WebSphere: How to Create a Self-Signed SSL Certificate for IBM HTTP Server
What is SSL?
- SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), is the protocol servers use to encrypt data in transit across the internet and to prove their identity to clients.
- The server needs a public-private key pair and a certificate. During the handshake the server proves possession of its private key; the private key never leaves the server and must be protected accordingly.
- The certificate binds the server's public key to its name. Normally it is issued by a certification authority (CA), a trusted third party whose signature clients already trust. A self-signed certificate, the subject of this post, is instead signed with the server's own key, so clients trust it only after the certificate has been explicitly imported into their trust store.
IBM's SSL implementation: IBM provides GSKit (Global Security Kit)
* GSKit provides the SSL/TLS functions for IBM products such as IBM HTTP Server
* GSKit provides IKeyman (GUI) and the gskcapicmd command-line tool for key management
IKeyman
- IKeyman (IBM Key Management Utility)
- Java-based application to manage keys and key databases
- Using IKeyman, you can create a new key database, add a root CA certificate to the database, request and receive a certificate from a CA, and create self-signed certificates
- Set default keys
- Change the key database password
How to Create a Self-Signed SSL Certificate?
Create an ssl directory under $HTTPServer_HOME/conf to hold the key database. Restrict this directory to the user IBM HTTP Server runs as (for example mode 700), because it will contain the server's private key.
[was61@Server1 conf]$ pwd
/opt/IBM/HTTPServer/conf
[was61@Server1 conf]$ mkdir ssl
Start the $HTTPServer_HOME/bin/ikeyman tool and create a new key database (Key Database File > New).
IKeyman can create CMS (.kdb), JKS and PKCS12 key databases. Choose the format according to what will consume the keystore: Apache Tomcat and many other Java applications expect a Java Key Store (JKS), while the native format of IBM HTTP Server is CMS. This walkthrough uses PKCS12 (http://en.wikipedia.org/wiki/PKCS).
Use the "Location" field to point at the ssl directory created earlier.
IKeyman prompts for a key database password. Choose a strong one: it is what protects the private key at rest. The new key database then opens.
Select "Personal Certificates" from the drop-down. (The "Personal Certificate Requests" view creates certificate signing requests to be sent to a CA, which is not what we want here.)
Click "New Self-Signed..." to create a self-signed certificate.
Fill in the fields: the Key Label (referenced later by SSLServerCert in httpd.conf; this walkthrough uses "self-signed"), the Common Name (the host name clients will type in the URL, here Server1), a key size of at least 2048 bits, and a validity period. Click OK.
IKeyman should now list the "self-signed" certificate under Personal Certificates.
Double-click the "self-signed" entry to see the certificate details (subject, issuer, validity period, fingerprint). For a self-signed certificate the issuer is identical to the subject.
Now that the certificate is in place, amend the SSL configuration in httpd.conf.
Edit $HTTPServer_HOME/conf/httpd.conf and add the following:
- Listen Server1:443
- Towards the end of httpd.conf add the virtual host details:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<VirtualHost Server1:443>
SSLEnable
SSLClientAuth None
# SSLServerCert must be exactly the Key Label entered when the certificate was created
SSLServerCert self-signed
KeyFile "/opt/IBM/HTTPServer/conf/ssl/key.p12"
# SSLStashfile is required for the CMS (.kdb) key database format, not for JKS/PKCS12
# SSLStashfile "/opt/IBM/HTTPServer/conf/ssl/key.sth"
DocumentRoot "/opt/IBM/HTTPServer/htdocs/en_US"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b %{HTTPS}e %{SSL_CIPHER}e %{SSL_CLIENT_DN}e" SSL
CustomLog "|/opt/IBM/HTTPServer/bin/rotatelogs /opt/IBM/HTTPServer/logs/ssl_access%d%m%Y.log 86400" SSL
ErrorLog "|/opt/IBM/HTTPServer/bin/rotatelogs /opt/IBM/HTTPServer/logs/ssl_error%d%m%Y.log 86400"
</VirtualHost>
- Finally restart the HTTP server and watch the error log at /opt/IBM/HTTPServer/logs/ssl_error<ddmmyyyy>.log (the name comes from the rotatelogs pattern above). A wrong key label, key file path or key database password shows up here at startup.
Browse to https://Server1. Because the certificate is self-signed, the browser will warn that the issuer is not trusted; that is expected, and the warning only goes away once the certificate has been imported into the client's trust store. A self-signed certificate is therefore suitable for test and internal environments, not for anything the public must trust; for that, request a CA-issued certificate through IKeyman's Personal Certificate Requests view instead.
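The same procedure from the command line, as an added example that is not part of the original post: it creates the key pair and self-signed certificate with openssl, bundles them into key.p12 under the label "self-signed" (so the KeyFile and SSLServerCert lines above apply unchanged), locks the file down to its owner, and then runs the checks worth doing before restarting the server: that the label really is the one httpd.conf names, that the Common Name is the host clients will connect to, that the certificate is self-signed, and that nobody but the owner can read the key file. The target directory, host name Server1, organisation and the password are assumptions for illustration; the gskcapicmd commands in the header comment are GSKit's native route to the same result and are not exercised by the script.

```shell
#!/bin/sh
# Added example (not from the original post): openssl equivalent of the IKeyman
# steps above. Produces key.p12 holding the certificate under the label named by
# SSLServerCert in httpd.conf. Directory, host name and password are assumptions.
#
# IBM HTTP Server also ships gskcapicmd, which does the same natively
# (not exercised here; check `gskcapicmd -help` on your version):
#   gskcapicmd -keydb -create -db key.kdb -pw <pw> -stash
#   gskcapicmd -cert -create -db key.kdb -pw <pw> -label self-signed \
#       -dn "CN=Server1,O=Example,C=US" -size 2048 -expire 365
set -eu

# Create an RSA-2048 key and a one-year SHA-256 self-signed certificate for host $3
# in directory $1, then bundle both into $1/key.p12 under label $2 with password $4.
make_self_signed() {
    dir="$1"; label="$2"; cn="$3"; pass="$4"
    (
        umask 077   # key material is owner-only from the moment it is written
        # subjectAltName is what browsers match against; CN alone is no longer enough
        openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -subj "/CN=$cn/O=Example/C=US" \
            -addext "subjectAltName=DNS:$cn" 2>/dev/null
        openssl pkcs12 -export -name "$label" \
            -inkey "$dir/server.key" -in "$dir/server.crt" \
            -out "$dir/key.p12" -passout "pass:$pass"
    )
    rm -f "$dir/server.key"   # the PKCS12 now holds the private key; leave no loose copy
}

# Print the label (PKCS12 friendlyName) of the certificate in $1 (password $2).
# This is the value SSLServerCert must name.
p12_label() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Print the Common Name of the certificate in $1 (password $2).
cert_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the certificate in $1 is self-signed (issuer hash == subject hash).
is_self_signed() {
    hashes=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject_hash -issuer_hash)
    [ "$(printf '%s\n' "$hashes" | sed -n 1p)" = "$(printf '%s\n' "$hashes" | sed -n 2p)" ]
}

# Succeed only if file $1 exists and has neither the group nor the other read bit set.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# After the restart: show what the server actually serves on $1:$2
# (needs the live server, so it is not part of the offline checks).
show_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Run the whole procedure when given a target directory, e.g.:
#   sh make_ihs_selfsigned.sh /opt/IBM/HTTPServer/conf/ssl
if [ "$#" -ge 1 ]; then
    pass="${P12_PASS:-changeit}"   # assumption: real deployments take this from a secret store
    make_self_signed "$1" self-signed Server1 "$pass"
    echo "label:       $(p12_label "$1/key.p12" "$pass")"
    echo "common name: $(cert_cn "$1/key.p12" "$pass")"
    is_self_signed "$1/key.p12" "$pass" && echo "self-signed: yes"
    key_is_private "$1/key.p12" && echo "permissions: owner-only"
fi
```

The label check is the one that catches the most common startup failure: SSLServerCert is matched against the label string exactly, and a mismatch is only reported in the error log after the restart. If an older GSKit or Java runtime refuses to open a key.p12 written by OpenSSL 3, which encrypts PKCS12 bags with AES and PBKDF2 by default, re-export with `openssl pkcs12 -export -legacy` to get the older encoding those readers expect.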