IBM Support

Guide to properly setting up SSL within the IBM HTTP Server



The following document is a guide for setting up Secure Sockets Layer (SSL) within the IBM HTTP Server. This document contains instructions for creating keyfiles, certificates, and SSL-enabled virtual hosts as well as troubleshooting and tracing information.

Resolving The Problem

The following steps guide you through the initial configuration of TLS/SSL within the IBM HTTP Server:
  1. Create a key database file and certificates needed to enable SSL
  2. Enable SSL directives within the IBM HTTP Server configuration file (httpd.conf)
  3. Further SSL configuration
1) Create a key database file and certificates needed to authenticate the Web server during an SSL handshake
The iKeyman GUI, which is included within the IBM HTTP Server distribution, can be used to create a key database file (for example: key.kdb) needed to store "personal certificates" used to enable SSL.
It is also possible to manage certificates for IHS using the WebSphere Application Server Administration Console. See for details.

For detailed information on creating a key database and server certificates, refer to the following technotes:
2) Enable SSL directives within the IBM HTTP Server configuration file (httpd.conf)
2.i) Load mod_ibm_ssl
# Remove leading # from below if present
LoadModule ibm_ssl_module modules/
2.ii) Create an SSL virtual host stanza using one of the following examples and directives
Example configurations can be appended to httpd.conf.

Option 1: Adding a single SSL virtual host using the default certificate in a keyfile
Listen 443
# On Windows, specify a Listen of and/or [::]:443
<VirtualHost *:443>
  # SSLEnable turns on SSL for this virtual host
  SSLEnable
  KeyFile "c:/program files/ibm http server/conf/key.kdb"
</VirtualHost>
Option 2: Adding SSL virtual hosts using multiple certificates (8.5.5 and earlier)
If multiple certificates are needed, multiple SSL virtual hosts can be defined. They can use either separate keystores or specific certificate labels from a shared KeyFile. Each SSL virtual host must use a unique IP:PORT combination.
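Listen 443
# The VirtualHost addresses below are placeholders; use the server's own IP addresses
<VirtualHost 192.0.2.1:443>
  SSLEnable
  SSLServerCert example
</VirtualHost>

<VirtualHost 192.0.2.2:443>
  SSLEnable
  SSLServerCert store

  # Custom keystore
  KeyFile "c:/program files/ibm http server/store.kdb"
</VirtualHost>

# Default keyfile when unspecified in virtual host
KeyFile "c:/program files/ibm http server/key.kdb"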
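
An added example, not part of the IBM technote: a small Python check that parses an httpd.conf, finds virtual hosts that carry SSLEnable (the mod_ibm_ssl directive that turns SSL on for a stanza), and reports any that share an IP:PORT (the Option 2 constraint for 8.5.5 and earlier) or that have no KeyFile in the stanza or at global scope. The sample configuration, the 192.0.2.1 address and the function names are constructed for illustration.

```python
import re

# Constructed sample, not from the IBM page; 192.0.2.1 is a documentation placeholder.
SAMPLE_CONF = '''
<VirtualHost 192.0.2.1:443>
  SSLEnable
  SSLServerCert example
</VirtualHost>
<VirtualHost 192.0.2.1:443>
  SSLEnable
  SSLServerCert store
  KeyFile "c:/program files/ibm http server/store.kdb"
</VirtualHost>
'''

def parse_vhosts(conf):
    """Return (global_directives, [(addresses, directives), ...])."""
    global_dirs, vhosts, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = (opened.group(1).split(), {})
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            name, arg = re.match(r"(\S+)\s*(.*)", line).groups()
            (current[1] if current else global_dirs)[name.lower()] = arg.strip('"')
    return global_dirs, vhosts

def lint_ssl_vhosts(conf):
    """Flag SSL vhosts that share an IP:PORT or have no KeyFile to fall back on."""
    global_dirs, vhosts = parse_vhosts(conf)
    findings, seen = [], {}
    for addrs, dirs in vhosts:
        if "sslenable" not in dirs:
            continue
        for addr in addrs:
            seen[addr] = seen.get(addr, 0) + 1
        if "keyfile" not in dirs and "keyfile" not in global_dirs:
            findings.append(f"{' '.join(addrs)}: SSLEnable without any KeyFile")
    findings += [f"{a}: used by {n} SSL virtual hosts" for a, n in seen.items() if n > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ssl_vhosts(SAMPLE_CONF)))
```

The check reads a single configuration text and does not follow Include directives. On IHS 9.0 and later, where Option 3 applies, a shared IP:PORT is not necessarily an error.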

Option 3: Adding multiple SSL virtual hosts using multiple certificates (9.0)
IHS 9.0 and later supports a more flexible way of using multiple certificates without multiple IP:PORT combinations. See the following topic for examples: TLS Server Name Indication
3) Further SSL configuration
After basic SSL has been configured, some further configuration topics may be of interest.


Document Information

Modified date:
07 September 2022