How to configure IBM IHS web server to use SSL

Home > Search > How-to

A public certificate and private key pair are used to encrypt packets being transmitted between a client and IBMs IHS web server.


Key Database

IBM stores the public certificate and private key in what is called a Key Database. The Key Database is a file that ends with the .kdb extension. There are a few different ways to create the public certificate and private key in the Key Database file.

  • Using the WebSphere deployment manager (dmgr)
  • Using the Global Security Key command line tool
  • Using iKeyman GUI

To create the Key Database using IBMs Global Security Kit (or just "GSKit" for short) command line tool, refer to using the GSK command line tool.

When you add a new web server to the dmgr, the Key Database file will automatically be created. The name of the Key Database file will be plugin-key.kdb. In the dmgr, select Security > SSL certificate and key management Key stores and certificates > CMSKeystore, and the location of the plugin-key.kdb file will be displayed.

You can copy the plugin-key.kdb file to the ${ihs_install_root}/conf directory of the IHS web server. Probably the easiest way to get this done is to select Servers > Server Types Web servers > your web server > Plug-in properties, and click on the Copy to Web server key store directory button.


Configure IHS

After the Key Database is created, and contains a public certificate and private key, you can then configure IHS to use the Key Database. You would add the following to your IHS httpd.conf file. After modifying your httpd.conf file, restart the web server.

LoadModule ibm_ssl_module modules/
Listen 443
SSLCheckCertificateExpiration 30
<VirtualHost *:443>
  SSL Enable

  # Replace "default" with the name of your certificate
  SSLServerCert default

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
KeyFile "/path/to/example.kdb"



Now, you should be able to get resources from your IHS web server over SSL. If you are using a self-signed certificate, like I am, your browser will complain that the certificate is invalid. This is fine if you are doing this in a development environment, but for production, you should use a certificate from a trusted certificate authority.

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter in the box below so that we can be sure you are a human.