About this task
To support SSL, create a self-signed certificate and then configure IBM HTTP Server for SSL traffic. If you use this certificate in production, users might receive warning messages from their browsers. In a typical production deployment, you would use a certificate from a trusted certificate authority.
To configure IBM HTTP Server for SSL, complete the following steps:
- Create a key file.
  - Start the iKeyman user interface. For more information, go to the Starting the Key Management utility page in the IBM HTTP Server information center.
  - Click Key Database File in the main user interface, then click New. Select CMS for the Key database type. IBM HTTP Server does not support database types other than CMS.
  - Enter a name for the new key file. For example, hostname-key.kdb. Click OK.
  - Enter your password in the Password Prompt dialog box, and confirm the password. Select Stash the password to a file and then click OK. The new key database should display in the iKeyman utility with default signer certificates. Ensure that there is a functional, non-expiring signer certificate for each of your personal certificates.
- Create a self-signed certificate:
  - Start the iKeyman user interface.
  - Click Key Database File and then click Open.
  - Enter your key file name in the Open dialog box and click OK.
  - In the Password Prompt dialog box, enter your password and click OK.
  - Click Personal Certificates in the Key Database content frame, and then click the New Self-Signed radio button.
  - Enter the required information about the key file, your web server, and organization in the dialog box.
  - Click OK.
  Note: Save the new self-signed certificate with a unique file name; do not overwrite the default Plugin-key.kdb file because that file might be accessed by other applications.
- Stop IBM HTTP Server.
- Log in to the WebSphere® Application Server Integrated Solutions Console for the Deployment Manager and select Servers -> Server types -> Web servers.
- From the list of web servers, click the web server that you defined for this profile.
- On the Configuration page for this web server, click Edit beside the Configuration file name field. This action opens the httpd.conf configuration file on the Deployment Manager.
- Add the following text to the end of the configuration file:
  LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
  - <server_name> is the host name of the IBM HTTP Server.
  - <path_to_key_file> is the path to the key file that you created with the iKeyman utility.
  - <path_to_stash_file> is the path to the associated stash file.
  - Keyfile: /usr/IBM/keyfiles/<key_file>.kdb
  - SSLStashFile: /usr/IBM/keyfiles/<key_file>.sth
  - Keyfile: /opt/IBM/keyfiles/<key_file>.kdb
  - SSLStashFile: /opt/IBM/keyfiles/<key_file>.sth
  - Microsoft™ Windows™:
    - Keyfile: C:\IBM\keyfiles\<key_file>.kdb
    - SSLStashFile: C:\IBM\keyfiles\<key_file>.sth
  where <key_file> is the name that you have given to your key file and stash file.
- Click Apply and then click OK.
- Restart IBM HTTP Server to apply the changes.
- Test the new configuration: Open a web browser and ensure that you can successfully reach https://<server_name>. You might be prompted to accept the self-signed certificate on your browser.
Connections users can access applications through the SSL protocol.
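A consistency check for the SSL section of httpd.conf that can be run before restarting the server, added here as an example (it is not IBM's code): it confirms that ibm_ssl_module is loaded, that Keyfile and SSLStashFile are both set and share one <key_file> name, that the key database is a .kdb file, and that the default Plugin-key.kdb is not reused. The sample configuration, host name and key file name are constructed; its VirtualHost and SSLEnable lines are assumed from standard IBM HTTP Server usage, not taken from this page.

```python
import re

# Constructed sample of an httpd.conf SSL section (not from the original page);
# www.example.com and connections-key are made-up values.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<VirtualHost *:443>
ServerName www.example.com
SSLEnable
</VirtualHost>
Keyfile "/opt/IBM/keyfiles/connections-key.kdb"
SSLStashFile "/opt/IBM/keyfiles/connections-key.sth"
"""

def directives(conf_text):
    """Return {lower-cased directive: [argument strings]}, skipping comments and <tags>."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(arg)
    return found

def name_parts(path):
    """Split a POSIX or Windows path into (file stem, lower-cased extension)."""
    stem, _, ext = re.split(r"[\\/]", path)[-1].rpartition(".")
    return stem, ext.lower()

def check_ssl_conf(conf_text):
    """List the ways conf_text departs from the setup described in the steps above."""
    d, problems = directives(conf_text), []
    if not any(a.split()[:1] == ["ibm_ssl_module"] for a in d.get("loadmodule", [])):
        problems.append("ibm_ssl_module is not loaded")
    for name in ("Keyfile", "SSLStashFile"):
        if name.lower() not in d:
            problems.append(f"{name} is missing")
    keyfiles, stashes = d.get("keyfile", []), d.get("sslstashfile", [])
    for kf in keyfiles:
        stem, ext = name_parts(kf)
        if ext != "kdb":
            problems.append(f"{kf}: not a CMS (.kdb) key database")
        if stem.lower() == "plugin-key":
            problems.append(f"{kf}: reuses the default Plugin-key.kdb")
        if stashes and (stem, "sth") not in [name_parts(s) for s in stashes]:
            problems.append(f"{kf}: no stash file named {stem}.sth")
    return problems
```

Calling check_ssl_conf() on the text of the edited httpd.conf returns an empty list when the section is consistent, otherwise one message per problem.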
If you receive an error message about failing to load a GSK library (libgsk7ssl.so), install the libgsk7ssl.so GSK library. For more information, go to the following Support page: Failure attempting to load GSK library when using SSL with IBM HTTP Server
What to do next
For more information about securing web communications, go to the IBM WebSphere Application Server Information Center or read the IBM WebSphere Application Server V7.0 Security Handbook.
For more information about the key store and setting up the IBM HTTP Server, see the Securing communications topic in the WebSphere Application Server Information Center.
The key file can be shared between two web servers, thus providing failover capability.