SSL CONFIGURATION
Configuring the IBM HTTP server to accept inbound SSL traffic
You must first configure the IBM HTTP server to accept inbound SSL traffic. To do this, do the following:
1. Create the IBM HTTP server keys.
2. Create a self-signed digital certificate. This is for a test environment only; in a production environment a self-signed certificate would not be used.
3. Configure the IBM HTTP server to use a certificate.
The following sections explain how to do these tasks.
Creating the IBM HTTP server keys
To create the IBM HTTP server keys, perform the following steps:
1. Create a folder named "keys" on the IBM HTTP server machine under the IHS root directory, for example: IHS_root\ssl\keys.
2. Launch the HTTP server Key Management Utility tool by selecting Start - Programs - IBM HTTP Server - Start Key Management Utility.
3. Select Key Database File - New, and enter the following information (see figure 1):
Key Database Type: CMS key database file
File Name: ihscert.kdb
Location: IHS_root\ssl\keys
Then click OK.
Figure 1. Creating a new key database file
4. At the password prompt (see figure 2), enter a password, and then confirm it.
Figure 2. Password Prompt dialog
5. Uncheck the Set expiration time check box; otherwise you will need to change the password in 60 days. This is acceptable for a test environment, but in a production environment a password expiration would need to be set for security purposes on a live server.
6. Select "Stash the password to a file," and click OK. This enables the HTTP server to make use of the password to gain access to any certificates you store in the key store.
7. If you are creating a self-signed certificate, verify that the following files are now visible in the IHS_root\ssl\keys directory:
ihscert.kdb
ihscert.rdb
ihscert.sth
ihscert.crl
Creating a self-signed digital certificate
To create a self-signed digital certificate, do the following:
1. Launch the HTTP server's Key Management Utility.
2. In the Signer Certificates box, select Personal Certificates. A list of signer certificates appears. These represent the identities of a selection of CAs. (You do not need a CA-signed certificate if you are creating a self-signed certificate.)
3. Optional: Select each certificate and click Delete, then confirm the deletion.
4. Select New Self-Signed. Enter the following information, and click OK:
Field           | Value
Key label       | self-signed
Version         | X509 V3
Key Size        | 1024
Common Name     | Enter the fully qualified host name of the IBM HTTP server, for example, qdsvt06p.cn.ibm.com
Organization    | Enter the organization name, such as Acme Corporation.
Country         | Enter the country, such as US.
Validity Period | 365 days
A new self-signed certificate is created and added to the ihscert.kdb file. From the menu, select Key Database File - Exit.
Configuring the IBM HTTP server to use a certificate
To configure the IBM HTTP server to use a certificate, proceed as follows:
1. Navigate to IHS_root\conf and, with a text editor, make a backup copy of the IBM HTTP server configuration file (httpd.conf) and open it.
2. Add the following lines to the end of the httpd.conf file to implement SSL on the IBM HTTP server:
LoadModule was_ap20_module "C:\IBM\HTTPServer\Plugins\bin\mod_was_ap20_http.dll"
WebSpherePluginConfig "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-cfg.xml"
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
    Listen 0.0.0.0:443
    <VirtualHost *:443>
        ServerName qdsvt06p.cn.ibm.com
        DocumentRoot C:\IBM\HTTPServer\htdocs
        SSLEnable
    </VirtualHost>
</IfModule>
SSLDisable
Keyfile "C:\IBM\IHS\Plugins\config\webserver1\plugin-key.kdb"
SSLStashFile "C:\IBM\IHS\Plugins\config\webserver1\plugin-key.sth"
ErrorLog "C:\IBM\IHS\logs\sslerror.log"
TransferLog "C:\IBM\IHS\logs\sslaccess.log"
...where qdsvt06p.cn.ibm.com (the ServerName value) is the fully qualified DNS name of the HTTP server.
Note: You need to manually create the files named sslerror.log and sslaccess.log under the IHS_HOME/logs/ directory.
3. Save and close the file, and restart the HTTP server.
4. Verify that SSL is working correctly with the IBM HTTP server by going to https://qdsvt06p.cn.ibm.com
(See attached file: httpd.conf)
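As an added check (not from the original page), the following Python lint parses the SSL section of httpd.conf and reports the mistakes that most often leave the listener silently without SSL: unbalanced <IfModule>/<VirtualHost> tags, no Listen on 443, SSLEnable outside the *:443 VirtualHost, a ServerName that is not fully qualified, and Keyfile/SSLStashFile entries that do not name the same key database. The sample configuration is constructed from the block above; the function name and problem messages are my own.

```python
import re
from pathlib import PureWindowsPath
OPEN, CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</(\w+)>$")
SSL_VHOST = ("VirtualHost", "*:443")

def lint_ssl_config(text):
    """Return a list of problems; an empty list means the SSL section passes."""
    problems, stack, top, vhosts = [], [], {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):               # <IfModule ...>, <VirtualHost ...>
            stack.append((m.group(1), m.group(2).strip()))
            if stack[-1] == SSL_VHOST:
                vhosts.append({"SSLEnable": False, "ServerName": ""})
        elif m := CLOSE.match(line):            # </IfModule>, </VirtualHost>
            if not stack or stack.pop()[0] != m.group(1):
                problems.append(f"stray </{m.group(1)}>")
        else:                                   # plain directive: Name value
            name, _, value = line.partition(" ")
            if SSL_VHOST in stack:              # belongs to the *:443 vhost
                vhosts[-1][name] = value.strip().strip('"') or True
            else:
                top.setdefault(name, []).append(value.strip().strip('"'))
    problems += [f"<{name}> is never closed" for name, _ in stack]
    if not any(re.fullmatch(r"(.*:)?443", v) for v in top.get("Listen", [])):
        problems.append("nothing listens on port 443")
    if not any(v["SSLEnable"] is True for v in vhosts):
        problems.append("no <VirtualHost *:443> containing SSLEnable")
    problems += [f"ServerName {v['ServerName']!r} is not fully qualified"
                 for v in vhosts if "." not in v["ServerName"]]
    key, sth = top.get("Keyfile", [""])[0], top.get("SSLStashFile", [""])[0]
    if not (key.lower().endswith(".kdb") and sth.lower().endswith(".sth")):
        problems.append("Keyfile (.kdb) and SSLStashFile (.sth) must both be set")
    elif PureWindowsPath(key).stem != PureWindowsPath(sth).stem:
        problems.append("Keyfile and SSLStashFile name different key databases")
    return problems

# Constructed sample: the SSL lines of the procedure above with their tags restored.
SAMPLE_HTTPD_CONF = r"""
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName qdsvt06p.cn.ibm.com
SSLEnable
</VirtualHost>
</IfModule>
Keyfile "C:\IBM\IHS\Plugins\config\webserver1\plugin-key.kdb"
SSLStashFile "C:\IBM\IHS\Plugins\config\webserver1\plugin-key.sth"
"""
```

Run it against your own httpd.conf with `lint_ssl_config(open(path).read())`; an empty list means the directives this procedure relies on are all present and nested correctly.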
CONFIGURING HTTP SERVER WITH CONNECTIONS CERTIFICATES
Once all of these steps are complete, the HTTP Server has been set up to accept SSL connections. The next step is adding the signed certificates from Connections to the .kdb file. This is explained in the infocenter under the section "Configuring the IBM HTTP Server for SSL".
However, there are sometimes problems with this, as noted in the infocenter; in any case it can also be done another way:
- Extract the Personal Certificate for the WebSphere Application Server node on which the Lotus Connections features are deployed.
a. Open the Integrated Solutions Console of the WebSphere Application Server and click Security > SSL certificate and key management.
b. Click Key stores and certificates, and then click NodeDefaultKeyStore.
Note: In a network deployment, click CellDefaultKeyStore.
c. Click Personal certificates, and then select the check box beside the default certificate.
d. Click Extract and then type a fully-qualified name (on the WebSphere Application Server's file system) in the Certificate file name field.
e. Click OK to extract the file.
Note: If you do not specify a directory path, the certificate is stored in the WAS_HOME\profiles\profile_name\etc path of the WebSphere Application Server.
Make sure to extract these files to a folder accessible to the HTTP Server's IKEYMAN utility, or else copy them to a location that is.
Open the .kdb file created earlier in the IKEYMAN utility and import the certificates that were extracted from the WAS console.
Do this for all of the extracted certificates and restart the HTTP server. You will now be able to use HTTPS with Connections; this is required in order to log in to Connections.
Test this: https://qdsvt06p.cn.ibm.com/activities
LDAP SSL, from the info center: http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/topic/com.ibm.connections.25.help/t_inst_federated_repositories.html
1. Optional: If you are using SSL for LDAP, add a signer certificate to your trust store by completing the following steps:
a. From the WebSphere Application Server Integrated Solutions Console, select Security > SSL Certificate and key management > Key Stores and certificates > CellDefaultTrustStore > Signer Certificate > Retrieve from port.
b. Type the DNS name of the LDAP directory in the Host Name field.
c. Type the secure LDAP port in the Port field (typically 636).
d. Type an alias name, such as LDAPSSLCertificate, in the Alias field.
e. Click Apply.
2. Optional: Verify that users in the LDAP directory have been successfully added to the repository:
a. From the WebSphere Application Server Integrated Solutions Console, select Users and Groups > Manage Users.
b. In the Search for field, enter a user name that you know to be in the LDAP directory and click Search. If the search succeeds, you have partial verification that the repository is configured correctly. However, this check cannot verify the groups that a user belongs to.