Enable HTTPS when high availability is configured in IBM Spectrum LSF Application Center

When you install IBM Spectrum LSF Application Center for the first time, HTTPS is enabled by default. There are, however, additional configuration steps for high availability.

1. Enable HTTPS in LSF Application Center hosts

Procedure

  1. Log in to the LSF Application Center server as root.
  2. Set your environment.
    For example:
    • For csh or tcsh:
      # source /opt/pac/cshrc.platform
    • For sh, ksh, or bash:
      # . /opt/pac/profile.platform
  3. Enable HTTPS with settings for your environment.

    Specify the keystore password. The password must be at least 6 characters long. The default keystore password is changenow.

    Specify the --validhosts option to indicate the IBM® HTTP Server host name. You can specify the short host name, full host name, and IP address if your users will access LSF Application Center by entering those in the URL. If you also want your LSF Application Center servers to be accessible through the URL, specify the LSF Application Center server information as well.

    This example configures the IBM HTTP Server server1 short host name, long host name, and IP address:
    # pmcadmin stop 
    # pmcadmin https disable
    # pmcadmin https enable --password changenow --validhosts server1,server1.example.com,203.0.113.0 
  4. Add CMS providers to the java.security file:
    1. Open the Java™ security file /opt/pac/jre/linux-x86_64/lib/security/java.security of the IBM JRE.
    2. Add security.provider.8, security.provider.9, security.provider.10, as follows:
      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.security.sasl.IBMSASL
      security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
      security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
      security.provider.8=org.apache.harmony.security.provider.PolicyProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=com.ibm.security.cmskeystore.CMSProvider
  5. Repeat step 4 for all instances of IBM Spectrum LSF Application Center.
  6. Copy the LSF Application Center generated keystore file to a shared location. The generated keystore file will need to be imported to the IBM HTTP Server keystore.
    cp $GUI_CONFDIR/https/work/serverKeyStore.jks /share/serverKeyStore.jks
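
An added check for step 4, not part of IBM's documentation: the function below confirms that the three providers are active in a java.security file and that the security.provider.N indices are unique and consecutive. The sample file is constructed, with entry 10 left commented out; in practice pass /opt/pac/jre/linux-x86_64/lib/security/java.security on each instance.

```shell
#!/bin/sh
# check_providers FILE: verify the java.security edits from step 4.
# Exit 0 only if the indices are unique and run 1..N without gaps (assumed
# to matter for the IBM JRE as it does for OpenJDK, which stops reading at
# the first missing index) and the three step-4 providers are uncommented.
REQUIRED="org.apache.harmony.security.provider.PolicyProvider"
REQUIRED="$REQUIRED,com.ibm.security.jgss.mech.spnego.IBMSPNEGO"
REQUIRED="$REQUIRED,com.ibm.security.cmskeystore.CMSProvider"

check_providers() {
    awk -F= -v required="$REQUIRED" '
    /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
        n = $1; gsub(/[^0-9]/, "", n); n += 0         # index N
        cls = $2; gsub(/[ \t\r]/, "", cls)            # provider class
        if (n in seen) { print "duplicate index " n; bad = 1 }
        seen[n] = cls; active[cls] = 1
        if (n > max) max = n
    }
    END {
        for (i = 1; i <= max; i++)
            if (!(i in seen)) { print "gap: security.provider." i " is not set"; bad = 1 }
        m = split(required, req, ",")
        for (j = 1; j <= m; j++)
            if (!(req[j] in active)) { print "not registered: " req[j]; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the list from step 4 with entry 10 still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
#security.provider.10=com.ibm.security.cmskeystore.CMSProvider
EOF
check_providers "$sample" || echo "java.security needs attention"
```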

2. Create the CMS keystore in IBM HTTP Server

Procedure

Create the CMS keystore file and stash file.

The parameters for the command are:

  • -pw password
  • -db kdb_file_path
  • -stash to create the sth file
For example:

$ cd /opt/IBM/HTTPServer/bin
$ ./gskcapicmd -keydb -create -db /share/key.kdb -pw changeit -stash
$ ls -al /share/key.*
-rw------- 1 root root 88 Nov 27 07:59 key.crl
-rw------- 1 root root 88 Nov 27 07:59 key.kdb
-rw------- 1 root root 88 Nov 27 07:59 key.rdb
-rw------- 1 root root 129 Nov 27 07:59 key.sth

3. Import the LSF Application Center certificate into the CMS keystore

Procedure

  1. Log in to the IBM HTTP Server host as root.
  2. Import the LSF Application Center certificate into the IBM HTTP Server keystore.
    The parameters for the command are as follows:
    • -db LSF Application Center keystore file
    • -pw LSF Application Center keystore password
    • -target IBM HTTP Server keystore kdb file
    • -target_pw IBM HTTP Server keystore kdb password

    For example:

    $ cd /opt/IBM/HTTPServer/bin
    $ ./gskcmd -cert -import -db /share/serverKeyStore.jks -pw changenow -target /share/key.kdb -target_pw changeit
  3. Set the LSF Application Center certificate as the default certificate for the IBM HTTP Server keystore.

    The parameters for the command are as follows:

    • -setdefault is to set the certificate as the default
    • -pw is the LSF Application Center keystore password
    • -label is the certificate label. It must be srvalias.

    For example:

    $ ./gskcmd -cert -setdefault -db /share/key.kdb -label "srvalias" -pw changeit 

4. Enable HTTPS in IBM HTTP Server

Procedure

  1. Log in to the IBM HTTP Server host as root.
  2. Edit the /opt/IBM/HTTPServer/conf/httpd.conf file and uncomment the following lines to enable SSL.
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
    SSLEnable
    </VirtualHost>
    KeyFile /share/key.kdb
    SSLDisable
    # End of example SSL configuration

    In the lines that you uncommented, check the following:

    • Check that KeyFile points to the location of the CMS keystore kdb file.
    • If you do not use 443 as the HTTPS port, change 443 to your port number.
  3. Edit the /opt/IBM/HTTPServer/conf/plugin-cfg.xml file:
    <Transport Hostname="hostA" Port="8443" Protocol="https">
        <Property Name="keyring" Value="/share/key.kdb" />
        <Property Name="stashfile" Value="/share/key.sth" />
    </Transport>

    In <Transport...> :

    • Ensure that Hostname is the LSF Application Center hostname or IP address.
    • Ensure that the Port is the LSF Application Center HTTPS port. By default it is 8443.
    • Ensure that Protocol is configured to Protocol="https".
    • Ensure that Property Name="keyring" contains the correct path to the CMS keystore file.
    • Ensure that Property Name="stashfile" contains the correct path to the stash file you created in previous steps.
  4. Repeat step 3 to add all LSF Application Center servers in the file.
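
An added audit for steps 3 and 4, not IBM's own tooling: it walks every <Transport> in a plugin-cfg.xml and reports entries that are not https or whose keyring or stashfile is missing or unreadable. It assumes one element per line as in the snippet above; hostB and the temporary paths are constructed sample values.

```shell
#!/bin/sh
# check_transports FILE: audit every <Transport> in a plugin-cfg.xml.
# Assumes one element per line, as in the snippet above. Exit 0 = all pass.
check_transports() {
    awk '
    function attr(line, name,    re, s) {       # value of name="..." or ""
        re = name "=\"[^\"]*\""
        if (!match(line, re)) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    function readable(path,    junk, rc) {      # 1 if the file can be opened
        rc = (getline junk < path); close(path)
        return rc >= 0
    }
    function finish(    id) {                   # report on one Transport
        id = host ":" port; inside = 0
        if (proto != "https") { print id ": Protocol=" proto ", expected https"; bad = 1; return }
        if (ring == "")            { print id ": keyring property missing"; bad = 1 }
        else if (!readable(ring))  { print id ": keyring " ring " not readable"; bad = 1 }
        if (stash == "")           { print id ": stashfile property missing"; bad = 1 }
        else if (!readable(stash)) { print id ": stashfile " stash " not readable"; bad = 1 }
    }
    /<Transport[ \t]/ {
        host = attr($0, "Hostname"); port = attr($0, "Port")
        proto = attr($0, "Protocol"); ring = stash = ""; inside = 1
        if ($0 ~ /\/>[ \t]*$/) finish()         # self-closing element
        next
    }
    inside && /<Property[ \t]/ {
        if (attr($0, "Name") == "keyring")   ring  = attr($0, "Value")
        if (attr($0, "Name") == "stashfile") stash = attr($0, "Value")
    }
    inside && /<\/Transport>/ { finish() }
    END { exit bad + 0 }' "$1"
}

# Constructed sample: hostA follows step 3, hostB (hypothetical) was missed.
d=$(mktemp -d); : > "$d/key.kdb"; : > "$d/key.sth"
cat > "$d/plugin-cfg.xml" <<EOF
<Transport Hostname="hostA" Port="8443" Protocol="https">
    <Property Name="keyring" Value="$d/key.kdb" />
    <Property Name="stashfile" Value="$d/key.sth" />
</Transport>
<Transport Hostname="hostB" Port="8080" Protocol="http" />
EOF
check_transports "$d/plugin-cfg.xml" || echo "plugin-cfg.xml needs attention"
```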

5. Configure IBM Spectrum LSF Application Center to use the same keystore as IBM HTTP Server

Procedure

  1. Log on to the LSF Application Center web server as root.
  2. Open the $GUI_CONFDIR/server_https.xml file and edit <keyStore...> to indicate the location of your keystore file.

    IBM HTTP Server and LSF Application Center use the same CMS keystore:

    <keyStore id="defaultKeyStore" location="/share/key.kdb" type="CMSKS" 
    		provider="IBMCMSProvider" password="changeit" />

6. Restart all instances of LSF Application Center

Procedure

  1. Log in to one instance of LSF Application Center server as root.
  2. Set your LSF Application Center environment.
    For example:
    • For csh or tcsh:
      # source /opt/pac/cshrc.platform
    • For sh, ksh, or bash:
      # . /opt/pac/profile.platform
  3. Restart LSF Application Center services:
    pmcadmin stop
    pmcadmin start
  4. Repeat steps 1 to 3 on all instances of LSF Application Center server.

7. Restart IBM HTTP Server

Procedure

  1. Log on to IBM HTTP Server.
  2. Restart IBM HTTP Server:
    
    cd /opt/IBM/HTTPServer/bin
    ./apachectl stop
    ./apachectl start

8. Connect to LSF Application Center using the IBM HTTP Server URL

Procedure

Connect using the URL https://IBM_HTTP_Server_host/platform.