How to install an SSL certificate on IHS (IBM HTTP Server)
I have received this request yesterday and today I have struggled with this configuration. So, now if you are in a hurry, I think you can configure an SSL in 5 minutes. So let’s go through the steps:
* TIPS
TIP 1 – Create a .sh script for creating the db, for importing certificates and for receiving the signed key.
TIP 2 – gsk7cmd command supports -Xms1024m -Xmx2048m options for adding extra heap memory to java. This is very usefull because some times you end up with OutOfMemory errors.
TIP3 – After creating the request you can see the request by list request certificates in the keystore, after receiving the signed certificate the certificate request is removed. Don’t worry, this is normal.
TIP4 – SL0208E: SSL Handshake Failed, Certificate validation error. This error is related to the Root Class3 certificate. Don’t forget to import it to the keystore.
Step 1 – Configure your environment variables
Using command line (as almost on every server)
Step 1 – Configure your environment
export JAVA_HOME=/java/jre
export PATH=/java/jre/bin:$PATH
Step 2 – Create a new key store database:
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -keydb -create -db keystore -pw 1234 -type cms -stash
Step3 – Create a new Key Request:
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -certreq -create -db keystore.kdb -pw 1234 –
label keystorelabel -dn “CN=subdomain.yourcompany.com,O=Company Name,OU=OrganizationUnit,L=Sao Paulo,ST=Sao Paulo,C=BR” -size 2048 -file keyrequest.csr
Step3 – Import primary and secondary intermediate certsign public keys
access this link and copy the primary and secondary intermediate keys
http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
copy the Primary Intermediate CA Certificate and save in a file called
primary.crt
copy the Secondary Intermediate CA Certificate and save in a file called
secondary.crt
access Verisign link and choose your product. The most common is “Standard SSL”
Access your product. After accessing your product link, it will be displayed the Class 3 Public Primary Certification Authority. Copy the certificate and store it in a file called
rootclasscert.crt
so now you have the 3 certificates:
primary.crt
secondary.crt
rootclasscert.crt
Step 4 – Import primary, secondary and rootclasscert into your keystore.kdb database
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.
kdb -pw 1234 -label primary -format ascii -trust enable -file primary.crt
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.
kdb -pw 1234 -label secondary -format ascii -trust enable -file secondary.crt
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -add -db keystore.
kdb -pw 1234 -label rootclasscert -format ascii -trust enable -file rootclasscert.crt
Step 5 – Send your request file keyrequest.csr to Verisign so to receive a signed certificate.
This step is atomic. You access your Verisign account and copy and paste the request key and Verisign will send the signed certificate by email at the same time.
Step 6 – Receive the file and store it in your database
Copy the content of the cert.cer or copy the attached file to your server and issue the following command:
IHS_ROOT_DIR/gsk7/bin/gsk7cmd -Xms1024m -Xmx2048m -cert -receive -file cert.cer -db keystore.kdb -pw 1234 -format ascii -default_cert yes
Step 7 – Configure your IHS to point to the new keystore
Example:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
< virtualhost your.ip.address.number:443 >
ServerName your.ip.address.number
SSLEnable
SSLProtocolDisable SSLv2
KeyFile YOUR_PATH/SSL/keystore.kdb
< /virtualhost>
SSLDisable
Step 8 – Stop and Start IHS.
IHS_ROOT_DIR/bin/adminctl stop
IHS_ROOT_DIR/bin/apachectl stop
IHS_ROOT_DIR/bin/adminctl start
IHS_ROOT_DIR/bin/apachectl start
check your server now using https://yourserver/
Recent Comments