Considering you are enabling one Web site for SSL, and the hostname is the same as the one already defined in the Global Scope for non-SSL (port 80), you can enable SSL as follows.
1. Check you http website is working with either using IP address or using url or both on Port 80 as shown below:-
say http://x.x.x.x or http://abc123.com
Check Http processes are running.
2. Just for sake check if https for same Ip address or url is working at port 443 or not.
This is what we have to achieve to get working same URL access using the HTTPS via self signed certificate
3. Check Https and 443 port are defined in /etc/services.
# cat /etc/services |grep -i 443 |grep -i https
https 443/tcp # http protocol over TLS/SSL
https 443/udp # http protocol over TLS/SSL
4. Check GSK v7 for Http 6.1 is installed or not
# lslpp -l |grep -i gsk
#
# cd /usr/opt/ibm
ksh: /usr/opt/ibm:
not found.
5. Install GSK v7 for Http6.1
IBM HTTP Server V6.1 releases
*Supports Global Security Kit Version 7 only!
V6.1.0.0 ...............................................7.0.3.20 (or higher)
*Supports Global Security Kit Version 7 only!
V6.1.0.0 ...............................................7.0.3.20 (or higher)
# lslpp -l |grep -i gsk
gskjs.rte
7.0.3.18 COMMITTED AIX Certificate and SSL Java
gskjt.rte
7.0.3.18 COMMITTED AIX Certificate and SSL Java
gsksa.rte 7.0.3.18 COMMITTED
AIX Certificate and SSL Base
gskta.rte
7.0.3.18 COMMITTED AIX Certificate and SSL Base
# cd /usr/opt/ibm
# ls -ltr
total 0
drwxr-xr-x 8 root system 256 Nov 15 11:11 gsksa
drwxr-xr-x 7 root system 256 Nov 15 11:12 gskjt
drwxr-xr-x 7 root system 256 Nov 15 11:12 gskjs
drwxr-xr-x 8 root system 256 Nov 15 11:14 gskta
#
# ls -ltr
total 0
drwxr-xr-x 8 root system 256 Nov 15 11:11 gsksa
drwxr-xr-x 7 root system 256 Nov 15 11:12 gskjt
drwxr-xr-x 7 root system 256 Nov 15 11:12 gskjs
drwxr-xr-x 8 root system 256 Nov 15 11:14 gskta
#
Please apply the latest fix packs do for proper functioning.
# lslpp -l |grep -i gsk
gskjs.rte 7.0.3.18 COMMITTED AIX Certificate and SSL Java
gskjt.rte 7.0.3.18 COMMITTED AIX Certificate and SSL Java
gsksa.rte 7.0.3.18 COMMITTED AIX Certificate and SSL Base
gskta.rte 7.0.3.20 COMMITTED AIX Certificate and SSL Base
#
gskjs.rte 7.0.3.18 COMMITTED AIX Certificate and SSL Java
gskjt.rte 7.0.3.18 COMMITTED AIX Certificate and SSL Java
gsksa.rte 7.0.3.18 COMMITTED AIX Certificate and SSL Base
gskta.rte 7.0.3.20 COMMITTED AIX Certificate and SSL Base
#
6. Now stop and start Http services.
# pwd
/usr/IBM/HTTPServer/bin
#./stopapa
/usr/IBM/HTTPServer/bin
#./stopapa
# ./startapa
#
7. Check
GUI interface working on AIX server , using xclock & xmanager. Install key
for ssl as shown below:-
# cd /usr/IBM/HTTPServer/bin
# ./ikeyman
( ket
database --> CMS, File name --> key.kdb, Loctaion --> /usr/IBM/HTTPServer/bin )
Select the checkbox Stash the password to a
file? This encrypts the password and saves the file as a .sth file in the
same directory as the key database file.
Say
password is :- xyzabc123
Click OK
Key Files have been created as shown
# pwd
/usr/IBM/HTTPServer/bin
#
# ls -ltr key*
-rw-r--r-- 1 root system 129 Nov 15 11:36 key.sth
-rw-r--r-- 1 root system 80 Nov 15 12:36 key.rdb
-rw-r--r-- 1 root system 115080 Nov 15 12:36 key.kdb
-rw-r--r-- 1 root system 80 Nov 15 12:36 key.crl
#
8. Now we need to create the self signed certificate for which we dont need to have authentication from CA or Verisign.
Click on self signed certificate to generate the certificate:-
Key Label= (The name you want to give the
certificate to identify it in IKEYMAN)
Say key label :- www.hostname.com or ur url
Note: Using the SiteName (for example,
www.robo.com) as the label is a good practice.
Not able to generate 2048
bit key
Rename or move the gskikm.jar file from its
default location
# pwd
/usr/IBM/HTTPServer/bin
As done below:-
# pwd
/usr/IBM/HTTPServer/java/jre/lib/ext
# mkdir gskfiles
# mv gskikm.jar
/usr/IBM/HTTPServer/java/jre/lib/ext/gskfiles/gskikm.jar_backup_orignal
Now re-run
ikeyman from GUI. If still you didn't get the 2048 bit key option look for latest patches for Java and GSK. Since I was just testing on a box so I didn't take pain to fix this. For more refer to IBM Link
http://www-01.ibm.com/support/docview.wss?uid=swg21307574
9. Enable SSL directives within the IBM HTTP Server's configuration file (httpd.conf):-
For releases of IBM HTTP Server
v2.0, v6.0 and v6.1: We need to load the below module in httpd.conf file
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
# cd /usr/IBM/HTTPServer/conf
# ls -ltr httpd.conf
-rw-r--r-- 1 root system 32974 Nov 17 10:11 httpd.conf
# more httpd.conf|grep mod_ibm_ssl.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
#
# ls -ltr httpd.conf
-rw-r--r-- 1 root system 32974 Nov 17 10:11 httpd.conf
# more httpd.conf|grep mod_ibm_ssl.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
#
Now do the below entries in httpd.conf file below Listen Port 40
ServerName www.XYABC.com ---> If you are using the URL and defined DNS name for the web,
else no need to define you are accessing via IP
Listen
443
<VirtualHost
* :443>
SSLEnable
SSLClientAuth
None
</VirtualHost>
SSLDisable
KeyFile
"/usr/IBM/HTTPServer/bin/key.kdb"
SSLV2Timeout
100
SSLV3Timeout 1000
10. Now open the browser and open the links both using https and http. DONE :)
11. For more info and configuration refer to IBM link
https://www-304.ibm.com/support/docview.wss?uid=swg21179559#step3
*****Note you must a DNS or local pc host file defined if you are using the Name server