Enable HTTPS for IBM HTTP Server
∙ Introduction
This document introduces how to enable HTTPS when the customer deploys PAC using IBM HTTP Server + PAC (WAS). If you do not use IHS, this document is not appropriate for you.
∙ Certificate limitations in IBM HTTP Server
1. Only RSA certificates (keys) are supported with IBM HTTP Server. DSA and ECC certificates are not supported.
2. Certificates with a key length of up to 4096 bits are supported at run time with IBM HTTP Server.
3. Ikeyman and gskcmd (ikeycmd) support creating certificates of lengths up to 2048 bits. The gskcapicmd command supports creating certificates of lengths up to 4096 bits.
4. Multiple key database files can be used with each instance of IBM HTTP Server, but only one, which can still contain multiple personal certificates, can be used per TLS-enabled virtual host.
∙ Supported Keystores
JKS and JCEKS, PKCS12, CMS
∙ End to end paths
Case 1 - Use JKS or JCEKS as certificate:
1. Create key database.
You can create the key database using either of the following two selections:
Selection 1 (use command):
Go to $HTTPServer/bin and execute:
./gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/bin/key.kdb -pw Letmein -stash
Selection 2 (use GUI):
Go to $HTTPServer/bin and execute:
./ikeyman
Note: please select the option to stash the password when prompted for the password.
2. Create a JKS or JCEKS certificate
If you already have a JKS or JCEKS file, please ignore this step.
$JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias testlabel -keystore /opt/IBM/HTTPServer/bin/key.jks -storepass Letmein -validity 360 -keysize 2048 -dname "CN=username,OU=IBMPlatform,O=IBMPlatform,L=Markham,ST=Ontario,C=CA"
3. Import a JKS or JCEKS
You can import the key by command or GUI:
● Use command to import:
./gskcmd -cert -import -db /opt/IBM/HTTPServer/bin/key.jks -pw Letmein -target key.kdb -target_pw Letmein
Then set the imported key as the default key:
./gskcmd -cert -setdefault -db /opt/IBM/HTTPServer/bin/key.kdb -label testlabel
● Use GUI to import:
Go to $HTTPServer/bin and execute:
./ikeyman
Then set the imported key as the default key:
4. Configure $HTTPServer/conf/httpd.conf.
Uncomment the following code in httpd.conf:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/bin/key.kdb
SSLDisable
5. Configure $HTTPServer/conf/plugin-cfg.xml
8443"/> …….
Make sure the https port is allowed to access, and the keyring and stash file are specified.
6. Configure $PAC_TOP/conf/server.xml
7. Configure $PAC_TOP/jre/linux-x86_64/lib/security/java.security
The CMS keystore can be configured when using the IBM JRE, but some special configuration is required. The CMS provider is not available by default on the IBM JRE, therefore it must be added to the provider list in the java.security file of the IBM JRE.
Please make sure the provider number is correct in the provider list:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
8. Restart service
source $HTTPServer/bin/envvars
$HTTPServer/bin/apachectl stop
$HTTPServer/bin/apachectl start
pmcadmin stop
pmcadmin start
9. Access PAC by:
https://httpserver_ip/platform
Case 2 - Use PKCS12 as certificate:
The steps are basically the same as case 1; here we introduce the different part when enabling x509 as SSO.
……………………
3. Import p12 key into key.kdb
./gskcmd -cert -import -db /opt/IBM/HTTPServer/bin/my.p12 -pw Letmein -target key.kdb -target_pw Letmein
./gskcmd -cert -setdefault -db /opt/IBM/HTTPServer/bin/key.kdb -label testlable
……………………
6. Configure $PAC_TOP/conf/server.xml, and add parameter clientAuthentication="true"
……………………
Additionally, import my.p12 into the IBM JRE truststore and your browser
$JAVA_HOME/bin/keytool -export -alias testlable -file my.cert -keypass changeit -storepass changeit -storetype PKCS12 -keystore my.p12
${JAVA_HOME}/bin/keytool -import -noprompt -trustcacerts -alias testlable -file my.cert -keypass changeit -storepass changeit -keystore ${JAVA_HOME}/lib/security/cacerts
Then you can access PAC by:
https://ip/platform/framework/login/toNoFilterLogin.action
Case 3 - Use CMS as certificate:
1. Create key database.
You can create the key database using either of the following two selections:
Selection 1 (use command):
Go to $HTTPServer/bin and execute:
./gskcapicmd -keydb -create -db /opt/IBM/HTTPServer/bin/key.kdb -pw Letmein -stash
Selection 2 (use GUI):
Go to $HTTPServer/bin and execute:
./ikeyman
Note: please select the option to stash the password when prompted for the password.
2. Create self-signed certificate.
Then set testlabel as the default certificate; you can click the View/Edit button to check whether it's the default certificate.
3. Configure $HTTPServer/conf/httpd.conf.
Uncomment the following code in httpd.conf:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/bin/key.kdb
SSLDisable
4. Configure $HTTPServer/conf/plugin-cfg.xml
8443"/> …….
Make sure the https port is allowed to access, and the keyring and stash file are specified.
5. Configure $PAC_TOP/conf/server.xml and add the following code into server.xml
6. Configure $PAC_TOP/jre/linux-x86_64/lib/security/java.security
The CMS keystore can be configured when using the IBM JRE, but some special configuration is required. The CMS provider is not available by default on the IBM JRE, therefore it must be added to the provider list in the java.security file of the IBM JRE.
Please make sure the provider number is correct in the provider list:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
7. Restart service
source $HTTPServer/bin/envvars
$HTTPServer/bin/apachectl stop
$HTTPServer/bin/apachectl start
pmcadmin stop
pmcadmin start
∙ More Information
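For the java.security step in Case 1 and Case 3: the Java provider loader reads security.provider.N entries in order and stops at the first missing number, so a gap or duplicate introduced while adding CMSProvider can leave it unloaded. The check below is an added example, not part of the original document; the function name check_providers and the sample file are constructed for illustration.

```shell
#!/bin/sh
# check_providers FILE  (hypothetical helper, added for illustration)
# Returns 0 when the security.provider.N list is numbered 1..max without
# gaps or duplicates and contains the CMS provider; prints findings otherwise.
check_providers() {
    awk -F= -v CMS=com.ibm.security.cmskeystore.CMSProvider '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            split($1, k, ".")                 # k[3] holds the provider number
            n = k[3] + 0
            cls = $2; gsub(/[ \t\r]/, "", cls)
            if (n in seen) { print "duplicate: security.provider." n; bad = 1 }
            seen[n] = cls
            if (n > max) max = n
            if (cls == CMS) cms = n
        }
        END {
            for (i = 1; i <= max; i++)
                if (!(i in seen)) { gap = i; break }
            if (gap) { print "gap: security.provider." gap " is missing"; bad = 1 }
            if (!cms) { print "missing: " CMS; bad = 1 }
            else if (gap && cms > gap)
                print "CMSProvider is entry " cms ", after the gap, so it is not loaded"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: entry 3 was dropped when CMSProvider was appended.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.cmskeystore.CMSProvider
EOF
check_providers "$sample" || echo "fix java.security before restarting"
rm -f "$sample"
```

Run it against $PAC_TOP/jre/linux-x86_64/lib/security/java.security before the restart step; commented-out entries are ignored.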