Configuring SSL from each node to the IBM HTTP Server

For load balanced implementations, you must configure SSL between the IBM HTTP Server plug-in and each node in the cluster.

Before you begin

IBM HTTP Server is installed and configured for load balancing.

About this task

For each node in the cluster, follow these instructions to configure the node to communicate over a secure (SSL) channel with the IBM HTTP Server.

Procedure

  1. Log in to the Web GUI.
  2. In the navigation pane, click Console Settings > WebSphere Administrative Console and click Launch WebSphere administrative console.
  3. Follow these steps to extract the signer certificate from the truststore:
    1. In the WebSphere Application Server administrative console navigation pane, click Security > SSL certificate and key management.
    2. In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultTrustStore link.
    3. In the Additional Properties area, click the Signer certificates link and in the table that is displayed, select the root entry check box.
    4. Click Extract and in the page that is displayed, in the File name field, enter a certificate file name (certificate.arm).
      For example, c:\tivpc064ha1.arm.
    5. From the Data Type list, select the Base64-encoded ASCII data option and click OK.
    6. Locate the extracted signer certificate and copy it to the computer that is running the IBM HTTP Server.
      Note: These steps are particular to Dashboard Application Services Hub. For general WebSphere Application Server details and further information, see: Adding the correct SSL Signer certificates to the plug-in keystore
  4. On the computer that is running the IBM HTTP Server, follow these steps to import the extracted signer certificate into the key database:
    1. Start the key management utility (iKeyman), if it is not already running, from HTTP_SERVER_PATH/bin:
      • On UNIX and Linux operating systems: At the command line, enter ./ikeyman.sh
      • On Windows operating systems: At the command prompt, enter ikeyman.exe
    2. Open the CMS key database file that is specified in plugin-cfg.xml.
      For example, HTTP_SERVER_PATH/plug-ins/etc/plug-in-key.kdb.
    3. Provide the password (default is WebAS) for the key database and click OK.
    4. From the Key database content, select Signer Certificates.
    5. Click Add and select the signer certificate that you copied from the node to the computer that is running the IBM HTTP Server and click OK.
    6. Select the Stash password to a file check box and click OK to save the key database file.
      Note: For more information about certificates in WebSphere Application Server, see Receiving a signed certificate from a certificate authority.
  5. Repeat these steps for each node in the cluster.
  6. For the changes to take effect, stop and restart all nodes in the cluster and also restart the computer that is running the IBM HTTP Server.
    1. In the JazzSM_WAS_Profile/bin directory, depending on your operating system, enter one of the following commands:
      • On Windows operating systems: stopServer.bat server1
      • On UNIX and Linux operating systems: stopServer.sh server1
        Note: On UNIX and Linux® systems, you are prompted to provide an administrator user name and password.
    2. In the JazzSM_WAS_Profile/bin directory, depending on your operating system, enter one of the following commands:
      • On Windows operating systems: startServer.bat server1
      • On UNIX and Linux operating systems: startServer.sh server1
    3. Restart the IBM HTTP Server.
      For more information, see Starting and stopping IBM HTTP Server.
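
Step 4 relies on opening the key database that plugin-cfg.xml names, and step 5 repeats the import for every node. The following added example (not part of the original procedure or of IBM's tooling) parses a plug-in configuration file and reports which key databases the HTTPS transports reference and which cluster members lack an HTTPS transport, keyring or stash file. It assumes the standard plug-in layout of ServerCluster, Server, Transport and Property elements; the sample file, host names, ports and paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the plug-in configuration layout.
# Host names, ports and paths are hypothetical.
SAMPLE_PLUGIN_CFG = """
<Config>
  <ServerCluster Name="dash_cluster">
    <Server Name="node1_server1">
      <Transport Hostname="node1.example.com" Port="16310" Protocol="http"/>
      <Transport Hostname="node1.example.com" Port="16311" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/HTTPServer/plug-ins/etc/plug-in-key.kdb"/>
        <Property Name="stashfile" Value="/opt/IBM/HTTPServer/plug-ins/etc/plug-in-key.sth"/>
      </Transport>
    </Server>
    <Server Name="node2_server1">
      <Transport Hostname="node2.example.com" Port="16310" Protocol="http"/>
    </Server>
    <PrimaryServers>
      <Server Name="node1_server1"/>
      <Server Name="node2_server1"/>
    </PrimaryServers>
  </ServerCluster>
</Config>
"""

def audit_plugin_cfg(xml_text):
    """Return (keyrings, findings): key databases to open in iKeyman, and per-node gaps."""
    root = ET.fromstring(xml_text)
    keyrings, findings = set(), []
    # Only direct children of ServerCluster define members; PrimaryServers holds references.
    for server in root.findall("./ServerCluster/Server"):
        name = server.get("Name", "<unnamed>")
        https = [t for t in server.findall("Transport")
                 if t.get("Protocol", "").lower() == "https"]
        if not https:
            findings.append(f"{name}: no https transport defined")
        for transport in https:
            props = {p.get("Name"): p.get("Value") for p in transport.findall("Property")}
            if props.get("keyring"):
                keyrings.add(props["keyring"])
            else:
                findings.append(f"{name}: https transport has no keyring property")
            if not props.get("stashfile"):
                findings.append(f"{name}: https transport has no stashfile property")
    return sorted(keyrings), findings

if __name__ == "__main__":
    dbs, problems = audit_plugin_cfg(SAMPLE_PLUGIN_CFG)
    print("Key databases to open in iKeyman:", dbs)
    for problem in problems:
        print("CHECK:", problem)
```

Each key database that is reported must contain the signer certificate of every node in the cluster.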

What to do next

You can access the load balanced cluster through https://http_server_hostname/ibm/console, assuming that the default context root (/ibm/console) was defined at the time of installation.