IHS Plugin Websphere SSL configuration

Security should be enabled from
Webclient to WebServer (IBM Http Server )
WebSphere Plugin to WAS

WebClient to Webserver
Run ikeyman.bat and generate self-signed certificate(.kdb and .sth)
Modify httpd.conf in IHS

LoadModule  ibm_ssl_module   modules/mod_ibm_ssl.so
Listen 443
FileETag none
<VirtualHost mss13:443>
    ServerName mss13
    SSLEnable
    SSLClientAuth none
    Keyfile "c:\IBM\IHS\keys\ihscert.kdb"
    SSLServerCert self-signed
    SSLStashfile "c:\IBM\IHS\keys\ihscert.sth"
    SSLV2Timeout 100
    SSLV3Timeout 1000
    ErrorLog "c:\IBM\IHS\logs\sslerror.log"
    TransferLog "c:\IBM\IHS\logs\sslaccess.log"
</VirtualHost>

Restart IHS and check the connection Ex: https://mss

Wesphere Plugin to WAS:

@Plugin
Run ikeyman from /bin/
Generate self-signed certificate(.kdb and .sth will be generated)
Extract the certificate(.arm)

@WAS
Run ikeyman from profiles//bin
Generate self-signed certificate(.jks)
Extract the certificate(.arm)

Exchange certificates form WAS to plugin and plugin to WAS

@IHS
Run ikeyman from IHS/bin
Import certificate:
->Open the .kdb file using ikeyman
->select signer certificates from KeyDatabase content combo box
->click Add and select certificate(.arm) of the Websphere [Ex:C:\IHS\plugins\etc\keys]
close and exit ikeyman

@WebSphere
Run ikeyman from profiles//bin
Import certificate:
->Open the .jks file using ikeyman
->select signer certificates from KeyDatabase content combo box
->click Add and select certificate(.arm) of the IHS
close and exit ikeyman

@admin console
Start DMGR and open admin console
goto servers->application servers->
->Under Container settings->Web Container Transport Chains->WCInboundDefaultSecure->SSL Inbound Channel
->SSL configuration repertoire-celllevel
->New JSSE Repertoire
*Alias(any name)
*Securitylevel HIGH
*Key file name
*Key file password(give the path,name and password of the .jks file, which you have created using ikeyman)
*Trust file name
*Trust file password(give the path,name and password of the .jks file, which you have created using ikeyman(if you have created a separate trust file then you need to give the turst file name and pwd))
*Apply and OK->save and sync

->Now come back to SSL Inbound Channel configuration page
->Under SSL repertoire select the repertoire which you have just created
->save and sync
->Now click Environment->Virtual Hosts->default_host(if you have user-defined select that one)->Host Aliases->New->Port=443->save n sync
(if your wcdefaultsecure port is not here, then you need create one)

@command prompt
Generate plugin under dmgr[Ex: profiles\dmgr\bin>genplugincfg]
copy plugin-cfg.xml from dmgr to plugin config directory
change the .kdb and .sth files to the filenames what you have created under plugins keys

start IHS
Test IHS for https[Ex: https://mss/] you should IBM HTTP server page
Test Websphere secure connection directly[Ex: https://mss:/snoop]
Now, send a request for snoop servlet through webserver[Ex: https://mss/snoop]

Related Posts

Leave a Reply

Your email address will not be published.