For optimal security, configure SSL communication between
servers in a Kerberos junction deployment.
This topic provides an overview of the steps to configure a WebSphere® cluster environment to use SSL for the communication between WebSEAL, IBM® HTTP Server (IHS), the WebSphere Application Server Plug-in, WebSphere Application Server and Tivoli® Federated Identity Manager. These steps do not address SSL communication between the client and WebSEAL, or between WebSEAL and the back-end web server. No changes to those standard SSL configurations are necessary for Kerberos junction support.
Tip: Consider deploying a working configuration without SSL before you add SSL, so that a failure after SSL is enabled can be attributed to a missing signer certificate or a wrong key file rather than to the junction itself.
For each component, create a public/private key pair in that component's key database, and extract the certificate that carries the public key to a known location. Each peer that must trust the component then imports that certificate as a signer certificate into its own key database or trust store; the private key never leaves the component that created it.
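The exchange that the per-component steps below repeat for every pair of peers (create a key pair, extract the certificate, add it as a signer on the other side, then check that the other side accepts it), as an added example that is not part of the original page. It uses openssl so that it runs anywhere; the GSKit command-line equivalents of the ikeyman steps are given in comments and are assumed, not taken from this page. Host names and file names are made up.

```shell
#!/bin/sh
# Added example: signer-certificate exchange between two components, done with
# openssl. gsk8capicmd_64 lines in comments are the assumed GSKit equivalents of
# the ikeyman GUI steps; they are not from the original page.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity <name> <cn>: self-signed key pair for one component.
# GSKit (assumed): gsk8capicmd_64 -keydb -create -db <name>.kdb -pw <pw> -stash
#                  gsk8capicmd_64 -cert -create -db <name>.kdb -stashed \
#                      -label <name> -dn "CN=<cn>" -size 2048 -default_cert yes
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# extract_cert <name>: "extract the public key to a known location".
# GSKit (assumed): gsk8capicmd_64 -cert -extract -db <name>.kdb -stashed \
#                      -label <name> -target <name>.arm -format ascii
extract_cert() { cp "$WORK/$1.crt" "$WORK/$1.arm"; }

# add_signer <trusting> <trusted>: the ikeyman "add" step on the peer. Only the
# certificate (.arm) crosses systems; the .key file stays where it was made.
# GSKit (assumed): gsk8capicmd_64 -cert -add -db <trusting>.kdb -stashed \
#                      -label <trusted> -file <trusted>.arm -format ascii
add_signer() { cat "$WORK/$2.arm" >> "$WORK/$1.signers.pem"; }

# verify_peer <trusting> <peer>: does <trusting>'s signer store accept <peer>'s
# certificate? Returns 0 on success, 1 otherwise (the handshake-time check).
verify_peer() {
  [ -f "$WORK/$1.signers.pem" ] || return 1
  openssl verify -CAfile "$WORK/$1.signers.pem" "$WORK/$2.crt" 2>/dev/null \
    | grep -q ': OK$'
}

# peer_dn <name>: subject DN of a component's certificate, in RFC 2253 form.
peer_dn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Constructed demo: WebSEAL and one IHS exchange certificates; a third,
# unexchanged identity must be rejected by WebSEAL.
demo() {
  make_identity webseal webseal.example.com
  make_identity ihs1    ihs1.example.com
  extract_cert webseal; extract_cert ihs1
  add_signer webseal ihs1      # ikeyman step on the WebSEAL server
  add_signer ihs1 webseal      # ikeyman step on the IHS server
  verify_peer webseal ihs1 && echo "WebSEAL accepts IHS cert ($(peer_dn ihs1))"
  verify_peer ihs1 webseal && echo "IHS accepts WebSEAL cert ($(peer_dn webseal))"
  make_identity rogue rogue.example.com
  verify_peer webseal rogue || echo "WebSEAL rejects an unexchanged cert"
}
demo
```

The rejection of the third identity is the point of the exercise: a peer is trusted only because its certificate was copied over and added, not because it speaks SSL. The value printed by peer_dn is the kind of DN a distinguished-name check such as ssl-valid-server-dn compares against.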
On the WebSEAL server:
- Copy the IHS public key to the WebSEAL system.
- Use the ikeyman utility to add the IHS certificate as a signer certificate to the WebSEAL key database (the file named by ssl-keyfile). When there is more than one IHS proxy in the environment, complete this task for each IHS server.
- Configure appropriate values for the following [tfim-cluster:cluster] variables: server, ssl-keyfile, ssl-keyfile-stash. The server URL must use https, and ssl-keyfile must name the key database that holds the IHS signer certificate. Optionally, configure the ssl-valid-server-dn variable if applicable: without it, WebSEAL accepts any server certificate that chains to a signer in that key database, so when the signer is a CA that has issued other certificates, set it to the DN of the IHS server certificate.
For more information,
see Planning WebSEAL Kerberos junction configuration.
- Restart WebSEAL to activate the changes made to the WebSEAL configuration
file.
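The stanza as it would look before and after these steps, as an added example that is not from the original page. The cluster name, host names, file paths and the STS URL path are assumptions; the "priority,URL" form of the server entry is also assumed, so take the exact values from your own WebSEAL and TFIM configuration.

```ini
; Added example, values assumed. Weak form: the WS-Trust exchange that carries
; the Kerberos ticket travels in clear text, and no key database is involved.
[tfim-cluster:cluster1]
server = 9,http://ihs1.example.com:80/TrustServerWST13/services/RequestSecurityToken

; Corrected form: https to every IHS proxy, the key database that received the
; IHS signer certificate(s) via ikeyman, its stash file, and the DN check.
[tfim-cluster:cluster1]
server = 9,https://ihs1.example.com:443/TrustServerWST13/services/RequestSecurityToken
server = 8,https://ihs2.example.com:443/TrustServerWST13/services/RequestSecurityToken
ssl-keyfile = /var/pdweb/www-default/certs/tfim-cluster.kdb
ssl-keyfile-stash = /var/pdweb/www-default/certs/tfim-cluster.sth
ssl-valid-server-dn = CN=ihs1.example.com,O=Example
```

Because ssl-valid-server-dn is a single value, it is compared against whatever certificate the connected server presents; with several IHS proxies it is practical only when they present the same DN, otherwise leave it unset and rely on the signer certificates alone.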
On the IBM HTTP Server:
- Copy the WebSEAL public key to the IHS system.
- Use the ikeyman utility on IHS to add the WebSEAL public
key.
- Copy the WebSphere public
key from the WebSphere Deployment
Manager (dmgr) system to the IHS system.
- Use the ikeyman utility on IHS to add the WebSphere public key.
- Update the httpd.conf file to configure or add a virtual host that supports SSL connections and uses the IHS key database (key file and stash file) to which you added the WebSEAL and WebSphere signer certificates.
- Restart IHS to activate the changes.
- When your deployment includes multiple IHS proxies, repeat the
above steps for each IHS proxy.
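A minimal SSL virtual host for IHS, as an added example that is not from the original page. Paths, the certificate label and the host name are assumptions; the directive names are the standard IBM HTTP Server SSL directives.

```apache
# Added example; paths, label and host name are assumptions.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443

<VirtualHost *:443>
    ServerName ihs1.example.com
    SSLEnable
    # Key database holding the IHS key pair plus the WebSEAL and
    # WebSphere signer certificates added with ikeyman.
    KeyFile      /opt/IBM/HTTPServer/conf/ihs-key.kdb
    SSLStashfile /opt/IBM/HTTPServer/conf/ihs-key.sth
    SSLServerCert ihs1
    # Uncomment to require WebSEAL to present its certificate (mutual SSL);
    # leave at the default if client authentication is not used.
    # SSLClientAuth required
</VirtualHost>

# Keep plain HTTP disabled for SSL outside the virtual host.
SSLDisable
```

If SSLClientAuth is set to required, the WebSEAL certificate must already be a signer in the key database named by KeyFile, or the handshake fails before any request reaches the plug-in.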
On the WebSphere plug-in
located on the IHS server:
- Copy the WebSphere public key from the WebSphere Deployment Manager (dmgr) system to the plug-in system.
- Use the ikeyman utility on the plug-in key database to add the WebSphere public key as a signer certificate.
- Copy the WebSphere node
public key from the WebSphere node
to the plug-in server.
- Use the ikeyman utility for the plug-in to add the WebSphere node public key.
- When your deployment includes multiple plug-ins, repeat the above
steps for each plug-in.
On the WebSphere Network
Deployment Manager (dmgr):
- Ensure that the public key for the plug-in is located in a file
path that can be accessed through the WebSphere administration console.
- Use the WebSphere console
to add the public key for the plug-in to the CellDefaultTrustStore.
- When your deployment includes multiple plug-ins, repeat the above
steps for each plug-in.
- Ensure that the public key for the node is located in a file path that can be accessed through the WebSphere administration console.
- Use the WebSphere console to add the public key for the node to the CellDefaultTrustStore.
- When your deployment includes multiple nodes, repeat the above steps for each node.
- Configure client authentication if appropriate for your deployment.
On the WebSphere Node:
- Ensure that the public key for the Deployment Manager (dmgr) is
located in a file path that can be accessed through the WebSphere administration console.
- Use the WebSphere console
to add the dmgr public key to the NodeDefaultTrustStore.
- When your deployment includes multiple nodes, repeat the above steps for each node.