The chapter describes how to configure Secure Socket Layer (SSL) with the HTML Server, and includes the following tasks:
SSL requires a Signed Personal Certificate. You can either request a CA-Signed Personal Certificate directly from IBM, or you can generate a Self-Signed Certificate yourself. This task describes how to generate and use a Self-Signed Certificate. For production environments, we recommend you request one from CA. For instructions to request a CA-Signed Personal Certificate, refer to the IBM Info Center.
Create a folder named keys in the HTTP Server installation directory.
Start the iKeyman utility, which is located in the bin directory of your HTTP Server. For example:
/u01/IBM/WebSphere/AppServer/bin
In the iKeyman utility, create a Key Database File by navigating Key Database File > New.
At the prompt, enter the following information:
Key Database Type = CMS
Only CMS is supported with the IBM HTTP Server.
File Name = serverkey.kdb
Location = /u01/IBM/HTTPServer/keys
Enter the password (for example, "serverkey") and select the option to stash the password to a file.
Click the OK button.
From the drop down box, select Personal Certificates.
Click New Self-Signed.
Enter the following information on the screen that appears:
Key Label = any label (for example, server_cert)
Version = X509 V3
Key Size = 1024
Common Name = Fully Qualified Server Name (for example, denicint2.mlab.jdedwards.com)
Organization = your organization name (for example, Oracle).
Country or region = US
Validity Period = 365 days
A sample screen shot is provided below:
On Create New Self-Signed Certificate, after the fields are complete click the OK button.
The program displays your certificate in the list.
Delete all the other certificates.
Open the httpd.conf file in a text editor, and add the following virtual host definition.
Note:
The text in the httpd.conf file is case sensitive; type the host definition exactly as shown. If you have already configured a port on the HTTP Server (for example, port 91), the file will include an Alias. Use the same alias under your Virtual Host definition as described here.
# Example SSL configuration which supports SSLv3 and TLSv1
# To enable this support:
# 1) Create a key database with ikeyman
# 2) Update the KeyFile directive below to point to that key database
# 3) Uncomment the directives up through the end of the example
# Note: The IPv6 Listen directive must only be uncommented if
# IPv6 networking is enabled.
#
# uncomment below line to enable ssl
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
# IPv6 support:
# Listen [::]:443
<VirtualHost *:443>
Alias /jde "/u01/IBM/WebSphere/AppServer/profiles/AppSrv02/installedApps/denicint2Node01Cell/EA_JS_91.ear/webclient.war"
SSLEnable
SSLProtocolDisable SSLv2
</VirtualHost>
# WEB-INF holds web.xml and the application classes; the directory name
# must be spelled exactly as on disk (hyphen, upper case) or the Deny has no effect.
<Directory "/u01/IBM/WebSphere/AppServer/profiles/AppSrv02/installedApps/denicint2Node01Cell/EA_JS_91.ear/webclient.war/WEB-INF">
Order Deny,Allow
Deny from All
</Directory>
<Directory "/u01/IBM/WebSphere/AppServer/profiles/AppSrv02/installedApps/denicint2Node01Cell/EA_JS_91.ear/webclient.war">
Order Deny,Allow
Allow from All
</Directory>
</IfModule>
# KeyFile names the key database created in iKeyman above
KeyFile /u01/IBM/HTTPServer/keys/serverkey.kdb
SSLDisable
# End of example SSL configuration
This definition is taken from the httpd.conf file itself. It is advisable to back up the httpd.conf file before making changes to it. After the IBM HTTP Server SSL configuration, test the setup by entering the following URL:
https://<machine_name>:443/
A sample screen shot of the expected result is as below:
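The following checker is an added example and not part of the Oracle documentation or the IBM HTTP Server product. It reads the SSL virtual host definition out of an httpd.conf and reports the mistakes that silently break this chapter's setup: the module not loaded, no listener on 443, a KeyFile that does not name the database created in iKeyman, obsolete protocols left enabled, and a WEB-INF Directory block whose path does not match the directory on disk. The sample configuration embedded below is constructed for the demonstration; its WEB_INF spelling, unmatched key file name and missing SSLv3 entry are deliberate so that the checks have something to report.

```python
import re

# Constructed sample for this demonstration: the chapter's virtual host with
# three deliberate mistakes (WEB_INF, a KeyFile that does not match the
# database created in iKeyman, and SSLv3 left enabled).
WAR = ("/u01/IBM/WebSphere/AppServer/profiles/AppSrv02/installedApps/"
       "denicint2Node01Cell/EA_JS_91.ear/webclient.war")
SAMPLE_CONF = """\
# uncomment below line to enable ssl
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
Alias /jde "%(war)s"
SSLEnable
SSLProtocolDisable SSLv2
</VirtualHost>
<Directory "%(war)s/WEB_INF">
Order Deny,Allow
Deny from All
</Directory>
<Directory "%(war)s">
Order Deny,Allow
Allow from All
</Directory>
</IfModule>
KeyFile /u01/IBM/HTTPServer/keys/WebServerKeys.kdb
SSLDisable
""" % {"war": WAR}

# The same text with the three mistakes corrected.
FIXED_CONF = (SAMPLE_CONF
              .replace("/WEB_INF", "/WEB-INF")
              .replace("WebServerKeys.kdb", "serverkey.kdb")
              .replace("SSLProtocolDisable SSLv2", "SSLProtocolDisable SSLv2 SSLv3"))

# Path of the key database created in the iKeyman step of this chapter.
EXPECTED_KEYFILE = "/u01/IBM/HTTPServer/keys/serverkey.kdb"


def active_lines(conf):
    """Return non-empty, non-comment lines with surrounding whitespace removed."""
    return [ln.strip() for ln in conf.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def directory_blocks(lines):
    """Collect (path, [directives]) for every <Directory ...> section."""
    blocks, current, path = [], None, None
    for ln in lines:
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', ln, re.IGNORECASE)
        if m:
            path, current = m.group(1), []
        elif ln.lower() == "</directory>" and current is not None:
            blocks.append((path, current))
            current = None
        elif current is not None:
            current.append(ln)
    return blocks


def check_ssl_config(conf, expected_keyfile):
    """Return a list of findings; an empty list means the definition looks right."""
    lines = active_lines(conf)
    findings = []

    if not any(ln.startswith("LoadModule ibm_ssl_module") for ln in lines):
        findings.append("mod_ibm_ssl is not loaded, so the SSL directives are ignored")
    if not any(re.match(r"Listen\s+(\S+:)?443$", ln) for ln in lines):
        findings.append("no Listen directive for port 443")
    if "SSLEnable" not in lines:
        findings.append("SSLEnable is missing from the virtual host")

    # KeyFile must name the database created in iKeyman; the path is case sensitive.
    keyfiles = [ln.split(None, 1)[1] for ln in lines if ln.startswith("KeyFile ")]
    if keyfiles != [expected_keyfile]:
        findings.append("KeyFile %s does not match %s" % (keyfiles, expected_keyfile))

    # The chapter disables SSLv2; SSLv3 is equally obsolete and should go too.
    disabled = set()
    for ln in lines:
        if ln.startswith("SSLProtocolDisable"):
            disabled.update(ln.split()[1:])
    for proto in ("SSLv2", "SSLv3"):
        if proto not in disabled:
            findings.append("%s is not disabled" % proto)

    # The Deny block only protects WEB-INF if the name matches the directory on disk.
    protected = False
    for path, directives in directory_blocks(lines):
        tail = path.rstrip("/").rsplit("/", 1)[-1]
        denied = any(d.lower() == "deny from all" for d in directives)
        if tail == "WEB-INF" and denied:
            protected = True
        elif tail.upper().replace("_", "-") == "WEB-INF" and tail != "WEB-INF":
            findings.append("Directory %r does not match WEB-INF on disk (case and hyphen matter)" % path)
    if not protected:
        findings.append("no Directory block denies access to WEB-INF")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print("%s: %s" % (name, check_ssl_config(conf, EXPECTED_KEYFILE) or "no findings"))
```

Run it against your own file with `check_ssl_config(open("httpd.conf").read(), EXPECTED_KEYFILE)` before restarting the server. The checker is stricter than the chapter in one respect: it expects SSLv3 to be disabled as well as SSLv2, since SSLv3 is no longer considered safe. The same reasoning applies to the 1024-bit key size in the iKeyman step above, where 2048 bits is the minimum current guidance recommends for an RSA certificate.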
Log on to your WebSphere Admin Console.
Navigate to Environment > Virtual Hosts.
Select your virtual host.
For example, if you initially installed your application on port 91, then the virtual host should be VH_EA_JS_91.
Under the virtual host, select Additional Properties > Host Aliases.
Under Host Aliases, click New.
A sample screen shot is provided below:
Create a new host alias using the fully qualified name of the server and a port number of 443.
Host: *
Port: 443 (Default SSL Port)
Regenerate and propagate the HTTP Server plug-in file and restart your HTTP Server.
Restart the Application Server.
You should be able to log in to the following URL:
https://fully_qualified_server_name/jde/E1Menu.maf
Note:
If SSL is activated, the system uses https instead of the http protocol.
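The host alias steps above can also be scripted, which makes the change repeatable across environments and leaves a record of what was added. The wsadmin Jython script below is an added example, not part of the Oracle documentation or the WebSphere product. It uses the virtual host name VH_EA_JS_91 and the *:443 alias from the chapter; the script file name in the comment is an assumption. AdminConfig is the object wsadmin provides to every script; it is passed in as a parameter so the function can also be exercised outside wsadmin with a stand-in object.

```python
# Run inside wsadmin, for example (file name is an assumption):
#   wsadmin.sh -lang jython -f add_ssl_alias.py
# AdminConfig is supplied by wsadmin; outside wsadmin pass any object with
# the same getid/list/showAttribute/create/save methods.


def host_aliases(AdminConfig, vhost_id):
    """Return the (hostname, port) pairs already defined on the virtual host."""
    ids = [i for i in AdminConfig.list("HostAlias", vhost_id).splitlines() if i]
    return [(AdminConfig.showAttribute(i, "hostname"),
             AdminConfig.showAttribute(i, "port")) for i in ids]


def add_ssl_host_alias(AdminConfig, vhost_name, hostname="*", port="443"):
    """Add hostname:port to the named virtual host unless it is already there.

    Returns True when an alias was created and saved, False when the alias
    already existed; raises ValueError if the virtual host cannot be found.
    """
    vhost_id = AdminConfig.getid("/VirtualHost:%s/" % vhost_name)
    if not vhost_id:
        raise ValueError("virtual host %s not found" % vhost_name)
    if (hostname, port) in host_aliases(AdminConfig, vhost_id):
        return False
    # Attribute list in the Jython list form wsadmin accepts.
    AdminConfig.create("HostAlias", vhost_id,
                       [["hostname", hostname], ["port", port]])
    AdminConfig.save()
    return True


# wsadmin reports __name__ as "main"; plain Python uses "__main__".
if __name__ in ("__main__", "main"):
    if add_ssl_host_alias(AdminConfig, "VH_EA_JS_91"):
        print("Added *:443 to VH_EA_JS_91; regenerate and propagate the plug-in, then restart.")
    else:
        print("VH_EA_JS_91 already has a *:443 alias; nothing changed.")
```

The duplicate check matters because the console silently accepts a second identical alias, and the plug-in regeneration and restarts from the steps above are still required after the script saves the configuration.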