[Repost] Configuring SSL on IHS

I came across two good write-ups online and found them useful, so I am reposting them here for anyone who needs them.

Configuring SSL on IHS
Original URL: http://cdalong.spaces.live.com/blog/cns!127ab823c1bd7f1f!168.entry

I had never done this kind of configuration before, but figured it might come in handy some day, so I asked colleagues who had done it and also looked up some material online to get a rough idea of the process. Most of that material, however, did not say which IHS version it was done on, so I wanted to see whether the same steps work on IHS 6.1. The references I used:
1. "Securing communications" in Chapter 5 of the IHS User's Guide
2. Sections 7.2 and 7.3 of WebSphere Application Server V6.1 Security Handbook (sg246316).pdf
Section 7.2 covers the SSL configuration between the browser and IHS, which is what I tried; 7.3 covers SSL between the IHS plugin and WAS.
3. WebSphere Security Fundamentals (redp3944).pdf
My laptop already had a WAS 6.1 environment, so I installed IHS and the plugin and started experimenting. It had probably been too long since I last used IHS, because I had forgotten how to add IHS to the DM console for management. At first I thought that defining the web server was enough, but starting it produced an FFDC saying that the definition of webserver1 could not be found. Details:
------Start of DE processing------ = [07-1-26 15:48:29:228 CST] , key = javax.management.MBeanException com.ibm.ws.management.AdminServiceImpl.invoke 679
Exception = javax.management.MBeanException
Source = com.ibm.ws.management.AdminServiceImpl.invoke
probeid = 679
Stack Dump = javax.management.MBeanException: Exception thrown in RequiredModelMBean while trying to invoke operation launchProcess
 at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1116)
 。。。
Caused by: com.ibm.websphere.management.exception.AdminException: Server, webserver1, not found.
 。。。
Then I suddenly remembered that last time a script generated during the IHS installation had to be run, so I gave that a try. I found configurewebserver1.bat in PLUGIN_HOME\bin, copied it to DM_PROFILE\bin and ran it directly, after which webserver1 started and stopped fine.
Next, the main work of this exercise:
1. Use ikeyman to create a CMS key database file. There seem to be other key database types besides CMS, but I recall a redbook saying that IHS can only use CMS. After creating mykey.kdb, issue a certificate to the machine running IHS; creating a self-signed certificate directly in ikeyman is enough. The created certificate appears in the personal certificates list. Finally, don't forget to stash the password (Stash the password to a file).
ihs_610.pdf describes it as follows:
Create a new key database as follows:
1. Start the IKEYMAN user interface. Refer to Starting the Key Management utility for platform-specific instructions.
2. Click key database file from the main user interface, then click New. Select CMS for the Key database type. IBM HTTP Server does not support database types other than CMS.
3. Enter your password in the Password Prompt dialog box, and confirm the password. Select Stash the password to a file. Click OK. The new key database should display in the IKEYMAN utility with default signer certificates. Ensure that there is a functional, non-expiring signer certificate for each of your personal certificates.
Creating a self-signed certificate
It usually takes two to three weeks to get a certificate from a well known certificate authority (CA). While waiting for a certificate to be issued, use IKEYMAN to create a self-signed server certificate to enable SSL sessions between clients and the server. Use this procedure if you act as your own CA for a private Web network. Complete the following steps to create a self-signed certificate:
1. If you have not created the key database, see Creating a new key database for instructions.
2. Start the IKEYMAN user interface.
3. Click Key Database File from the main UI, and then click Open.
4. Enter your key database name in the Open dialog box, or click the key.kdb file, if you use the default. Click OK.
5. In the Password Prompt dialog box, enter your correct password and click OK.
6. Click Personal Certificates in the Key Database content frame, and click the New Self-Signed radio button.
7. Enter the following information in the Password Prompt dialog box:
 - Key label: Enter a descriptive comment to identify the key and certificate in the database.
 - Key size: Choose your level of encryption from the drop-down menu.
 - Common Name: Enter the fully qualified host name of the Web server as the common name. Example: www.myserver.com.
 - Organization Name: Enter your organization name.
 - Optional: Organization Unit
 - Optional: Locality
 - Optional: State/Province
 - Optional: Zip code
 - Country: Enter a country code. Specify at least two characters. Example: US
 - Certificate request file name, or use the default name.
 - Validity Period
8. Click OK.
In a production environment you would import the CA-issued certificate (e.g. *.cer) after creating the key database; for an experiment a self-signed certificate is enough and does not affect the configuration or the result.
2. Edit httpd.conf.
Here is what I added to httpd.conf:
# SSL config
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
 Listen 443
 <VirtualHost *:443>
  SSLEnable
 </VirtualHost>
</IfModule>
SSLDisable
KeyFile "C:/IBM/HTTPServer/bin/mykey.kdb"
At first I saw a post on IBM China's forum saying that on NT you load some XXX.dll, but IHS_HOME\modules contains a whole pile of .so files and the original httpd.conf also loads plenty of .so modules, so what the redbook says must be right. After saving the change and restarting IHS, everything was OK.
Now to verify it, using snoop. Opening http://...:9080/snoop displayed fine. Trying http://.../snoop, nothing came back after a long wait. Time for troubleshooting: evidently the request was not being forwarded by the plugin to WAS, so I regenerated the plugin. In the DM console I found "Environment - Update global Web server plug-in configuration"; after the update, the file that WebSpherePluginConfig in httpd.conf pointed to had not been updated. Was the plugin location wrong? I changed it to DM_HOME\config\cells\plugin-cfg.xml, and this time IHS read the new plugin, but the word "global" in "Update global Web server plug-in configuration" kept not seeming quite right. After a long search for the right place: updating webserver1's plugin should be done under "Servers - Web servers". That should be right, but trying again gave the same result. Then I remembered that in an earlier experiment I had added a port 80 listener to server1, so I changed IHS to 81 by modifying the two lines Listen 0.0.0.0:81 and ServerName szd610-286.boshi.com.cn:81. Oddly, even though IHS was occupying 80, server1 did not report an error at startup. After restarting webserver1 and server1, both 80 and 81 started normally; http://...:81/snoop and http://.../snoop worked, and https://.../snoop brought up two security alerts, after which snoop finally appeared.


SSL configuration for IHS virtual hosts
Original URL: http://blog.csdn.net/panda0083/archive/2007/06/06/1640890.aspx

Because WebSphere's classic deployment model separates static pages and images from dynamic pages, virtual host configuration problems come up often.

Ordinary virtual host configuration is the same as in Apache: just configure the VirtualHost tags. But what if two virtual hosts both need SSL?

The configuration is given below.

It is not as complicated as people think: just configure a port 443 virtual host for the domain name of each virtual host.

1. Generate the key with ikeyman

2. Add the following to httpd.conf:

NameVirtualHost 10.4.33.1:80
<VirtualHost 10.4.33.1:80>
    DocumentRoot path1
    ServerName domain1.cn
</VirtualHost>
<VirtualHost 10.4.33.51:80>
    DocumentRoot path2
    ServerName domain2.cn
</VirtualHost>

<IfModule mod_ibm_ssl.c>
    Listen 443
    NameVirtualHost 10.4.33.51:443
    <VirtualHost 10.4.33.51:443>
        DocumentRoot path1
        ServerName domain1.cn
        SSLEnable
    </VirtualHost>
    <VirtualHost 10.4.33.51:443>
        DocumentRoot path2
        ServerName domain2.cn
        SSLEnable
    </VirtualHost>
</IfModule>
SSLDisable
KeyFile "/opt/IBMIHS/bin/key.kdb"
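As an added example (not code from either post), a small Python linter for the SSL part of httpd.conf that checks the points both posts trip over: a virtual host with SSLEnable whose port has no matching Listen, a missing KeyFile, and, for the two-host layout above, several SSLEnable hosts on one address:port. It runs on a constructed fragment modelled on the configuration above and treats <IfModule mod_ibm_ssl.c> wrappers as always present; the last check matters because the TLS handshake completes before the Host header is sent and IHS 6.1 has no SNI, so every host sharing an address presents the same certificate, which is the name mismatch the browser warns about.

```python
import re

# Constructed sample, not the page's file: the second post's two SSL hosts on one address.
SAMPLE_CONF = """Listen 443
<VirtualHost 10.4.33.51:443>
  ServerName domain1.cn
  SSLEnable
</VirtualHost>
<VirtualHost 10.4.33.51:443>
  ServerName domain2.cn
  SSLEnable
</VirtualHost>
KeyFile "/opt/IBMIHS/bin/key.kdb"
"""

def parse_conf(text):
    # Global directives plus (address, directives) per <VirtualHost>; <IfModule> lines are skipped.
    glob, vhosts, cur = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            vhosts.append(cur := (m.group(1).strip(), []))
        elif line.lower() == "</virtualhost>":
            cur = None
        elif line and line[0] not in "<#":
            key, _, val = line.partition(" ")
            (cur[1] if cur else glob).append((key, val.strip().strip('"')))
    return glob, vhosts

def lint_ssl(text):
    # Problems the two posts ran into or would run into, returned as strings.
    glob, vhosts = parse_conf(text)
    issues = []
    if not any(k == "KeyFile" for k, _ in glob):
        issues.append("no KeyFile: no key database to take the server certificate from")
    listens = {v.rsplit(":", 1)[-1] for k, v in glob if k == "Listen"}
    ssl_hosts = {}
    for addr, ds in vhosts:
        d = dict(ds)
        if "SSLEnable" in d:
            ssl_hosts.setdefault(addr, []).append(d.get("ServerName", "?"))
            port = addr.rsplit(":", 1)[-1]
            if port not in listens:
                issues.append(f"{addr}: SSLEnable but no 'Listen {port}', nothing accepts the connection")
    for addr, names in ssl_hosts.items():
        if len(names) > 1:  # the handshake precedes the Host header and IHS 6.1 has no SNI
            issues.append(f"{addr}: {len(names)} SSL hosts on one address all present {names[0]}'s "
                          f"certificate, so browsers warn about the name on {', '.join(names[1:])}")
    return issues
```

Running lint_ssl on the constructed sample reports only the shared-certificate condition; dropping the Listen line or the KeyFile line adds the corresponding findings.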
