Skip to main content

SSL certificate installation on IHS (IBM HTTP Server):

Hi, folks...

Today I am going to explain how to install an SSL certificate on IHS (IBM HTTP Server). Let's go through the below steps:

*Notes:
1) Create a .sh script for creating the db, for importing certificates and for receiving the signed key. 
2) gsk7cmd command supports -Xms1024m -Xmx2048m options for adding extra heap memory to java. This is very usefull because some times you end up with OutOfMemory errors.
3) After creating the request you can see the request by list request certificates in the keystore, after receiving the signed certificate the certificate request is removed. Don't worry, this is normal.
4) SL0208E: SSL Handshake Failed, Certificate validation error.  This error is related to the Root Class-3 certificate. Don't forget to import it to the keystore.


Step 1 : Configure your environment variables (Using command line):

export JAVA_HOME=/java/jre
export PATH=/java/jre/bin:$PATH

Step 2 : Create a new key store database:

<IHS ROOT DIR>/gsk7/bin/gsk7cmd -keydb -create -db keystore -pw 1234 -type cms -stash

Step 3 : Create a new Key Request:

<IHS ROOT DIR>/gsk7/bin/gsk7cmd -certreq -create -db keystore.kdb -pw 1234 -label keystorelabel -dn "CN=subdomain.yourcompany.com,O=Company Name,OU=OrganizationUnit,L=Location,ST=State,C=City" -size 2048 -file keyrequest.csr

Step 4 : Import primary and secondary intermediate certsign public keys access the below link and copy the primary and secondary intermediate keys:

http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html

Copy the Primary Intermediate CA Certificate and save in a file called "primary.crt"

Copy the Secondary Intermediate CA Certificate and save in a file called "secondary.crt"

Access Verisign link and choose your product. The most common is "Standard SSL"
https://knowledge.verisign.com/support/mpki-for-ssl-support/index page=content&actp=CROSSLINK&id=SO4785

Access your product. After accessing your product link, it will be displayed the Class 3 Public Primary Certification Authority. Copy the certificate and store it in a file called "rootclasscert.crt"

So now you have the 3 certificates:
primary.crt
secondary.crt
rootclasscert.crt

Step 5 : Import primary, secondary and rootclasscert into your keystore.kdb database

IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.
kdb -pw 1234 -label primary -format ascii -trust enable -file primary.crt
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.
kdb -pw 1234 -label secondary -format ascii -trust enable -file secondary.crt
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.
kdb -pw 1234 -label rootclasscert -format ascii -trust enable -file rootclasscert.crt

Step  6 : Send your request file keyrequest.csr to Verisign so to receive a signed certificate.

This step is atomic. You access your Verisign account and copy and paste the request key and Verisign will send the signed certificate by email at the same time.

Step 7 : Receive the file and store it in your database

Copy the content of the cert.cer or copy the attached file to your server and issue the following command:
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -receive -file cert.cer -db keystore.kdb -pw 1234 -format ascii -default_cert yes

Step 8 : Configure your IHS to point to the new keystore

Example:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
< virtualhost your.ip.address.number:443 >
 ServerName your.ip.address.number
 SSLEnable
 SSLProtocolDisable SSLv2
 KeyFile YOUR_PATH/SSL/keystore.kdb
</virtualhost> 
SSLDisable

Step 9 : Stop and Start IHS.

IHS_ROOT_DIR/bin/adminctl stop
IHS_ROOT_DIR/bin/apachectl stop

IHS_ROOT_DIR/bin/adminctl start 
IHS_ROOT_DIR/bin/apachectl start


Step 10 : Now check your server now using https://yourserver/


SSL0208E Fix: SSL Handshake Failed, Certificate validation error on IBM HTTP Server

Clients using IBM HTTP Server 7.0 on Windows after successful import public key and Primary and Secondary Intermediate CA that the system error "SSL0208E: SSL Handshake Failed, Certificate validation error". In this case, the fix is as follows:
1. Open the IBM iKey Manager "Start> IBM HTTP Server> Key Management Utility ". 
2. Open the Key Database.
3. In cert list, select Signer Certificates.
4. Populate button. In the select list of VeriSign. Choose to cert "VeriSign Class 3 Public Primary Certificate Authority".
5. Exit the Key Management Utility.
6. Restart the IBM HTTP Server. 





Comments

Popular posts from this blog

WebSphere Application Server Performance Tuning...

Here are some tips for WebSphere Application Server Performance Tuning: 1. Turn verbose garbage collection on, either by using WAS console (Servers => Application servers => server_name => Process definition => Java Virtual Machine) or by modifying command line parameters. Then, restart JVM.  2. Run your test harness and peruse the log file native_stderr.log. This will give you an idea whether your JVM has got optimal heap size allocated: you'll want to find that garbage collection does not occur more often than every 10-15 seconds and it does not take longer than 1 to 2 seconds to complete.  3. If the above is not true, change the JVM heap size, restart JVM and repeat step 2.  4. Use WAS console to check the size of Web Container's thread pool. the maximum size of 60-80 is usually a good default value.  5. Use WAS console to make sure the JDBC Connection Pool has its Maximum Connections set up to a value lower than Web Container's...

Security Hardening of WebSphere Application Server Installations:

It is a known fact that an out of the box WAS installation with security enabled is not entirely secure. There is a number of steps that has to be taken in order to "harden" the installation. Most of the steps are documented in the WebSphere hardening guide , which should be closely studied and followed by any WAS administrator or developer. The hardening guide, however, is a little light on the specifics regarding how to secure WAS at the OS level. For example, hardening should normally include changing file and directory permissions to restrict access to sensitive configuration files. Why bother hardening the installation at the OS level? This helps defend against external threats, i.e., a server hosting the installation is compromised and against internal threats, i.e., an unauthorized access from inside. Here are some of the things you can do to secure your installation on a Unix/Linux platform: 1) If you installed WAS as a non-root account, make sure that th...