IBM Support

SSL virtual hosting in IBM HTTP Server

Troubleshooting


Problem

SSL virtual hosting capabilities in IBM HTTP Server.

Resolving The Problem

Virtual Hosting comes in two forms in IBM HTTP Server. Each form has special considerations when used in combination with SSL.
 
  • IP-Based virtual hosting
    • Each VirtualHost stanza is configured with a different IP address and port combination.   
    • If a certificate is used for multiple hostnames without unique IP/Port combinations, it must have multiple or wildcard SubjectAltName extensions.
    • All SSL configuration directives behave intuitively, selected by the local interface and port that handles the underlying connection.
      • KeyFile or SSLServerCert can be used to select a unique certificate.
The following example shows two SSL IP-based virtual hosts, each bound to its own IP/port combination, so each can carry its own KeyFile and SSLServerCert.
 
KeyFile /usr/lpp/HTTPServer/keys/Keyfile.kdb
 
# If the local address matches, use the specified SSL settings.
# DNS, routing, and load balancers must arrange for www.example.com to map to 192.168.1.111
<VirtualHost 192.168.1.111:443>
  SSLEnable
  ServerName www.example.com
  KeyFile ...
  SSLServerCert ...
</VirtualHost>

# If the local address matches, use the specified SSL settings.
# DNS, routing, and load balancers must arrange for OTHER.example.com to map to 192.168.1.222
<VirtualHost 192.168.1.222:443>
  SSLEnable
  ServerName OTHER.example.com
  KeyFile ...
  SSLServerCert ...
</VirtualHost>

 
  • Name-Based virtual hosting
    • A single IP/port combination is shared between multiple virtual hosts, differentiated by unique ServerName and ServerAlias values.
    • If a certificate is used for multiple hostnames without unique IP/Port combinations, it must have multiple or wildcard SubjectAltName extensions.
      • In IHS 9.0 (and later), SSLServerCert can be used to select an alternate certificate based on the requested hostname (SNI).
    • Most common SSL configuration directives are ONLY effective when specified in the first listed virtual host (the "default name-based vhost") that shares each IP/port combination; the same directive in a later virtual host for that IP/port is silently ignored.
      • Examples: SSLCipherSpec, KeyFile, SSLProtocolEnable, SSLClientAuth, SSLProtocolDisable
    • Nearly every non-SSL Apache configuration directive can be used intuitively within the non-default name-based virtual hosts.

The following example shows two SSL name-based virtual hosts that share a single IP/port combination. See the embedded comments for differences between releases.
 
KeyFile /usr/lpp/HTTPServer/keys/Keyfile.kdb

# IHS 8.5.5 and earlier requires this; the address must match the <VirtualHost> stanzas below
NameVirtualHost 192.168.1.100:443

# This is the "default" (first listed) name-based virtualhost for 192.168.1.100:443
<VirtualHost 192.168.1.100:443>
  # In IHS 9.0 and later, "SNI" can be appended to "SSLEnable" to allow
  # additional virtual hosts sharing this IP:PORT to specify a different
  # SSLServerCert
  SSLEnable
 
  ServerName www.example.com 
  # Perform all normal SSL configuration in the default virtual host
  SSLCipherSpec TLSv12 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  SSLProtocolDisable TLSv10
</VirtualHost>

# Second, non-default virtual host. Same IP:PORT
<VirtualHost 192.168.1.100:443>
  SSLEnable
  ServerName OTHER.example.com
  # IHS 9.0 (and later) only: If the default virtual host enabled SNI,
  # and the requested hostname matches this ServerName, the specified
  # SSLServerCert will be used
  SSLServerCert other-cert
  # No other SSL directives should be used.
  DocumentRoot /var/www/other.example.com
</VirtualHost>
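The "default vhost only" rule above is easy to violate and the server gives no error when it happens: an SSLProtocolDisable or SSLCipherSpec placed in the second stanza simply does nothing, leaving the listener with whatever the first stanza configured. The following script is an added example, not part of this tech note and not IBM's code. It reads an httpd.conf, groups <VirtualHost> stanzas by the IP:port they bind, and reports the directives this note lists as default-only when they appear in a non-default stanza, plus an SSLServerCert in a non-default stanza whose default stanza lacks "SSLEnable SNI". The directive set, the NameVirtualHost cross-check and the comment stripping are my own simplifications; the sample configuration at the bottom is constructed for illustration.

```python
"""Lint an IBM HTTP Server (Apache-style) httpd.conf for SSL directives that
are silently ignored in non-default name-based virtual hosts.

Added example, not IBM's code. Rule encoded (from the tech note): for each
IP:port shared by several <VirtualHost> stanzas, only the first listed stanza
honours the common SSL directives; SSLServerCert in a later stanza works only
when the default stanza has "SSLEnable SNI" (IHS 9.0 and later).
"""
import re
from collections import OrderedDict

# Directives the tech note lists as effective only in the default vhost (assumed complete here).
DEFAULT_ONLY = {"sslcipherspec", "keyfile", "sslprotocolenable",
                "sslclientauth", "sslprotocoldisable"}

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.I)


def parse_vhosts(conf_text):
    """Return (global_directives, vhosts); each vhost is (addr, [(lineno, name, args)])."""
    global_directives = []
    vhosts = []
    current = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # naive comment strip: '#' inside quotes is not handled
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = (m.group(1).strip(), [])
            vhosts.append(current)
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        parts = line.split(None, 1)
        entry = (lineno, parts[0].lower(), parts[1] if len(parts) > 1 else "")
        (global_directives if current is None else current[1]).append(entry)
    return global_directives, vhosts


def lint(conf_text):
    """Return a list of human-readable findings for the given configuration text."""
    findings = []
    global_directives, vhosts = parse_vhosts(conf_text)

    # Group stanzas by the address:port they bind, preserving file order (first = default).
    groups = OrderedDict()
    for addr, directives in vhosts:
        groups.setdefault(addr, []).append(directives)

    # NameVirtualHost (IHS 8.5.5 and earlier) must name an address some stanza actually binds.
    for lineno, name, args in global_directives:
        if name == "namevirtualhost" and args.strip() not in groups:
            findings.append(f"line {lineno}: NameVirtualHost {args.strip()} matches no <VirtualHost>")

    for addr, stanzas in groups.items():
        if len(stanzas) < 2:
            continue  # one stanza per IP:port is IP-based hosting; all directives work intuitively
        default = stanzas[0]
        default_has_sni = any(name == "sslenable" and "sni" in args.lower().split()
                              for _, name, args in default)
        for directives in stanzas[1:]:
            for lineno, name, args in directives:
                if name in DEFAULT_ONLY:
                    findings.append(
                        f"line {lineno}: {name} in a non-default vhost for {addr} is ignored; "
                        "move it to the first <VirtualHost> for that IP:port")
                elif name == "sslservercert" and not default_has_sni:
                    findings.append(
                        f"line {lineno}: SSLServerCert in a non-default vhost for {addr} "
                        "requires 'SSLEnable SNI' in the default vhost (IHS 9.0 and later)")
    return findings


# Constructed sample: the second vhost tries to harden TLS on its own and has a mistyped NameVirtualHost.
SAMPLE_CONF = """\
KeyFile /usr/lpp/HTTPServer/keys/Keyfile.kdb
NameVirtualHost 192.168.100:443
<VirtualHost 192.168.1.100:443>
  SSLEnable
  ServerName www.example.com
  SSLProtocolDisable TLSv10
</VirtualHost>
<VirtualHost 192.168.1.100:443>
  SSLEnable
  ServerName other.example.com
  SSLProtocolDisable TLSv10   # silently ignored here
  SSLServerCert other-cert    # needs "SSLEnable SNI" in the default vhost
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it against a real httpd.conf by replacing SAMPLE_CONF with the file's contents; an empty result means every SSL directive sits in the stanza where IHS will actually apply it. Adding "SNI" to the default stanza's SSLEnable clears the SSLServerCert finding, which mirrors the release note in the comments above.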

Cross reference information
Product Component Platform Version Edition
WebSphere Application Server IBM HTTP Server AIX, HP-UX, Linux, Solaris, Windows, z/OS 8.0, 8.5, 9.0, 7.0, 6.1, 6.0

Document information

More support for: IBM HTTP Server

Component: Not Applicable

Software version: 7.0, 8.0, 9.0, 8.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #: 1045922

Modified date: 17 July 2019