
RE: [cinjug-users] https login page

To: "'Jason Kretzer/STAR BASE Consulting Inc.'" <JKretzer@xxxxxxxxxxxxxxx>
Subject: RE: [cinjug-users] https login page
From: Griffiths Glen D Contr MSG/SLR <Glen.Griffiths@xxxxxxxxxxxx>
Date: Wed, 21 Apr 2004 14:28:02 -0400
Cc: "'users@xxxxxxxxxx'" <users@xxxxxxxxxx>
Delivered-to: mailing list users@cinjug.org
Mailing-list: contact users-help@cinjug.org; run by ezmlm
Jason,
 
It has been over a year since I configured WAS 5 SSL so I don't remember all the details but here are the directions that I used:
 

Configuring IBM HTTP Server for SSL Mutual Authentication

IBM HTTP Server, as of version 1.3.24, supports SSL version 3 and version 2 and TLS version 1. IBM HTTP Server is based on the Apache Web server, still for SSL configuration it is necessary to use the IBM-supplied SSL modules, rather than the OpenSSL varieties. This document will describe configuration of IBM HTTP Server, although it is entirely possible that another supported Web server is used in its place.

SSL is disabled by default and it is necessary to modify a configuration file and generate a server side certificate using the IKeyMan tool provided with IBM HTTP Server in order to enable SSL.

Steps for this task

1. For a single server, enable SSL on IBM HTTP Server (port 443, for example).

2. To set up certificates complete the following: Start the IKeyMan tool. To start the tool, click Start > Programs > IBM HTTP Server > Start Key Management Utility. Refer to Requesting a CA-signed personal certificate, Creating a certificate signing request (CSR), Receiving a CA-signed personal certificate, Extracting a Public Certificate for use in a Truststore.

3. Create a key database. Click Key Database File > New.

4. Type a file name, serverkey.kdb, for example, and the path for location. Click OK.

5. Type a password, check the Stash the password to a file box, and then click OK.

6. The Verisign Test CA Root Certificate is in the set of signer certificates shipped with the IKeyMan for IBM HTTP Server.

7. Obtain a personal certificate for IBM HTTP Server: choose Personal Certificate Requests in the pull-down menu of IKeyMan. Click New. The Create New Key and Certificate Request panel appears. Fill in the following information:

   - Key Label - Server_Cert
   - Common Name - droplet.austin.ibm.com
   - Organization - IBM
   - Country - US
   - file name - Server_certreq.arm

   a. Go to URL http://www.verisign.com, click on Get Free Trial SSL ID. Complete the profile information, click Submit, and click Continue twice.

8. Use Notepad to edit the request file Server_certreq.arm, and copy the entire contents of the file into the browser request panel. Click Continue.

9. VeriSign displays the Personal Certificate in the browser. Copy and paste this certificate into a file, for example Server_Cert.arm. Choose the Personal Certificate option from the pull-down menu in IKeyMan. Click Receive. Specify the filename as Server_Cert.arm, and click OK. Close serverkey.kdb.

10. To allow IBM HTTP Server to support https, say at port 443, enable SSL on IBM HTTP Server. Modify the configuration file of IBM HTTP Server, <IHS_HOME>/conf/httpd.conf, although SSL can be enabled through the HTTP Server Administration console also. Open the file <IHS_HOME>/conf/httpd.conf and then add the following lines into the file above the line:

    Alias /IBMWebAS/ "<install_root>/web"

    LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll
    LoadModule ibm_app_server_http_module <install_root>/bin/mod_ibm_app_server_http.dll
    Listen 443
    <VirtualHost droplet.austin.ibm.com:443>
    ServerName droplet.austin.ibm.com
    DocumentRoot <install_root>\htdocs
    SSLEnable
    #SSLClientAuth required
    </VirtualHost>
    SSLDisable
    Keyfile <IHS_HOME>/serverkey.kdb

Note: You need to change the host name and the path for the key file accordingly. Also, you must modify the Web server to support client certificates. Uncomment the directive shown above in httpd.conf file.

    SSLClientAuth required

11. Restart IBM HTTP Server.

12. Test SSL between a browser and IBM HTTP Server by accessing the following URL: https://droplet.austin.ibm.com. "Welcome to the IBM HTTP Server" appears on the browser.

13. If SSLClientAuth directive is set to required, your browser should prompt you to select a personal certificate.

14. To enable the Application Server to communicate with IBM HTTP Server using port 443, add the host alias on the default_host. Click Environment > Virtual Hosts > default host > Host Aliases > New. Enter the following in the appropriate fields:

   - host name - *
   - port type - 443

15. Click Apply and Save to write to security.xml.

16. Click Update Web Server Plugin, and then click OK.

17. Restart WebSphere Application Server.

18. Test your connection by accessing the following: https://droplet.austin.ibm.com:443/snoop.

 

 

I created a self-signed certificate.  The instructions are in the help file that comes with the install of the IBM HTTP Server.


Good Luck
 
Glen
-----Original Message-----
From: Jason Kretzer/STAR BASE Consulting Inc. [mailto:JKretzer@xxxxxxxxxxxxxxx]
Sent: Wednesday, April 21, 2004 1:30 PM
To: users@xxxxxxxxxx
Subject: [cinjug-users] https login page


Hello all,

Thanks to everyone for their replies to my last question.  I did end up using the following code for it.

URL url = new URL("https://someWebSite.com/giveXML.jsp?someparam=paramOne");
InputStreamReader isr = new InputStreamReader(url.openStream());
BufferedReader br = new BufferedReader(isr);


Then read the xml file one line at a time.




For my current question, I need to have my login.html page be https so that the POSTing of the form will not be sent plain text to the servlet.  I am using WebSphere 5 for this.  

Anyone give me a start on this?

Thanks,

-Jason
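
Added example (not part of the original messages or of IBM's documentation): a small Python check for the httpd.conf layout from step 10, reporting whether each SSL-enabled VirtualHost has a key database in scope and actually requires a client certificate. The sample configuration and its Keyfile path are constructed, and parse and audit are hypothetical helper names; only the VirtualHost layout shown above is covered.

```python
import re

# Constructed sample: the directives from step 10, with the
# SSLClientAuth line still commented out as in the directions.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/IBMModuleSSL128.dll
Listen 443
<VirtualHost droplet.austin.ibm.com:443>
ServerName droplet.austin.ibm.com
SSLEnable
#SSLClientAuth required
</VirtualHost>
SSLDisable
Keyfile /path/to/serverkey.kdb
"""

def parse(conf):
    """Split active (uncommented) directives into global and per-VirtualHost scope."""
    scopes, current = {None: []}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, [])
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            scopes[current].append(line.lower().split())
    return scopes

def audit(conf):
    """Return findings for the SSL mutual-authentication setup (hypothetical helper)."""
    scopes, findings = parse(conf), []
    ssl_hosts = {h: d for h, d in scopes.items() if h and ["sslenable"] in d}
    if not any(d[:2] == ["loadmodule", "ibm_ssl_module"] for d in scopes[None]):
        findings.append("ibm_ssl_module is not loaded")
    if not ssl_hosts:
        findings.append("no VirtualHost has SSLEnable")
    for host, directives in ssl_hosts.items():
        if not any(d[0] == "keyfile" for d in directives + scopes[None]):
            findings.append(f"{host}: no Keyfile in scope")
        if ["sslclientauth", "required"] not in directives:
            findings.append(f"{host}: client certificate not required")
    return findings
```

Running audit(SAMPLE_CONF) reports that the 443 host does not require a client certificate; the finding clears once the SSLClientAuth line is uncommented.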