IBM Support

SSL virtual hosting in IBM HTTP Server

Troubleshooting


Problem

SSL virtual hosting capabilities in IBM HTTP Server.

Resolving The Problem

Virtual Hosting comes in two forms in IBM HTTP Server. Each form has special considerations when used in combination with SSL.
  • IP-Based virtual hosting
    • Each VirtualHost stanza is configured with a different IP address and port combination.
    • If a certificate is used for multiple hostnames without unique IP/Port combinations, it must have multiple or wildcard SubjectAltName extensions.
    • All SSL configuration directives behave intuitively, selected by the local interface and port that handles the underlying connection.
      • KeyFile or SSLServerCert can be used to select a unique certificate.
The following example shows two SSL IP-based virtual hosts, each bound to its own IP/port combination. See the embedded comments for differences between releases.

KeyFile /usr/lpp/HTTPServer/keys/Keyfile.kdb

# If the local address matches, use the specified SSL settings.
# DNS, routing, and load balancers must arrange for www.example.com to map to 192.168.1.111
<VirtualHost 192.168.1.111:443>
  SSLEnable
  ServerName www.example.com
  KeyFile ...
  SSLServerCert ..
</VirtualHost>
# If the local address matches, use the specified SSL settings.
# DNS, routing, and load balancers must arrange for OTHER.example.com to map to 192.168.1.222
<VirtualHost 192.168.1.222:443>
  SSLEnable
  ServerName OTHER.example.com
  KeyFile ...
  SSLServerCert ..
</VirtualHost>
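Both forms of virtual hosting raise the same certificate question: every hostname a VirtualHost answers for (ServerName and ServerAlias) must appear in the certificate's SubjectAltName, either literally or via a wildcard. The following added example (not from the technote or from IBM) checks a list of vhost hostnames against a list of SAN entries using the usual wildcard rule: a leading `*` covers exactly one DNS label, so `*.example.com` matches `other.example.com` but neither `example.com` nor `deep.sub.example.com`. The hostnames and SAN values are constructed for illustration.

```python
# Added example: check that a certificate's SubjectAltName entries cover every
# hostname served by the SSL virtual hosts. Hostnames and SANs are constructed.

def san_matches(hostname: str, san: str) -> bool:
    """Return True if the dNSName SAN entry covers hostname.

    Exact match, or a wildcard SAN whose single leading '*' label stands for
    exactly one DNS label (the rule browsers apply). Comparison is
    case-insensitive because DNS names are.
    """
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    # Only a whole leftmost wildcard label is accepted (no "w*.example.com",
    # no wildcard in the middle, no bare "*").
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    host_labels = host.split(".")
    pattern_labels = pattern.split(".")
    # Conservative choice: refuse wildcards directly under a TLD ("*.com").
    if len(pattern_labels) < 3:
        return False
    # The wildcard covers exactly one label, not zero and not several.
    if len(host_labels) != len(pattern_labels):
        return False
    return host_labels[1:] == pattern_labels[1:]


def uncovered_hostnames(hostnames, sans):
    """Return the vhost hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


# Constructed sample: hostnames collected from ServerName/ServerAlias lines
# of several vhosts, and the dNSName SANs of the certificate in the key file.
VHOST_HOSTNAMES = [
    "www.example.com",
    "OTHER.example.com",
    "deep.sub.example.com",
    "example.com",
]
CERT_SANS = ["www.example.com", "*.example.com"]

if __name__ == "__main__":
    for h in uncovered_hostnames(VHOST_HOSTNAMES, CERT_SANS):
        print(f"not covered by certificate SAN: {h}")
```

Running the sample reports `deep.sub.example.com` and `example.com` as uncovered: the wildcard does not reach a second level of subdomain and does not cover the bare domain, so each needs its own SAN entry (or its own IP/port with a separate certificate).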

  • Name-Based virtual hosting
    • A single IP/port combination is shared between multiple virtual hosts, differentiated by unique ServerName and ServerAlias values.
    • If a certificate is used for multiple hostnames without unique IP/Port combinations, it must have multiple or wildcard SubjectAltName extensions.
      • In IHS 9.0 (and later), SSLServerCert can be used to select an alternate certificate based on the requested hostname.
    • Most common SSL configuration directives are ONLY effective when specified in the first listed virtual host ("default name-based vhost") that shares each IP/port combination.
      • Examples: SSLCipherSpec, KeyFile, SSLProtocolEnable, SSLProtocolDisable, SSLClientAuth
      • Nearly every non-SSL Apache configuration directive can be used intuitively within the non-default name-based virtual hosts.

The following example shows two SSL name-based virtual hosts that share a single IP/port combination.

IHS 8.5.5 and earlier: no SSL customization is possible in additional virtual hosts

KeyFile /usr/lpp/HTTPServer/keys/Keyfile.kdb

NameVirtualHost *:443

# This is the "default" (first listed) name-based virtualhost for all addresses
<VirtualHost *:443>
  SSLEnable
  ServerName www.example.com
  # Perform all normal SSL configuration in the default virtual host
  SSLCipherSpec TLSv12 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  SSLProtocolDisable TLSv10
</VirtualHost>

# Second, non-default virtual host. Same IP:PORT
<VirtualHost *:443>
  SSLEnable
  ServerName OTHER.example.com
  # No other SSL directives should be used, but other Apache directives can be used.
  DocumentRoot /var/www/other.example.com
</VirtualHost>

IHS 9.0 and later: SSLServerCert can vary in additional virtual hosts

KeyFile /usr/lpp/HTTPServer/keys/Keyfile.kdb

# This is the "default" (first listed) name-based virtualhost for all addresses
<VirtualHost *:443>
  SSLEnable SNI
  ServerName www.example.com
  # Perform all normal SSL configuration in the default virtual host
  SSLCipherSpec TLSv12 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  SSLProtocolDisable TLSv10
  SSLServerCert www-label
</VirtualHost>

# Second, non-default virtual host. Same IP:PORT
<VirtualHost *:443>
  SSLEnable
  ServerName OTHER.example.com
  # No other SSL directives should be used, but other Apache directives can be used.
  SSLServerCert other-label
  DocumentRoot /var/www/other.example.com
</VirtualHost>
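The security-relevant trap in the name-based form is silent: a hardening directive such as SSLProtocolDisable or SSLCipherSpec placed in a non-default vhost is accepted by the parser but never takes effect, so an administrator can believe TLSv1.0 is disabled for OTHER.example.com while the default vhost's settings still govern every connection on that IP/port. The following added example (not IBM's code or part of the technote) is a small configuration linter: it walks the VirtualHost stanzas in file order, treats the first stanza for each address as the default, and reports the default-only SSL directives listed above whenever they appear in a later stanza for the same address. SSLServerCert is reported only when the IHS version is below 9.0, matching the release difference described above. The `ihs_version` parameter and the sample configurations are constructed for illustration.

```python
# Added example: find SSL directives that IHS will ignore because they sit in
# a non-default name-based virtual host. Sample configs below are constructed.
import re

# Directives the technote lists as effective only in the default (first
# listed) vhost for each IP/port. Compared case-insensitively, like Apache.
DEFAULT_ONLY_SSL_DIRECTIVES = {
    "sslcipherspec", "keyfile", "sslprotocolenable",
    "sslprotocoldisable", "sslclientauth",
}

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_vhosts(config_text):
    """Return [(addresses, [(directive, args), ...]), ...] in file order.

    addresses is the list of tokens on the <VirtualHost> line, since one
    stanza may name several IP:port pairs. Comments and blank lines are
    skipped; directives outside any stanza are ignored.
    """
    vhosts = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = (m.group(1).split(), [])
            vhosts.append(current)
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            current[1].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return vhosts


def find_ineffective_ssl_directives(config_text, ihs_version=(9, 0)):
    """Return (address, server_name, directive) for each directive that IHS
    would ignore because its vhost is not the first listed for that address.
    ihs_version is a hypothetical (major, minor) tuple used only to decide
    whether SSLServerCert is honored in non-default vhosts (IHS 9.0+).
    """
    seen = set()
    findings = []
    for addresses, directives in parse_vhosts(config_text):
        server_name = next(
            (a for d, a in directives if d.lower() == "servername"), "<no ServerName>")
        for address in addresses:
            is_default = address not in seen
            seen.add(address)
            if is_default:
                continue
            for directive, _ in directives:
                name = directive.lower()
                if name in DEFAULT_ONLY_SSL_DIRECTIVES:
                    findings.append((address, server_name, directive))
                elif name == "sslservercert" and ihs_version < (9, 0):
                    findings.append((address, server_name, directive))
    return findings


# Constructed sample: the second stanza tries to harden TLS on its own.
NAME_BASED_CONFIG = """
KeyFile /usr/lpp/HTTPServer/keys/Keyfile.kdb
<VirtualHost *:443>
  SSLEnable
  ServerName www.example.com
  SSLProtocolDisable TLSv10
</VirtualHost>
<VirtualHost *:443>
  SSLEnable
  ServerName other.example.com
  SSLServerCert other-label
  SSLProtocolDisable TLSv10
  SSLCipherSpec TLSv12 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
</VirtualHost>
"""

# Constructed sample: IP-based vhosts on distinct addresses, nothing to report.
IP_BASED_CONFIG = """
<VirtualHost 192.168.1.111:443>
  SSLEnable
  ServerName www.example.com
  SSLProtocolDisable TLSv10
</VirtualHost>
<VirtualHost 192.168.1.222:443>
  SSLEnable
  ServerName other.example.com
  SSLCipherSpec TLSv12 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
</VirtualHost>
"""

if __name__ == "__main__":
    for address, name, directive in find_ineffective_ssl_directives(NAME_BASED_CONFIG):
        print(f"{address} {name}: {directive} is ignored outside the default vhost")
```

On the name-based sample with the default IHS 9.0 assumption, the linter reports SSLProtocolDisable and SSLCipherSpec in other.example.com; with `ihs_version=(8, 5)` it also reports SSLServerCert. The IP-based sample produces no findings because each stanza is the first for its own address.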


Document Information

Modified date:
07 September 2022

UID

swg21045922