Enable HTTPS for IBM HTTP Server
HTTP Server, but only one, which can still contain multiple personal certificates, can be used per TLS-enabled virtual host.
∙ Supported Keystores
JKS and JCES, PKCS12, CMS
∙ End to end paths
Case 1 - Use JKS or JCES as certificate:
1. Create key database.
You can create the key database in one of the following two ways:
Selection 1 (use command):
Go to $HTTPServer/bin and execute:
./gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/bin/key.kdb -pw Letmein -stash
Selection 2 (use GUI):
./ikeyman
Note:
Select "Stash the password to a file" when prompted for the password.
2. Create a JKS or JCES certificate
If you already have a JKS or JCES file, skip this step.
$JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias testlabel -keystore /opt/IBM/HTTPServer/bin/key.jks -storepass Letmein -validity 360 -keysize 2048 -dname "CN=username,OU=IBM Platform,O=IBM Platform,L=Markham,ST=Ontario,C=CA"
3. Import a JKS or JCES
You can import the key by command or GUI:
● Use command to import:
./gskcmd -cert -import -db /opt/IBM/HTTPServer/bin/key.jks -pw Letmein -target key.kdb -target_pw Letmein
Then set the imported key as the default key:
./gskcmd -cert -setdefault -db /opt/IBM/HTTPServer/bin/key.kdb -label testlabel
● Use GUI to import:
4. Configure $HTTPServer/conf/httpd.conf.
Uncomment the following lines in httpd.conf:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/bin/key.kdb
SSLDisable
5. Configure $HTTPServer/conf/plugin-cfg.xml
<VirtualHost Name="*:8443"/>
……
<Transport Hostname="9.111.251.100" Port="" Protocol="https">
<Property Name="keyring" Value="/opt/IBM/HTTPServer/bin/key.kdb"/>
<Property Name="stashfile" Value="/opt/IBM/HTTPServer/bin/key.sth"/>
</Transport>
Make sure access to the https port is allowed, and that the keyring and stashfile are specified.
6. Configure $PAC_TOP/conf/server.xml
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
<ssl id="defaultSSLConfig" sslProtocol="TLS" keyStoreRef="defaultKeyStore"/>
<keyStore id="defaultKeyStore" location="" type="CMSKS" password="Letmein" provider="IBMCMSProvider"/>
7. Configure $PAC_TOP/jre/linux-x86_64/lib/security/java.security
A CMS keystore can be used with the IBM JRE, but some special configuration is required. The CMS provider is not available by default on the IBM JRE, so it must be added to the provider list in the IBM JRE's java.security file.
Make sure the provider numbering is correct in the provider list (consecutive, with no gaps or duplicates):
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
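A small configuration check, added here as an example (not part of the original document), for the two conditions steps 5 and 7 call out: every https Transport in plugin-cfg.xml must name both a keyring and a stashfile, and the java.security provider list must be numbered consecutively from 1 and include the CMS provider. The sample plugin-cfg.xml fragment and provider list are constructed for the example, with a missing stashfile and a numbering gap built in.

```python
import re
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml fragment modelled on step 5; the https Transport lacks a stashfile.
PLUGIN_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:8443"/>
  </VirtualHostGroup>
  <ServerCluster Name="pac_cluster">
    <Server Name="pac_server">
      <Transport Hostname="192.0.2.10" Port="8443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/HTTPServer/bin/key.kdb"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""

# Constructed java.security provider list with a deliberate gap (3 is missing).
JAVA_SECURITY = """security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.cmskeystore.CMSProvider
"""

def check_https_transports(plugin_cfg_xml):
    """Return problems: each https Transport must carry keyring and stashfile Property elements."""
    problems = []
    for t in ET.fromstring(plugin_cfg_xml).iter("Transport"):
        if t.get("Protocol", "").lower() != "https":
            continue
        props = {p.get("Name"): p.get("Value") for p in t.findall("Property")}
        where = f"{t.get('Hostname')}:{t.get('Port')}"
        for required in ("keyring", "stashfile"):
            if not props.get(required):
                problems.append(f"{where}: missing Property {required}")
    return problems

def check_provider_list(java_security_text):
    """Return problems: numbers must run 1..N with no gaps or duplicates, and CMSProvider must be listed."""
    problems = []
    entries = re.findall(r"^security\.provider\.(\d+)=(\S+)", java_security_text, re.M)
    numbers = [int(n) for n, _ in entries]
    if sorted(numbers) != list(range(1, len(numbers) + 1)):
        problems.append(f"provider numbers {numbers} are not contiguous from 1")
    if not any(cls.endswith("cmskeystore.CMSProvider") for _, cls in entries):
        problems.append("CMSProvider is not registered")
    return problems

if __name__ == "__main__":
    for problem in check_https_transports(PLUGIN_CFG) + check_provider_list(JAVA_SECURITY):
        print("WARNING:", problem)
```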
8. Restart service
source $HTTPServer/bin/envvars
$HTTPServer/bin/apachectl stop
$HTTPServer/bin/apachectl start
pmcadmin stop
pmcadmin start
9. Access PAC by:
https://httpserver_ip/platform
Case 2 - Use PKCS12 as certificate:
The steps are basically the same as in case 1; here we describe only the parts that differ when enabling x509 as SSO.
……
3. Import the p12 key into key.kdb
./gskcmd -cert -import -db /opt/IBM/HTTPServer/bin/my.p12 -pw Letmein -target key.kdb -target_pw Letmein
./gskcmd -cert -setdefault -db /opt/IBM/HTTPServer/bin/key.kdb -label testlable
6. Configure $PAC_TOP/conf/server.xml, and add the parameter clientAuthentication="true" to the ssl element:
clientAuthentication="true"
Additionally, import my.p12 into the IBM JRE truststore and into your browser:
$JAVA_HOME/bin/keytool -export -alias testlable -file my.cert -keypass changeit -storepass changeit -storetype PKCS12 -keystore my.p12
${JAVA_HOME}/bin/keytool -import -noprompt -trustcacerts -alias testlable -file my.cert -keypass changeit -storepass changeit -keystore ${JAVA_HOME}/lib/security/cacerts
Then you can access PAC by:
https://ip/platform/framework/login/toNoFilterLogin.action
Case 3 - Use CMS as certificate:
./gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/bin/key.kdb -pw Letmein -stash
2. Create a self-signed certificate.
Then set testlabel as the default certificate; you can click the View/Edit button to check whether it is the default certificate.
3. Configure $HTTPServer/conf/httpd.conf.
4. Configure $HTTPServer/conf/plugin-cfg.xml
5. Configure $PAC_TOP/conf/server.xml and add the following code to server.xml
6. Configure $PAC_TOP/jre/linux-x86_64/lib/security/java.security
7. Restart service
∙ More Information