Saturday, April 7, 2018

SSL CONFIGURATION | WEBSPHERE 8.5 | STEP BY STEP




Step By Step - SSL Configuration in WebSphere Application Server 8.5



Part 1: Creating a self-signed digital certificate

Step 1 : Create a directory /websphere/ssl to store all files required for the SSL setup.
Step 2 : Start the ikeyman utility of IBM HTTP Server from the <IHS_ROOT>/bin directory.
# ./ikeyman.sh
Step 3 : Click the New menu item under the Key Database File menu.
Step 4 : Select CMS as the key database type.
Step 5 : Click the OK button.
Step 6 : When the password prompt appears, give a password to secure the new key ring, say “websphere”.
Step 7 : Check the "Stash password to a file" option.
Step 8 : Click the OK button.
























Step 9 : Select Personal Certificates from the drop-down.
Step 10 : Click the New Self-Signed button.
Step 11 : A new window opens and asks for the details needed to create the digital certificate.
Step 12 : Give a meaningful name for the key label.
Step 13 : Note this down, as we need it later.
Step 14 : Leave the default values for Version, Key Size and Signature Algorithm.
Step 15 : Click the OK button.

A Self-Signed Digital Certificate is generated and added to the key database.

Step 16 : Exit the ikeyman tool.



Conclusion : We have created a key database (kdb file) and added a Self-Signed Digital Certificate to it.

Part 2: Adding SSL to the IHS virtual host configuration

In this part, we will configure IBM HTTP Server to use the SSL port 443 and point it to the database holding the Digital Certificate.

Step 1 : Change to <IHS_ROOT>/bin directory and stop IBM HTTP Server, if it is running.

# ./apachectl stop

Step 2 : Add the following text to the bottom of the httpd.conf file under the <IHS_ROOT>/conf directory, just above the plug-in configuration.


Listen 0.0.0.0:443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLServerCert ihs_key_label
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "<IHS_ROOT>/bin/key.kdb"
SSLV3Timeout 1000



Please Note : The string given for SSLServerCert is the key label used while generating the digital certificate. Also replace <IHS_ROOT> with the correct path, so that KeyFile points to the key database created in Part 1.


Step 3 : Verify that the SSL module is uncommented in the httpd.conf file; if it is not, uncomment the following line.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so


Step 4 : Start IBM HTTP Server from the <IHS_ROOT>/bin directory.
# ./apachectl start



Part 3: Propagating the keyring file from WAS to the web server


The next step is to propagate the WAS keyring file to IBM HTTP Server, so that the web server can talk to WAS over SSL.

Step 1 : Expand Servers | Expand Server Types | Click Web servers.










Step 2 : Click on <web_server_name>.
Step 3 : Click on Plug-in properties under the Additional Properties section.
Step 4 : Click on the Copy to Web server key store directory button.






















Step 5 : Check for additional files apart from plugin-cfg.xml under the <IHS_ROOT>/Plugins/config/<webserver_name> directory, as shown below.

/opt/IBM/HTTPServer/Plugins/config/webserver2$ ls -l
total 20
-rw-r--r-- 1 wasadmin wasadmin 3966 2018-04-07 12:11 plugin-cfg.xml
-rw-r--r-- 1 wasadmin wasadmin 10080 2018-04-08 19:12 plugin-key.kdb
-rw-r--r-- 1 wasadmin wasadmin 129 2018-04-08 19:12 plugin-key.sth


Step 6 : Restart IBM HTTP Server.
# ./apachectl stop
# ./apachectl start


Step 7 : Open a browser and type the following URL, with the IP Address of the host running IBM HTTP Server :
https://<IP_ADDRESS>/snoop

Step 8 : The snoop page returned by the web server indicates correct functioning of the web server and WAS.
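
A check that can be run against httpd.conf before the restart in Step 6, added here as an example (it is not part of the original post or of IBM's tooling): it reports whether mod_ibm_ssl is loaded, whether SSLv2 and SSLv3 are both named on SSLProtocolDisable, and whether the KeyFile database or its .sth stash file is world-readable, as plugin-key.kdb and plugin-key.sth are in the Step 5 listing. The function names and finding labels are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit an IHS httpd.conf for the SSL directives used above.
# Prints one finding per line and nothing when every check passes.
# Simplification: directives are collected file-wide, not per <VirtualHost>.

# world_readable FILE: true if FILE exists and "other" has read permission.
world_readable() {
    [ -e "$1" ] && [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

audit_ihs_ssl() {
    conf=$1
    # Look at active directives only: drop comment lines.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # mod_ibm_ssl provides SSLEnable, KeyFile and the other SSL directives.
    printf '%s\n' "$active" |
        awk '$1 == "LoadModule" && $2 == "ibm_ssl_module" { found = 1 } END { exit !found }' ||
        echo "MODULE: ibm_ssl_module is not loaded"

    # Collect every protocol named on any SSLProtocolDisable line.
    disabled=$(printf '%s\n' "$active" |
        awk '$1 == "SSLProtocolDisable" { for (i = 2; i <= NF; i++) print $i }')
    for proto in SSLv2 SSLv3; do
        printf '%s\n' "$disabled" | grep -qx "$proto" ||
            echo "PROTOCOL: $proto is not explicitly disabled"
    done

    # KeyFile names the .kdb; the stash file has the same name ending in .sth.
    # The stash file lets the server open the .kdb without a password prompt,
    # so any account that can read both files can use the private key.
    kdb=$(printf '%s\n' "$active" |
        awk '$1 == "KeyFile" { gsub(/"/, "", $2); print $2; exit }')
    if [ -z "$kdb" ]; then
        echo "KEYFILE: no KeyFile directive"
    elif [ ! -f "$kdb" ]; then
        echo "KEYFILE: $kdb does not exist"
    else
        for f in "$kdb" "${kdb%.kdb}.sth"; do
            if world_readable "$f"; then echo "PERMS: $f is world-readable"; fi
        done
    fi
}

# Usage: sh audit_ihs_ssl.sh /path/to/httpd.conf
if [ $# -gt 0 ]; then audit_ihs_ssl "$1"; fi
```

Run against the Part 2 snippet as written, it reports that SSLv3 is not explicitly disabled; the PERMS findings clear once the .kdb and .sth files are readable only by the account IHS runs as.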


































