650 IBM WebSphere Host Publisher Version 3.5
Requesting a certificate from an unknown CA (not predefined)
When acquiring a certificate from an unknown Certificate Authority (CA), you need to obtain its root certificate first and store it in the key database. The term unknown CA says nothing about the reliability or trustworthiness of the CA; it only means that the CA's root certificate is not preconfigured in the key database.
Storing the root certificate of the CA
The procedure to request and configure a certificate from an unknown CA is basically the same as with well-known CAs. Before obtaining the certificate, you have to get the root certificate of the CA; the CA provides the information on how to obtain it. The root certificate must be stored in the key database before the certificate itself.
1. Start the IKEYMAN application and open your key database. Select Signer Certificates from the pull-down list.
2. Click the Add... button to add the CA's root certificate from a file.
3. In the pop-up window, verify that the file type matches the certificate file you have. Fill in the location and file name of the certificate file.
4. Click OK to mark the certificate as trusted and to store it. After completion, the new root certificate shows up in the Signer Certificates list. The root certificate is now available to every certificate you intend to include in this key database.
20.3.2 Configuring SSL
In this section, we cover the required steps to enable SSL in a simple way. We
enable SSL for the entire Web site.
Directives are basically entries in the configuration file (httpd.conf) that are
detected by the IHS HTTP engine when it starts. To change a directive, you need
to open the httpd.conf file, change, add or delete the directive, save the file as a
text file and finally restart the IBM HTTP Server to make the changes effective.
Note: You also need to make sure that you change the ServerName directive to the server host name. SSL configuration requires that the ServerName directive match the server's fully qualified host name.
The minimum configuration changes needed to activate SSL are:
- Defining the ServerName directive
- Adding LoadModule for loading the proper SSL module
- Port number for the SSL virtual host
- Definition for the SSL virtual host
- Keyfile location
Figure 20-16 HTTP versus HTTPS for IBM WebSphere Application Server (WAS) components
The default port number for SSL is 443. The simplest way to serve SSL on that port is to define a virtual host for it. When editing the httpd.conf file, keep in mind that comments within the configuration sections are not allowed. The following actions guide you through these steps:
1. Add the following lines to httpd.conf, using only the LoadModule line for your platform:
      LoadModule ibm_ssl_module libexec/mod_ibm_ssl_128.so    (UNIX systems)
      LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll   (Windows NT)
      AddModule mod_ibm_ssl.c
2. Add the port number for the virtual server just below the Listen 80 statement. The default port number for SSL is 443.
      Listen 443
3. Add the following text block to the end of the httpd.conf file:
      <VirtualHost :443>
      SSLEnable
      SSLClientAuth none
      </VirtualHost>
4. Save the file and restart the IBM HTTP Server.
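As an added check that is not part of the original book or of IBM's tooling, the following Python script verifies that an httpd.conf text contains the minimum SSL changes listed above (a ServerName matching the host name, the SSL LoadModule, Listen 443, a :443 virtual host containing SSLEnable, and a Keyfile directive) and flags comment lines inside configuration sections, which the text says are not allowed. The sample file contents and host name are constructed, and the Keyfile directive name is assumed from IBM HTTP Server's SSL directives since the steps above do not show it.

```python
# Constructed sample httpd.conf fragment (not a real server's file): the minimum SSL
# changes described above, plus one mistake, a comment line inside the section.
SAMPLE_HTTPD_CONF = """\
ServerName www.example.com
LoadModule ibm_ssl_module libexec/mod_ibm_ssl_128.so
AddModule mod_ibm_ssl.c
Listen 443
<VirtualHost www.example.com:443>
SSLEnable
# comment inside a section: not allowed
SSLClientAuth none
</VirtualHost>
Keyfile /opt/IBMHTTPD/ssl/keyfile.kdb
"""

def check_ssl_config(conf_text, expected_hostname):
    """Return a list of problems with the SSL setup in httpd.conf; [] means OK."""
    problems, seen, section, in_ssl_vhost = [], set(), None, False
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):                       # comment lines are rejected inside sections
            if section:
                problems.append("line %d: comment inside <%s> section" % (num, section))
        elif line.startswith("</"):                    # end of a section
            section, in_ssl_vhost = None, False
        elif line.startswith("<"):                     # e.g. <VirtualHost host:443>
            section, _, addr = line[1:-1].partition(" ")
            in_ssl_vhost = section.lower() == "virtualhost" and addr.strip().endswith(":443")
            if in_ssl_vhost:
                seen.add("ssl_vhost")
        else:                                          # an ordinary directive (or a blank line)
            name, _, arg = line.partition(" ")
            name, arg = name.lower(), arg.strip()
            if name == "servername" and arg == expected_hostname:
                seen.add("servername")
            elif name == "loadmodule" and arg.startswith("ibm_ssl_module"):
                seen.add("ssl_module")
            elif name == "listen" and arg == "443":
                seen.add("listen_443")
            elif name == "keyfile":
                seen.add("keyfile")
            elif name == "sslenable" and in_ssl_vhost:
                seen.add("sslenable")
    required = {"servername": "ServerName does not match " + expected_hostname,
                "ssl_module": "no LoadModule ibm_ssl_module", "listen_443": "no Listen 443",
                "ssl_vhost": "no <VirtualHost ...:443> section", "keyfile": "no Keyfile directive",
                "sslenable": "SSLEnable missing from the :443 virtual host"}
    problems.extend(msg for key, msg in required.items() if key not in seen)
    return problems
```

Running check_ssl_config(SAMPLE_HTTPD_CONF, "www.example.com") reports only the comment on line 7; removing that line yields an empty list.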
[Figure 20-16 labels: Web Server (HTTP Server); non-secure port 80, sockets without SSL, HTTP://...; secure port 443, sockets with SSL, HTTPS://...]