Configure SSL between the IHS Administration Server and the deployment manager

 


Configure SSL between the deployment manager for WAS and the IHS administration server (adminctl).

When adminctl attempts to connect through SSL and WAS is not configured, the dmgr log might contain an error that is similar to...

-CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=localhost" was sent from target host:port "null:null".

The signer may need to be added to local trust store...

c:/WAS70/profiles/Dmgr01/config/cells/rjrCell02/trust.p12

...located in SSL configuration alias "CellDefaultSSLSettings" loaded from SSL configuration file "security.xml".

The extended error message from the SSL handshake exception is:

-IOException javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found

  1. Generate a self-signed server certificate.

    • For distributed systems, use iKeyman to create a self-signed certificate for adminctl, and save the certificate as...

      /conf/admin.kdb

      Best practice: Make note of the password and select...

      Stash password to a file

      The following fields are required for the certificate:

      Label

      adminselfSigned

      Common Name

      fully_qualified_host_name

    • For z/OS: IHS uses the z/OS gskkyman tool for key management to create...

      • a CMS key database file
      • public and private key pairs
      • self-signed certificates

      Alternatively, you can create a SAF keyring in place of a CMS key database file.

  2. Extract the self-signed certificate to a file using the iKeyman utility.

    1. Select the certificate created in Step 1.

      For example...

      adminselfSigned

    2. Click Extract Certificate.

      The recommended file name for extraction is...

      C:\Program Files\IBM\HTTPServer\conf\cert.arm

      Do not change the data type.

  3. Modify the Administration Server configuration file, which is named admin.conf.

    1. Configure the file to load the IBM SSL module. Uncomment the following line:

      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

    2. Enable SSL and define a key file to use.

      Uncomment the following lines to enable SSL and define a key file to use:

      SSLEnable
      SSLServerCert default
      Keyfile "C:/Program Files/IBM/HTTPServer5/conf/admin.kdb"

      The key file directive must match the name and location of a valid key file that is installed on your system.

      You must have IBM SSL support installed for this to work.

      The "default" in SSLServerCert is the label, or name, of the self-signed certificate that was created when the plugin-key.kdb file was created.

      The previous example uses SSLServerCert because the default self-signed certificate in the plugin-key.kdb is not flagged as the default certificate.

  4. Start the administration server for IBM HTTP Server (adminctl).

    Verify that the log file does not contain GSKit errors.

  5. Log in to the Administrative Console for WAS and start the deployment manager.

  6. Select...

    Security | SSL certificate and key management | Manage endpoint security configurations

    You are directed to a list of inbound and outbound endpoints.

  7. Select the outbound cell (cellDefaultSSLSettings,null).

    Select outbound cells because, in this setup, the Administration Console for WAS is the client, and the IBM HTTP Server Administration Server is the server.

    This setup is the opposite configuration from an SSL setup with the IHS plugin and WAS.

  8. In the Related Items section, click...

    Key stores and certificates | CellDefaultTrustStore | [Additional Properties] Signer Certificates

  9. FTP the certificate file to WAS. Do not change the data type.

  10. In the collection panel for Signer Certificates, click Add.

    Enter the following information in the fields.

    Name        Value
    Alias       adminselfSigned
    File name   file_name

    For example, enter the following:

    c:\program files\ibm\httpserver\conf\cert.arm

  11. Save the configuration changes to the admin console.

  12. Stop the deployment manager.

  13. Start the deployment manager.

The IHS administration server and Application Server are now configured to use SSL transactions.
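
Steps 9 and 10 move a trust anchor over FTP and then add it to CellDefaultTrustStore, so it is worth confirming that the file that arrived on the WAS host carries the same certificate that was extracted on the IHS host, and that adminctl presents that certificate. The following Python sketch is an added example, not part of the IBM documentation. It assumes cert.arm is Base64-armored, the helper names are hypothetical, and the sample bytes are constructed stand-ins rather than a real certificate.

```python
import base64
import hashlib
import re
import ssl

ARMOR = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, not a real certificate: fingerprinting only
# needs the decoded body, so the demo runs without a key database.
SAMPLE_DER = bytes(range(200))


def armor(der):
    """Wrap DER bytes in Base64 armor, as an extracted .arm file would be."""
    return ssl.DER_cert_to_PEM_cert(der)


def arm_to_der(arm_text):
    """Decode the first armored certificate in arm_text to DER bytes."""
    match = ARMOR.search(arm_text)
    if match is None:
        raise ValueError("no Base64-armored certificate found")
    body = "".join(match.group(1).split())  # drop CR, LF and spaces
    return base64.b64decode(body, validate=True)


def arm_fingerprint(arm_text):
    """SHA-256 over the DER bytes, so CRLF/LF rewrites do not matter."""
    return hashlib.sha256(arm_to_der(arm_text)).hexdigest()


def same_certificate(source_arm, received_arm):
    """True when both files carry the identical certificate."""
    return arm_fingerprint(source_arm) == arm_fingerprint(received_arm)


def live_fingerprint(host, port):
    """Fingerprint of the certificate host:port presents; fetched only to compare."""
    return arm_fingerprint(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    sent = armor(SAMPLE_DER)
    received = sent.replace("\n", "\r\n")    # line endings rewritten in transit
    print(same_certificate(sent, received))
```

Run arm_fingerprint on the cert.arm contents on both hosts and compare the values before clicking Add in step 10. After step 4, live_fingerprint with the adminctl host name and port should return the same value.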


 
