enable httpsfor IBM HTTP ServerWord格式文档下载.docx

资源描述

enable httpsfor IBM HTTP ServerWord格式文档下载.docx

《enable httpsfor IBM HTTP ServerWord格式文档下载.docx》由会员分享，可在线阅读，更多相关《enable httpsfor IBM HTTP ServerWord格式文档下载.docx（8页珍藏版）》请在冰豆网上搜索。

enable httpsfor IBM HTTP ServerWord格式文档下载.docx

HTTPServer,butonlyone,whichcanstillcontainmultiplepersonalcertificates,canbeusedperTLS-enabledvirtualhost.

∙SupportedKeystores

JKSandJCES,PKCS12,CMS

∙Endtoendpaths

Case1-UseJKSorJCESascertificate:

1.Createkeydatabase.

Youcancreatekeydatabaseusefollowingtwoselections:

Selection1（usecommand）:

Accessto$HTTPSServer/bin,execute:

./gskcapicmd-keydb-create-db/opt/IBM/HTTPServer/bin/key.kdb-pwLetmein-stash

Selection2（useGUI）:

./ikeyman

Note:

pleaseselectstashtopasswordwhenpasswordprompt.

2.CreateaJKSorJCEScertificate

IfyoualreadyhaveJKSorJCESfile,pleaseignorethisstep.

$JAVA_HOME/bin/keytool-genkey-keyalgRSA-aliastestlabel-keystore/opt/IBM/HTTPServer/bin/key.jks-storepassLetmein-validity360-keysize2048-dname"

CN=username,OU=IBMPlatform,O=IBMPlatform,L=Markham,ST=Ontario,C=CA"

3.ImportaJKSorJCES

YoucanimportkeybycommandorGUI:

●Usecommandtoimport:

./gskcmd-cert-import-db/opt/IBM/HTTPServer/bin/key.jks-pwLetmein-targetkey.kdb-target_pwLetmein

Thensettheimportedkeyasdefaultkey:

./gskcmd-cert-setdefault-db/opt/IBM/HTTPServer/bin/key.kdb-labeltestlabel

●UseGUItoimport:

4.Configure$HTTPServer/conf/httpd.conf.

Uncommentthefollowingcodeinhttpd.conf:

LoadModuleibm_ssl_modulemodules/mod_ibm_ssl.so

Listen443

VirtualHost*:

443>

SSLEnable

/VirtualHost>

KeyFile/opt/IBM/HTTPServer/bin/key.kdb

SSLDisable

5.Configure$HTTPServer/conf/plugin-cfg.xml

VirtualHostName="

8443"

…….

TransportHostname="

9.111.251.100"

Port="

Protocol="

https"

PropertyName="

keyring"

Value="

/opt/IBM/HTTPServer/bin/key.kdb"

stashfile"

/opt/IBM/HTTPServer/bin/key.sth"

/Transport>

Makesurehttpsportisallowedtoaccess,andthekeyringandstashfileisspecified.

6.Configure$PAC_TOP/conf/server.xml

featureManager>

feature>

ssl-1.0<

/feature>

/featureManager>

sslid="

defaultSSLConfig"

sslProtocol="

TLS"

keyStoreRef="

defaultKeyStore"

keyStoreid="

location="

type="

CMSKS"

password="

Letmein"

provider="

IBMCMSProvider"

7.Configure$PAC_TOP/jre/linux-x86_64/lib/security/java.security

CMSkeystorecanbeconfiguredwhenusingtheIBMJREbutsomespecialconfigurationisrequired.TheCMSproviderisnotavailablebydefaultontheIBMJRE,thereforeitmustbeaddedtotheproviderlistinthejava.securityfileoftheIBMJRE.

Pleasemakesureprovidernumberiscorrectinproviderlist:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2

security.provider.2=com.ibm.crypto.provider.IBMJCE

security.provider.3=com.ibm.security.jgss.IBMJGSSProvider

security.provider.4=com.ibm.security.cert.IBMCertPath

security.provider.5=com.ibm.security.sasl.IBMSASL

security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider

security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider

security.provider.8=org.apache.harmony.security.provider.PolicyProvider

security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

security.provider.10=com.ibm.security.cmskeystore.CMSProvider

8.Restartservice

source/$HTTPServer/bin/envvars

./$HTTPServer/bin/apachectlstop

./$HTTPServer/bin/apachectlstart

pmcadminstop

pmcadminstart

9.AccessPACby:

https:

//httpserver_ip/platform

Case2-UsePKCS12ascertificate:

Thestepsarebasicallysamewithcase1;

hereweintroducethedifferentpartwhenenablex509asSSO.

……………………

3.Importp12keyintokey.kdb

./gskcmd-cert-import-db/opt/IBM/HTTPServer/bin/my.p12-pwLetmein-targetkey.kdb-target_pwLetmein

./gskcmd-cert-setdefault-db/opt/IBM/HTTPServer/bin/key.kdb-labeltestlable

6.Configure$PAC_TOP/conf/server.xml,andaddparameterclientAuthentication="

true"

clientAuthentication="

Additionally,importmy.p12intoIBMJREtruststoreandyourbrowser

$JAVA_HOME/bin/keytool-export-aliastestlable-filemy.cert-keypasschangeit-storepasschangeit-storetypePKCS12-keystoremy.p12

${JAVA_HOME}/bin/keytool-import-noprompt-trustcacerts-aliastestlable-filemy.cert-keypasschangeit-storepasschangeit-keystore${JAVA_HOME}/lib/security/cacerts

ThenyoucanuseaccessPACby:

https:

//ip/platform/framework/login/toNoFilterLogin.action

Case3-UseCMSascertificate:

./gskcapicmd-keydb-create-db/opt/IBM/HTTPServer/bin/key.kdb-pwLetmein–stash

2.CreateSelf-signedcertificate.

Thensettestlabelasdefaultcertificate,youcanclickview/editbuttontocheckwhetherit’sadefaultcertificate.

3.Configure$HTTPServer/conf/httpd.conf.

4.Configure$HTTPServer/conf/plugin-cfg.xml

5.Configure$PAC_TOP/conf/server.xmlandaddfollowingcodeintoserver.xml

6.Configure$PAC_TOP/jre/linux-x86_64/lib/security/java.security

7.Restartservice

∙MoreInformation

展开阅读全文