IBM Support

How to setup end to end security in HACP EE v1.6

How To


Summary

This document explains the step by step configuration needed to be performed by HACP EE users to be able to access HACP EE pages with Secure URL.

Objective

To access HOD html and Config pages securely via HACP EE client, users need to have below configuration.

  • Secure IBM WebSphere Application Server
  • Secure IBM HTTP Webserver (or any other web server)
  • IBM HTTP Webserver Self-Sign certificate should be added under IBM WebSphere Application Server java key store.

Steps to configure IBM WebSphere Application Server as Secure

  1. Open IBM WebSphere Application Server’s key store. Sample location of the key store is as below. This depends on the installed location of WAS and how you have configured it
     
    \IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\testnameNode01Cell\nodes\testnameNode01\key.p12
     
  2. Either create a self-signed certificate in this key store, or import a Certificate Authority certificate to this key store.
  3. Add the above certificate to the browser’s key store as well, under trusted root certificate.
  4. Restart WAS service
  5. Clear the browser history and restart the browser.
  6. Open WAS URL in browser with secure port
    https://<WAS IP>:<WAS secure port>/ibm/console
     
    e.g. https://WAS IP:9043/ibm/console
     
  7. Give Secure WAS URL in the browser. Secure WAS URL should not display any errors and display a lock symbol.

Steps to configure IBM HTTP Server (or any other web server) as Secure

  1. Open IBM HTTP Server’s key store. Sample location of the key store is as below. This depends on the installed location of IBM HTTP Server and how you have configured it
  2. If such a key store does not exist, create a new one.
  3. Either create a self-signed certificate in this key store, or import a Certificate Authority certificate to this key store
  4. Update httpd.conf file of IBM HTTP server and modify to include ssl module and provide the appropriate configuration (below is a sample)
     
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    <IfModule mod_ibm_ssl.c>
    Listen 0.0.0.0:443
    ## IPv6 support:
    #Listen [::]:443
    #SSLCheckCertificateExpiration 30
    <VirtualHost *:443>
     SSLEnable
     # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </VirtualHost>
    </IfModule>
    SSLDisable
    KeyFile "C:/Program Files/ibm/HTTPServer/key.kdb"
    SSLStashFile "C:/Program Files/ibm/HTTPServer/key.sth"
     
  5. Restart IBM HTTP Server

Secure connection between IBM WebSphere Application Server and IBM HTTP Server (on any other web server)

To complete the setup, please add both the web server certificate as well as the IBM WebSphere Application Server certificate to the signer section of IBM WAS’s java key store.

Sample location of WAS java key store is as below.

 

IBM\WebSphere\AppServer9\java\8.0\jre\lib\security

 

Restart IBM WebSphere Application Server

This should complete the secure setup. Now, you can open the HACP EE URL with https.

 

Document Location

Worldwide

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSS9FA","label":"IBM Host On-Demand"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Document Information

Modified date:
17 June 2019

UID

ibm10887015

Page Feedback