Enable SSL between HTTP Server (Web Plugin) and the WebSphere Application Server
To secure the connection between the IBM HTTP Server and a requesting Web browser, you must import certificates into the IBM HTTP Server key store. There are different types of certificates that you can use. This procedure describes how to import the self-signed certificate that is shipped with the IBM WebSphere Application Server into the IBM HTTP Server plug-in. This is just one of the methods you can use. You could also import a certificate purchased from a third-party Certificate Authority (CA), or create and use a new self-signed certificate.
To import the public IBM WebSphere Application Server certificate into the IBM HTTP Server plug-in, complete the following steps:
Extract the default Personal Certificate
Log in to the WebSphere Application Server Administrative Console.
Select Security > SSL certificate and key management > Key Stores and certificates
Select NodeDefaultKeyStore for a stand-alone deployment or CellDefaultKeyStore for a Network Deployment.
Click Personal Certificates, select the default check box, and then click Extract.
Give the extracted file a path and name, such as: /tmp/cellRootSigner.arm
NOTE: The convention is to give the file a .arm extension.
Leave encoding set to Base64.
Click OK.
Locate your keyring *.kdb file
In the httpd.conf file, find the directory in which the plugin-cfg.xml file is stored by searching for the WebSpherePluginConfig line. It should look something like this:
WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
Find the directory in which the key database file (*.kdb) is stored by searching for the term "keyring" in the plugin-cfg.xml file. For example:
<Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
NOTE: Make a note of this location, as you will need to use it later.
Add the extracted certificate to your key database file
NOTE: As an alternative, you can do the same from the WAS admin console (ISC).
Go to the directory for the key management utility iKeyman and start it:
cd /opt/IBM/HTTPServer/bin
./ikeyman
Click Key Database File > Open, and then select a key database type of CMS.
Specify the filename and location you found above. For example: plugin-key.kdb and /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb
Click OK, and then enter the password.
NOTE: If you have not given this file another password, the default password from WebSphere Application Server is WebAS (case sensitive).
Click the Personal Certificates drop-down, and then select Signer Certificates.
Click Add.
Browse to the file you exported with the *.arm extension, select it, click Open, and then click OK. Supply a name if prompted.
Select Key Database File > Save As and save to the original location.
Select Key Database File > Exit.
Restart the IBM HTTP Server.
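Added example (not part of the original procedure and not IBM tooling): shell functions that carry out the "Locate your keyring *.kdb file" lookups from the command line and check that the extracted .arm file is Base64 rather than binary before it is added as a signer. The function names, the host names and the sample files written by demo are constructed for illustration; the paths are the ones shown in the steps above.

```shell
#!/bin/sh
# Added example. Sample files are constructed; paths are the ones shown above.

# Path of plugin-cfg.xml from the active (uncommented) WebSpherePluginConfig line.
plugin_cfg_path() {  # $1 = httpd.conf
    sed -n 's/^[[:space:]]*WebSpherePluginConfig[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Every distinct key database referenced by a keyring property.
keyring_paths() {  # $1 = plugin-cfg.xml
    sed -n 's/.*<Property[[:space:]]\{1,\}Name="keyring"[[:space:]]\{1,\}Value="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# True if the extracted file carries Base64 (PEM) armor; a binary extract fails.
# Checks the armor lines only, not the certificate contents.
is_base64_cert() {  # $1 = extracted .arm file
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----' &&
        grep -q '^-----END CERTIFICATE-----' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed httpd.conf: one commented-out directive, one active.
    cat > "$d/httpd.conf" <<'EOF'
# WebSpherePluginConfig "/constructed/old/plugin-cfg.xml"
WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
EOF
    # Constructed plugin-cfg.xml: two transports sharing one keyring.
    cat > "$d/plugin-cfg.xml" <<'EOF'
<Config>
  <Transport Hostname="was1.example" Port="9443" Protocol="https">
    <Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
  </Transport>
  <Transport Hostname="was2.example" Port="9443" Protocol="https">
    <Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
  </Transport>
</Config>
EOF
    # Constructed placeholder body, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/cellRootSigner.arm"
    echo "plugin-cfg.xml: $(plugin_cfg_path "$d/httpd.conf")"
    echo "keyring(s):     $(keyring_paths "$d/plugin-cfg.xml")"
    is_base64_cert "$d/cellRootSigner.arm" && echo "extract is Base64"
    rm -rf "$d"
}
demo
```

If keyring_paths prints more than one path, each key database it lists needs the signer certificate added.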