Load balancing HTTPS requests

By default, the IBM HTTP Server software component is not enabled to handle requests that use the HTTPS protocol. Use this procedure to enable IBM HTTP Server to handle HTTPS requests.

Before you begin

The following procedure assumes that you will be using the default key database /opt/IBM/WebSphere/HTTPServer/conf/ihsserverkey.kdb and a self-signed certificate labeled LoadBalancer. If you use a different key database and a certificate from a CA, you must make the appropriate changes in the /opt/IBM/WebSphere/HTTPServer/conf/httpd.conf file.

Procedure

  1. SSH into the virtual machine in the load balancer pattern instance that is running the IBM HTTP Server.
  2. Uncomment the following lines in /opt/IBM/WebSphere/HTTPServer/conf/httpd.conf:
    Listen 443
    SSLCheckCertificateExpiration 30
    <VirtualHost *:443> 
    SSLEnable 
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </VirtualHost>
    KeyFile /opt/IBM/WebSphere/HTTPServer/conf/ihsserverkey.kdb
    SSLDisable
  3. Add the SSL server certificate label directive, SSLServerCert LoadBalancer, on the line after SSLEnable. Your /opt/IBM/WebSphere/HTTPServer/conf/httpd.conf SSL stanza should be similar to the following:
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    SSLCheckCertificateExpiration 30
    <VirtualHost *:443>
    SSLEnable
    SSLServerCert LoadBalancer
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </VirtualHost>
    KeyFile /opt/IBM/WebSphere/HTTPServer/conf/ihsserverkey.kdb
    SSLDisable
    
  4. Execute the following commands:
    1. Create the key database /opt/IBM/WebSphere/HTTPServer/conf/ihsserverkey.kdb:
      /opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -keydb -create \
        -db /opt/IBM/WebSphere/HTTPServer/conf/ihsserverkey.kdb -pw WebApp -stash -type pkcs12
    2. Create a self-signed certificate labeled LoadBalancer. Change <FQDN_OF_HTTP_SERVER> to the actual host name (for example, ipas-pvm-112-068.purescale.raleigh.ibm.com):
      /opt/IBM/WebSphere/HTTPServer/bin/gskcapicmd -cert -create \
        -db /opt/IBM/WebSphere/HTTPServer/conf/ihsserverkey.kdb -type kdb -label LoadBalancer -pw WebApp \
        -dn "CN=<FQDN_OF_HTTP_SERVER>,OU=Root Certificate,OU=CloudBurstCell_1,OU=CloudBurstNode_5,O=IBM,C=US"
  5. Use the following commands to restart the IBM HTTP Server:
    /opt/IBM/WebSphere/HTTPServer/bin/apachectl -k stop
    /opt/IBM/WebSphere/HTTPServer/bin/apachectl -k start
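
A pre-restart check for the stanza in steps 2 and 3, added here as an example and not part of the original procedure or IBM's tooling: it reports every directive from that stanza that is still commented out or missing. The function name check_ssl_stanza and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): confirm the SSL directives from steps 2-3 are
# active (uncommented) in an httpd.conf. check_ssl_stanza is a hypothetical
# helper name; the certificate label defaults to LoadBalancer.
check_ssl_stanza() {
    awk -v label="${2:-LoadBalancer}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); d = tolower($1) }
        tolower($0) ~ /^<virtualhost[ \t]+\*:443>$/ { vh = 1; next }
        d ~ /^<\/virtualhost>/ { vh = 0; next }
        d == "loadmodule" && $2 == "ibm_ssl_module" { mod = 1 }
        d == "listen" && $2 == "443"                { lsn = 1 }
        d == "keyfile"                              { key = 1 }
        d == "ssldisable" && !vh                    { dis = 1 }
        d == "sslenable" && vh                      { en = 1 }
        d == "sslservercert" && vh && $2 == label   { crt = 1 }
        d == "header" && vh && tolower($0) ~ /strict-transport-security/ { hsts = 1 }
        END {
            if (!mod)  { print "missing: LoadModule ibm_ssl_module"; bad = 1 }
            if (!lsn)  { print "missing: Listen 443"; bad = 1 }
            if (!en)   { print "missing: SSLEnable inside <VirtualHost *:443>"; bad = 1 }
            if (!crt)  { print "missing: SSLServerCert " label " inside <VirtualHost *:443>"; bad = 1 }
            if (!hsts) { print "missing: Strict-Transport-Security header"; bad = 1 }
            if (!key)  { print "missing: KeyFile"; bad = 1 }
            if (!dis)  { print "missing: SSLDisable outside the virtual host"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: step 2 done, step 3 (SSLServerCert) forgotten.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
SSLCheckCertificateExpiration 30
<VirtualHost *:443>
SSLEnable
#SSLServerCert LoadBalancer
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
KeyFile /opt/IBM/WebSphere/HTTPServer/conf/ihsserverkey.kdb
SSLDisable
EOF
check_ssl_stanza "$sample" || echo "SSL stanza incomplete"
rm -f "$sample"
```

Run it as check_ssl_stanza /opt/IBM/WebSphere/HTTPServer/conf/httpd.conf before step 5; it inspects only the named file and does not follow Include directives.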