Enable HTTPS when High Availability is enabled in IBM Spectrum LSF Application Center

When you install IBM Spectrum LSF Application Center for the first time, HTTPS is enabled by default. There are, however, additional configuration steps for High Availability.

1. Enable HTTPS in IBM Spectrum LSF Application Center hosts

Procedure

  1. Log in to the IBM Spectrum LSF Application Center server as root.
  2. Set your environment.

    For example:

    • For csh or tcsh:
      # source /opt/pac/cshrc.platform
    • For sh, ksh, or bash:
      # . /opt/pac/profile.platform
  3. Enable HTTPS with settings for your environment.

    Specify the keystore password. The password must be at least 6 characters long. The default keystore password is changenow.

    Specify the --validhosts option to indicate the IBM HTTP server host name. You can specify the short host name, the full host name, and the IP address if your users will access Platform Application Center by entering any of those in the URL. If you also want your Platform Application Center servers to be accessible through the URL, also specify the Platform Application Center server information.

    The example below configures the IBM HTTP Server server1 short host name, long host name, and IP address.

    # pmcadmin stop 
    # pmcadmin https disable
    # pmcadmin https enable --password changenow --validhosts server1,server1.example.com,203.0.113.0 
  4. Add CMS providers to the java.security file.
    1. Open the Java security file /opt/pac/jre/linux-x86_64/lib/security/java.security of the IBM® JRE.
    2. Add security.provider.8, security.provider.9, security.provider.10 as follows:
      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.provider.IBMJCE
      security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.4=com.ibm.security.cert.IBMCertPath
      security.provider.5=com.ibm.security.sasl.IBMSASL
      security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
      security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
      security.provider.8=org.apache.harmony.security.provider.PolicyProvider
      security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
      security.provider.10=com.ibm.security.cmskeystore.CMSProvider
  5. Repeat step 4 for all instances of IBM Spectrum LSF Application Center.
  6. Copy the Platform Application Center generated keystore file to a shared location. The generated keystore file will need to be imported to the IBM HTTP Server Keystore.
    cp $GUI_CONFDIR/https/work/serverKeyStore.jks /share/serverKeyStore.jks

2. Create the CMS Keystore in IBM HTTP Server

Procedure

Create the CMS keystore file and stash file.

The parameters for the command are:

  • -pw password
  • -db kdb_file_path
  • -stash to create the sth file

For example:

$ cd /opt/IBM/HTTPServer/bin
$ ./gskcapicmd -keydb -create -db /share/key.kdb -pw changeit -stash
$ ls -al /share/key.*
-rw------- 1 root root 88 Nov 27 07:59 key.crl
-rw------- 1 root root 88 Nov 27 07:59 key.kdb
-rw------- 1 root root 88 Nov 27 07:59 key.rdb
-rw------- 1 root root 129 Nov 27 07:59 key.sth

3. Import the IBM Spectrum LSF Application Center Certificate into the CMS Keystore

Procedure

  1. Log in to the IBM HTTP Server host as root.
  2. Import the Platform Application Center certificate into the IBM HTTP Server keystore.

    The parameters for the command are:

    • -db Platform Application Center keystore file
    • -pw Platform Application Center keystore password
    • -target IBM HTTP Server keystore kdb file
    • -target_pw IBM HTTP Server keystore kdb password

    For example:

    $ cd /opt/IBM/HTTPServer/bin
    $ ./gskcmd -cert -import -db /share/serverKeyStore.jks -pw changenow -target /share/key.kdb -target_pw changeit 
  3. Set the Platform Application Center certificate as the default certificate for the IBM HTTP Server keystore.

    The parameters for the command are:

    • -setdefault is to set the certificate as the default
    • -pw is the Platform Application Center keystore password
    • -label is the certificate label. It must be srvalias.

    For example:

    $ ./gskcmd -cert -setdefault -db /share/key.kdb -label "srvalias" -pw changeit 

4. Enable HTTPS in IBM HTTP Server

Procedure

  1. Log in to the IBM HTTP Server host as root.
  2. Edit the /opt/IBM/HTTPServer/conf/httpd.conf file and uncomment the following lines to enable SSL.
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
    SSLEnable
    </VirtualHost>
    KeyFile /share/key.kdb
    SSLDisable
    # End of example SSL configuration

    In the lines that you uncommented, check the following:

    • Check that KeyFile points to the location of the CMS Keystore kdb file.
    • If you do not use 443 as the HTTPS port, change 443 to your port number.
  3. Edit the file /opt/IBM/HTTPServer/conf/plugin-cfg.xml.
    <Transport Hostname="hostA" Port="8443" Protocol="https">
        <Property Name="keyring" Value="/share/key.kdb" />
        <Property Name="stashfile" Value="/share/key.sth" />
    </Transport>

    In <Transport…> :

    • Check that Hostname is the Platform Application Center host name or IP address.
    • Port is the Platform Application Center HTTPS port. By default it is 8443.
    • Make sure Protocol="https".
    • In Property Name="keyring", make sure it is the correct path to the CMS keystore file.
    • In Property Name="stashfile", make sure it is the correct path to the stash file you created in previous steps.
  4. Repeat step 3 to add all Platform Application Center servers in the file.

5. Configure IBM Spectrum LSF Application Center to use the same KeyStore as IBM HTTP Server

Procedure

  1. Log on to the Platform Application Center web server as root.
  2. Open the file $GUI_CONFDIR/server_https.xml and edit <keyStore…> to indicate the location of your keystore file.

    IBM HTTP Server and Platform Application Center use the same CMS keystore.

    <keyStore id="defaultKeyStore" location="/share/key.kdb" type="CMSKS"
        provider="IBMCMSProvider" password="changeit" />

6. Restart all instances of IBM Spectrum LSF Application Center

Procedure

  1. Log in to one instance of Platform Application Center server as root.
  2. Set your Platform Application Center environment.

    For example:

    • For csh or tcsh:
      # source /opt/pac/cshrc.platform
    • For sh, ksh, or bash:
      # . /opt/pac/profile.platform
  3. Restart Platform Application Center services.
    pmcadmin stop
    pmcadmin start
  4. Repeat steps 1-3 on all instances of Platform Application Center server.

7. Restart IBM HTTP Server

Procedure

  1. Log on to IBM HTTP Server.
  2. Restart IBM HTTP Server.
    cd /opt/IBM/HTTPServer/bin
    ./apachectl stop
    ./apachectl start 

8. Connect to IBM Spectrum LSF Application Center using the IBM HTTP Server URL

Procedure

Connect using the URL https://ibm_http_server_host/platform.