Troubleshooting
Problem
The following document is a guide for setting up Secure Sockets Layer (SSL) within the IBM HTTP Server. This document contains instructions for creating keyfiles, certificates, and SSL-enabled virtual hosts as well as troubleshooting and tracing information.
Resolving The Problem
The following steps guide you through the initial configuration of TLS/SSL within the IBM HTTP Server:
- Create a key database file and certificates needed to enable SSL
- Enable SSL directives within the IBM HTTP Server configuration file (httpd.conf)
- Further SSL configuration
1) Create a key database file and certificates needed to authenticate the Web server during an SSL handshake
The iKeyman GUI, which is included within the IBM HTTP Server distribution, can be used to create a key database file (for example: key.kdb) needed to store "personal certificates" used to enable SSL.
It is also possible to manage certificates for IHS using the WebSphere Application Server Administration Console. See https://www.ibm.com/support/pages/node/6453975 for details.
For detailed information on creating a key database and server certificates, refer to the following technotes:
- Using iKeyman to create a key database file and certificates
- Using gskcapicmd on the command line to create a key database file and certificates
- Renewing certificates with iKeyman and gskcapicmd
- More extensive information on using the iKeyman GUI to create key database files and certificates is located here: IBM HTTP Server v9.0
2.i) Load mod_ibm_ssl
# Remove leading # from below if present
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
2.ii) Create an SSL virtual host stanza using one of the following examples and directives
The example configurations below can be appended to httpd.conf.
Option 1: Adding a single SSL virtual host using the default certificate in a keyfile
Listen 443
# On Windows, specify a Listen of 0.0.0.0:443 and/or [::]:443
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEnable
</VirtualHost>
KeyFile "c:/program files/ibm http server/conf/key.kdb"
Option 2: Adding SSL virtual hosts using multiple certificates (8.5.5 and earlier)
If multiple certificates are needed, multiple SSL virtual hosts can be defined, using either multiple keystores or specified labels from a shared KeyFile. Each SSL virtual host must use a unique IP:PORT combination.
Listen 443
<VirtualHost 192.168.1.102:443>
    ServerName www.example.com
    SSLEnable
    SSLServerCert example
</VirtualHost>
<VirtualHost 192.168.1.103:443>
    ServerName store.example.com
    SSLEnable
    SSLServerCert store
</VirtualHost>
<VirtualHost 192.168.1.104:443>
    ServerName orders.example.com
    SSLEnable
    # Custom keystore
    KeyFile "c:/program files/ibm http server/store.kdb"
</VirtualHost>
# Default keyfile when unspecified in virtual host
KeyFile "c:/program files/ibm http server/key.kdb"
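The Option 2 rules above can be checked before a restart. The following Python sketch is an added example, not IBM code: it reads httpd.conf text and reports SSL virtual hosts that share an IP:PORT or that have no KeyFile in the virtual host and no global default. The function names and the sample input are constructed for illustration, and the unique IP:PORT check applies to the Option 2 layout (8.5.5 and earlier), not to the SNI setup in 9.0.

```python
import re
from collections import defaultdict

# Constructed sample: two SSL vhosts share one IP:PORT; no global KeyFile.
SAMPLE_CONF = """\
<VirtualHost 192.168.1.102:443>
ServerName www.example.com
SSLEnable
KeyFile "c:/program files/ibm http server/key.kdb"
</VirtualHost>
<VirtualHost 192.168.1.102:443>
ServerName store.example.com
SSLEnable
</VirtualHost>
"""

def parse(conf):
    """Return (vhosts, has_global_keyfile) from httpd.conf text."""
    vhosts, cur, global_keyfile = [], None, False
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        key = line.split()[0].lower()
        if opened:
            cur = {"addrs": opened.group(1).split(), "name": "?"}
        elif key == "</virtualhost>" and cur:
            vhosts.append(cur)
            cur = None
        elif cur is None:
            global_keyfile |= key == "keyfile"   # KeyFile outside any vhost
        elif key == "servername":
            cur["name"] = line.split()[-1]
        elif key in ("sslenable", "keyfile"):
            cur[key] = True
    return vhosts, global_keyfile

def lint(conf):
    """Return findings for SSL vhosts that break the Option 2 rules."""
    vhosts, global_keyfile = parse(conf)
    findings, by_addr = [], defaultdict(list)
    for v in (v for v in vhosts if v.get("sslenable")):
        for addr in v["addrs"]:
            by_addr[addr].append(v["name"])
        if not (v.get("keyfile") or global_keyfile):
            findings.append(f"{v['name']}: SSLEnable but no KeyFile in scope")
    for addr, names in by_addr.items():
        if len(names) > 1:
            findings.append(f"{addr}: shared by SSL vhosts {', '.join(names)}")
    return findings
```

Calling lint(SAMPLE_CONF) returns two findings; the Option 2 configuration shown above returns none.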
Option 3: Adding multiple SSL virtual hosts using multiple certificates (9.0)
IHS 9.0 and later supports a more flexible way of using multiple certificates without multiple IP:PORT combinations. See the following topic for examples: TLS Server Name Indication
After basic SSL has been configured, some further configuration topics may be of interest.
- Redirect HTTP to HTTPS
- Logging SSL request information in the access log for IBM HTTP Server.
- Configure HSTS
- For a complete list of available SSL directives:
Document Information
Modified date: 07 September 2022
UID: swg21179559