HTTP Server, but only one, which can still contain multiple personal certificates, can be used per TLS-enabled virtual host.

Supported keystores: JKS and JCEKS, PKCS12, CMS

End-to-end paths

Case 1 - Use a JKS or JCEKS keystore as the certificate source

1. Create the key database (a CMS keyring). You can create it in either of two ways:

   Selection 1 (command line): go to $HTTPServer/bin and execute
       ./gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/bin/key.kdb -pw Letmein -stash

   Selection 2 (GUI): ./ikeyman
   Note: when prompted for the password, select the option to stash the password to a file. The stash file (key.sth) is what lets IHS open the keyring at startup without an interactive prompt; it holds the keyring password in recoverable form, so it must be readable only by the user the server runs as.

2. Create a JKS or JCEKS keystore containing a key pair. If you already have a JKS or JCEKS file, skip this step.
       $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias testlabel -keystore /opt/IBM/HTTPServer/bin/key.jks -storepass Letmein -validity 360 -keysize 2048 -dname "CN=username, OU=IBM Platform, O=IBM Platform, L=Markham, ST=Ontario, C=CA"

3. Import the JKS or JCEKS keystore into key.kdb. You can import by command or by GUI.
   Command line:
       ./gskcmd -cert -import -db /opt/IBM/HTTPServer/bin/key.jks -pw Letmein -target key.kdb -target_pw Letmein
   Then set the imported key as the default certificate:
       ./gskcmd -cert -setdefault -db /opt/IBM/HTTPServer/bin/key.kdb -label testlabel
   GUI: use ikeyman to import key.jks into key.kdb and set testlabel as the default certificate (the original shows this as screenshots, which are not reproduced here).

4. Configure $HTTPServer/conf/httpd.conf. Uncomment the following directives (the extraction dropped the opening VirtualHost tag; it is restored here for the port given by Listen):
       LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
       Listen 443
       <VirtualHost *:443>
       SSLEnable
       </VirtualHost>
       KeyFile /opt/IBM/HTTPServer/bin/key.kdb
       SSLDisable

5. Configure $HTTPServer/conf/plugin-cfg.xml. In the Transport element for the https port (keep its existing Hostname and Port attributes, shown as "..." below), specify the keyring and the stash file:
       <Transport ... Protocol="https">
           <Property Name="keyring" Value="/opt/IBM/HTTPServer/bin/key.kdb"/>
           <Property Name="stashfile" Value="/opt/IBM/HTTPServer/bin/key.sth"/>
       </Transport>
   Make sure the https port is reachable and that both keyring and stashfile are specified.

6. Configure $PAC_TOP/conf/server.xml:
       <featureManager>
           <feature>ssl-1.0</feature>
       </featureManager>
       <ssl id="defaultSSLConfig" sslProtocol="TLS" keyStoreRef="defaultKeyStore"/>
       <keyStore id="defaultKeyStore" location="/opt/IBM/HTTPServer/bin/key.kdb" type="CMSKS" password="Letmein" provider="IBMCMSProvider"/>
   The original leaves the id and location values blank; id must equal the keyStoreRef of the ssl element, and location is the CMS keyring created in step 1.

7. Configure $PAC_TOP/jre/linux-x86_64/lib/security/java.security. A CMS keystore can be used with the IBM JRE, but some special configuration is required: the CMS provider is not available by default, so it must be added to the provider list in the IBM JRE's java.security file. Make sure the provider numbers are consecutive and that the new entry does not reuse a number already in the list:
       security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
       security.provider.2=com.ibm.crypto.provider.IBMJCE
       security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
       security.provider.4=com.ibm.security.cert.IBMCertPath
       security.provider.5=com.ibm.security.sasl.IBMSASL
       security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
       security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
       security.provider.8=org.apache.harmony.security.provider.PolicyProvider
       security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
       security.provider.10=com.ibm.security.cmskeystore.CMSProvider

8. Restart the services:
       source $HTTPServer/bin/envvars
       $HTTPServer/bin/apachectl stop
       $HTTPServer/bin/apachectl start
       pmcadmin stop
       pmcadmin start

9. Access PAC at https://httpserver_ip/platform

Case 2 - Use a PKCS12 file as the certificate

The steps are basically the same as in Case 1; only the steps that differ when enabling X.509 certificate SSO are described here.

3. Import the PKCS12 file (my.p12) into key.kdb and make it the default certificate:
       ./gskcmd -cert -import -db /opt/IBM/HTTPServer/bin/my.p12 -pw Letmein -target key.kdb -target_pw Letmein
       ./gskcmd -cert -setdefault -db /opt/IBM/HTTPServer/bin/key.kdb -label testlabel

6. Configure $PAC_TOP/conf/server.xml and add the parameter clientAuthentication="true" to the ssl element from Case 1, step 6:
       <ssl id="defaultSSLConfig" sslProtocol="TLS" keyStoreRef="defaultKeyStore" clientAuthentication="true"/>
   Additionally, export the certificate from my.p12 and import it into the IBM JRE trust store (the JRE used by PAC, whose java.security was edited in step 7) and into your browser:
       $JAVA_HOME/bin/keytool -export -alias testlabel -file my.cert -keypass changeit -storepass changeit -storetype PKCS12 -keystore my.p12
       $JAVA_HOME/bin/keytool -import -noprompt -trustcacerts -alias testlabel -file my.cert -keypass changeit -storepass changeit -keystore $JAVA_HOME/lib/security/cacerts
   The -storepass given for my.p12 must be the password the file was created with (the gskcmd import above uses Letmein, the keytool export uses changeit; use whichever applies to your file). The second -storepass is the password of the JRE's cacerts file, whose default is changeit.

   Then you can access PAC at https://ip/platform/framework/login/toNoFilterLogin.action

Case 3 - Use a CMS keystore as the certificate

1. Create the key database:
       ./gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/bin/key.kdb -pw Letmein -stash

2. Create a self-signed certificate (in ikeyman), then set testlabel as the default certificate; you can click the View/Edit button to check whether it is the default.

3. Configure $HTTPServer/conf/httpd.conf (as in Case 1, step 4).

4. Configure $HTTPServer/conf/plugin-cfg.xml (as in Case 1, step 5).

5. Configure $PAC_TOP/conf/server.xml and add the ssl and keyStore configuration (the fragment is not reproduced on this page; see Case 1, step 6 for the same configuration).

6. Configure $PAC_TOP/jre/linux-x86_64/lib/security/java.security (as in Case 1, step 7).

7. Restart the services (as in Case 1, step 8).

More Information
Copyright 2008-2022 冰豆网. All rights reserved.
Business licence number: 鄂ICP备2022015515号-1