IBM Support

Guide to properly setting up SSL within the IBM HTTP Server

Troubleshooting


Problem

The following document is a guide for setting up Secure Sockets Layer (SSL) within the IBM HTTP Server. This document contains instructions for creating keyfiles, certificates, and SSL-enabled virtualhosts as well as troubleshooting and tracing information.

Resolving The Problem

The following steps help guide you through the initial configuration of SSL within IBM HTTP Server (IHS):
  1. Create a key database file and certificates needed to enable SSL
  2. Enable SSL directives within the IBM HTTP Server configuration file (httpd.conf)
  3. Further SSL configuration
 
1) Create a key database file and certificates needed to authenticate the Web server during an SSL handshake
The iKeyman GUI, which is included within the IBM HTTP Server distribution, can be used to create a key database file (for example: key.kdb) needed to store "personal certificates" used to enable SSL.  A command-line tool, "gskcapicmd", is also provided.

It is also possible to manage certificates for IHS using the WebSphere Application Server Administration Console.  See https://www.ibm.com/support/pages/node/6453975 for details.

For detailed information on creating a  key database and server certificates, refer to the following technotes:
Note: If managing certificates via the WebSphere Application Server Administration Console, this step will already be completed.
 
2) Enable SSL directives within the IBM HTTP Server configuration file (httpd.conf)
2.i) Load mod_ibm_ssl
# Remove leading # from below if present
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
2.ii) Create an SSL virtualhost stanza using one of the following examples and directives
The example configurations below can be appended to httpd.conf.

Option 1: Adding a single SSL virtual host using the default certificate in a keyfile
 
Listen 443
# On Windows, specify a Listen of 0.0.0.0:443 and/or [::]:443
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEnable
</VirtualHost>
KeyFile "c:/program files/ibm http server/conf/key.kdb"
Option 2: Adding SSL virtual hosts using multiple certificates (8.5.5 and earlier)
If multiple certificates are needed, multiple SSL virtualhosts can be defined. Either multiple keystores or specific certificate labels (SSLServerCert) from a shared KeyFile can be used. Each SSL virtual host must use a unique IP:PORT combination.

For more information on why different IP addresses are required when enabling multiple Web sites for SSL prior to 9.0, see the following technote: IP-Based Virtual Hosting must be used if configuring multiple SSL Virtual Host
 
Listen 443
<VirtualHost 192.168.1.102:443>
  ServerName www.example.com
  SSLEnable
  SSLServerCert example
</VirtualHost>

<VirtualHost 192.168.1.103:443>
  ServerName store.example.com
  SSLEnable
  SSLServerCert store
</VirtualHost>

<VirtualHost 192.168.1.104:443>
  ServerName orders.example.com
  SSLEnable
  # Custom keystore
  KeyFile "c:/program files/ibm http server/store.kdb"
</VirtualHost>

# Default keyfile when unspecified in virtual host
KeyFile "c:/program files/ibm http server/key.kdb"

 
Option 3: Adding multiple SSL virtual hosts using multiple certificates (9.0)
IHS 9.0 and later supports a more flexible way of using multiple certificates without multiple IP:PORT combinations. See the following topic for examples: TLS Server Name Indication
After basic SSL has been configured, some further configuration topics may be of interest.
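The rules stated in steps 2.i and 2.ii above (mod_ibm_ssl loaded, SSLEnable inside a virtual host, a Listen for the SSL port, a KeyFile either in the virtual host or globally, the Windows Listen caveat, and the unique IP:PORT requirement before 9.0) can be checked mechanically before restarting the server. The following linter is an added example written for this page; it is not an IBM tool and does not ship with IHS. It parses only the directives named in this technote, and the two embedded httpd.conf samples are constructed: the first is the Option 1 stanza, the second is a deliberately broken configuration.

```python
import re
from typing import Dict, List, Tuple

# Added example (not IBM code): lint the SSL directives of an IHS httpd.conf
# against the rules in this technote. Only directives named here are parsed.

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^(\S+)(?:\s+(.*?))?$")


def parse_conf(text: str) -> Tuple[Dict[str, List[str]], List[dict]]:
    """Split httpd.conf text into global directives and <VirtualHost> blocks.
    Directive names are lower-cased (httpd matches them case-insensitively);
    values are kept verbatim. Blank lines and full-line comments are skipped."""
    global_directives: Dict[str, List[str]] = {}
    vhosts: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addrs": m.group(1).split(), "directives": {}}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        m = DIRECTIVE.match(line)
        name, value = m.group(1).lower(), (m.group(2) or "")
        target = global_directives if current is None else current["directives"]
        target.setdefault(name, []).append(value)
    return global_directives, vhosts


def _port(addr: str) -> str:
    # "443", "*:443", "0.0.0.0:443", "[::]:443", "192.168.1.102:443" -> "443"
    return addr.rsplit(":", 1)[-1]


def check_ssl_config(text: str, version: Tuple[int, ...] = (8, 5, 5),
                     windows: bool = False) -> List[str]:
    """Return findings; an empty list means the technote's rules are met."""
    findings: List[str] = []
    g, vhosts = parse_conf(text)

    # 2.i) mod_ibm_ssl must be loaded
    if not any(v.startswith("ibm_ssl_module") for v in g.get("loadmodule", [])):
        findings.append("mod_ibm_ssl is not loaded: add "
                        "'LoadModule ibm_ssl_module modules/mod_ibm_ssl.so'")

    # 2.ii) SSLEnable belongs inside a <VirtualHost> stanza
    ssl_vhosts = [v for v in vhosts if "sslenable" in v["directives"]]
    if not ssl_vhosts:
        findings.append("no <VirtualHost> block contains SSLEnable")

    listens = g.get("listen", [])
    listened_ports = {_port(l) for l in listens}
    if windows and any(":" not in l for l in listens):
        findings.append("Windows: use 'Listen 0.0.0.0:443' and/or "
                        "'Listen [::]:443' rather than a bare port")

    seen_addrs: Dict[str, int] = {}
    for v in ssl_vhosts:
        name = v["directives"].get("servername", ["<unnamed>"])[0]
        for addr in v["addrs"]:
            if _port(addr) not in listened_ports:
                findings.append(f"{name}: no Listen for port {_port(addr)}")
            seen_addrs[addr] = seen_addrs.get(addr, 0) + 1
        # KeyFile may be set per virtual host or inherited from the global one
        if "keyfile" not in v["directives"] and "keyfile" not in g:
            findings.append(f"{name}: no KeyFile in the virtual host or globally")

    # Option 2 caveat: before 9.0 every SSL virtual host needs a unique IP:PORT
    if version < (9, 0):
        for addr, count in seen_addrs.items():
            if count > 1:
                findings.append(f"{addr} is shared by {count} SSL virtual hosts; "
                                "IP-based virtual hosting is required before 9.0")
    return findings


# Constructed sample: the technote's Option 1 stanza with the module loaded
OPTION1_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEnable
</VirtualHost>
KeyFile "c:/program files/ibm http server/conf/key.kdb"
"""

# Constructed sample of a broken configuration: module not loaded, no KeyFile,
# and two certificate-bearing SSL virtual hosts sharing *:443
BAD_CONF = """\
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    SSLServerCert example
</VirtualHost>
<VirtualHost *:443>
    ServerName store.example.com
    SSLEnable
    SSLServerCert store
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("option1", OPTION1_CONF), ("bad", BAD_CONF)):
        print(label, check_ssl_config(conf) or "OK")
```

Run it against a real httpd.conf by reading the file into `check_ssl_config`; pass `version=(9, 0)` to skip the IP:PORT uniqueness rule when SNI (Option 3) is in use, and `windows=True` on Windows to flag a bare `Listen 443`.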
 


Document Information

Modified date:
17 May 2021

UID

swg21179559