Using X.509 certificates from a SAF key ring database to configure ITOMweb to support SSL or TLS

Configure SSL or TLS to enable secure communication between web browsers and the ITOMweb virtual host on the IBM® HTTP Server (powered by Apache) using the X.509 certificates that are stored in a SAF key ring.

The following examples describe the basic steps and required configuration directives. Configure other SSL directives as specified by your organization policies.
  1. Uncomment the LoadModule ibm_ssl_module modules/mod_ibm_ssl.so configuration directive in the httpd.conf file.
  2. In the omweb.vhost.conf file, add the following lines immediately after the ServerName configuration directive:
    1. SSLEnable
    2. KeyFile /saf key_ring_name
    3. SSLClientAuth Optional
    4. SSLServerCert Host Server Cert Label
  3. Immediately after the configuration directive that ends the virtual host definition (</VirtualHost>), add the following configuration directive:
    1. SSLDisable
    The SAF key ring must contain the server certificate including its private key and all the certificates in the certificate chain all the way back to the Root CA certificate.
Output from the RACDCERT LISTRING(ITOMWEB) ID(WEBSRV) command:

Digital ring information for user WEBSRV:

  Ring:
       >ITOMWEB<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  rootca                             CERTAUTH       CERTAUTH     NO
  Issuing ca                         CERTAUTH       CERTAUTH     NO
  RS13 Site                          SITE           PERSONAL     YES
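The three steps above assembled into the two configuration files, as an added example that is not part of the original page. The key ring name ITOMWEB and the certificate label RS13 Site are taken from the RACDCERT LISTRING output above; the port, the ServerName value, and the Listen directive are assumptions.

```apache
# httpd.conf (step 1): the SSL module line must be uncommented
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

# omweb.vhost.conf (steps 2 and 3); port 443 and the host name are assumed
Listen 443
<VirtualHost *:443>
    ServerName itomweb.example.com
    # SSL directives go immediately after ServerName
    SSLEnable
    # key ring shown by RACDCERT LISTRING(ITOMWEB) ID(WEBSRV) above
    KeyFile /saf ITOMWEB
    # Optional: a client certificate is requested but the handshake
    # still completes if the browser does not present one
    SSLClientAuth Optional
    # label of the SITE certificate in the ring; quoted because it contains a space
    SSLServerCert "RS13 Site"
</VirtualHost>
# step 3: turn SSL off again for anything defined after this virtual host
SSLDisable
```

After restarting the server, confirm that the certificate chain presented to browsers is complete (root CA, issuing CA, server certificate), for example with openssl s_client -connect itomweb.example.com:443 -showcerts, since a ring missing any link in the chain produces handshake failures that look like a bad server certificate.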

The user ID that is used to run the web server must have the appropriate authority to various profiles in the FACILITY, CSFSERV, and CRYPTOZ classes. There are special considerations if the SITE certificate is shared between application servers. In particular, the user ID needs the following access to these profiles in the FACILITY class:

Profile                  Access
-----------------------  -------
IRR.DIGTCERT.LIST        READ
IRR.DIGTCERT.LISTRING    UPDATE
IRR.DIGTCERT.GENCERT     CONTROL