This section describes the overall tasks that are required to configure SSL. Some of these tasks are performed on the IBM® WebSphere® Application Server and the Web server. The steps that refer to the WebSphere Application Server and the Web server are summarized here; you should refer to the WebSphere Application Server and the Web server documentation for more detailed information. Steps that are unique to Lotus® Quickr™ are described in detail here.
This procedure might be slightly different if a front-end security proxy server such as IBM Tivoli® Access Manager for e-business WebSEAL is used. In that case, the front-end security server handles the client SSL connections. The Web server receives connections from the front-end security proxy server. Mutually authenticated SSL could be configured in the Web server and the front-end security proxy server if needed. This is highly dependent on the security requirements of each deployment.
If you plan to use a Tivoli Access Manager WebSEAL TAI with an SSL junction, perform only steps 1-2 of this procedure.
If only the login process should be secured over SSL, perform the first two steps and then go to Configuring SSL only for the login process.
- Configure the Web server to support HTTPS. This involves setting up the Web server to accept inbound connections from client browsers over SSL. Depending on the Web server you want to use, other software may have to be installed on the Web Server machine, for instance Microsoft® Internet Information Server and Microsoft Certificate Service. The Web server must have a port defined (usually 443), and the necessary certificates and keys must be installed. Go to Securing with SSL communications for information on how to enable SSL on an IBM HTTP Server.
Note: See the Security planning overview section of the WebSphere Application Server information center for details on digital certificates planning and configuration.
In configurations where the Web server and Lotus Quickr reside on separate machines, requests to the Web server are rerouted to the application server. Under these circumstances, you can also configure SSL between the Web server and the application server to provide more complete security. This requires that you create additional key files for the Web server plug-in and for the embedded HTTPS transport of WebSphere Application Server. In a cluster environment, refer to http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/tsec_defsslrepkey.html for an explanation of how the key files and trust files of the deployment manager must be manually copied to each node in the cell as part of enabling SSL. For detailed instructions on configuring SSL between the Web server and the application server, refer to the section entitled "731 Secure the transport channel between Web server and WebSphere" of the IBM WebSphere Application Server V6.1 Security Handbook, SG24-6316-00. The settings described in this section apply to any level of WebSphere Application Server V6.0 or higher.
If this is a production environment, you must obtain a certificate from a certificate authority. For testing purposes, you can use IKEYMAN to generate a self-signed certificate. Refer to the Managing digital certificates section of the WebSphere Application Server information center.
For Internet Information Server, create SSL keys by using the Web server's Version 6.0 resource tool kit.
Note: If you are using SSL with Microsoft Windows® Vista, and the SSL configurations on both the client browser and WebSphere Application Server have only the SSLv3 protocol configured, SSL connections might fail if you use only SSLv3 AES ciphers in both the server and client.
Note: Always create a new SSL repository for the external Web server and change the WebSphere_Portal server's secure transport channel to use the new SSL repository. Do not modify the default SSL repository.
Add or change the following two property parameters in configuration services, as described in Setting configuration properties:
Add or change the following SOAP timeout parameter in soap.client.props, as described in Java Management Extensions connector properties.
To update the transport security constraints, go to Configuring server with HTTPS for SSL.