Page 1: IHS and WAS SSL

How to Enable SSL between IHS and WAS for Lotus Connections

Overview

This document describes how to utilize Secure Sockets Layer (SSL) to secure the Lotus Connections application in your environment. SSL supplies a more secure data transmission for Lotus Connections users.

The purpose of this document is:

1. To describe what SSL offers
2. To describe what Lotus Connections is, and
3. To describe how to enable SSL between the IHS (IBM HTTP Server) and WAS (WebSphere™ Application Server) components employed by Lotus Connections.

Introduction

SSL is a protocol that provides privacy and integrity between two communicating applications using TCP/IP. The data going back and forth between client and server is encrypted using a symmetric algorithm. A public-key algorithm (RSA) is used for the exchange of the encryption keys and for digital signatures.

Public key cryptography defines an algorithm that uses two keys, each of which may be used to encrypt a message. If one key is used to encrypt a message, the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other undisclosed (the private key).

IBM Lotus Connections is social software for business that empowers employees to be more innovative and helps them execute quickly by using dynamic networks of co-workers, partners and customers. This demonstration highlights the 5 integrated, Web 2.0-based collaboration features of Lotus Connections, including:

• Profiles - Lets employees tap into the knowledge capital within the organization, and makes it easy to establish new business contacts.
• Blogs - Helps people connect with each other - within and outside the enterprise - and build communities of shared interest.
• Dogear - Gives people a better way to manage their own bookmarks, and makes it easier than ever to share information and accelerate innovation.
• Communities - Provides a common point of collaboration for people who share a particular interest, responsibility, or expertise.
• Activities - Makes it easier to share and manage tasks, track team progress, and share best practices with others.


Topology:

Configuration Steps:

Section 1: Enable IHS to utilize a secured HTTP port

Find the .kdb file used by IHS in the Plugin-cfg.xml file

Open config file: <IHS_Install_Path>\Plugins\config\webserver1\Plugin-cfg.xml

Find the section shown below and note the keyring and stashfile values:

  <Transport Hostname="venturacn08.cn.ibm.com" Port="9443" Protocol="https">
    <Property Name="keyring" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.kdb"/>
    <Property Name="stashfile" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.sth"/>
  </Transport>

Edit the httpd.conf file

Open config file: <IHS_Install_Path>\conf\httpd.conf

Add the whole section shown below at the end of the file:

  LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
  Listen 0.0.0.0:443
  <VirtualHost *:443>
    ServerName venturacn08.cn.ibm.com
    SSLEnable
  </VirtualHost>
  SSLDisable
  Keyfile "<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.kdb"
  SSLStashFile "<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.sth"

Save and exit

Restart IHS and verify no error occurs

Test your configuration:

Access https://<Your_IHS_Server_Host>:80 via browser and you can see the IHS front page.
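As an added check that is not part of the original document: the script below reads constructed copies of the two files modelled on the excerpts above and confirms that SSLEnable sits inside the *:443 VirtualHost and that the KeyFile and SSLStashFile directives point at the same keyring and stash file named by the plug-in's https Transport. The C:\IHS path stands in for <IHS_Install_Path> and is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's excerpts; C:\IHS stands in for <IHS_Install_Path>.
PLUGIN_CFG = r"""<Config><Transport Hostname="venturacn08.cn.ibm.com" Port="9443" Protocol="https">
<Property Name="keyring" Value="C:\IHS\Plugins\config\webserver1\plugin-key.kdb"/>
<Property Name="stashfile" Value="C:\IHS\Plugins\config\webserver1\plugin-key.sth"/>
</Transport></Config>"""
HTTPD_CONF = r"""LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName venturacn08.cn.ibm.com
SSLEnable
</VirtualHost>
SSLDisable
Keyfile "C:\IHS\Plugins\config\webserver1\plugin-key.kdb"
SSLStashFile "C:\IHS\Plugins\config\webserver1\plugin-key.sth"
"""

def plugin_https_transports(xml_text):
    """Return (host, port, keyring, stashfile) for each https Transport in plugin-cfg.xml."""
    found = []
    for t in ET.fromstring(xml_text).iter("Transport"):
        if t.get("Protocol", "").lower() == "https":
            props = {p.get("Name"): p.get("Value") for p in t.findall("Property")}
            found.append((t.get("Hostname"), int(t.get("Port")), props.get("keyring"), props.get("stashfile")))
    return found

def check_httpd_conf(conf_text, keyring, stashfile):
    """Return problems with the IHS SSL section of httpd.conf; an empty list means it is consistent."""
    vhost, ssl_vhosts, top = None, [], {}
    for line in (l.strip() for l in conf_text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        tag = re.match(r"<(/?)VirtualHost\b\s*([^>]*)>", line, re.I)
        if tag:                                   # entering or leaving a <VirtualHost> block
            vhost = None if tag.group(1) else tag.group(2).strip()
            continue
        name, _, arg = line.partition(" ")
        name, arg = name.lower(), arg.strip().strip('"')   # Apache directives are case-insensitive
        if name == "sslenable" and vhost:
            ssl_vhosts.append(vhost)
        elif vhost is None:
            top[name] = arg                       # global KeyFile / SSLStashFile / SSLDisable
    problems = []
    if not any(v.endswith(":443") for v in ssl_vhosts):
        problems.append("SSLEnable is not inside a *:443 VirtualHost")
    if top.get("keyfile", "").lower() != keyring.lower():
        problems.append("KeyFile does not match the plug-in keyring " + keyring)
    if top.get("sslstashfile", "").lower() != stashfile.lower():
        problems.append("SSLStashFile does not match the plug-in stash file " + stashfile)
    return problems
```

Run it against the real files by replacing the two constants with the contents of Plugin-cfg.xml and httpd.conf; an empty list from check_httpd_conf means IHS will serve port 443 with the same key database the plug-in uses toward WAS.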

Section 2: Import the WAS certificate into the IHS key store database

Find the .kdb file used by IHS in the Plugin-cfg.xml file

Open config file: <IHS_Install_Path>\Plugins\config\webserver1\Plugin-cfg.xml

Find the section shown below and note the keyring and stashfile values:

  <Transport Hostname="venturacn08.cn.ibm.com" Port="9443" Protocol="https">
    <Property Name="keyring" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.kdb"/>
    <Property Name="stashfile" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.sth"/>
  </Transport>

Note that IHS uses plugin-key.kdb by default.

Find the .kdb file used by WAS.

Open the WAS admin console: http://<Your_WAS_Server_Host>:9060/admin

Navigate to Application servers > server1 > Web container transport chains > WCInboundDefaultSecure > SSL inbound channel (SSL_2) to open the window shown below (Figure 1)

Figure 1

Click NodeDefaultSSLSettings (Figure 2)

Figure 2

Find which key store is in use.

Click on Key stores and certificates (Figure 3)

Figure 3

Find the path belonging to NodeDefaultKeyStore (Figure 4)

Figure 4

Open WAS Ikeyman to extract the certificate

Run Ikeyman.bat from C:\WebSphere\AppServer\bin at a command prompt to open the Ikeyman utility

Open the NodeDefaultKeyStore file

Click Key Database File -> Open

In the file select dialog, select PKCS12 in the Key database type field

Click Browse... to open C:\WebSphere\AppServer\profiles\AppSrv01\config\cells\<Your_Cell>\nodes\<Your_Node>\key.p12

Click OK

When prompted for the password, enter WebAS

Select the default cert under Personal Certificates

Click Extract Certificate...

Enter the cert file name WASKeyP12cert.arm, then select the location C:\

Click OK

Close Ikeyman

Add the WAS cert into the IHS key database.

From Windows, click Start -> All Programs -> IBM HTTP Server V6.1 -> Start Key Management Utility to open Ikeyman

Open plugin-key.kdb

When prompted for the password, enter WebAS

Under Signer Certificates

Click Add...

Click Browse... to open C:\WASKeyP12cert.arm

When prompted to enter a label, enter WASKeyP12 Cert

Click OK

Close Ikeyman

Restart IHS and make sure no error occurs

Test your configuration

Access https://<Your_IHS_Server_Host>/activities via browser

Verify you can see the page