Configuring IBM HTTP Server and IBM WebSphere Plug-In
You must configure IBM HTTP Server and the IBM WebSphere Plug-in for IBM® Surveillance Insight® for Financial Services.
Procedure
- Log in to the server as root.
- Create an ihsmgr user and group.
groupadd -g 1511 ihsmgr
useradd -u 1511 -g 1511 ihsmgr
- Run the following command to configure the admin server.
"/opt/IBM/HTTPServer/bin/setupadm" -usr ihsmgr -grp ihsmgr -cfg "/opt/IBM/HTTPServer/conf/httpd.conf" -adm "/opt/IBM/HTTPServer/conf/admin.conf"
If you used a directory other than /opt/IBM/HTTPServer for the HTTP Server installation, ensure that you change the paths in the command to the correct paths for your environment.
- Set the admin password:
"/opt/IBM/HTTPServer/bin/htpasswd" -b "/opt/IBM/HTTPServer/conf/admin.passwd" "ihsmgr" "password"
- Set the admin port in the admin.conf file:
sed -i s#@@AdminPort@@#"8008"#g "/opt/IBM/HTTPServer/conf/admin.conf"
- Create an SSL certificate for IBM HTTP Server.
- Create a directory for the certificate:
rm -rf "/opt/IBM/HTTPServer/cert"
mkdir "/opt/IBM/HTTPServer/cert"
- Create a keystore:
"/opt/IBM/HTTPServer/bin/gskcmd" -keydb -create -db "/opt/IBM/HTTPServer/cert/sifs_ihs_ks.kdb" -pw "password" -type cms -expire "3650" -stash
- Create a self-signed certificate:
"/opt/IBM/HTTPServer/bin/gskcmd" -cert -create -db "/opt/IBM/HTTPServer/cert/sifs_ihs_ks.kdb" -pw "password" -size "2048" -dn "CN=localhost,OU=SIFS,O=IBM,C=US" -label "sifs_ihs_cert" -default_cert yes -expire 3650
Ensure that you change the dn value to suit your environment.
- Back up the original httpd.conf file.
cp "/opt/IBM/HTTPServer/conf/httpd.conf" "/opt/IBM/HTTPServer/conf/httpd.conf.original"
- Open the httpd.conf file in a text editor, and change the following values:
- Search for Listen 80, and comment out the line.
- Search for ServerName, and change the port number to 443, the default secure port for the web server.
- Add the following lines to the end of the file:
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Listen 443
SSLCheckCertificateExpiration 30
<VirtualHost *:443>
SSLEnable
SSLProtocolEnable TLSv12
SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_SHA -SSL_RSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
#For POODLE TLS attack (CVE-2014-8730)
SSLAttributeSet 471 1
FileETag None
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header edit Set-Cookie ^(.*)$ $1;Secure
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/cert/sifs_ihs_ks.kdb
SSLStashfile /opt/IBM/HTTPServer/cert/sifs_ihs_ks.sth
SSLDisable
#Removing Server Version Banner
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
#Code to rewrite/redirect http traffic to https
RewriteEngine On
RewriteCond %{SERVER_PORT} =80
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
#Deny certain operations
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule .? - [F]
LoadModule was_ap24_module /opt/IBM/WebSphere/Plugins/bin/64bits/mod_was_ap24_http.so
WebSpherePluginConfig /opt/IBM/HTTPServer/conf/plugin-cfg.xml
- Ensure that only one line says Listen 443. If there are multiple lines, delete the other lines.
- To stop the directory traversal threat, under each Directory section, set Options -Indexes wherever appropriate.
- Save and close the httpd.conf file.
- Grant the ihsmgr user permission for the configuration files:
chown ihsmgr:ihsmgr "/opt/IBM/HTTPServer/conf/httpd.conf"
chown ihsmgr:ihsmgr "/opt/IBM/HTTPServer/conf/admin.conf"
- Start the IBM HTTP Server and the admin processes:
/opt/IBM/HTTPServer/bin/adminctl start
/opt/IBM/HTTPServer/bin/apachectl start
- Verify that the server is running by accessing the URL: https://<hostname>
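As an added example, not part of the IBM documentation or the product, the following POSIX shell script audits an edited httpd.conf against the hardening steps above: port 80 commented out, exactly one Listen 443, ServerName on port 443, Options -Indexes inside every Directory section, the version banner directives, and the Strict-Transport-Security header. The two configuration fragments it checks are constructed for the example (they are not the shipped httpd.conf), and the function names are the example's own. Run it after the "Save and close the httpd.conf file" step, pointing audit_conf at the real file instead of the constructed one.

```shell
#!/bin/sh
# Added example: audit an IBM HTTP Server httpd.conf against the hardening
# steps of this procedure. Both fragments below are constructed sample input.

# Constructed fragment that follows every step in the procedure.
GOOD_CONF="$(mktemp)"
cat > "$GOOD_CONF" <<'EOF'
#Listen 80
ServerName ihs.example.invalid:443
Listen 443
<VirtualHost *:443>
SSLEnable
SSLProtocolEnable TLSv12
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
<Directory "/opt/IBM/HTTPServer/htdocs">
    Options -Indexes
</Directory>
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
EOF

# Constructed fragment that misses the steps: port 80 still open, two
# Listen 443 lines, ServerName on port 80, directory listing enabled,
# version banner on, no HSTS header.
BAD_CONF="$(mktemp)"
cat > "$BAD_CONF" <<'EOF'
Listen 80
ServerName ihs.example.invalid:80
Listen 443
Listen 443
<Directory "/opt/IBM/HTTPServer/htdocs">
    Options Indexes FollowSymLinks
</Directory>
ServerTokens Full
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Number of uncommented lines in file $1 that begin with extended regex $2.
count_active() {
    grep -Ec "^[[:space:]]*$2" "$1" 2>/dev/null || true
}

# Step "Search for Listen 80, and comment out the line".
check_port_80_closed() {
    [ "$(count_active "$1" 'Listen[[:space:]]+80([[:space:]]|$)')" -eq 0 ]
}

# Step "Ensure that only one line says Listen 443".
check_single_listen_443() {
    [ "$(count_active "$1" 'Listen[[:space:]]+443([[:space:]]|$)')" -eq 1 ]
}

# Step "Search for ServerName, and change the port number to 443".
check_servername_443() {
    [ "$(count_active "$1" 'ServerName[[:space:]]+[^[:space:]]+:443([[:space:]]|$)')" -eq 1 ]
}

# Step "under Directory, set Options -Indexes": every Options line inside a
# <Directory> block must carry -Indexes. awk tracks whether we are in a block.
check_no_directory_indexes() {
    awk '
        /^[[:space:]]*<Directory/   { inside = 1 }
        /^[[:space:]]*<\/Directory/ { inside = 0 }
        inside && /^[[:space:]]*Options/ && !/-Indexes/ { bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Step "Removing Server Version Banner".
check_banner_off() {
    [ "$(count_active "$1" 'AddServerHeader[[:space:]]+Off')" -eq 1 ] &&
    [ "$(count_active "$1" 'ServerTokens[[:space:]]+Prod')" -eq 1 ] &&
    [ "$(count_active "$1" 'ServerSignature[[:space:]]+Off')" -eq 1 ]
}

# Step "Header always set Strict-Transport-Security ...".
check_hsts() {
    [ "$(count_active "$1" 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security')" -ge 1 ]
}

# Run every check against file $1, print PASS/FAIL per check, and return the
# number of failed checks as the exit status (0 means fully compliant).
audit_conf() {
    failures=0
    for chk in check_port_80_closed check_single_listen_443 check_servername_443 \
               check_no_directory_indexes check_banner_off check_hsts; do
        if "$chk" "$1"; then
            echo "PASS $chk"
        else
            echo "FAIL $chk"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

audit_conf "$GOOD_CONF"
audit_conf "$BAD_CONF" || echo "noncompliant: $? check(s) failed"
```

The checks only count uncommented directives, so a commented-out Listen 80 passes while a live one fails, which matches the procedure's intent. The exit status of audit_conf is the failure count, so the script can gate an automated deployment step.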