FreeKB - IBM IHS Web Server SSL
IBM IHS Web Server - SSL

A public certificate and private key pair are used to encrypt the traffic between a client and IBM's IHS web server.

Key Database

IBM stores the public certificate and private key in what is called a Key Database. The Key Database is a file that ends with the .kdb extension. There are a few different ways to create the public certificate and private key in the Key Database file.

For the sake of this article, let's say you have a Key Database file named example.kdb and a stash file named example.sth, and the Key Database contains a certificate, such as *.example.com.

${ihs_install_root}/gsk8/bin/gsk8capicmd_64 -cert -list -db /path/to/example.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
*-      *.example.com

IMPORTANT

The certificate in the Key Database must be preceded by the - character, meaning the certificate is "personal". If the certificate is preceded only by the ! character, meaning the certificate is merely "trusted", the web server will fail to serve pages over HTTPS.
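A small check for the point above, written as an added example rather than code from the FreeKB page: it parses a listing in the same shape as the gsk8capicmd_64 -cert -list output shown earlier and reports whether a given label carries the - (personal) flag that mod_ibm_ssl needs, or only the ! (trusted) flag. The listing is constructed sample text, the label names in it are made up, and the parser assumes the two header lines shown in the article.

```shell
#!/bin/sh
# Added example, not part of the FreeKB article. Parses the output format of
#   gsk8capicmd_64 -cert -list -db /path/to/example.kdb -stashed
# and checks the flag characters in front of a certificate label.
# SAMPLE_LISTING is constructed sample output, not captured from a real key database.

SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
*-      *.example.com
-       www.example.com
!       Example Root CA
!       Example Intermediate CA'

# cert_flags LISTING LABEL
# Prints the flag characters in front of LABEL ("*-", "-", "!", ...), or nothing if absent.
# Assumes the first two lines are the "Certificates found" header and the legend.
cert_flags() {
    printf '%s\n' "$1" | awk -v label="$2" '
        NR > 2 {
            flags = $1
            rest = $0
            sub(/^[^ \t]+[ \t]+/, "", rest)   # drop the flag field; labels may contain spaces
            if (rest == label) { print flags; exit }
        }'
}

# is_personal LISTING LABEL -> exit 0 if LABEL has a private key (flag "-")
is_personal() {
    case "$(cert_flags "$1" "$2")" in
        *-*) return 0 ;;
        *)   return 1 ;;
    esac
}

# is_default LISTING LABEL -> exit 0 if LABEL is the key database default (flag "*")
is_default() {
    case "$(cert_flags "$1" "$2")" in
        *\**) return 0 ;;
        *)    return 1 ;;
    esac
}

# check_server_cert LISTING LABEL -> prints a verdict; exit 0 only if usable as the server cert
check_server_cert() {
    flags=$(cert_flags "$1" "$2")
    if [ -z "$flags" ]; then
        echo "ERROR: label '$2' not found in key database"
        return 2
    fi
    if is_personal "$1" "$2"; then
        echo "OK: '$2' is a personal certificate (flags: $flags)"
        return 0
    fi
    echo "ERROR: '$2' is not personal (flags: $flags); mod_ibm_ssl cannot serve with it"
    return 1
}

check_server_cert "$SAMPLE_LISTING" '*.example.com'
check_server_cert "$SAMPLE_LISTING" 'Example Root CA' || :   # expected to fail: trusted only
```

Run it against real output by replacing SAMPLE_LISTING with `$(gsk8capicmd_64 -cert -list -db /path/to/example.kdb -stashed)`; a label that comes back with only `!` is a CA or peer certificate without a private key, which is exactly the case the note above warns about.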

Configure IHS

At minimum, add the following to your IHS httpd.conf file. After modifying your httpd.conf file, restart the IHS web server.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
  SSLEnable
</VirtualHost>
SSLDisable
KeyFile "/path/to/example.kdb"
SSLStashFile "/path/to/example.sth"

If you have two or more server certificates in the Key Database file, the Key Database's default certificate (marked with * in the listing) is used unless you use the SSLServerCert directive to specify which server certificate to use.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
  SSLEnable
  SSLServerCert *.example.com
</VirtualHost>
KeyFile "/path/to/example.kdb"
SSLStashFile "/path/to/example.sth"
SSLDisable
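Before restarting IHS, it is worth confirming that the directives above actually made it into httpd.conf. The following is an added example, not code from the FreeKB article or from IBM: it checks a config file for the minimal set of directives the article names (the module load, the 443 listener, SSLEnable inside the 443 virtual host, and the KeyFile and SSLStashFile paths). The two httpd.conf fragments it writes are constructed, and only the directives shown in the article are checked.

```shell
#!/bin/sh
# Added example, not from the FreeKB article. Sanity-checks an httpd.conf for the
# minimal mod_ibm_ssl directives described above. Sample configs are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_CONF="$WORK/httpd-good.conf"
BAD_CONF="$WORK/httpd-bad.conf"

# Constructed config matching the article's second example.
cat > "$GOOD_CONF" <<'EOF'
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
  SSLEnable
  SSLServerCert *.example.com
</VirtualHost>
SSLDisable
KeyFile "/path/to/example.kdb"
SSLStashFile "/path/to/example.sth"
EOF

# Constructed broken config: SSLEnable outside the virtual host, no key database or stash.
cat > "$BAD_CONF" <<'EOF'
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
SSLEnable
<VirtualHost *:443>
</VirtualHost>
EOF

# has_directive FILE REGEX -> exit 0 if an uncommented line matches REGEX (directives are case-insensitive)
has_directive() {
    grep -Eqi "^[[:space:]]*$2" "$1"
}

# ssl_enabled_in_vhost FILE -> exit 0 if SSLEnable appears inside a <VirtualHost *:443> block
ssl_enabled_in_vhost() {
    awk '
        { line = tolower($0) }
        line ~ /^[[:space:]]*<virtualhost[[:space:]]+\*:443>/ { in_vh = 1; next }
        line ~ /^[[:space:]]*<\/virtualhost>/                  { in_vh = 0; next }
        in_vh && line ~ /^[[:space:]]*sslenable([[:space:]]|$)/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_ihs_ssl_conf FILE -> prints each missing item; return value is the number of problems
check_ihs_ssl_conf() {
    conf=$1
    problems=0
    has_directive "$conf" 'LoadModule[[:space:]]+ibm_ssl_module[[:space:]]' \
        || { echo "missing: LoadModule ibm_ssl_module"; problems=$((problems + 1)); }
    has_directive "$conf" 'Listen[[:space:]]+([0-9.]+:)?443([[:space:]]|$)' \
        || { echo "missing: Listen 443"; problems=$((problems + 1)); }
    ssl_enabled_in_vhost "$conf" \
        || { echo "missing: SSLEnable inside <VirtualHost *:443>"; problems=$((problems + 1)); }
    has_directive "$conf" 'KeyFile[[:space:]]+"?[^"]+\.kdb"?' \
        || { echo "missing: KeyFile pointing at a .kdb file"; problems=$((problems + 1)); }
    has_directive "$conf" 'SSLStashFile[[:space:]]+"?[^"]+\.sth"?' \
        || { echo "missing: SSLStashFile pointing at a .sth file"; problems=$((problems + 1)); }
    return "$problems"
}

echo "== $GOOD_CONF"
check_ihs_ssl_conf "$GOOD_CONF" && echo "OK: minimal SSL configuration present"
echo "== $BAD_CONF"
check_ihs_ssl_conf "$BAD_CONF" || echo "FAIL: $? problem(s) found"
```

Point `check_ihs_ssl_conf` at your real httpd.conf (for example `check_ihs_ssl_conf /opt/IBM/HTTPServer/conf/httpd.conf`, path assumed) before the restart; a non-zero return tells you how many of the article's directives are still missing, and the messages say which.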

You should now be able to get resources from your IHS web server over SSL. If you are using a self-signed certificate, your browser will complain that the certificate is invalid. This is fine if you are doing this in a development environment, but for production, you should use a certificate from a trusted certificate authority.

Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |