Hi, folks...
Today I am going to explain how to install an SSL certificate on IHS (IBM HTTP Server). Let's go through the steps below:
Notes:
1) Create a .sh script for creating the db, for importing the certificates and for receiving the signed certificate.
2) gsk7cmd supports the -Xms1024m -Xmx2048m options for giving extra heap memory to Java. This is very useful because sometimes you end up with OutOfMemory errors.
3) After creating the request you can see it by listing the certificate requests in the keystore; after receiving the signed certificate the request is removed. Don't worry, this is normal.
4) SSL0208E: SSL Handshake Failed, Certificate validation error. This error is related to the Class 3 root certificate. Don't forget to import it into the keystore.
Step 1 : Configure your environment variables (Using command line):
export JAVA_HOME=/java/jre
export PATH=/java/jre/bin:$PATH
Step 2 : Create a new key store database:
<IHS ROOT DIR>/gsk7/bin/gsk7cmd -keydb -create -db keystore -pw 1234 -type cms -stash
Step 3 : Create a new Key Request:
<IHS ROOT DIR>/gsk7/bin/gsk7cmd -certreq -create -db keystore.kdb -pw 1234 -label keystorelabel -dn "CN=subdomain.yourcompany.com,O=Company Name,OU=OrganizationUnit,L=Location,ST=State,C=CountryCode" -size 2048 -file keyrequest.csr
Step 4 : Import the primary and secondary intermediate CA certificates. Open the link below and copy the primary and secondary intermediate certificates:
http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Copy the Primary Intermediate CA Certificate and save in a file called "primary.crt"
Copy the Secondary Intermediate CA Certificate and save in a file called "secondary.crt"
Open the Verisign link below and choose your product. The most common is "Standard SSL":
https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=SO4785
Open your product page. It displays the Class 3 Public Primary Certification Authority certificate. Copy it and store it in a file called "rootclasscert.crt".
So now you have the 3 certificates:
primary.crt
secondary.crt
rootclasscert.crt
Step 5 : Import primary, secondary and rootclasscert into your keystore.kdb database
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.kdb -pw 1234 -label primary -format ascii -trust enable -file primary.crt
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.kdb -pw 1234 -label secondary -format ascii -trust enable -file secondary.crt
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.kdb -pw 1234 -label rootclasscert -format ascii -trust enable -file rootclasscert.crt
Step 6 : Send your request file keyrequest.csr to Verisign to receive a signed certificate.
This step is immediate: you log in to your Verisign account, paste the request, and Verisign sends the signed certificate by email right away.
Step 7 : Receive the file and store it in your database.
Copy the content of cert.cer (or copy the attached file) to your server and issue the following command:
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -receive -file cert.cer -db keystore.kdb -pw 1234 -format ascii -default_cert yes
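The script from Note 1, written here as an added example (not code from the original post): it wraps steps 2, 3, 5 and 7 in a few shell functions, always passes the heap options from Note 2, and refuses to import a signer file or receive the signed certificate when one of the three signer files (notably the root, the cause of SSL0208E in Note 4) is missing or not PEM. It assumes IHS_ROOT_DIR is the IHS install root (the /opt/IBM/HTTPServer default is assumed), KEYDB_PW is the keystore password (1234 as in the post), the files use the post's names, and C=XX is a placeholder country code; DRY_RUN=1 prints the gsk7cmd lines instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper for the gsk7cmd steps.
# Assumed: IHS_ROOT_DIR is the IHS install root, KEYDB_PW the keystore password
# (the post uses 1234), and the signer/request files use the post's names.
set -eu
IHS_ROOT_DIR="${IHS_ROOT_DIR:-/opt/IBM/HTTPServer}"   # assumed default location
GSK7CMD="${GSK7CMD:-$IHS_ROOT_DIR/gsk7/bin/gsk7cmd}"
HEAP_OPTS="-Xms1024m -Xmx2048m"   # extra Java heap (Note 2)
KEYDB="${KEYDB:-keystore.kdb}"
KEYDB_PW="${KEYDB_PW:-1234}"
DRY_RUN="${DRY_RUN:-0}"           # 1 = print the gsk7cmd line instead of running it

gsk() {   # run gsk7cmd with the heap options, or echo the command under DRY_RUN
    if [ "$DRY_RUN" = "1" ]; then printf '%s %s %s\n' "$GSK7CMD" "$HEAP_OPTS" "$*"
    else "$GSK7CMD" $HEAP_OPTS "$@"; fi
}
pem_cert_count() {   # number of PEM certificates in a file (0 if the file is missing)
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}
check_pem() {   # a missing signer, e.g. the root, is what later produces SSL0208E
    if [ "$(pem_cert_count "$1")" -lt 1 ]; then
        echo "error: $1 is missing or holds no PEM certificate" >&2; return 1
    fi
}
create_keydb() {   # Step 2: the post creates "keystore" and then uses keystore.kdb
    gsk -keydb -create -db "${KEYDB%.kdb}" -pw "$KEYDB_PW" -type cms -stash
}
create_request() {   # Step 3: create_request <label> <dn> <csr-file>
    gsk -certreq -create -db "$KEYDB" -pw "$KEYDB_PW" -label "$1" -dn "$2" -size 2048 -file "$3"
}
add_signer() {   # Step 5: add_signer <file> <label>, added as a trusted signer
    check_pem "$1" || return 1
    gsk -cert -add -db "$KEYDB" -pw "$KEYDB_PW" -label "$2" -format ascii -trust enable -file "$1"
}
receive_signed() {   # Step 7, refused until all three signer files are present
    for f in primary.crt secondary.crt rootclasscert.crt; do check_pem "$f" || return 1; done
    gsk -cert -receive -file "$1" -db "$KEYDB" -pw "$KEYDB_PW" -format ascii -default_cert yes
}
case "${1:-}" in
    prepare)   # before sending the CSR to the CA; C=XX is a placeholder country code
        create_keydb
        create_request keystorelabel "CN=subdomain.yourcompany.com,O=Company Name,OU=OrganizationUnit,L=Location,ST=State,C=XX" keyrequest.csr ;;
    install)   # after the CA returned cert.cer and the three signer files were saved
        add_signer primary.crt primary
        add_signer secondary.crt secondary
        add_signer rootclasscert.crt rootclasscert
        receive_signed cert.cer ;;
esac
```

Run `./ihs-ssl.sh prepare` before Step 6 and `./ihs-ssl.sh install` once cert.cer and the three signer files are in the working directory.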
Step 8 : Configure your IHS to point to the new keystore
Example:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost your.ip.address.number:443>
ServerName your.ip.address.number
SSLEnable
SSLProtocolDisable SSLv2
KeyFile YOUR_PATH/SSL/keystore.kdb
</VirtualHost>
SSLDisable
Step 9 : Stop and Start IHS.
IHS_ROOT_DIR/bin/adminctl stop
IHS_ROOT_DIR/bin/apachectl stop
IHS_ROOT_DIR/bin/adminctl start
IHS_ROOT_DIR/bin/apachectl start
Step 10 : Now check your server using https://yourserver/
SSL0208E Fix: SSL Handshake Failed, Certificate validation error on IBM HTTP Server
Clients using IBM HTTP Server 7.0 on Windows may see the error "SSL0208E: SSL Handshake Failed, Certificate validation error" even after successfully importing the public key and the Primary and Secondary Intermediate CA certificates. In this case, the fix is as follows:
1. Open the IBM iKey Manager (Start > IBM HTTP Server > Key Management Utility).
2. Open the Key Database.
3. In cert list, select Signer Certificates.
4. Click the Populate button. In the VeriSign list, choose the certificate "VeriSign Class 3 Public Primary Certificate Authority".
5. Exit the Key Management Utility.
6. Restart the IBM HTTP Server.