hosts | default host | Host Aliases | New

    Enter the following information in the appropriate fields:

    Host name: *
    Port type: 443

  15. Click Apply and Save to write to the security.xml file.

  16. Click Update Web Server Plugin, and then click OK.

  17. Restart WebSphere Application Server.

  18. Test your connection.
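As an added check after completing the steps (example code written for this page, not an IBM tool), the following Python linter parses the httpd.conf fragment from step 10 and reports when SSL is not enabled on the port 443 virtual host, or when the SSLClientAuth directive is still commented out, which is the state in which the server accepts connections without any client certificate. The key file path in the sample is an assumed placeholder.

```python
# Constructed sample: the VirtualHost block from the procedure above, with the
# SSLClientAuth directive still commented out (the step that is easy to miss).
SAMPLE_CONF = """\
LoadModule  ibm_ssl_module   modules/IBMModuleSSL128.dll
Listen 443
<VirtualHost  droplet.austin.ibm.com:443>
SSLEnable
#SSLClientAuth  required
</VirtualHost>
SSLDisable
Keyfile /opt/IBMHttpServer/serverkey.kdb
"""

def directives(text):
    """Yield (scope, name, args) per effective directive; scope is the <VirtualHost> header or None."""
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the directive is not in effect
        if line.startswith("<VirtualHost"):
            scope = line.strip("<>")
            continue
        if line.startswith("</VirtualHost"):
            scope = None
            continue
        parts = line.split(None, 1)
        yield scope, parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")

def check_mutual_auth(text):
    """Return findings; an empty list means SSL is on for 443 and a client certificate is required."""
    seen = list(directives(text))
    findings = []
    if not any(n == "loadmodule" and "ibm_ssl_module" in a for _, n, a in seen):
        findings.append("IBM SSL module is not loaded")
    if not any(n == "listen" and a == "443" for _, n, a in seen):
        findings.append("no Listen 443")
    if not any(n == "keyfile" and a.endswith(".kdb") for _, n, a in seen):
        findings.append("no KeyFile pointing at a .kdb key database")
    vhosts = {s for s, _, _ in seen if s and s.endswith(":443")}
    if not vhosts:
        findings.append("no VirtualHost on port 443")
    for vh in sorted(vhosts):
        in_vh = {(n, a) for s, n, a in seen if s == vh}
        if ("sslenable", "") not in in_vh:
            findings.append(f"{vh}: SSLEnable missing")
        if ("sslclientauth", "required") not in in_vh:
            findings.append(f"{vh}: SSLClientAuth required is absent or commented out")
    return findings
```

Running check_mutual_auth on the sample reports only the commented-out SSLClientAuth directive; once that line is uncommented the fragment passes with no findings.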


Results

You can connect to the Snoop servlet.

