Wednesday, November 16, 2011

Creating a Self-signed Certificate for IBM HTTP Server

The process to generate a self-signed certificate for IBM HTTP Server 6.1 (here on AIX).

Assuming you are enabling one web site for SSL, and its hostname is the same one already defined in the global scope for non-SSL (port 80), you can enable SSL as follows.

1. Check that the HTTP site works on port 80, by IP address, by URL, or both:

 say http://x.x.x.x  or http://abc123.com


Check that the httpd processes are running.


2. For comparison, check whether https:// with the same IP address or URL answers on port 443 yet. It will not; making the same URL work over HTTPS with a self-signed certificate is what the following steps achieve.

3. Check that https and port 443 are defined in /etc/services:

#  cat /etc/services |grep -i 443 |grep -i https
https                    443/tcp                # http protocol over TLS/SSL
https                    443/udp                # http protocol over TLS/SSL

4. Check whether GSKit 7 (the Global Security Kit that IHS 6.1 needs for SSL) is installed. Here it is not: no gsk filesets and no /usr/opt/ibm directory.

 # lslpp -l |grep -i gsk
 #
 # cd /usr/opt/ibm
  ksh: /usr/opt/ibm:  not found.

5. Install GSKit 7 for IHS 6.1.

IBM HTTP Server V6.1 releases support Global Security Kit version 7 only:
V6.1.0.0 ...............................................7.0.3.20 (or higher)
# lslpp -l |grep -i gsk
  gskjs.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gskjt.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gsksa.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base
  gskta.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base

# cd /usr/opt/ibm
# ls -ltr
total 0
drwxr-xr-x    8 root     system          256 Nov 15 11:11 gsksa
drwxr-xr-x    7 root     system          256 Nov 15 11:12 gskjt
drwxr-xr-x    7 root     system          256 Nov 15 11:12 gskjs
drwxr-xr-x    8 root     system          256 Nov 15 11:14 gskta
#
 Apply the latest GSKit fix packs so that the installed level meets the 7.0.3.20 minimum. After the update here:

 # lslpp -l |grep -i gsk
  gskjs.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gskjt.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gsksa.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base
  gskta.rte                 7.0.3.20  COMMITTED  AIX Certificate and SSL Base
#

6. Now stop and start IHS (stopapa and startapa are local wrapper scripts, not part of the product; the stock commands are ./apachectl stop and ./apachectl start in the same directory).
     
      # pwd
     /usr/IBM/HTTPServer/bin
     # ./stopapa
     # ./startapa
     #
7. ikeyman is a Java GUI, so first check that X display forwarding from the AIX server works (e.g. run xclock through Xmanager). Then create the key database for SSL:

     # cd /usr/IBM/HTTPServer/bin
     # ./ikeyman
                          
 ( Key database type --> CMS,   File name --> key.kdb,  Location --> /usr/IBM/HTTPServer/bin  )

Tick "Stash the password to a file?". This writes the password, obfuscated but not strongly encrypted, to a .sth file next to the key database, so that IHS can open key.kdb at startup without prompting. Anyone who can read key.sth can recover the password, and as the listing below shows the files are created world-readable (0644): restrict them so that only the account that starts IHS can read them, and keep them out of any directory that is served to clients.

Say the password is: xyzabc123 (a placeholder; choose your own)

             Click OK
   The key files have been created as shown:
           # pwd
              /usr/IBM/HTTPServer/bin
           #
           # ls -ltr key*
              -rw-r--r--    1 root     system          129 Nov 15 11:36 key.sth
              -rw-r--r--    1 root     system           80 Nov 15 12:36 key.rdb
              -rw-r--r--    1 root     system       115080 Nov 15 12:36 key.kdb
              -rw-r--r--    1 root     system           80 Nov 15 12:36 key.crl
           #
8. Now create the self-signed certificate. No CA such as VeriSign is involved, so nothing is submitted or paid for, but no browser will trust the certificate until the user accepts it (fine for a test box, not for a production site).


          Click "New Self-Signed..." to generate the certificate:


            Key Label = the name that identifies the certificate in ikeyman
            Say key label: www.hostname.com, i.e. your URL
            Note: using the site name (for example www.robo.com) as the label is good practice.
            If ikeyman does not offer a 2048-bit key size, rename or move the gskikm.jar file out of its default location:
           # pwd
           /usr/IBM/HTTPServer/bin
           As done below:
          # pwd
            /usr/IBM/HTTPServer/java/jre/lib/ext
          # mkdir gskfiles
          # mv gskikm.jar   /usr/IBM/HTTPServer/java/jre/lib/ext/gskfiles/gskikm.jar_backup_orignal

         Now re-run ikeyman from the GUI. If the 2048-bit option still does not appear, look for the latest Java and GSKit patches. Since I was only testing on a box, I did not take the pain to fix this. For more, refer to the IBM technote:
http://www-01.ibm.com/support/docview.wss?uid=swg21307574

 Validity: I took 10 years, i.e. 3650 days. Click OK.
 
There is no certificate to receive from a CA, so the "Receive" step is skipped. "Extract Certificate" is only needed if you want to hand the public certificate to clients (for import into a browser or trust store) so that they stop warning about it.

9. Enable the SSL directives in the IBM HTTP Server configuration file (httpd.conf):

For IBM HTTP Server v2.0, v6.0 and v6.1 the SSL module must be loaded in httpd.conf:
             LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
 # cd /usr/IBM/HTTPServer/conf
 # ls -ltr httpd.conf
   -rw-r--r--    1 root     system        32974 Nov 17 10:11 httpd.conf
 # more httpd.conf|grep mod_ibm_ssl.so
   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
 #
 Now add the following entries to httpd.conf below the existing Listen directive for port 80:
ServerName www.XYABC.com     ---> only if you access the site by a DNS name; not needed when accessing by IP
Listen 443
<VirtualHost *:443>
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "/usr/IBM/HTTPServer/bin/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000

Notes: there must be no space in "*:443". SSLEnable inside the virtual host turns SSL on for port 443 only, and SSLDisable after it keeps the global (port 80) scope plain HTTP. KeyFile in the global scope is inherited by the virtual host. IHS serves the key database's default certificate; no SSLServerCert directive is needed here because the only certificate in key.kdb is the default, but with more than one certificate either set the default in ikeyman or name the label with SSLServerCert inside the virtual host. SSLV2Timeout and SSLV3Timeout are SSL session timeouts in seconds, not protocol switches; SSLv2 and SSLv3 are obsolete, so if your fix level supports the SSLProtocolDisable directive, use it to turn them off.


 10. Now open both links in the browser, https and http. DONE :)

11. For more information and configuration options refer to the IBM link:
 
https://www-304.ibm.com/support/docview.wss?uid=swg21179559#step3

*****Note: if you access the site by name rather than by IP, the name must resolve on the client, via DNS or the PC's hosts file.
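As an added example (this script is mine, not part of the original post and not IBM's code): the ikeyman work of steps 7 and 8 done from the command line, the httpd.conf stanza of step 9 generated from one variable, and a check_conf function to run before the restart in step 10. It assumes GSKit 7's command-line tool at /usr/opt/ibm/gsksa/bin/gsk7capicmd (override with GSKCMD), keeps the key database under /usr/IBM/HTTPServer/ssl rather than in bin/, and uses www.example.com as a placeholder site name; none of those come from the post.

```sh
#!/bin/sh
# Added example, not code from the original post or from IBM.
# Command-line version of the ikeyman steps for IBM HTTP Server 6.1 on AIX,
# plus a check of the finished httpd.conf and of the key-file permissions.
# Assumptions (not in the original post): GSKit 7's CLI is
# /usr/opt/ibm/gsksa/bin/gsk7capicmd, the key database lives in
# /usr/IBM/HTTPServer/ssl rather than in bin/, and www.example.com stands
# in for the real site name. DRY_RUN=1 prints the commands instead of
# running them (including the password, so use it on a test box only).

IHS_ROOT=${IHS_ROOT:-/usr/IBM/HTTPServer}
GSKCMD=${GSKCMD:-/usr/opt/ibm/gsksa/bin/gsk7capicmd}
KEYDIR=${KEYDIR:-$IHS_ROOT/ssl}
SITE=${SITE:-www.example.com}
DRY_RUN=${DRY_RUN:-0}

run() {                      # run a command, or only echo it under DRY_RUN=1
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Step 7 equivalent: CMS key database with the password stashed to key.sth.
# The stash is only obfuscated, and -pw is visible in `ps` while the
# command runs, so do this as root on a quiet box and lock the files down.
create_keydb() {
    [ -n "${KDB_PW:-}" ] || { echo "export KDB_PW first" >&2; return 1; }
    run mkdir -p "$KEYDIR"
    run "$GSKCMD" -keydb -create -db "$KEYDIR/key.kdb" -pw "$KDB_PW" \
        -type cms -stash
}

# Step 8 equivalent: 2048-bit self-signed certificate, 3650 days, made the
# default certificate so httpd.conf needs no SSLServerCert directive.
create_selfsigned() {
    run "$GSKCMD" -cert -create -db "$KEYDIR/key.kdb" -pw "$KDB_PW" \
        -label "$SITE" -dn "CN=$SITE,O=Example,C=US" \
        -size 2048 -expire 3650 -default_cert yes
    run "$GSKCMD" -cert -list -db "$KEYDIR/key.kdb" -pw "$KDB_PW"
}

# ikeyman leaves key.kdb/key.sth world-readable (0644); close that.
lock_down_keys() {
    for f in key.kdb key.sth key.rdb key.crl; do
        [ -e "$KEYDIR/$f" ] && run chmod 600 "$KEYDIR/$f"
    done
    return 0
}

# Step 9 stanza: one SSL virtual host on 443, global scope left non-SSL.
ssl_stanza() {
    cat <<EOF
Listen 443
<VirtualHost *:443>
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "$1"
SSLV2Timeout 100
SSLV3Timeout 1000
EOF
}

# Check a finished httpd.conf before restarting: required directives
# present, the "<VirtualHost * :443>" copy/paste typo absent, key database
# and stash readable but not world-readable. Returns 0 when all is well.
check_conf() {
    conf=$1 rc=0
    for pat in '^LoadModule ibm_ssl_module ' '^Listen 443' \
               '^<VirtualHost \*:443>' '^[[:space:]]*SSLEnable' '^KeyFile '; do
        grep -q "$pat" "$conf" || { echo "missing: $pat" >&2; rc=1; }
    done
    grep -q '<VirtualHost \* :443>' "$conf" &&
        { echo "typo: '* :443' must be '*:443'" >&2; rc=1; }
    kdb=$(sed -n 's/^KeyFile[[:space:]]*"\(.*\)".*/\1/p' "$conf")
    if [ -n "$kdb" ]; then
        for f in "$kdb" "${kdb%.kdb}.sth"; do
            if [ ! -r "$f" ]; then echo "unreadable: $f" >&2; rc=1
            elif [ -n "$(find "$f" -perm -004)" ]; then
                echo "world-readable: $f" >&2; rc=1
            fi
        done
    fi
    return $rc
}

# "setup" runs the AIX-side steps and prints the stanza to paste below the
# existing Listen line for port 80; "check <httpd.conf>" validates the result.
if [ "${1:-}" = setup ]; then
    create_keydb && create_selfsigned && lock_down_keys
    ssl_stanza "$KEYDIR/key.kdb"
elif [ "${1:-}" = check ]; then
    check_conf "${2:-}"
fi
```

Typical use: export KDB_PW, run the script with "setup" as root, paste the printed stanza into httpd.conf, then run it with "check /usr/IBM/HTTPServer/conf/httpd.conf" followed by ./apachectl -t before restarting. The check catches the three mistakes that most often leave port 443 silent after a restart: the SSL module not loaded, the stray space in the virtual host address, and a key database or stash IHS cannot read (or that everyone can).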

Sunday, November 6, 2011

Taking a Backup of datavg on a Running AIX System / FAST backup of datavg

How to clone a data VG and restore it to another system without downtime (fast clone; well tested),
or 
how to take a backup of a running system when application availability is the priority and an offline backup takes about 5-8 hours to complete.

========================================================================
Map the hdiskY / LUN to both systems.

On system1:

lspv

cfgmgr   ** to pick up the new hdiskY/LUN

Now extend the VG onto it:

extendvg vgname hdiskY

****** if extendvg fails because of the maximum-PP-per-PV limit, change the VG factor first:

chvg -t 2|3|4 (etc.)  vgname

extendvg vgname hdiskY

mirrorvg vgname hdiskY

lsvg -l vgname   * check that every LV shows syncd and none is stale; if not, wait for the mirror sync to finish before going on.

Freeze the file systems to keep them consistent and flush the cache, so that all data is written to disk:

chfs -a freeze=120  filesystem_name   ( once for each file system of that VG / application )

This freezes the file system: no I/O happens for up to 120 seconds or until it is thawed. Users will see the application hang for those two minutes, but that is enough time to split off a consistent copy of the VG.

Now split the VG:

splitvg -y new_vgname -c 2 -i old_vgname   ( -c 2 splits off the second copy of each LV, i.e. the copy on hdiskY; -i makes the new VG independent, so hdiskY can never rejoin the original VG and the LVs/file systems stay consistent. Leave out -i if you want the disk to rejoin the VG later. )

Thaw the file systems so that the application and users can access them again:

chfs -a freeze=0 filesystem_name   ( for each file system frozen above )

The application was frozen for only 2-3 minutes, and you can now take a backup of the consistent copy of datavg as shown below:

varyoffvg new_vgname

exportvg new_vgname

rmdev -Rdl hdiskY
=======================
On system2 (or the TSM server):

Map the same hdiskY/LUN to the other system, if not already done.

lspv

cfgmgr

lspv

importvg -y vgname hdiskY   ( vgname: whatever name you want to give it )

cp -p /etc/filesystems /etc/filesystems_copy

edit /etc/filesystems and remove the unwanted prefix (/fs/fs etc.) from the mount points
mount all

Check that the VG has no stale LVs.

Check the files and the application.

Remove the mapping of hdiskY/LUN from system1 at the storage level, so that only the backup host can reach the copy; it holds every file of the original VG.

Mount any file systems that are still unmounted.

Take the backup to TSM from this consistent copy of datavg. The actual host was frozen for only 2-3 minutes and users keep working on it; if your mksysb is also cloned onto the target server, the target can run the application as a cloned server.

That's it.

Done!
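The system1 side of the procedure above, as an added example that is not part of the original post: every AIX command goes through a run() wrapper, so DRY_RUN=1 prints the exact sequence (freeze, split, thaw, detach) without touching a disk, and the script refuses to split while any LV copy is still stale. It assumes the VG is datavg, the new LUN is hdisk9 and the split-off VG is called datavg_snap; those names are mine, not from the post, and the system2 steps stay as described above.

```sh
#!/bin/sh
# Added example, not code from the original post: the system1 side of the
# split as a runbook script. Every AIX command goes through run(), so
# DRY_RUN=1 prints the exact sequence without touching a disk.
# Assumptions (not in the original): the VG is datavg, the newly mapped LUN
# is hdisk9 and the split-off VG is named datavg_snap; change the variables
# for your system.

VG=${VG:-datavg}
NEWPV=${NEWPV:-hdisk9}
SNAPVG=${SNAPVG:-datavg_snap}
FREEZE_SECS=${FREEZE_SECS:-120}      # must exceed the time splitvg needs
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

lsvg_l() { lsvg -l "$1"; }           # wrapped so it can be replaced in tests

# Mount points of the VG's file systems: column 7 of `lsvg -l`, skipping the
# two header lines and LVs without a mount point (N/A, e.g. the jfs2 log).
vg_mounts() {
    lsvg_l "$1" | awk 'NR > 2 && $7 ~ /^\// { print $7 }'
}

# True while any LV of the VG still has a stale copy (LV STATE, column 6).
has_stale() {
    lsvg_l "$1" | awk 'NR > 2 { print $6 }' | grep -q stale
}

# Poll until the mirror is fully synced; splitting a stale copy gives an
# inconsistent snapshot.
wait_synced() {
    while has_stale "$1"; do echo "$1: mirror still syncing"; sleep 30; done
}

# Attach the LUN and mirror the VG onto it. If extendvg fails with the
# max-PP limit, raise the factor first: chvg -t 4 "$VG" (as in the post).
add_mirror() {
    run cfgmgr
    run extendvg "$VG" "$NEWPV"
    run mirrorvg "$VG" "$NEWPV"
    [ "$DRY_RUN" = 1 ] || wait_synced "$VG"
}

# Freeze every file system of the VG so the on-disk state is consistent,
# split the second copy off as an independent VG (-i: it can never rejoin),
# thaw immediately, then detach the PV from this host. Never freeze the
# file system this script or the splitvg binary lives on.
split_copy() {
    mounts=$(vg_mounts "$VG")
    for m in $mounts; do run chfs -a freeze="$FREEZE_SECS" "$m"; done
    run splitvg -y "$SNAPVG" -c 2 -i "$VG"
    for m in $mounts; do run chfs -a freeze=0 "$m"; done   # thaw
    run varyoffvg "$SNAPVG"
    run exportvg "$SNAPVG"
    run rmdev -Rdl "$NEWPV"
}

# Usage: DRY_RUN=1 ./split_datavg.sh go   (review the plan)
#        ./split_datavg.sh go             (do it)
if [ "${1:-}" = go ]; then
    add_mirror
    split_copy
fi
```

Run it once with DRY_RUN=1 and read the printed plan: the freeze lines must all come before splitvg and the thaw lines right after it, and the list of mount points must be exactly the VG's file systems and nothing from rootvg. The snapshot VG carries a full copy of the data, so map the LUN only to the host that is meant to back it up.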
=========================================================================

Extra: a script to strip the LV and mount-point prefixes, if you prefer that to editing /etc/filesystems by hand as described above (I tested that way too):

After the import the file systems still carry the "/fs/fs" prefix. A quick and dirty script moves each one back to its original mount point (chfs -m takes the new mount point first, then the current one):

for mnt in `lsvg -l datavg | awk 'NR>2 && $7 ~ /^\/fs\/fs\//{print $7}'`
do
   chfs -m ${mnt#/fs/fs} $mnt          # chfs -m <new mount point> <current mount point>
done

And the LVs still have the "fs" prefix. I could leave them, but my OCD won't let me:

for lv in `lsvg -l datavg | awk 'NR>2 && $1 ~ /^fs/{print $1}'`
do
   chlv -n ${lv#fs} $lv                # chlv -n <new name> <current name>
done

Then I used "mount -a" to mount all the file systems.