IBM Tivoli Federated Identity Manager, Version 6.2.1

Configuring the IBM HTTP Server for SSL

This topic describes how to configure the IBM® HTTP Server for SSL. SSL is required in a WebSphere® Application Server clustered environment.

Before you begin

The Common Audit Service Web service client can invoke the Common Audit Service either directly, by talking to the WebSphere Application Server embedded HTTP server, or indirectly, by first going through a Web server. The Web server can be the IBM HTTP Server or another third-party Web server. The Web server must be enabled for SSL for secure communication with the client. Refer to the appropriate Web server documentation for details on how to enable SSL.

About this task

Follow these steps:

Procedure

  1. Use the IBM HTTP Server IKEYMAN utility to create a CMS key database file and insert the server's personal certificate.

    For example, to create a CMS key database file, open the CARSServerKey.jks file in IKEYMAN and then save it as a CMS file. Copy the CARSServerKey.kdb and CARSServerKey.sth files to a directory on the HTTP server (for example, /data/certs).

  2. Modify the httpd.conf file.

    For the IBM HTTP Server to support HTTPS, you must enable SSL in its configuration file, IHS_HOME/conf/httpd.conf, where IHS_HOME is the home directory of your IBM HTTP Server. Open the IHS_HOME/conf/httpd.conf file and add the following lines to the bottom of the file. This example uses port 443.

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    <IfModule mod_ibm_ssl.c>
      Listen 443
      <VirtualHost *:443>
        SSLEnable
        SSLClientAuth none
        SSLServerCert certname
      </VirtualHost>
    </IfModule>
    SSLDisable
    Keyfile /data/certs/CARSServerKey.kdb

    Note: The SSLServerCert certname is the label of the server's certificate in the key database file. It is not needed if the default certificate in the key file is used. Change the host name and the path for the key file accordingly.

    You can also use the administrative console to enable SSL.

  3. Restart the IBM HTTP Server.
  4. Add the port number to the virtual host.

    To enable the application server to communicate with the IBM HTTP Server using, for example, port 443, add the host alias on the default_host. In the administrative console:

    1. Click Environment > Virtual Hosts > default_host.
    2. Under Additional properties, click Host Aliases > New.
    3. Enter the following information in the fields:
      • Type * for Host Name.
      • Type 443 for Port.
    4. Click Apply and Save. When you click Save, the information is written to the security.xml file and the Web server plug-in. For example, /opt/IBM/WebSphere/Plugins/config/webserver1_hostname/plugin-cfg.xml is automatically updated.
  5. Enable security on your installed Web server.
    1. Click Servers > Web servers > your_web_server > Global directives.
    2. Under Global Directives specify the following information:
      • Select Security enabled.
      • Enter CARSWebStore in Key store certificate alias.
      • Enter *:443 in Listen ports.
    3. Click Apply and Save to enable port 443 for listening on the Web server.
  6. Stop and restart the IBM HTTP Server and IBM HTTP Administrative Server.
  7. Stop and restart WebSphere Application Server. In a clustered environment, stop and restart the cluster.
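Before restarting the servers, it is worth checking that the SSL stanza added to httpd.conf in step 2 is complete and that the key database and its password stash file are where the Keyfile directive says they are. The following script is an added example, not part of the IBM documentation; the sample configuration is constructed from the stanza above and the path_exists parameter is a hypothetical hook so the check can run without a real key database.

```python
import os

# Constructed sample: the stanza from step 2, with the placeholder label left in.
SAMPLE_CONF = """
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
  Listen 443
  <VirtualHost *:443>
    SSLEnable
    SSLClientAuth none
    SSLServerCert certname
  </VirtualHost>
</IfModule>
SSLDisable
Keyfile /data/certs/CARSServerKey.kdb
"""

def parse_directives(conf_text):
    """Return (scope, name, args) tuples; scope is the tuple of enclosing
    container tags, e.g. ('<IfModule mod_ibm_ssl.c>', '<VirtualHost *:443>')."""
    scope, out = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            scope.pop()                      # closing tag ends a container
        elif line.startswith("<"):
            scope.append(line)               # opening tag starts a container
        else:
            name, _, args = line.partition(" ")
            out.append((tuple(scope), name, args.strip()))
    return out

def check_ihs_ssl_config(conf_text, port=443, path_exists=os.path.exists):
    """Return the problems found in the SSL stanza; an empty list means it looks complete."""
    d = parse_directives(conf_text)
    vhost_tag = f"<VirtualHost *:{port}>"
    in_vhost = [(n, a) for s, n, a in d if vhost_tag in s]
    problems = []
    if not any(n == "LoadModule" and a.startswith("ibm_ssl_module") for _, n, a in d):
        problems.append("mod_ibm_ssl is not loaded (missing LoadModule ibm_ssl_module)")
    if not any(n == "Listen" and a == str(port) for _, n, a in d):
        problems.append(f"no 'Listen {port}' directive")
    if not in_vhost:
        problems.append(f"{vhost_tag} block not found")
    elif ("SSLEnable", "") not in in_vhost:
        problems.append(f"SSLEnable missing inside {vhost_tag}")
    if ("SSLServerCert", "certname") in in_vhost:
        problems.append("SSLServerCert still uses the placeholder label 'certname'")
    keyfiles = [a for s, n, a in d if n == "Keyfile" and s == ()]
    if not keyfiles:
        problems.append("no global Keyfile directive")
    for kdb in keyfiles:                     # IKEYMAN writes the stash file beside the .kdb
        if not path_exists(kdb):
            problems.append(f"key database not found: {kdb}")
        sth = os.path.splitext(kdb)[0] + ".sth"
        if not path_exists(sth):
            problems.append(f"password stash file not found: {sth}")
    return problems
```

Run check_ihs_ssl_config against the real IHS_HOME/conf/httpd.conf contents with the default path_exists; a non-empty result names what to fix before the restart in step 3.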
