Wednesday, November 16, 2011

Creating a Self-Signed Certificate for IBM HTTP Server

The process to generate a self-signed certificate for IBM HTTP Server 6.1.

Assuming you are enabling one web site for SSL, and the hostname is the same as the one already defined in the global scope for non-SSL (port 80), you can enable SSL as follows.

1. Check that your HTTP web site is working on port 80, using the IP address, the URL, or both, as shown below:

 say http://x.x.x.x  or http://abc123.com


Check that the HTTP processes are running.


2. Just for sanity, check whether https for the same IP address or URL is working on port 443 or not.
This is what we have to achieve: access to the same URL over HTTPS using a self-signed certificate.

3. Check that https and port 443 are defined in /etc/services.

#  cat /etc/services |grep -i 443 |grep -i https
https                    443/tcp                # http protocol over TLS/SSL
https                    443/udp                # http protocol over TLS/SSL

4. Check whether GSK v7 for HTTP Server 6.1 is installed or not.

 # lslpp -l |grep -i gsk
 #
 # cd /usr/opt/ibm
  ksh: /usr/opt/ibm:  not found.

5. Install GSK v7 for HTTP Server 6.1.

IBM HTTP Server V6.1 releases support Global Security Kit Version 7 only:
V6.1.0.0 requires GSKit 7.0.3.20 (or higher)
# lslpp -l |grep -i gsk
  gskjs.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gskjt.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gsksa.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base
  gskta.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base

# cd /usr/opt/ibm
# ls -ltr
total 0
drwxr-xr-x    8 root     system          256 Nov 15 11:11 gsksa
drwxr-xr-x    7 root     system          256 Nov 15 11:12 gskjt
drwxr-xr-x    7 root     system          256 Nov 15 11:12 gskjs
drwxr-xr-x    8 root     system          256 Nov 15 11:14 gskta
#
 Apply the latest fix packs for proper functioning.

 # lslpp -l |grep -i gsk
  gskjs.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gskjt.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gsksa.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base
  gskta.rte                 7.0.3.20  COMMITTED  AIX Certificate and SSL Base
#

6. Now stop and start the HTTP Server.
     
      # pwd
     /usr/IBM/HTTPServer/bin
     #./stopapa
     # ./startapa
     #
7. Check that the GUI interface is working on the AIX server, using xclock and Xmanager. Create the key database for SSL as shown below:

     # cd /usr/IBM/HTTPServer/bin
     # ./ikeyman
                          
 ( Key database type --> CMS,   File name --> key.kdb,  Location --> /usr/IBM/HTTPServer/bin  )

Select the checkbox "Stash the password to a file?". This encrypts the password and saves it as a .sth file in the same directory as the key database file. Anything that can read the stash file can open the key database, so keep it readable only by the user IBM HTTP Server runs as.

Say the password is: xyzabc123

             Click OK
   The key files have been created as shown:
           # pwd
              /usr/IBM/HTTPServer/bin
           #
           # ls -ltr key*
              -rw-r--r--    1 root     system          129 Nov 15 11:36 key.sth
              -rw-r--r--    1 root     system           80 Nov 15 12:36 key.rdb
              -rw-r--r--    1 root     system       115080 Nov 15 12:36 key.kdb
              -rw-r--r--    1 root     system           80 Nov 15 12:36 key.crl
           #
8. Now we need to create the self-signed certificate, for which we don't need authentication from a CA such as VeriSign.

          Click on self-signed certificate to generate the certificate:


            Key Label = (the name you want to give the certificate to identify it in IKEYMAN)
            Say key label: www.hostname.com or your URL
            Note: Using the site name (for example, www.robo.com) as the label is good practice.
            If you are not able to generate a 2048-bit key, rename or move the gskikm.jar file from its default location.
           # pwd
           /usr/IBM/HTTPServer/bin
           As done below:
          # pwd
            /usr/IBM/HTTPServer/java/jre/lib/ext
          # mkdir gskfiles
          # mv gskikm.jar   /usr/IBM/HTTPServer/java/jre/lib/ext/gskfiles/gskikm.jar_backup_orignal

         Now re-run ikeyman from the GUI. If you still don't get the 2048-bit key option, look for the latest patches for Java and GSK. Since I was just testing on a box, I didn't take the pain to fix this. For more, refer to the IBM link:
http://www-01.ibm.com/support/docview.wss?uid=swg21307574

 Number of days: I have taken 10 years, i.e. 3650 days. Click OK.
 
We don't need to receive and extract the certificate, as it is self-signed, unless it is required.

9. Enable the SSL directives within the IBM HTTP Server configuration file (httpd.conf):

For releases of IBM HTTP Server v2.0, v6.0 and v6.1, we need to load the module below in the httpd.conf file:
             LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
 # cd /usr/IBM/HTTPServer/conf
 # ls -ltr httpd.conf
   -rw-r--r--    1 root     system        32974 Nov 17 10:11 httpd.conf
 # more httpd.conf|grep mod_ibm_ssl.so
   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
 #
 Now add the entries below to the httpd.conf file, below the existing Listen 80 directive:
ServerName www.XYABC.com     ---> only if you are using a URL with a DNS name defined for the web site;
                                  if you are accessing via IP there is no need to define it
Listen 443
<VirtualHost *:443>
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "/usr/IBM/HTTPServer/bin/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000
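An added check, not part of the original post, that can be run before opening the browser in step 10: it verifies that httpd.conf carries the directives from step 9 (catching the easy-to-miss space in `<VirtualHost * :443>`), that the key database and its stash file exist, and that the stash is not world-readable, since anyone who can read key.sth can open key.kdb. The function names and the sample httpd.conf and key files are constructed here.

```shell
# check_ihs_ssl_conf CONF: verify the SSL directives from step 9 in an httpd.conf and
# the key files they point at; prints one line per finding, returns 0 only if all pass.
check_ihs_ssl_conf() {
    conf=$1; rc=0
    for want in '^LoadModule ibm_ssl_module' '^Listen 443' '^SSLEnable' '^KeyFile '; do
        grep -q -- "$want" "$conf" || { echo "missing directive: $want"; rc=1; }
    done
    # '<VirtualHost * :443>' (space before the colon) is a syntax error; require '*:443'.
    grep -Eq '^<VirtualHost [^ >]+:443>' "$conf" \
        || { echo "missing or malformed <VirtualHost *:443>"; rc=1; }
    # Resolve the KeyFile path (quoted or not) and check the .kdb and its .sth stash.
    kdb=$(sed -n 's/^KeyFile[ ]*"*\([^" ]*\)"*.*/\1/p' "$conf" | head -n 1)
    if [ -n "$kdb" ]; then
        sth=${kdb%.kdb}.sth
        [ -f "$kdb" ] || { echo "KeyFile not found: $kdb"; rc=1; }
        [ -f "$sth" ] || { echo "stash file not found: $sth"; rc=1; }
        # The stash holds the key database password: a 644 stash, as in the
        # step 7 listing, lets any local user unlock the private key.
        if [ -f "$sth" ] && [ -n "$(find "$sth" -perm -004)" ]; then
            echo "stash file is world-readable, run: chmod 600 $sth"; rc=1
        fi
    fi
    return $rc
}
# make_sample DIR KIND: constructed input (not real IHS files): a minimal httpd.conf
# with the step 9 directives, empty key.kdb/key.sth with the 644 mode shown in
# step 7, and, when KIND is "broken", the spaced VirtualHost line.
make_sample() {
    dir=$1; mkdir -p "$dir"
    : > "$dir/key.kdb"; : > "$dir/key.sth"; chmod 644 "$dir/key.sth"
    if [ "$2" = broken ]; then vh='<VirtualHost * :443>'; else vh='<VirtualHost *:443>'; fi
    cat > "$dir/httpd.conf" <<EOF
Listen 80
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
$vh
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "$dir/key.kdb"
EOF
    printf '%s\n' "$dir/httpd.conf"
}
# Demo: the sample is first flagged for its 644 stash, then passes after chmod 600.
d=${TMPDIR:-/tmp}/ihs-ssl-demo.$$
if ! check_ihs_ssl_conf "$(make_sample "$d" ok)"; then chmod 600 "$d/key.sth"; fi
if check_ihs_ssl_conf "$d/httpd.conf"; then echo "OK: $d/httpd.conf"; fi
rm -rf "$d"
```

On the real server, run it as `check_ihs_ssl_conf /usr/IBM/HTTPServer/conf/httpd.conf` after editing and before the restart.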


 10. Now open the browser and open the links using both https and http. DONE :)
 
11. For more information and configuration, refer to the IBM link:
 
https://www-304.ibm.com/support/docview.wss?uid=swg21179559#step3

*****Note: you must have a DNS entry or a local PC hosts file entry defined if you are using the server name.
