Question & Answer
Question
How do you configure IHS, the web server plug-in and WAS to enforce the use of TLSv1.2 (SP800-131 security standard)?
Answer
Prerequisites:
- IBM HTTP Server - 8.0.0.6 or later.
- IBM WebSphere Application Server - 8.0.0.6 or later.
- Web Server Plug-ins for IBM WebSphere Application Server - 8.0.0.6 or later.
- WebSphere Customization Toolbox - 8.0.0.6 or later.
Configuring IHS for SSL:
Follow the instructions in the following document:
http://www.ibm.com/support/docview.wss?uid=swg21179559
Configuring the CCRC WAN Server and ClearQuest Web Server profiles to enforce the use of TLSv1.2:
Follow the instructions in the following document: http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.nd.doc%2Fae%2Ftsec_config_strictsp300.html
Configuring the web server plug-in:
For each profile:
- Use a browser to connect to the WebSphere Administration Console for this profile.
- In the console, navigate to Servers > Server Types > Web servers.
- Select the web server, e.g. webserver1.
- Select Plug-in properties.
- Select Copy to Web server key store directory to configure the related plugin-key.kdb file with the correct personal and signer certificates.
- Open the plugin-key.kdb file using a utility such as IKeyMan. Its location is the value of the "keyring" property in the plugin-cfg.xml file; the path to plugin-cfg.xml can be found in IHS_HOME_DIRECTORY/conf/httpd.conf.
- Navigate to personal certificates, and select default certificate.
- Open the certificate for view/edit.
- At the bottom of the certificate, select the option Set the certificate as the default.
- Save plugin-key.kdb in its original location.
- Set StrictSecurity=true in the plugin-cfg.xml file. Its path (e.g. WAS_HOME_DIRECTORY/Plugins/config/webserver1) is listed in httpd.conf. (NOTE: see http://www.ibm.com/support/docview.wss?rs=180&uid=swg1PM74603 for a PMR resolution.)
- The SSL signer certificate in the plug-in's keystore must match that from the WebSphere Application Server node for TLSv1.2 to function correctly.
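The following Python script is an added example, not IBM's code and not part of the technote: it audits a plugin-cfg.xml for the two settings the steps above depend on, StrictSecurity on the plug-in configuration and the keyring/stashfile that the HTTPS transport points at, and can rewrite the file with StrictSecurity enabled. It assumes the plugin-cfg.xml layout in which StrictSecurity is an attribute of the `<Config>` root element and the keyring and stashfile are `<Property>` children of a `<Transport Protocol="https">` element; the sample configuration embedded in the script is constructed for the example.

```python
"""Audit a WebSphere web server plug-in configuration (plugin-cfg.xml) for the
settings the TLSv1.2 steps above ask for.

Added example: this is not IBM's code and not from the technote. It assumes the
plugin-cfg.xml layout in which StrictSecurity is an attribute of the <Config>
root element and the keyring/stashfile are <Property> children of the
HTTPS <Transport>. The sample configuration below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample plugin-cfg.xml: one HTTP and one HTTPS transport to the
# application server, with StrictSecurity still at its default of "false".
SAMPLE_PLUGIN_CFG = """\
<Config ASDisableNagle="false" AcceptAllContent="false" StrictSecurity="false">
  <ServerCluster Name="server1_Cluster">
    <Server Name="node01_server1">
      <Transport Hostname="was.example.com" Port="9080" Protocol="http"/>
      <Transport Hostname="was.example.com" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
"""


def _config_root(xml_text):
    """Parse the document and make sure the root is the plug-in <Config> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "Config":
        raise ValueError(f"expected <Config> root element, got <{root.tag}>")
    return root


def strict_security_enabled(xml_text):
    """True only when <Config> carries StrictSecurity="true" (case-insensitive)."""
    value = _config_root(xml_text).get("StrictSecurity", "false")
    return value.strip().lower() == "true"


def transports(xml_text):
    """List every <Transport> with its protocol, endpoint and keyring/stashfile."""
    found = []
    for transport in _config_root(xml_text).iter("Transport"):
        props = {p.get("Name"): p.get("Value") for p in transport.findall("Property")}
        found.append({
            "protocol": (transport.get("Protocol") or "").lower(),
            "host": transport.get("Hostname"),
            "port": transport.get("Port"),
            "keyring": props.get("keyring"),
            "stashfile": props.get("stashfile"),
        })
    return found


def audit(xml_text):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if not strict_security_enabled(xml_text):
        findings.append('StrictSecurity is not "true" on <Config>')
    for t in transports(xml_text):
        endpoint = f'{t["host"]}:{t["port"]}'
        if t["protocol"] == "https":
            if not t["keyring"]:
                findings.append(f"https transport {endpoint} has no keyring property")
            elif not t["keyring"].lower().endswith(".kdb"):
                findings.append(f'https transport {endpoint} keyring is not a .kdb file: {t["keyring"]}')
            if not t["stashfile"]:
                findings.append(f"https transport {endpoint} has no stashfile property")
        elif t["protocol"] == "http":
            # Not one of the technote's steps, but worth knowing: a plain HTTP
            # transport lets the plug-in reach the application server without TLS.
            findings.append(f"plain http transport {endpoint} is still defined")
    return findings


def enable_strict_security(xml_text):
    """Return the configuration text with StrictSecurity="true" set on <Config>."""
    root = _config_root(xml_text)
    root.set("StrictSecurity", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGIN_CFG):
        print("-", finding)
    print(enable_strict_security(SAMPLE_PLUGIN_CFG))
```

Run it against a real file by reading the text of the plugin-cfg.xml path listed in httpd.conf and passing it to `audit()`; note that `enable_strict_security()` only edits the attribute in memory, so the result still has to be written back to the file the plug-in actually loads, and the keyring it names must carry the signer certificate from the WebSphere node for the TLS handshake to succeed.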
Troubleshooting:
Problem: "GSK_ERROR_BAD_CERT" is logged in the plug-in log, i.e. http-plugin.log (located under WAS_HOME_DIRECTORY).
- Cause: The plug-in keystore does not have the correct SSL signer certificate to match the SSL personal certificate from the WebSphere Application Server node.
- Solution: Refer to http://www.ibm.com/support/docview.wss?uid=swg21433593
Document Information
Modified date: 16 June 2018
UID: swg21648276