5.2. Configure SSL for clients and servers, for example, create certificates, populate trust stores and modify certificate expiration.

5.2. Configure SSL for clients and servers, for example, create certificates, populate trust stores and modify certificate expiration.
Prev	Chapter 5. Security configuration and Maintenance	Next


	[WAS_8.5_ADMIN_GUIDE]

Enable SSL between HTTP Server (Web Plugin) and the WebSphere Application Server

To secure the connection between the IBM HTTP Server and a requesting Web browser, you must import certificates into the IBM HTTP Server key store. There are different types of certificates that you can use. This procedure describes how to import the self-signed certificate that is shipped with the IBM Websphere Application Server into the IBM HTTP Server plug-in. This is just one of the methods you can use. You could also import a certificate purchased from a third-party Certificate Authority (CA), or create and use a new self-signed certificate.

To import the public IBM WebSphere Application Server certificate into the IBM HTTP Server plug-in, complete the following steps:

Extract the default Personal Certificate
1. Login to the WebSphere Application Server Administrative Console
2. Select Security > SSL certificate and key management > Key Stores and certificates
3. Select NodeDefaultKeyStore for a stand-alone deployment or CellDefaultKeyStore for a Network Deployment.
4. Click Personal Certificates, select the default check box, and then click Extract.
5. Give the extracted file a path and name, such as: /tmp/cellRootSigner.arm
  NORE: The convention is to give the file a .arm extension.
6. Leave encoding set to Base64.
7. Click OK.
Locate your keyring *.kdb file
1. In the httpd.conf file, find the directory in which the plugin-cfg.xml file is stored by searching for the WebSpherePluginConfig line. It should look something like this:
```
WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
											
```
2. Find the directory in which the key database file (*.kdb) is stored by searching for the term "keyring" in the plugin-cfg.xml file. For example:
```
<Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>

											 
```
  NOTE: this location as you will need to use it later.
Add the extracted certificate to your key database file
NOTE: as alternative you can do the same also from WAS admin console (ISC).
1. Go to the directory for the key management utility iKeyman and start it:
```
cd /opt/IBM/HTTPServer/bin
./ikeyman
											
```
2. Click Key Database File > Open, and then select a key database type of CMS.
3. Specify the filename and location you found above. For example: plugin-key.kdb and /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb
4. Click OK, and then enter the password.
  NOTE: If you have not given this file another password, the default password from WebSphere Application Server is WebAS (case sensitive).
5. Click Personal Certificates drop down and then select Signer Certificates.
6. Click Add.
7. Browse to the file you exported with the extension *.arm, select it, then Open and click OK. Supply a name if prompted.
8. Select Key Database File > Save As and save to the original location.
9. Select Key Database File > Exit.
10. Restart the IBM HTTP Server.