IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Configuring TLS/SSL communication for the IBM HTTP Server used for load balancing multiple portal servers

To configure TLS/SSL communication for a load balancing environment, add the public signer certificate for each Tivoli Enterprise Portal Server's local HTTP server to the key database (plugin-key.kdb) that the load balancing IBM HTTP Server uses as its trust store, using the iKeyman graphical interface.

Before you begin

Copy the public signer certificate for each portal server's local HTTP server to the computer system where the load balancing HTTP Server is installed.

About this task

Alternatively, you can use the gskcmd command-line interface to complete this task. For detailed information on using the gskcmd command-line interface, see "Managing keys with the gskcmd command line interface (Distributed systems)" in the WebSphere Application Server Information Center.

Procedure

  1. On the computer system where the load balancing HTTP Server is installed, import each public signer certificate into the key database using the iKeyman graphical interface.
    Start the key management utility (iKeyman) using one of these methods:
    • Windows: Click Start > Programs > IBM HTTP Server V8.5 > Start Key Management Utility.
    • Linux and UNIX: From the command line, run <install_dir>/bin/ikeyman, or change to the <install_dir>/bin directory and type ikeyman, where <install_dir> is the directory where the WebSphere Plugins are installed (such as /opt/IBM/WebSphere/Plugins). If you start iKeyman to create a new key database file, the utility stores the file in the directory from which you started iKeyman.
  2. Click Key Database File from the main UI, then click Open.
  3. Specify the location of the CMS key database file plugin-key.kdb that the HTTP server plugin-cfg.xml file names in its keyring property (the matching stash file is named in the stashfile property).

    By default the file name is plugin-key.kdb.

    When using HTTP server V8.5, the following default locations apply:

    Windows: C:\Program Files\IBM\WebSphere\Plugins_1\config\webserver1

    Linux and UNIX: /opt/IBM/WebSphere/Plugins/config/webserver1

  4. Provide the password for the key database and click OK. The default password is WebAS. Because this default is publicly documented, change it on a production load balancer (Key Database File > Change Password in iKeyman) and stash the new password, so that the .sth file that httpd.conf references stays in step with the key database.
  5. From the Key database content drop down list, select Signer Certificates.
  6. For each portal server's local HTTP server signer certificate:
    1. Click Add.
    2. Select the signer certificate file and click OK. Compare the certificate's fingerprint with the value shown on the portal server before trusting it, so that a substituted certificate is not added by mistake.
    3. Insert a unique label, such as hostname ITM certificate, and click OK.
  7. Click Save to update the file with your changes.

    If you do not have permission to overwrite the plugin-key.kdb file, save it under a different name, such as plugin-key2.kdb, and later update your httpd.conf (KeyFile and SSLStashfile directives) and plugin-cfg.xml (keyring and stashfile properties) accordingly. A renamed key database also needs its own stash file: stash the password for it from iKeyman (Key Database File > Stash Password) so that the .sth file named in httpd.conf exists and matches.

  8. Enable SSL for your HTTP server by updating the httpd.conf file. The default location of the httpd.conf file is:

    Windows: C:\Program Files\IBM\HTTPServer\conf

    Linux and UNIX: /opt/IBM/HTTPServer/conf

    1. Open the httpd.conf file and search for the text string "Example SSL configuration" to view an example configuration.
    2. Add the following block to your httpd.conf file, changing the directory paths to Windows paths if your HTTP server is on Windows:
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      Listen 443
      <VirtualHost *:443>
      SSLEnable
      SSLProtocolDisable SSLv2 SSLv3
      ErrorLog "/opt/IBM/HTTPServer/logs/sslerror.log"
      TransferLog "/opt/IBM/HTTPServer/logs/sslaccess.log"
      KeyFile "/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"
      SSLStashfile "/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"
      </VirtualHost>
      SSLDisable
      Note: The plugin-key.kdb file is the one that you saved in step 7, and the plugin-key.sth file must hold that key database's current password. SSLv3 is disabled here together with SSLv2, because both protocols are obsolete and insecure. The trailing SSLDisable keeps SSL switched off outside the port 443 virtual host.
  9. Restart the load balancing HTTP Server to implement your changes. For more information, see "Starting and stopping IBM HTTP Server" in the WebSphere Application Server Information Center. After the restart, connect to the load balancer on port 443 over HTTPS and confirm that the handshake succeeds and that sslerror.log shows no key database or stash file errors.
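The same procedure done from the command line, as an added example that is not part of the IBM page and not IBM's own script: it uses the gskcmd interface that "About this task" mentions to perform steps 1 through 7 (import each portal server's signer certificate, verify that its label is present, re-stash the password) and adds a post-restart handshake check for step 9. The gskcmd path, the certificate file naming convention (<hostname>.arm, .crt or .der), the label format, the presence of an openssl binary for the final check, and the use of the default password WebAS are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not IBM's code): gskcmd equivalent of the iKeyman steps.
# Assumed: gskcmd location, key database path, default password WebAS,
# certificate files named <hostname>.<ext>, openssl available for the check.
set -eu

GSKCMD="${GSKCMD:-/opt/IBM/HTTPServer/bin/gskcmd}"                        # assumed path
KDB="${KDB:-/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb}"  # page's Linux/UNIX default
KDB_PW="${KDB_PW:-WebAS}"                                                   # documented default; change it

# gskcmd must be told whether a certificate file is PEM ("ascii") or DER ("binary").
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        echo ascii
    else
        echo binary
    fi
}

# Build the unique label the page recommends ("<hostname> ITM certificate")
# from a file named <hostname>.<ext>.
label_for() {
    base=$(basename "$1")
    echo "${base%.*} ITM certificate"
}

# Step 6: add one signer certificate to the key database.
import_signer() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    "$GSKCMD" -cert -add -db "$KDB" -pw "$KDB_PW" \
        -label "$(label_for "$f")" -file "$f" -format "$(cert_format "$f")"
}

# Confirm that a label now appears in the key database's certificate list.
has_label() {
    "$GSKCMD" -cert -list -db "$KDB" -pw "$KDB_PW" | grep -Fq -- "$1"
}

# Step 7 counterpart: write the password to plugin-key.sth so that mod_ibm_ssl
# (SSLStashfile in httpd.conf) can open the key database without prompting.
stash_password() {
    "$GSKCMD" -keydb -stashpw -db "$KDB" -pw "$KDB_PW"
}

# Step 9 follow-up: after the restart, confirm that the load balancer completes
# a TLS handshake on 443 and print the subject of the certificate it presents.
verify_listener() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

main() {
    for cert in "$@"; do
        import_signer "$cert"
        has_label "$(label_for "$cert")" \
            || { echo "label for $cert not found after import" >&2; exit 1; }
    done
    stash_password
}

# Usage: sh import-signers.sh tep1.example.com.arm tep2.example.com.arm
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run the script on the load balancer host with one signer certificate file per portal server as arguments, then restart IBM HTTP Server as in step 9 and call verify_listener with the load balancer's hostname (for example, `verify_listener lb.example.com`, an assumed name) to confirm that the listener is serving TLS with the expected certificate.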
