IBM HTTP Server

IBM HTTP Server

Installation

Ensure you have the IBM Developer Kit, Java Technology Edition Version 1.4, installed on your machine. Files included

* gskit.sh
* setup.jar
* A GSKit run-time executable:
* Linux for Intel: gsk7bas_295-7.0-1.10.i386.rpm
Go to the directory where you uncompressed the install image and type
java -jar setup.jar
To do a silent installation, type:
java -jar setup.jar -silent -options silent.res
To customize the install options, edit the silent.res text file. All options are set to true
by default. To disable an option, set its value to false
* Choose the language in which to run the installation.
* The license agreement accept
* The default directory : /opt/IBMHIHS/
* Type of installation : typical
cd IHS

./install launches the installer HTTP Server 6.0

Accept License agreement
Next

Install Directory Directory name
/opt/IBMIHS

Select Custom
Product Installation
HTTPServer base
Security

Click Next

IBM Http Server communicates using the port numbers below

HTTP Port 80
HTTP Administration Port 8008

Click Next

IBM HTTP Server 6.0 will be installed in the following location:
/opt/IBMIHS with the following features:
HTTPServer base Security

Next

Installalation Completed
Then a checkbox to launch the Websphere Application server
launch the WebSphere Application Server – Plugin Install
Uninstall the IBM http Server
Go to the directory where you installed the IBM HTTP Server. Change to the_uninst directory
Type java -jar uninstall.jar
Silent uninstall type java -jar uninstall.jar -silent
Looking at known problems on the UNIX platform

Getting the suexec module to work
The suexec module does not work unless IBM HTTP Server V2.0 is installed to the default location.
Running the /<ihs install root>/bin/httpd command
Source the /<ihs install root>/bin/envvars file first to ensure you can run the /<ihs install root>/bin/httpd command to start the IBM HTTP Server. To source the envvars file, enter . /<ihs install root>/bin/envvars at the
command line. The envvars file contains the path to the libraries needed to run the /<ihs install root>/bin/httpd command.
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html

Enabling access to the administration server using the htpasswd utility

The administration server is installed with authentication enabled. This means that the administration server will not accept a connection without a valid user ID and password. This is done to protect the IBM HTTP Server
configuration file from unauthorized access.

Procedure
Launch the htpasswd utility that is shipped with the administration server. This utility creates and updates the files used to store user names andpassword for basic authentication of users who access your Web server. Locate htpasswd in the bin directory.
./htpasswd -cm <install_dir>/conf/admin.passwd [login name]
where <install_dir> is the IBM HTTP Server installation directory and [login name] is the user ID that you use to log into the administration server.
Results
The password file is referenced in the admin.conf file with the AuthUserFile directive.

Running the setupadm script (/opt/IBMIHS/bin/setupadm)

The setupadm script establishes permissions for configuration file updates. About this task

You cannot update the configuration files after a default server installation, unless you run the setupadm script, or you set permissions manually.

The setupadm script prompts you for the following input:

* User ID – The user ID that you use to log on to the administration server. The script creates this user ID.
* Group name – The administration server accesses the configuration files and authentication files
through group file permissions. The script creates the specified group through this script.
* Directory – The directory where you can find configuration files and authentication files.
* File name – The following file groups and file permissions change:
o Single file name
o File name with wildcard
o All (default) – All of the files in the specific directory
o Processing – The setupadm script changes the group and file permissions of the configuration files
and authentication files.
The administration server requires read and write access to configuration files and authentication files to perform Web server configuration data administration. In addition to the Web server files, you must change the
permissions to the targeted plug-in configuration files.
Setting Permissions manually

Once you have created a user and group, set up file permissions as follows:

1. Update the permissions for the targeted IBM HTTP Server conf directory.
At a command prompt, change to the directory where you installed IBM HTTP Server.
Type the following commands:
chgrp <group_name> <directory_name>
chmod g+rw <directory_name>

2. Update the file permission for the targeted IBM HTTP Server configuration files.
At a command prompt, change to the directory that contains the configuration files.
Type the following commands:
chgrp <group_name> <file_name>
chmod g+rw <file_name>

3. Update the admin.conf configuration file for the IBM HTTP Server administration server.
Change to the IBM HTTP Server administration server admin.conf directory.
Search for the following lines in the admin.conf file:

User nobody
Group nobody

3. Change those lines to reflect the user ID and unique group name

4. Update the file permission for the targeted plug-in configuration files.
1. At a command prompt, change to the directory that contains the plug-in configuration files.
2. Type the following commands:
chgrp <group_name> <file_name>
chmod g+rw <file_name>

Key differences from the Apache HTTP Server

IBM HTTP Server is based on the Apache HTTP Server. IBM HTTP Server includes the following additional features not available in the Apache HTTP Server:

Support for the WebSphere administrative console.
InstallShield for multiple platforms enables consistent installation of the IBM HTTP Server on different platforms.
Dynamic content generation with FastCGI.
Operational differences between Apache and IBM HTTP Server
The apachectl command is the only supported command to start IBM HTTP Server. You cannot directly invoke the httpd command because it will not find the required libraries. The apachectl command is the preferred command to start Apache V2.0 and higher, but the httpd command might work on the Apache server as expected, depending on the platform and how Apache was built. You can specify httpd options on the apachectl command line.
IBM HTTP Server supports the suEXEC program, which provides for execution of CGI scripts under a particular user ID.
If you use the suEXEC program, you must install the IBM HTTP Server to the default installation directory only. The suEXEC program uses the security model which requires that all configuration paths are hard-coded in theexecutable file, and the paths chosen for IBM HTTP Server are those of the default installation directory.
When an Apache user chooses an installation location for Apache at compile time, the suEXEC program is pre-built with the chosen paths, so this issue is seen by the Apache users.
Customers need to use the suEXEC program with arbitrary configuration paths can build it with Apache on their platform and use the generated suEXEC binary with IBM HTTP Server. Customers must save and restore their custom suEXEC file when applying IBM HTTP Server maintenance.

Configuring IBM HTTP Server

Special considerations for IBM HTTP Server.
The IBM HTTP Server and administration server configuration files, httpd.conf and admin.conf respectively, support only single-byte characters (SBCS). This restriction applies to all operating system platforms.

Learn about FastCGI

FastCGI is an interface between Web servers and applications which combines some of the performance characteristics of native Web server modules with the Web server independence of the Common Gateway Interface (CGI) programming interface. IBM HTTP Server provides FastCGI support with the mod_fastcgi module. The mod_fastcgi module implements the capability for IBM HTTP Server to manage FastCGI applications and to allow them to process requests.

A FastCGI application typically uses a programming library such as the FastCGI development kit from http://www.fastcgi.com/. IBM HTTP Server does not provide a FastCGI programming library for use by FastCGI applications.

Example of mod_fastcgi configuration

Load the mod_fastcgi module into the server, and then configure FastCGI using the FastCGI directives.
The following directive is required to load mod_fastcgi into the server
LoadModule fastcgi_module modules/mod_fastcgi.so

A complete configuration example for UNIX and Linux platforms. In this example, the /opt/IBM/HTTPServer/fcgi-bin/ directory contains FastCGI applications, including the echo.exe application. Requests from Web browsers for the /fcgi-bin/echo URI will be handled by the FastCGI echo.exe application

LoadModule fastcgi_module modules/mod_fastcgi.so
<IfModule mod_fastcgi.c>
ScriptAlias /fcgi-bin/ “/opt/IBM/HTTPServer/fcgi-bin/”

<Directory “/opt/IBM/HTTPServer/fcgi-bin/”
AllowOverride None
Options +ExecCGI
SetHandler fastcgi-script
</Directory>

FastCGIServer “/opt/IBM/HTTPServer/fcgi-bin/echo” -processes 1
</IfModule>

IBM HTTP Server remote administration
IBM HTTP Server remote administration using WebSphere Application Server Network Deployment: You can administer and configure IBM HTTP Server using the WebSphere Administrative Console. The IBM HTTP Server installation includes the IBM administration server, which installs by default during a typical IBM
HTTP Server installation. When you install IBM HTTP Server on a machine without the WebSphere Application Server, the IBM administration server is necessary for administration. In order for the IBM administration server to handle requests for the administration of IBM HTTP Server, the IBM administration server must be started and defined to an unmanaged WebSphere Application Server node. Administration of IBM HTTP Server is available without the IBM administration server if the IBM HTTP Server is installed on a machine with a WebSphere managed node.

You must define IBM HTTP Server through the WebSphere administrative console. Once defined, an administrator can administer and configure IBM HTTP Server through the WebSphere administrative console. Administration includes the ability to start and stop the IBM HTTP Server. You can display and edit the
IBM HTTP Server configuration file, and you can view the IBM HTTP Server error and access logs. The plug-in configuration file can be generated for IBM HTTP Server and propagated to the remote or locally-installed IBM HTTP Server.

On Linux platforms – troubleshooting:
/opt/IBM/HTTPServer/logs/error_log
Setting Up SSL and Certs
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp

Steps for this task

Use the IBM HTTP Server IKEYMAN utility to create a CMS key database file and self signed server certificate.
Enable SSL directives in the IBM HTTP Server httpd.conf configuration file .
Uncomment the LoadModule ibm_ssl_module modules/mod_ibm_ssl.so configuration directive.
Create an SSL virtual host stanza in the httpd.conf file using the following examples and directives.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
</IfModule>
SSLDisable
KeyFile “c:/Program Files/IBM HTTP Server/key.kdb”

 

Setting up SSL enabled https

On Sql,
/opt/IBMIHS/conf/http.conf.sql

Edit the file to include
ServerName sql
ServerRoot “/opt/IBMIHS”
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

<IfModule mod_ibm_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
</IfModule>
SSLDisable
KeyFile “/opt/IBMIHS/keys/key.kdb”
User wasadmin
Group wwwwas

DocumentRoot “/opt/IBMIHS/htdocs/en_US”
ServerAdmin seela@cse.yorku.ca
To generate the key.kdb file /opt/IBMIHS/bin/ikeyman sets up a graphical interface
Select Key Database File
New
Gui: key database type – select CMS
Filename key.kdb
Location: /opt/IBMIHS/keys
Passwd : root passwd
Confirm

Set expiration time: 1460 Days
Stash the password file:
Two files are generated:
key.kdb
key.sth

But now start the apache server /opt/IBMIHS/bin
./apachectl -k stop
./apachectl -k start -f /opt/IBMIHS/conf/httpd.conf.sql

Testing the web browser https://sql.cs.yorku.ca will not work

Disabled the firewall
/sbin/iptables -F
(-F option is to flush the tables)

Now we can connect

Add firewalls rules
/etc/sysconfig/iptables – added the following lines
-A RH-Firewall-1-INPUT -s 192.168.9.0/255.255.255.0 -p tcp -m tcp –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.9.0/255.255.255.0 -p tcp -m tcp –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.9.0/255.255.255.0 -p tcp -m tcp –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.9.0/255.255.255.0 -p tcp -m tcp –tcp-flags SYN,RST,ACK SYN -j ACCEPT

 

Secure Sockets Layer protocol
SSL ensures the data that is transferred between a client and a server remains private. This protocol enables the client to authenticate the identity of the server. SSL Version 3, requires authentication of the client identity.
When your server has a digital certificate, SSL-enabled browsers can communicate securely with your server, using SSL
SSL uses a security handshake to initiate a secure connection between the client and the server.
During the handshake, the client and server agree on the security keys to use for the session

After the handshake, SSL encrypts and decrypts all the information in both the HTTPS request and the server response, including:

* The URL requested by the client
* The contents of any submitted form
* Access authorization information, like user names and passwords
* All data sent between the client and the server

HTTPS represents a unique protocol that combines SSL and HTTP. Specify https:// as an anchor in HTML documents that link to SSL-protected documents
A client user can also open a URL by specifying https:// to request an SSL-protected document.

Because HTTPS (HTTP + SSL) and HTTP are different protocols and use different ports (443 and 80, respectively), you can run both SSL and non-SSL requests simultaneously. This capability enables you to provide information to users without security, while providing specific information only to browsers making
secure requests.

Uninstalling the IBM HTTP Server

This section contains procedures for uninstalling the IBM HTTP Server. The uninstaller program is customized for each product installation, with specific disk locations and routines for removing installed features. The uninstaller program does not remove configuration and log files

Steps for this task
1. Stop IBM HTTP Server.
2. Change directories to the directory where you installed the IBM HTTP Server, then go to the
_uninst directory
3. Double-click uninstall to launch the uninstaller program. You can also choose to do a silent uninstall
by running the uninstall -silent command. The uninstall process on Linux and UNIX systems does
not automatically uninstall the GSKit. You have to uninstall the GSKit manually by using the
native uninstall method.
4. Click Next to begin uninstalling the product.The Uninstaller wizard displays a Confirmation panel that
lists the product and features that you are uninstalling
5. Click Next to continue uninstalling the product. The Uninstaller wizard deletes existing profiles first.
After deleting profiles, the Uninstaller wizard deletes core product files by component.
6. Click Finish to close the wizard after the wizard removes the product.

Result

The IBM HTTP Server uninstallation is now complete. The removal is logged in the ihs_install_directory/ihsv6_uninstall.log file.
Starting and stopping IBM HTTP Server

You can use the WebSphere administrative console to start and stop IBM HTTP Server. You can also use commands. See the following topics for more information:
Choose to do a silent uninstall by running the uninstall -silent command. The uninstall process on Linux and UNIX systems does not automatically uninstall the GSKit. You have to uninstall the GSKit manually by using the native uninstall method.
Click Next to begin uninstalling the product.The Uninstaller wizard displays a Confirmation panel that lists the product and features that you are uninstalling.
Click Next to continue uninstalling the product. The Uninstaller wizard deletes existing profiles first. After deleting profiles, the Uninstaller wizard deletes core product files by component.
Click Finish to close the wizard after the wizard removes the product.

Result

The IBM HTTP Server uninstallation is now complete. The removal is logged in the ihs_install_directory/ihsv6_uninstall.log file.
You can use the WebSphere administrative console to start and stop IBM HTTP Server. You can also use commands. See the following topics for more information:

* Starting and stopping IBM HTTP Server with the WebSphere Application Server administrative console
* Starting IBM HTTP Server on Linux and UNIX platforms
* Starting IBM HTTP Server on Windows operating systems

Starting IBM HTTP Server on Linux and UNIX platforms

* /opt/IBMIHS/bin/apachectl start|stop

To start IBM HTTP Server using an alternate configuration file, run the
apachectl -k start -f path_to_configuration_file command.
To stop IBM HTTP Server using an alternate configuration file, run the
apachectl -k stop -f path_to_configuration_file command