Implementing SSL on IBM WebSphere / HTTP Server 7.1

John Costa
Veteran Member
Posts: 154

Hi folks,

It's been a while since I logged in, but I really need some help.

We are on Lawson 9.0.1.x and using IBM WebSphere 7.x / IBM HTTP Server 7.x.

Our environment consists of one application / web server and a separate database server. We are on Windows Server 2008 and SQL Server 2008.

I've been asked to look at implementing SSL on the application / web server, and I honestly have no clue on how to do it. I know very little about SSL protocols, certificates, and the like.

Eventually, our plans are to have two web servers hitting our Lawson environment, one inside the firewall using HTTP only and one outside the firewall using HTTPS.

I tried asking Infor for assistance with documentation on how to proceed, but they have been less than forthcoming.

Can anyone provide some advice / help on how to work through this? I'm really stuck.

_________________ John - Wichita, KS
Jimmy Chiu
Veteran Member
Posts: 641

First, you need an SSL cert issued by a certificate authority (VeriSign, for example).

Second, bind the SSL cert to your HTTP server.

Third, you're gonna need to redo your SSOP service to HTTPS for logins only, or HTTPS always. (Need I mention doing an export of any service before making any changes?)

John Costa
Veteran Member
Posts: 154

Thanks for responding, Jimmy. You've helped me in the past on some issues and I appreciate your input.

So here is what I've done so far and where I'm at. All work has been done on my Lawson TEST environment server, named wchlaw9appdev02.

(1) Using the Key Management Utility provided with IBM HTTP Server, I created a key database file named Lawson.kdb using the "CMS" database type. I stashed the password for the key database to an external file (Lawson.sth). Lastly, I generated a new self-signed certificate named Lawson and then extracted that certificate into an external file (Lawson.arm). This left me with four files: Lawson.arm, Lawson.kdb, Lawson.rdb, and Lawson.sth.

(2) My next step was to update the httpd.conf file for IBM HTTP Server. I added a second virtual host entry that almost mirrors the original entry, with the added entries needed to enable SSL. After stopping and restarting IBM WebSphere and HTTP Server, I went into the admin console of IBM WebSphere and verified that my two virtual hosts for my web server matched what was entered in my httpd.conf file. I generated and propagated my plug-in file as needed.

(3) Lastly, I ran SSOCONFIG to update the protocol assertion. I set the primary SSOP service to "Use HTTPS for login only". I then stopped and restarted my Lawson environment as well as IBM WebSphere and IBM HTTP Server.

(4) With everything back up, I first tested non-SSL functionality. When loading the Lawson Portal via port 80, I am presented with a "Blocked Content" warning in Internet Explorer 8. I accepted the warning and was able to log into Lawson with no issues (other than a red address bar to indicate the certificate warning). I then tried logging into Lawson Portal via port 443. I received a warning indicating "There is a problem with this website's security certificate", which I expected. After acknowledging the warning, I was able to log into Lawson Portal with no issues.

So based on the above, I assume that SSL functionality is working, as this is normal behavior when using a self-signed certificate. Moving on....

My server security team then obtained a new trusted certificate for use with Lawson. I was able to add this certificate to my key repository created in step (1) above. At the same time, I deleted the Lawson.arm certificate.

I again stopped and restarted my Lawson environment and all IBM WebSphere / HTTP services. Once all services were restarted, I tried logging into the Lawson Portal via ports 80 and 443. In both cases, I get a generic HTTP error saying the website could not load (or something to that effect). It wasn't until I went back into my key manager utility and added back a self-signed certificate that I was able to get back into Lawson as described in step (4) above.

Now regarding the trusted certificate that I was provided. This key is named Lawson.protection1.com, as this is the name of the server that will be created for me that will reside outside of our company's firewall. At the moment, our internal DNS is redirecting calls to this URL to the IP address of my Lawson TEST server. However, because the trusted key is looking for a CN value of Lawson.protection1.com, my guess is that this is why I am running into problems when using this key.

I also went back into SSOCONFIG and created a new endpoint for the new server (Lawson.protection1.com) to use port 443 for HTTPS, assigned the endpoint to the SSOP and IOS services, and created an endpoint group (Lawson_Group), adding the new endpoint to the new group.

After recycling the Lawson environment and WebSphere / HTTP Server, I am still unable to log into Portal using the new key. I must have the Lawson self-signed certificate in my key repository before Lawson Portal will load.

As mentioned before, I really know very little about SSL and how to implement it. Can anyone please review my notes above and advise me on how I might proceed?

_________________ John - Wichita, KS
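The following PowerShell script is an added example, not something posted in this thread or taken from Infor or IBM documentation. It redoes steps (1) and (2) above the way a CA-signed certificate needs them, using the GSKit command-line tool that ships with IBM HTTP Server instead of the ikeyman GUI (the GUI performs the same operations). Two things have to hold before mod_ibm_ssl can serve a CA-issued certificate: the private key must be in the key database, which only happens when the certificate is received against a certificate request generated in that same .kdb, and the CA's root and intermediate certificates must be present as signer certificates so the chain is complete. The script also writes the SSL virtual host fragment, naming the certificate label explicitly with SSLServerCert, and uses Lawson.protection1.com as the CN because that is the name clients outside the firewall will use; a browser pointed at wchlaw9appdev02 will still warn about the name mismatch, which is expected. Everything in it other than the Lawson.kdb/Lawson.sth file names and the Lawson.protection1.com hostname is an assumption: the install path C:\IBM\HTTPServer, the tool name gskcapicmd.exe (on IBM HTTP Server 7 it may be gsk7capicmd.exe; gskcmd accepts the same arguments), the O and C values in the DN, and the file names of the CA-supplied certificates.

```powershell
# Added example (not from the thread). Assumed: IHS under C:\IBM\HTTPServer,
# GSKit CLI at bin\gskcapicmd.exe (may be gsk7capicmd.exe on IHS 7).
$IhsRoot    = 'C:\IBM\HTTPServer'                     # assumed install path
$IhsRootFwd = $IhsRoot -replace '\\', '/'             # httpd.conf prefers forward slashes
$Gsk        = Join-Path $IhsRoot 'bin\gskcapicmd.exe' # assumed tool name and location
$Kdb        = Join-Path $IhsRoot 'conf\Lawson.kdb'    # key database from step (1)
$Label      = 'Lawson.protection1.com'                # name external clients will use
$Dn         = "CN=$Label,O=Example Org,C=US"          # O and C are placeholders
$Pw         = Read-Host 'Key database password'       # prompted, never hard-coded

function Invoke-Gsk {
    # Run the GSKit tool and stop on the first failure instead of silently continuing.
    param([string[]]$GskArgs)
    & $Gsk @GskArgs
    if ($LASTEXITCODE -ne 0) { throw "gskcapicmd failed: $($GskArgs -join ' ')" }
}

# 1. Create the CMS key database with a stash file (.sth) so IHS can open it at startup.
Invoke-Gsk @('-keydb', '-create', '-db', $Kdb, '-pw', $Pw, '-type', 'cms', '-stash')

# 2. Generate the key pair and certificate request inside this key database.
#    The private key stays in Lawson.kdb; the CA only ever sees certreq.arm.
Invoke-Gsk @('-certreq', '-create', '-db', $Kdb, '-pw', $Pw, '-label', $Label,
             '-dn', $Dn, '-size', '2048', '-file', "$IhsRoot\conf\certreq.arm")
# Send certreq.arm to the CA. They return the signed certificate and their chain;
# the file names below for those files are assumed.

# 3. Add the CA root and intermediate as signer certificates first, then receive
#    the signed certificate. GSKit matches it to the pending request by public key,
#    so it lands under the same label, now with its private key.
Invoke-Gsk @('-cert', '-add', '-db', $Kdb, '-pw', $Pw, '-label', 'CA root',
             '-file', "$IhsRoot\conf\ca-root.arm", '-format', 'ascii')
Invoke-Gsk @('-cert', '-add', '-db', $Kdb, '-pw', $Pw, '-label', 'CA intermediate',
             '-file', "$IhsRoot\conf\ca-intermediate.arm", '-format', 'ascii')
Invoke-Gsk @('-cert', '-receive', '-db', $Kdb, '-pw', $Pw,
             '-file', "$IhsRoot\conf\${Label}.arm", '-format', 'ascii')

# 4. Make it the default certificate and confirm the label, its issuer and validity.
#    In the -list output a personal certificate (with private key) is marked, while a
#    certificate added with -cert -add appears as a signer certificate only.
Invoke-Gsk @('-cert', '-setdefault', '-db', $Kdb, '-pw', $Pw, '-label', $Label)
Invoke-Gsk @('-cert', '-list', '-db', $Kdb, '-pw', $Pw)
Invoke-Gsk @('-cert', '-details', '-db', $Kdb, '-pw', $Pw, '-label', $Label)

# 5. SSL virtual host for httpd.conf. SSLServerCert names the label explicitly so the
#    server does not depend on whichever certificate happens to be the default, and
#    SSLv2/SSLv3 are disabled so only TLS is negotiated on 443. Port 80 keeps its
#    existing, non-SSL virtual host (SSLDisable at the end restores the global default).
$VHost = @"
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
    ServerName $Label
    DocumentRoot "$IhsRootFwd/htdocs"
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3
    SSLClientAuth none
    KeyFile "$IhsRootFwd/conf/Lawson.kdb"
    SSLStashfile "$IhsRootFwd/conf/Lawson.sth"
    SSLServerCert $Label
</VirtualHost>
SSLDisable
"@
# Written to a separate file for review; include it from httpd.conf once checked.
$VHost | Set-Content -Path (Join-Path $IhsRoot 'conf\ssl-vhost.conf') -Encoding ASCII
```

Run it once from an elevated PowerShell prompt on the web server, stopping after step 2 until the CA returns the signed certificate, then rerun steps 3 to 5 (or paste them individually). After restarting IBM HTTP Server, the error log under the logs directory shows mod_ibm_ssl either opening the key database and the named label or reporting exactly which of the two conditions above failed, which is the quickest way to tell a key-database problem apart from a plain CN mismatch warning in the browser.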
Jimmy Chiu
Veteran Member
Posts: 641

Your IBM HTTP web server is on AIX? Linux? Solaris? Windows?
John Costa
Veteran Member
Posts: 154

Our environment consists of one combination application / web server and a separate database server. The app server contains the Lawson environment as well as IBM WebSphere and HTTP Server.

We are on Windows Server 2008 and SQL Server 2008.

_________________ John - Wichita, KS