Configuring SSL from each node to the IBM HTTP Server

For load balancing implementations, you must configure SSL between the IBM® HTTP Server plug-in and each node in the cluster.

Before you begin

This task assumes that you have already installed and configured the IBM HTTP Server for load balancing.

About this task

For each node in the cluster, follow these instructions to configure the node to communicate over a secure (SSL) channel with the IBM HTTP Server.

Procedure

  1. Log in to the Dashboard Application Service Hub.
  2. In the navigation pane, click Settings > WebSphere Administrative Console and click Launch WebSphere administrative console.
  3. Follow these steps to extract the signer certificate from the trust store:
    1. In the WebSphere® Application Server administrative console navigation pane, click Security > SSL certificate and key management.
    2. In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultTrustStore link.
    3. In the Additional Properties area, click the Signer certificates link and in the table that is displayed, select the root entry check box.
    4. Click Extract and in the page that is displayed, in the File name field, enter a certificate file name (certificate.arm), for example, c:\tivpc064ha1.arm.
    5. From the Data Type list select the Base64-encoded ASCII data option and click OK.
    6. Locate the extracted signer certificate and copy it to the computer running the IBM HTTP Server.
      Note: These steps are specific to Dashboard Application Service Hub. For general WebSphere Application Server details and further information, see: http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_sslextractsigncert.html
  4. On the computer running the IBM HTTP Server, follow these steps to import the extracted signer certificate into the key database:
    1. Start the key management utility (iKeyman), if it is not already running, from HTTP_SERVER_PATH/bin:
      • Linux/UNIX: At the command line, enter ./ikeyman.sh
      • Windows: At the command line, enter ikeyman.exe
    2. Open the CMS key database file that is specified in plugin-cfg.xml, for example, HTTP_SERVER_PATH/plug-ins/etc/plug-in-key.kdb.
    3. Provide the password (default is WebAS) for the key database and click OK.
    4. From the Key database content, select Signer Certificates.
    5. Click Add and select the signer certificate that you copied from the node to the computer running the IBM HTTP Server and click OK.
    6. Select the Stash password to a file check box and click OK to save the key database file.
      Note: For more information on certificates in WebSphere Application Server, see: http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.ihs.doc/info/ihs/ihs/tihs_ikeyscca.html
  5. Repeat these steps for each node in the cluster.
  6. For the changes to take effect, stop and restart all nodes in the cluster and also restart the computer running the IBM HTTP Server.
    1. In the /opt/IBM/JazzSM/profile/bin directory, depending on your operating system, enter one of the following commands:
      • Windows: stopServer.bat server1
      • Linux/UNIX: stopServer.sh server1
        Note: On UNIX and Linux systems, you are prompted to provide an administrator username and password.
    2. In the /opt/IBM/JazzSM/profile/bin directory, depending on your operating system, enter one of the following commands:
      • Windows: startServer.bat server1
      • Linux/UNIX: startServer.sh server1
    3. Restart the IBM HTTP Server.
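
Added example, not part of the IBM documentation: a check for steps 3 and 4 that confirms the .arm file copied to the IBM HTTP Server computer carries the same signer certificate that was extracted on the node. It fingerprints the decoded certificate bytes rather than the file, so a line-ending change during the copy does not cause a false mismatch; the function names and sample data are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import sys

# PEM armor written by the "Base64-encoded ASCII data" export option.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_from_arm(text):
    """Return the DER bytes of the single certificate in .arm file text."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError("expected one certificate, found %d" % len(blocks))
    body = "".join(blocks[0].split())  # drop CR, LF and indentation
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("corrupt Base64 body: %s" % exc)
    # An X.509 certificate is an ASN.1 SEQUENCE, so DER starts with 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start a DER SEQUENCE")
    return der

def fingerprint(text, algo="sha256"):
    """Colon-separated digest of the DER; line endings do not affect it."""
    digest = hashlib.new(algo, der_from_arm(text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(text_a, text_b):
    """True when both .arm texts carry the same certificate bytes."""
    return fingerprint(text_a) == fingerprint(text_b)

def to_arm(der, eol="\n"):
    """Helper for the constructed samples below: wrap DER in PEM armor."""
    body = base64.encodebytes(der).decode("ascii").replace("\n", eol)
    return "-----BEGIN CERTIFICATE-----" + eol + body + "-----END CERTIFICATE-----" + eol

# Constructed placeholder bytes (SEQUENCE tag plus filler), not a real cert.
SAMPLE_DER = b"\x30\x82\x00\x40" + bytes(range(64))
SAMPLE_NODE = to_arm(SAMPLE_DER)               # as extracted on the node
SAMPLE_IHS = to_arm(SAMPLE_DER, eol="\r\n")    # after a text-mode transfer
SAMPLE_ALTERED = to_arm(SAMPLE_DER[:-1] + b"\xff")  # different bytes

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="latin-1") as handle:
            print(path, fingerprint(handle.read()))
```

Run the script on the node and on the IBM HTTP Server computer with the .arm path as the argument, and compare the printed values before adding the certificate in iKeyman.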

What to do next

You should now be able to access the load-balanced cluster through https://http_server_hostname/ibm/console (assuming that the default context root, /ibm/console, was defined at the time of installation).