[z/OS][AIX Solaris HP-UX Linux Windows]

Configure SSL between the IBM HTTP Server Administration Server and the deployment manager

Configure Secure Sockets Layer (SSL) between the deployment manager for WebSphere® Application Server and the IBM® HTTP Server (IHS) administration server, which is called adminctl.

About this task

The Application Server has new SSL management functions that need to be managed properly in order for IBM HTTP Server to connect with an SSL request. In earlier releases, SSL connections used default dummy certificates that were exchanged between IBM HTTP Server and the Application Server. In WebSphere Application Server, you must configure the Application Server to accept a self-signed certificate from IBM HTTP Server so SSL connections are accepted and transactions are completed.

If the Application Server and the IBM HTTP Server administration server are not configured correctly, the Application Server shows any errors that are received in the log file for the deployment manager. In situations where the IBM HTTP Server administration server is attempting to connect through SSL and the Application Server is not configured, you might receive an error that is similar to the following message:
  • CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=localhost" was sent from target host:port "null:null". The signer may need to be added to local trust store "c:/619/app2/profiles/Dmgr01/config/cells/rjrCell02/trust.p12" located in SSL configuration alias "CellDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".

  • IOException javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found

Procedure

  1. Obtain a server certificate.
    Create a CMS key database and create a new self-signed certificate for the IHS administration server.
    • Use the iKeyman utility or the gskcapicmd command line for distributed operating systems. Use the gskkyman tool for z/OS® operating systems. For more information about command-line instructions for creating the CMS key database and the self-signed certificate, see IBM HTTP Server certificate management.
    The following steps assume that you are using the iKeyman facility.
    [AIX Solaris HP-UX Linux Windows]
    1. Use the IHS iKeyman utility graphical user interface to create a CMS key database file.
      For more information, see Working with key databases.
    2. Use the IHS iKeyman utility graphical user interface to create a new self-signed certificate for the IHS Administration Server and save the certificate as /conf/admin.kdb.
      For more information, see Creating a self-signed certificate.
    Best practice: Make note of the password and select Stash password to a file.
  2. Extract the certificate to a file by using the iKeyman utility.
    1. Select the certificate that you created in Step 1, for example adminselfSigned.
    2. Click Extract Certificate.
      The recommended file name for extraction is C:\Program Files\IBM\HTTPServer\conf\cert.arm.
      Avoid trouble: Do not change the data type.
  3. Modify the Administration Server configuration file, which is named admin.conf.
    1. Configure the file to load the IBM SSL module.
      Uncomment the following line:
      LoadModule ibm_ssl_module     modules/mod_ibm_ssl.so
    2. Enable SSL and define a key file to use.
      Uncomment the following lines to enable SSL and to define a key file to use:
      SSLEnable
      SSLServerCert default
      Keyfile "C:/Program Files/IBM/HTTPServer/conf/admin.kdb"
      Avoid trouble: Be aware of the following:
      • The key file directive must match the name and location of a valid key file that is installed on your system.
      • IBM SSL support must be installed.
      • In the admin.conf file, the SSLServerCert label must match the label of the personal certificate stored in the admin.kdb key file that the Keyfile directive in admin.conf references. If the labels do not match, IHS does not start from the WebSphere administrative console, and the IHS admin_error.log file logs the error SSL0223E: SSL Handshake Failed, No certificate.
      • The value default used in the example code for enabling SSL and defining a key file is the label, or name, of the self-signed certificate that is created in iKeyman for the admin.conf keystore.
      • The previous example uses the SSLServerCert directive, which is needed when the self-signed personal certificate in the IHS admin.kdb file is not flagged as the default certificate.
      • Alternatively, instead of using SSLServerCert, open the admin.kdb file in iKeyman, select the self-signed certificate in the Personal Certificates section, and click View/Edit. At the end of the page, select Set the certificate as the default.
  4. Start the administration server for IBM HTTP Server. Verify that the log file does not contain IBM Global Security Kit (GSKit) errors.
  5. Configure WebSphere Application Server.
    1. Log into the Administrative Console for the Application Server and start the deployment manager.
    2. Select Security > SSL certificate and key management.
    3. Select Manage endpoint security configurations.
      You are directed to a list of inbound and outbound endpoints.
    4. Select the outbound cell (cellDefaultSSLSettings, null).
      Select outbound cells because, in this setup, the Administration Console for the Application Server is the client, and the IBM HTTP Server Administration Server is the server.
      Avoid trouble: This setup is the opposite configuration from an SSL setup with the IBM HTTP Server plugin and the Application Server.
    5. In the Related Items section, click Key stores and certificates.
    6. Click CellDefaultTrustStore.
    7. In the Additional Properties section, click Signer Certificates.
    8. FTP the certificate file to the Application Server. Do not change the data type.
    9. In the collection panel for Signer Certificates, click Add.
      Enter the following information in the fields.
      Table 1. Signer Certificate information
      Name        Value
      Alias       adminselfSigned
      File name   file_name (for example, c:\program files\ibm\httpserver\conf\cert.arm)
    10. Save the configuration changes to the administrative console.
    11. Stop the deployment manager.
    12. Start the deployment manager.
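As an added example that is not part of the IBM documentation, the following POSIX shell script performs steps 1 and 2 with the gskcapicmd command line instead of the iKeyman GUI and then checks, before adminctl is started, that the SSLServerCert label in admin.conf names a certificate that exists in admin.kdb (the label mismatch that produces SSL0223E). The install root, label, distinguished name, file names and the listing format are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: run steps 1-2 with gskcapicmd
# instead of iKeyman, then check that the SSLServerCert label in admin.conf
# names a certificate present in admin.kdb before adminctl is started.
# IHS_ROOT, the label, the DN and the file names are assumptions.
IHS_ROOT="${IHS_ROOT:-/opt/IBM/HTTPServer}"
KDB="$IHS_ROOT/conf/admin.kdb"
ADMIN_CONF="$IHS_ROOT/conf/admin.conf"
CERT_ARM="$IHS_ROOT/conf/cert.arm"
LABEL="adminselfSigned"

# Create the CMS key database (password stashed), a self-signed certificate
# flagged as the default, and extract it Base64-encoded for the WebSphere side.
create_admin_keydb() {
    pw="$1"; gsk="$IHS_ROOT/bin/gskcapicmd"
    "$gsk" -keydb -create -type cms -db "$KDB" -pw "$pw" -stash &&
    "$gsk" -cert -create -db "$KDB" -pw "$pw" -label "$LABEL" \
        -dn "CN=$(hostname),O=IHS admin" -size 2048 -default_cert yes &&
    "$gsk" -cert -extract -db "$KDB" -pw "$pw" -label "$LABEL" \
        -target "$CERT_ARM" -format ascii
}

# Print the label named by the first uncommented SSLServerCert directive.
server_cert_label() {
    sed -n 's/^[[:space:]]*SSLServerCert[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
        head -n 1
}

# Print the labels from a "gskcapicmd -cert -list" listing (assumed format),
# dropping the header lines and the "*" default / "-" personal / "!" trusted flags.
listed_labels() {
    grep -v -e '^Certificates found' -e 'default, - personal' "$1" |
        sed -n 's/^[*!#-][*!#-]*[[:space:]]*\(.*\)$/\1/p'
}

# Return 0 when the configured label exists in the listing, 1 otherwise.
label_matches() {
    want=$(server_cert_label "$1")
    [ -n "$want" ] || { echo "no active SSLServerCert directive in $1" >&2; return 1; }
    listed_labels "$2" | grep -q -x -F -- "$want"
}

# Usage on the IHS host: sh check_admin_ssl.sh verify
if [ "${1:-}" = "verify" ]; then
    tmp=$(mktemp) || exit 1
    "$IHS_ROOT/bin/gskcapicmd" -cert -list -db "$KDB" -stashed > "$tmp" &&
        label_matches "$ADMIN_CONF" "$tmp"
    rc=$?; rm -f "$tmp"; exit "$rc"
fi
```

Run the verify step after editing admin.conf and before step 4; a non-zero exit means adminctl would fail its handshake with the mismatch described above.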