© 2006-2007 PerformanceWiki.com
All Rights Reserved.

Configure Secure Sockets Layer (SSL) for IBM HTTP server



Tested on AIX, HTTP Server v1.3.2; Applies to WebSphere, and should work on most platforms too

--------------------------------------------------------------------------------

If you installed WebSphere on this workstation, you need to configure Secure Sockets Layer (SSL) 
for IBM HTTP Server. 

This section explains how to configure Secure Sockets Layer (SSL) for IBM HTTP Server on 
an AIX server to establish secure connections. 

Quick notes about SSL:

Secure Sockets Layer (SSL) is an encryption system used on servers to ensure that data 
transferred between a client and a server remains secure and private. For a server and 
client to use SSL for secure communications, the server must have two things: 

- Key pair: A key pair consists of a public and a private key. The keys are used for 
  encrypting and decrypting messages to ensure privacy and confidentiality in 
  transmissions across the internet. 

- Certificate: The certificate is used for authentication or verification of identity. 
  A certificate can be either a self-signed certificate or an issued certificate: 

		Self-signed: A certificate that you create yourself for your own private Web network. 
		Issued: A certificate provided to you by a certificate authority (CA) or by a certificate signer. 
		
SSL uses a security handshake to initiate a secure connection between the client and the server. 
During the handshake, the client and server agree on the keys they will use for the session and 
the method for encryption. The client authenticates the server using the server certificate. 

After the handshake, SSL is used to encrypt and decrypt all of the information in both the 
HTTPS request (HTTPS is the protocol that combines SSL and HTTP) and the server response, including: 

The URL that the client is requesting 
The contents of any form being submitted 
Access authorization information (like user names and passwords) 
All data sent between the client and the server 

Configuring secure connections
To have a secure network connection, you will need to complete the following four procedures: 

[I]   Create a new key database (if one does not already exist) and a key. 
[II]  Receive a server certificate from a certificate authority or create a self-signed 
      server certificate using the IBM Key Management Utility (IKEYMAN). 
[III] Set up SSL using the IBM Administration Server. 
[IV]  Test the server installation and configuration. 

--------------------------------------------------------------------------------
[I] Creating a new key database
A key database is a file that the server uses to store one or more key pairs and certificates. 
You can use one key database for all your key pairs and certificates, or create multiple databases. 
You can create a new key database or you can use an existing key database. If you want to use 
an existing key database, you can go on to Creating a self-signed certificate. 

If you want to create a new key database, continue below. 

To create a new key database: 

__  1. 
 Start by creating a directory to store the keys database files: 

# mkdir /usr/IBMHttpServer/keys

This directory must already exist before you create the key database files in it. 
 
__  2. 
 Enter the following command to start the Key Management utility: 

/usr/IBMHttpServer/bin/ikeyman
 
__  3. 
 Click Key Database File --> New. 
 
__  4. 
 In the New window that opens: 

	__  a. 
	 Enter your key database name in the File name field (for example: key.kdb) 
	__  b. 
	 Enter the path to the keys folder (that you created in step 1) in the Location field 
	__  c. 
	 Click OK 
 
__  5. 
 When the Password Prompt window opens: 

	__  a. 
	 Create a password. (A minimum of six characters is required.) 
	__  b. 
	 Confirm the password. 
 	__  c. 
	 Very important: Select the Stash the password to a file check box. 
 	__  d. 
	 Click OK. 

	Password strength guidelines: 
	You can see the strength of the password change by the number of key symbols that 
	appear (up to five keys). Five keys appear after you enter a complicated password 
	with mixed-case alphanumeric characters that include special characters, 
	such as the following example: MickeyMouseHappyWorld@#01234  
__  6. 
 An information window opens to tell you that the password has been encrypted and saved. Click OK. 
 
__  7. 
 Close the IBM Key Management window (Key Database File --> Exit). 

--------------------------------------------------------------------------------
[II] Creating a self-signed certificate
Use IKEYMAN to create a self-signed server certificate to enable SSL sessions between clients 
and the server. Use this procedure if you are acting as your own CA for a private Web network. 

__  1. 
 Enter ikeyman on the command line to start the Key Management utility. 
 
__  2. 
 Click Key Database File --> Open. 
 
__  3. 
 In the Open dialog box, navigate to your key database name 
 (for example: /usr/IBMHttpServer/keys/key.kdb), then click Open. 
 
__  4. 
 When the Password Prompt window opens, enter your password (that you created in the previous section) 
 and click OK. 
 
__  5. 
 Select Personal Certificates from the dropdown list in the Key Database content frame, then 
 click the New Self-Signed... button. 
 
__  6. 
 In the Create New Self-Signed Certificate window, you need to know the following information for 
 these fields (the other fields are self-explanatory): 

Key label 
 Set your Key label to "myappname". 
 
Common name 
 Enter the fully qualified host name of the Web server as the common name (for example: www.myserver.com). 
 
Organization 
 You need to put some information in this field (for example: the name of your company or organization). 
 
__  7. 
 When you have completed this panel, click OK. 
 
__  8. 
 You can verify that the new Personal Certificate was created successfully and its name appears in 
 the Personal Certificate panel (for example *myappname). 
 
__  9. 
 After creating the self-signed certificate, confirm that all necessary files have been created. In 
 the /usr/IBMHttpServer/keys directory (the directory you created in step 1 of the previous section), 
 you should find four files: 


	key.kdb 
	key.sth 
	key.crl 
	key.rdb 

If you are missing the key.sth file, you forgot to stash the password to a file. Go back and repeat 
Creating a new key database. Make sure that you check the box to stash the password after you create it. 
 
__ 10. 
 You are now ready to set up SSL using the IBM HTTP administration server. 

Close the IBM Key Management window (Key Database File --> Exit). 

-------------------------------------------------------------------------------- 
[III] Setting up SSL for AIX
To set up SSL for AIX: 

__  1. 
 Back up the current configuration file /usr/IBMHttpServer/conf/httpd.conf: 

 # cp -p /usr/IBMHttpServer/conf/httpd.conf \
         /usr/IBMHttpServer/conf/httpd.conf.save

__  2. 
 Open the httpd.conf file and look for the first item of the Dynamic Shared Object (DSO) Support 
 section. It should be: 

	ClearModuleList 
	AddModule mod_so.c 
	LoadModule ibm_app_server_http_module /usr/WebSphere/AppServer/bin/mod_ibm_app_server_http.so

Add the following line directly after the third line (the LoadModule ibm_app_server_http_module line): 

	LoadModule ibm_ssl_module libexec/mod_ibm_ssl_128.so

The final result should look like the following: 

	ClearModuleList 
	AddModule mod_so.c 
	LoadModule ibm_app_server_http_module /usr/WebSphere/AppServer/bin/mod_ibm_app_server_http.so 
	LoadModule ibm_ssl_module libexec/mod_ibm_ssl_128.so

__  3. 
 Add the port number for the virtual server just below the "Port 80" statement. The default port 
 number for SSL is 443: 

	Port 80 
	Port 443

__  4. 
 Add the port number for the virtual server just below the "Listen 80" statement. The default port 
 number for SSL is 443: 

	Listen 80 
	Listen 443

__  5. 
 Check that you have defined the ServerName directive. Change the host name shown below to the name of 
 your machine, for example: 

	ServerName homer.domain1.myco.com

__  6. 
 Add the following block to the end of the httpd.conf file, inside a VirtualHost container for the 
 SSL port 443 added in steps 3 and 4 (the container tags are assumed here from that virtual server 
 setup), after changing the host name to the name of your machine: 

	<VirtualHost homer.svl.myco.com:443>
	ServerName homer.svl.myco.com 
	DocumentRoot /usr/IBMHttpServer/htdocs/en_US 
	Keyfile /usr/IBMHttpServer/keys/key.kdb 
	SSLV2Timeout 100 
	SSLV3Timeout 1000 
	SSLEnable 
	SSLClientAuth none 
	SSLServerCert myappname 
	SSLCipherSpec 39 
	SSLCipherSpec 3A 
	SSLCipherSpec 62 
	SSLCipherSpec 64 
	</VirtualHost>


__  7. 
 Save the httpd.conf file . 
 
__  8. 
 Check the syntax of the configuration file: 

# /usr/IBMHttpServer/bin/apachectl configtest
 
__  9. 
 Restart the server. 

# /usr/IBMHttpServer/bin/apachectl graceful

--------------------------------------------------------------------------------
[IV]  Test the server installation and configuration. 
 Test the server installation: 

	__  a. 
	 Test the http connection: 
	 From a web browser enter the URL: http:// 
	__  b. 
	 Test the https (SSL) connection: 
	 From a web browser enter the URL: https:// 


If SSL is not working, check /usr/IBMHttpServer/logs/error_log for messages. 
A common error message is "mod_ibm_ssl: GSK could not initialize, Invalid password for keyfile". 
In this case, make sure that you chose to stash the password when the key database was created (using 
the ikeyman utility); the stash file is key.sth in the keys directory.
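The following shell function is an added example (not part of the original page) that checks the results of sections [I] to [III] before you run apachectl configtest: it verifies that ikeyman left all four key database files in place (a missing key.sth is the stash problem behind the "Invalid password for keyfile" error above), that httpd.conf contains the directives added in section [III], and that the Keyfile directive points at a .kdb that exists. The function name, its arguments and the sample configuration in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original page: check an IBM HTTP Server SSL
# setup from sections [I]-[III] before running apachectl configtest.
# Usage: check_ihs_ssl KEYS_DIR HTTPD_CONF  (returns the number of problems)
check_ihs_ssl() {
    keys_dir=$1
    conf=$2
    problems=0

    # [II] step 9: ikeyman must have produced all four key database files.
    for f in key.kdb key.sth key.crl key.rdb; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f"
            problems=$((problems + 1))
        fi
    done
    # key.sth is the stashed password; without it mod_ibm_ssl fails with
    # "GSK could not initialize, Invalid password for keyfile".
    [ -f "$keys_dir/key.sth" ] ||
        echo "hint: re-create the key database with 'Stash the password to a file' checked"

    if [ ! -f "$conf" ]; then
        echo "missing $conf"
        return $((problems + 1))
    fi

    # [III] steps 2-6: each directive must be present, spelled as on the page.
    for directive in 'LoadModule ibm_ssl_module' 'Port 443' 'Listen 443' \
                     'SSLEnable' 'SSLServerCert' 'Keyfile'; do
        if ! grep -q "^[[:space:]]*$directive" "$conf"; then
            echo "httpd.conf lacks: $directive"
            problems=$((problems + 1))
        fi
    done

    # The Keyfile directive must point at a .kdb that actually exists.
    kdb=$(sed -n 's/^[[:space:]]*Keyfile[[:space:]]*//p' "$conf" |
          sed 's/[[:space:]]*$//' | head -n 1)
    if [ -n "$kdb" ] && [ ! -f "$kdb" ]; then
        echo "Keyfile points at $kdb, which does not exist"
        problems=$((problems + 1))
    fi

    return $problems
}
```

Run it as `check_ihs_ssl /usr/IBMHttpServer/keys /usr/IBMHttpServer/conf/httpd.conf` on the server; a zero exit status means every item it knows about is in place, and each non-zero count lists what to go back and fix.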