Step By Step - SSL Configuration in WebSphere Application Server 8.5
Part 1: Creating a self-signed digital certificate
Step 1 : Create a directory /websphere/ssl to store all files required for the SSL setup.
Step 2 : Start the ikeyman utility of IBM HTTP Server from the <IHS_ROOT>/bin directory
# ./ikeyman.sh
Step 3 : Click the New menu item under the Key Database File menu.
Step 4 : Select CMS as the key database type, and give the key database a file name (for example key.kdb) and a location. The location chosen here has to match the KeyFile directive configured in Part 2.
Step 5 : Click the OK button.
Step 6 : When the password prompt appears, give a password to secure the new key ring. Choose a strong one rather than a guessable value such as "websphere": this password protects the private key of the certificate you are about to create.
Step 7 : Check the Stash password to a file option. This writes an obfuscated copy of the password to a .sth file next to the .kdb so that IHS can open the key database at startup without a prompt. Anyone who can read the .sth and .kdb files can open the key database, so keep both readable by their owner only.
Step 8 : Click the OK button.
Step 9 : Select Personal Certificates from the drop-down.
Step 10 : Click the New Self-Signed button.
Step 11 : A new window opens and asks for the details of the digital certificate.
Step 12 : Give a meaningful name for the key label.
Step 13 : Note this label down; it is the value given to the SSLServerCert directive in Part 2.
Step 14 : Set the Common Name to the host name that clients will type in the URL (otherwise browsers report a name mismatch on top of the untrusted-issuer warning). Leave the default values for Version, Key Size and Signature Algorithm, but check before accepting them that the key size is at least 2048 bits and the signature algorithm is a SHA-2 variant.
Step 15 : Click the OK button.
A self-signed digital certificate is generated and added to the key database.
Step 16 : Exit the ikeyman tool.
Conclusion : we have created a key database (a .kdb file, together with its .sth stash file) and added a self-signed digital certificate to it.
Part 2: Adding SSL to the IHS virtual host configuration
In this part, we configure IBM HTTP Server to listen on the SSL port 443 and point it to the key database holding the digital certificate.
Step 1 : Change to <IHS_ROOT>/bin directory and stop IBM HTTP Server, if it is running.
# ./apachectl stop
Step 2 : Add the following text to the bottom of the httpd.conf file under the <IHS_ROOT>/conf directory, just above the plug-in configuration.
Listen 0.0.0.0:443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLServerCert ihs_key_label
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "<IHS_ROOT>/bin/key.kdb"
SSLV3Timeout 1000
Please Note : The string given to SSLServerCert is the key label used while generating the digital certificate in Part 1. Replace <IHS_ROOT> with the correct path, and make sure KeyFile points at the key database you actually created (if you saved it in the /websphere/ssl directory from Part 1, use that path); the key.sth stash file must sit in the same directory as key.kdb, otherwise IHS prompts for the password or fails to open the key database. SSLProtocolDisable SSLv2 switches off only SSLv2; SSLv3 is also broken (POODLE), so use SSLProtocolDisable SSLv2 SSLv3 and restrict the enabled protocol versions further if your fix-pack level and clients allow it. SSLClientAuth None means the server does not request a client certificate.
Step 3 : Verify that the SSL module is loaded in httpd.conf, i.e. that the following line is present and not commented out:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Step 4 : Start IBM HTTP Server from the <IHS_ROOT>/bin directory
# ./apachectl start
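The template from Step 2 disables SSLv2 only. The following shell script is an added example (my code, not from the original page or from IBM): it reproduces that template as a constructed sample, places a hardened variant next to it that also disables SSLv3, and runs a small linter over both that checks the directives this part relies on (mod_ibm_ssl loaded, a Listen on 443, SSLEnable inside the *:443 virtual host, both SSLv2 and SSLv3 in SSLProtocolDisable, a non-empty SSLServerCert label, a quoted .kdb path in KeyFile, a global SSLDisable). The KeyFile path /websphere/ssl/key.kdb is an assumption chosen to match Part 1, Step 1; the label ihs_key_label is the page's own. Comment lines are ignored, so a commented-out LoadModule line is reported as missing.

```shell
#!/bin/sh
# Added example, not from the original page: lint the SSL section of an IHS httpd.conf.
# It checks the directives the page uses (LoadModule ibm_ssl_module, Listen, SSLEnable,
# SSLProtocolDisable, SSLServerCert, KeyFile, SSLDisable) and flags the weak protocol
# setting in the page's template. Assumes POSIX sh with grep, sed and awk.

# Constructed sample 1: the page's template (plus the LoadModule line from Step 3).
# Only SSLv2 is disabled, so SSLv3 is still negotiable.
WEAK_CONF='LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLServerCert ihs_key_label
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "/websphere/ssl/key.kdb"
SSLV3Timeout 1000'

# Constructed sample 2: the same template with SSLv3 disabled as well.
HARDENED_CONF='LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLServerCert ihs_key_label
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "/websphere/ssl/key.kdb"
SSLV3Timeout 1000'

# lint_ihs_ssl_conf FILE
# Prints one FAIL line per problem and returns the number of problems (0 = clean).
lint_ihs_ssl_conf() {
  conf="$1"
  n=0
  # Drop leading whitespace and comment lines so only active directives are inspected.
  active=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$conf")

  printf '%s\n' "$active" | grep -Eq '^LoadModule[[:space:]]+ibm_ssl_module([[:space:]]|$)' ||
    { echo "FAIL: mod_ibm_ssl is not loaded (LoadModule ibm_ssl_module missing or commented out)"; n=$((n+1)); }

  printf '%s\n' "$active" | grep -Eq '^Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' ||
    { echo "FAIL: no Listen directive for port 443"; n=$((n+1)); }

  # SSLEnable must sit inside the *:443 virtual host, not at global scope.
  printf '%s\n' "$active" | awk '
    /^<VirtualHost[ \t]+[^ \t>]*:443>/ { inside = 1 }
    inside && /^SSLEnable([ \t]|$)/   { found = 1 }
    /^<\/VirtualHost>/                { inside = 0 }
    END { if (found) exit 0; exit 1 }' ||
    { echo "FAIL: SSLEnable is missing from the *:443 virtual host"; n=$((n+1)); }

  # Both SSLv2 and SSLv3 must appear on an SSLProtocolDisable line.
  disabled=$(printf '%s\n' "$active" | grep -E '^SSLProtocolDisable([[:space:]]|$)')
  for proto in SSLv2 SSLv3; do
    printf '%s\n' "$disabled" | grep -Eq "(^|[[:space:]])$proto([[:space:]]|$)" ||
      { echo "FAIL: $proto is not listed in SSLProtocolDisable"; n=$((n+1)); }
  done

  printf '%s\n' "$active" | grep -Eq '^SSLServerCert[[:space:]]+[^[:space:]]+' ||
    { echo "FAIL: SSLServerCert has no key label (use the label from ikeyman)"; n=$((n+1)); }

  printf '%s\n' "$active" | grep -Eq '^KeyFile[[:space:]]+"[^"]+\.kdb"' ||
    { echo "FAIL: KeyFile must be a quoted path to the .kdb key database"; n=$((n+1)); }

  # A global SSLDisable keeps SSL explicitly off for every other virtual host.
  printf '%s\n' "$active" | awk '
    /^<VirtualHost/    { inside = 1 }
    /^<\/VirtualHost>/ { inside = 0 }
    !inside && /^SSLDisable([ \t]|$)/ { found = 1 }
    END { if (found) exit 0; exit 1 }' ||
    { echo "FAIL: no global SSLDisable outside the virtual host"; n=$((n+1)); }

  return $n
}

# lint_conf_text LABEL TEXT: write TEXT to a temporary file and lint it.
lint_conf_text() {
  tmp=$(mktemp) || return 1
  printf '%s\n' "$2" > "$tmp"
  echo "== $1 =="
  lint_ihs_ssl_conf "$tmp"
  rc=$?
  rm -f "$tmp"
  echo "findings: $rc"
  return $rc
}

lint_conf_text "page template (only SSLv2 disabled)" "$WEAK_CONF" || :   # expected: 1 finding
lint_conf_text "hardened template" "$HARDENED_CONF"                       # expected: clean
```

Run it against a real httpd.conf with lint_ihs_ssl_conf <IHS_ROOT>/conf/httpd.conf after Step 2; a non-zero exit status is the count of problems, which makes it usable as a pre-start check in a deployment script. The checks are deliberately textual and do not replace testing the running server with a TLS client.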
Part 3: Propagating the plug-in keyring file from WAS to the web server
The next step is to propagate the plug-in key store (plugin-key.kdb and its stash file) from WAS to IBM HTTP Server, so that the web server plug-in trusts the application server's certificate and can talk to WAS over SSL.
Step 1 : In the WAS administrative console, expand Servers | Server Types and click Web servers.
Step 2 : Click on <web_server_name>.
Step 3 : Click Plug-in properties under the Additional Properties section.
Step 4 : Click the Copy to Web server key store directory button.
Step 5 : Check that plugin-key.kdb and plugin-key.sth now exist alongside plugin-cfg.xml under the <IHS_ROOT>/Plugins/config/<webserver_name> directory, as shown below. Note that in this listing both files are readable by every user on the host; since the stash file unlocks the key database, restrict them to their owner (chmod 600).
/opt/IBM/HTTPServer/Plugins/config/webserver2$ ls -l
total 20
-rw-r--r-- 1 wasadmin wasadmin 3966 2018-04-07 12:11 plugin-cfg.xml
-rw-r--r-- 1 wasadmin wasadmin 10080 2018-04-08 19:12 plugin-key.kdb
-rw-r--r-- 1 wasadmin wasadmin 129 2018-04-08 19:12 plugin-key.sth
Step 6 : Restart IBM HTTP Server
# ./apachectl stop
# ./apachectl start
Step 7 : Open a browser and type the following URL, using the IP address (or the host name given as Common Name in Part 1) of the host running IBM HTTP Server:
https://<IP_ADDRESS>/snoop
Because the certificate is self-signed, the browser warns that the issuer is not trusted; compare the fingerprint it displays with the certificate shown in ikeyman before accepting it.
Step 8 : A response from the snoop servlet (it echoes the request headers and server details) indicates that the web server, the plug-in and WAS are working together and that the request was served over the SSL port. snoop is part of the WAS DefaultApplication sample and reveals request and environment details, so remove or protect it on production systems.
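The listing in Part 3, Step 5 shows plugin-key.kdb and plugin-key.sth with mode 644, and the same concern applies to the key.kdb/key.sth pair from Part 1. The following shell script is an added example (my code, not from the original page or from IBM) that checks such a pair: both files must exist (IHS cannot open the key database unattended without the stash) and neither may be readable by group or other, because the stash file holds an obfuscated copy of the key database password and read access to the pair is effectively read access to the private key. The demonstration directory and file names are constructed to mirror the page's listing.

```shell
#!/bin/sh
# Added example, not from the original page: verify that a key database (.kdb) and its stash
# file (.sth) form a usable pair and that neither is readable beyond its owner.
# Assumes POSIX sh with ls, cut, chmod and mktemp.

# perm_bits FILE: the nine rwx characters from `ls -ld` (portable, unlike stat -c / stat -f).
perm_bits() { ls -ld "$1" | cut -c2-10; }

# check_keystore_pair /path/to/name.kdb
#   returns 0 if name.kdb and name.sth exist and both are owner-only (no group/other bits)
#   returns 1 if either file is missing (IHS cannot open the kdb unattended without the stash)
#   returns 2 if either file is accessible by group or other
check_keystore_pair() {
  kdb="$1"
  sth="${kdb%.kdb}.sth"
  [ -f "$kdb" ] || { echo "FAIL: $kdb does not exist"; return 1; }
  [ -f "$sth" ] || { echo "FAIL: $sth is missing; the password was not stashed"; return 1; }
  status=0
  for f in "$kdb" "$sth"; do
    bits=$(perm_bits "$f")
    case "$bits" in
      ???------) echo "OK:   $f is owner-only ($bits)" ;;
      *)         echo "FAIL: $f is accessible beyond its owner ($bits); chmod 600 it"; status=2 ;;
    esac
  done
  return $status
}

# Demonstration on a constructed directory laid out like the page's listing under
# <IHS_ROOT>/Plugins/config/<webserver_name>; the files start with mode 644 as in the listing.
demo_dir=$(mktemp -d)
touch "$demo_dir/plugin-key.kdb" "$demo_dir/plugin-key.sth"
chmod 644 "$demo_dir/plugin-key.kdb" "$demo_dir/plugin-key.sth"
check_keystore_pair "$demo_dir/plugin-key.kdb" || :   # reports both files as too open
chmod 600 "$demo_dir/plugin-key.kdb" "$demo_dir/plugin-key.sth"
check_keystore_pair "$demo_dir/plugin-key.kdb"        # now clean
rm -rf "$demo_dir"
```

Point check_keystore_pair at the real files (for example <IHS_ROOT>/Plugins/config/<webserver_name>/plugin-key.kdb and the key.kdb from Part 1) after Step 5; the owner should be the user IHS starts as, so that chmod 600 does not stop the server from opening the key database.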