Security should be enabled from:
Web client to web server (IBM HTTP Server)
WebSphere Plugin to WAS
WebClient to Webserver:
Run ikeyman.bat and generate a self-signed certificate (.kdb and .sth)
Modify httpd.conf in IHS
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
FileETag none
<VirtualHost mss13:443>
ServerName mss13
SSLEnable
SSLClientAuth none
Keyfile "c:\IBM\IHS\keys\ihscert.kdb"
SSLServerCert self-signed
SSLStashfile "c:\IBM\IHS\keys\ihscert.sth"
SSLV2Timeout 100
SSLV3Timeout 1000
ErrorLog "c:\IBM\IHS\logs\sslerror.log"
TransferLog "c:\IBM\IHS\logs\sslaccess.log"
</VirtualHost>
Restart IHS and check the connection [Ex: https://mss]
WebSphere Plugin to WAS:
@Plugin
Run ikeyman from /bin/
Generate self-signed certificate(.kdb and .sth will be generated)
Extract the certificate(.arm)
@WAS
Run ikeyman from profiles//bin
Generate self-signed certificate(.jks)
Extract the certificate(.arm)
Exchange certificates from WAS to plugin and from plugin to WAS
@IHS
Run ikeyman from IHS/bin
Import certificate:
->Open the .kdb file using ikeyman
->select signer certificates from KeyDatabase content combo box
->click Add and select certificate(.arm) of the WebSphere [Ex:C:\IHS\plugins\etc\keys]
close and exit ikeyman
@WebSphere
Run ikeyman from profiles//bin
Import certificate:
->Open the .jks file using ikeyman
->select signer certificates from KeyDatabase content combo box
->click Add and select certificate(.arm) of the IHS
close and exit ikeyman
@admin console
Start DMGR and open admin console
goto servers->application servers->
->Under Container settings->Web Container Transport Chains->WCInboundDefaultSecure->SSL Inbound Channel
->SSL configuration repertoire-celllevel
->New JSSE Repertoire
*Alias(any name)
*Securitylevel HIGH
*Key file name
*Key file password(give the path,name and password of the .jks file, which you have created using ikeyman)
*Trust file name
*Trust file password(give the path, name and password of the .jks file which you have created using ikeyman; if you have created a separate trust file, then give the trust file name and password instead)
*Apply and OK->save and sync
->Now come back to SSL Inbound Channel configuration page
->Under SSL repertoire select the repertoire which you have just created
->save and sync
->Now click Environment->Virtual Hosts->default_host(if you have a user-defined virtual host, select that one)->Host Aliases->New->Port=443->save and sync
(if your wcdefaultsecure port is not here, then you need to create one)
@command prompt
Generate the plugin configuration under dmgr[Ex: profiles\dmgr\bin>genplugincfg]
Copy plugin-cfg.xml from dmgr to the plugin config directory
In plugin-cfg.xml, change the .kdb and .sth file names to the ones you created under the plugin's keys directory
start IHS
Test IHS for https[Ex: https://mss/] you should see the IBM HTTP Server page
Test WebSphere secure connection directly[Ex: https://mss:/snoop]
Now, send a request for snoop servlet through webserver[Ex: https://mss/snoop]
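
Added example (not part of the original notes): a Python check for the plugin-cfg.xml step above. It reports https transports whose keyring/stashfile properties do not point at the .kdb/.sth created for the plugin, and lists any plain http transports to WAS. The sample XML, host, ports and file names are constructed, and the function name audit_plugin_cfg is hypothetical.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a generated plugin-cfg.xml (values are made up).
SAMPLE_PLUGIN_CFG = r"""<Config>
  <ServerCluster Name="server1_Cluster">
    <Server Name="node01_server1">
      <Transport Hostname="mss13" Port="9080" Protocol="http"/>
      <Transport Hostname="mss13" Port="9443" Protocol="https">
        <Property Name="keyring" Value="c:\stale\etc\plugin-key.kdb"/>
        <Property Name="stashfile" Value="c:\stale\etc\plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""

def _norm(path):
    # Compare as Windows paths: case-insensitive, '/' and '\' equivalent.
    return ntpath.normcase(ntpath.normpath(path))

def audit_plugin_cfg(xml_text, kdb_path, sth_path):
    """Return a list of findings about the plugin-to-WAS transports."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        name = server.get("Name", "?")
        transports = server.findall("Transport")
        if not any(t.get("Protocol") == "https" for t in transports):
            findings.append(f"{name}: no https transport defined")
        for t in transports:
            where = f"{name} {t.get('Hostname')}:{t.get('Port')}"
            if t.get("Protocol") != "https":
                findings.append(f"{where}: plain http transport to WAS")
                continue
            props = {p.get("Name"): p.get("Value", "") for p in t.findall("Property")}
            for key, expected in (("keyring", kdb_path), ("stashfile", sth_path)):
                actual = props.get(key)
                if actual is None:
                    findings.append(f"{where}: missing {key} property")
                elif _norm(actual) != _norm(expected):
                    findings.append(f"{where}: {key} is {actual}, expected {expected}")
    return findings

if __name__ == "__main__":
    # Expected paths are constructed; pass the files you created with ikeyman.
    for finding in audit_plugin_cfg(SAMPLE_PLUGIN_CFG,
                                    r"C:\IHS\plugins\etc\keys\plugin-key.kdb",
                                    r"C:\IHS\plugins\etc\keys\plugin-key.sth"):
        print(finding)
```

Run it against the copied plugin-cfg.xml before starting IHS; an empty result means every transport is https and references the expected key database and stash file.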