642 IBM WebSphere Host Publisher Version 3.5
20.3 Steps to establish SSL server authentication
Server authentication is the ability to verify the server's identity
before supplying critical information, such as credit card details. Users are
reluctant to provide critical information to a Web site if they cannot verify its identity.
To establish SSL server authentication, we need to:
1. Obtain a digital certificate (create or buy a certificate)
2. Use a key management tool (IBM Key Management or IKEYMAN) to save
keys in a keys database
3. Configure the server to enable SSL (using Web Server, WebSphere
Application Server)
4. Configure the browser to use the new certificate
The way we configure each component (IBM HTTP Server, WebSphere
Application Server) will be different, as we explain later in this chapter.
20.3.1 Obtaining a digital certificate
We need to get a certificate from a Certificate Authority (CA), which verifies our
identity. There are three ways to obtain a certificate.
1. Buying a certificate from an external trusted CA provider such as VeriSign.
In this case, we buy a signed certificate by submitting a certificate request to a
CA provider. This method is similar to going to the passport office to get a
passport.
2. Creating a self-signed certificate.
This is similar to issuing your own passport hoping that others will accept it. In
general, this is only good for testing or maybe for a predefined set of clients
who trust the certificate signer.
Note: We do not recommend using this type of certificate in a production
system.
3. Obtaining a temporary certificate from a CA for testing purposes.
These certificates are normally free of charge. In order to test the use of this
certificate, you must install a special Test CA Root on each browser that you
will be using in the test.
IBM products provide a Java-based graphical user interface application
(IKEYMAN) to manage certificates and encryption keys in a secure manner.
Chapter 20. Securing sessions 643
To manage certificates and encryption keys in a secure manner, IBM products
use a secured repository called a key database. A key database is basically a
password-protected file that can be used to save root certificates and SSL keys.
Creating a key database will be the first step in setting up SSL.
In the rest of this section, you will learn how to obtain a digital certificate using
IKEYMAN. We will create a self-signed certificate and a certificate request to be
sent to a CA.
Creating a self-signed certificate
Self-signed certificates are good for testing purposes only, because not having a
CA involved in the certificate identification is a security risk. Web browsers
usually notify users about the new unregistered issuer when a site that uses the
self-signed certificate is accessed. The user then has the choice of accepting or
rejecting the connection to such a server.
The first thing you need to do before using IKEYMAN is to create a key database.
You can create a key database by following the steps below:
1. Run IKEYMAN by clicking Start -> Programs -> IBM HTTP Server -> Start
Key Management Utility. This will load the IKEYMAN Java Program.
2. Now the IKEYMAN application is loaded and you can start creating a new key
database by selecting Key Database File -> New.
3. In the New pop-up window shown in Figure 20-10 on page 644, select the
CMS key database file from the Key database type list box and enter the
new key database file name and location. Then click OK.
Figure 20-10 Creating a new key database using the IKEYMAN tool
4. To control who can access the key database, enter a password for this
database, then click OK. If you want the HTTP engine to start automatically,
select the Stash the password to a file checkbox. If the password is not
stashed into a file, the Web server will not be able to start automatically and
you will be asked for the password when you start the server.
5. Select Create -> New Self-Signed Certificate. Figure 20-11 on page 645 will
appear.
Figure 20-11 Creating a self-signer key using IKEYMAN
6. Fill in all the information, then click OK to create and save the certificate.
Information provided in the resulting window, shown in Figure 20-12, will be
available to anyone who accesses the site using this certificate.
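Step 4 stores the key database password in a stash file so that the server can start unattended, which makes the file permissions on the key database and its stash file part of the protection. The audit below is an added example, not code from this book or from IBM; it assumes a POSIX host and that IKEYMAN writes the stash file beside the database with a .sth extension, and the names audit_key_databases and demo are hypothetical.

```python
import os
import stat
import tempfile

# Assumption: IKEYMAN writes the stash file beside the key database with
# the same base name and a .sth extension (key.kdb -> key.sth).
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group or other access
NO_STASH = "info: no stash file, server start will prompt for the password"


def audit_key_databases(root):
    """Return (path, finding) pairs for every CMS key database under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".kdb"):
                continue
            kdb = os.path.join(dirpath, name)
            sth = kdb[:-4] + ".sth"
            stashed = os.path.isfile(sth)
            if not stashed:
                findings.append((kdb, NO_STASH))
            # The stash file guards the database password, so check both.
            for path in ((kdb, sth) if stashed else (kdb,)):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & LOOSE_BITS:
                    findings.append(
                        (path, "mode %04o allows group/other access" % mode))
    return findings


def demo():
    """Audit a constructed directory of placeholder files (not real keys)."""
    layout = (("good.kdb", 0o600), ("good.sth", 0o600),
              ("weak.kdb", 0o600), ("weak.sth", 0o644),
              ("manual.kdb", 0o600))
    with tempfile.TemporaryDirectory() as root:
        for name, mode in layout:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a key database")
            os.chmod(path, mode)
        return [(os.path.basename(p), msg)
                for p, msg in audit_key_databases(root)]


if __name__ == "__main__":
    for name, msg in demo():
        print(name, "-", msg)
```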