B Configuring Secure Socket Layer with the HTML Server

This chapter describes how to configure Secure Socket Layer (SSL) with the HTML Server, and includes the following tasks:

B.1 Configuring SSL on the IBM HTTP Server

SSL requires a Signed Personal Certificate. You can either request a CA-Signed Personal Certificate directly from IBM, or you can generate a Self-Signed Certificate yourself. This task describes how to generate and use a Self-Signed Certificate. For production environments, we recommend that you request one from a CA. For instructions on requesting a CA-Signed Personal Certificate, refer to the IBM Info Center.

  1. Create a folder named keys in the HTTP Server installation directory.

  2. Start the Key Management Utility by navigating the following path:

    Start > Programs > IBM HTTP Server > Start Key Management Utility

    Alternatively, you can use a script found in this directory:

    Z:\IBM\HTTPServer\bin

  3. In the IBM Key Management utility, create a Key Database File by navigating Key Database File > New.

  4. At the prompt, enter the following information:

    • Key Database Type = CMS

      Only CMS is supported with the IBM HTTP Server.

    • File Name = serverkey.kdb

    • Location = x:\IBM\HTTPServer\keys

      where x: is the drive on which you installed the IBM HTTP Server.

  5. Enter the password (for example, "serverkey") and select the option to stash the password to a file.

  6. Click the OK button.

  7. From the drop down box, select Personal Certificates.

  8. Click New Self-Signed.

  9. Enter the following information on the screen that appears:

    • Key Label = Enter any label (for example, server_cert)

    • Version = X509V3

    • Key Size = 1024

    • Common Name = Fully Qualified Server Name (for example, denicint2.mlab.jdedwards.com)

    • Organization = your organization name (for example, Oracle).

    • Country or region = US

    • Validity Period = 365 days

    A sample screen shot is provided below:

  10. On Create New Self-Signed Certificate, after the fields are complete, click the OK button.

    The program displays your certificate in the list.

  11. Delete all the other certificates.

  12. Open the httpd.conf file in a text editor, and add the following virtual host definition.

    Note:

    The text in the httpd.conf is case sensitive; type the host definition exactly as shown.

    If you have already configured a port on the HTTP Server (for example, port 91), the file will include an Alias. Use the same alias under your Virtual Host definition as described here.

    # Example SSL configuration which supports SSLv3 and TLSv1
    # To enable this support:
    #   1) Create a key database with ikeyman
    #   2) Update the KeyFile directive below to point to that key database
    #   3) Uncomment the directives up through the end of the example
    #      Note: The IPv6 Listen directive must only be uncommented if
    #      IPv6 networking is enabled.
    #
    # uncomment below line to enable ssl
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    <IfModule mod_ibm_ssl.c>
    Listen 0.0.0.0:443
    # IPv6 support:
    # Listen [::]:443
    <VirtualHost *:443>
    Alias /jde "Z:\IBM\WebSphere\AppServer\profiles\AppSrv02\installedApps\denicint2Node01Cell\EA_JS_91.ear\webclient.war"
    SSLEnable
    SSLProtocolDisable SSLv2
    </VirtualHost>
    # Block direct access to the WAR's WEB-INF directory (the name uses a hyphen)
    <Directory "Z:\IBM\WebSphere\AppServer\profiles\AppSrv02\installedApps\denicint2Node01Cell\EA_JS_91.ear\webclient.war\WEB-INF">
    Order Deny,Allow
    Deny from All
    </Directory>
    <Directory "Z:\IBM\WebSphere\AppServer\profiles\AppSrv02\installedApps\denicint2Node01Cell\EA_JS_91.ear\webclient.war">
    Order Deny,Allow
    Allow from All
    </Directory>
    </IfModule>
    # KeyFile must point to the key database created in step 4
    KeyFile Z:\IBM\HTTPServer\keys\serverkey.kdb
    SSLDisable
    # End of example SSL configuration
    

    This definition is taken from the httpd.conf file itself. It is advisable to back up the httpd.conf file before making changes to it. After completing the IBM HTTP Server SSL configuration, test the setup by entering the following URL:

    https://<machine_name>:443/

    A sample screen shot of the expected result is as below:

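A check for the virtual host definition in step 12, as an added example that is not part of the original guide and not an IBM tool: it parses httpd.conf text and reports SSL settings that would leave the listener misconfigured. The `audit` helper, the shortened sample paths and the expected key database name (taken from step 4) are assumptions; flagging SSLv3 goes beyond the page, whose example disables only SSLv2.

```python
from pathlib import PureWindowsPath

# Constructed sample modelled on the step 12 definition (paths shortened).
SAMPLE = r'''
<IfModule mod_ibm_ssl.c>
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
</VirtualHost>
<Directory "Z:\apps\webclient.war\WEB_INF">
Deny from All
</Directory>
</IfModule>
KeyFile Z:\IBM/HTTPServer\keys\WebServerKeys.kdb
'''

def audit(conf, expected_kdb="serverkey.kdb"):
    """Return findings for an SSL block (hypothetical helper, not an IBM tool)."""
    stack, disabled, denied = [], set(), []
    ssl_in_vhost, keyfile = False, None
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # closing tag: leave the section
            del stack[-1:]
        elif line.startswith("<"):         # opening tag: enter the section
            stack.append(line[1:-1].strip())
        else:
            name, _, args = line.partition(" ")
            kind, _, target = (stack[-1] if stack else "").partition(" ")
            if name.lower() == "sslenable" and kind.lower() == "virtualhost":
                ssl_in_vhost = True
            elif name.lower() == "sslprotocoldisable":
                disabled |= {a.lower() for a in args.split()}
            elif name.lower() == "keyfile":
                keyfile = PureWindowsPath(args.strip().strip('"')).name
            elif line.lower() == "deny from all" and kind.lower() == "directory":
                denied.append(PureWindowsPath(target.strip().strip('"')).name)
    findings = []
    if not ssl_in_vhost:
        findings.append("SSLEnable is not set inside a <VirtualHost>")
    for proto in ("SSLv2", "SSLv3"):       # both are obsolete protocol versions
        if proto.lower() not in disabled:
            findings.append(f"{proto} is not listed in SSLProtocolDisable")
    if keyfile is None or keyfile.lower() != expected_kdb.lower():
        findings.append(f"KeyFile names {keyfile}, expected {expected_kdb}")
    if "WEB-INF" not in (d.upper() for d in denied):
        findings.append("no <Directory> ending in WEB-INF has 'Deny from All'")
    return findings
```

Run `audit(open(path).read())` against a copy of httpd.conf before restarting the HTTP Server; an empty list means none of the four checks failed.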

B.2 Configuring SSL on IBM WebSphere

  1. Log on to your WebSphere Admin Console.

  2. Navigate to Environment > Virtual Hosts.

  3. Select your virtual host.

    For example, if you initially installed your application on port 91, then the virtual host should be VH_EA_JS_91.

  4. Under the virtual host, select Additional Properties > Host Aliases.

  5. Under Host Aliases, click New.

    A sample screen shot is provided below:

  6. Create a new host alias using the fully qualified name of the server and a port number of 443.

    • Host: *

    • port: 443 (Default SSL Port)

  7. Regenerate and propagate the HTTP Server plug-in file and restart your HTTP Server.

  8. Restart the Application Server.

    You should be able to log in to the following URL:

    https://fully_qualified_server_name/jde/E1Menu.maf

    Note:

    If SSL is activated, the system uses https instead of the http protocol.