Steps for updating the IBM HTTP Server - Powered by Apache configuration files
PKI Services ships sample IBM® HTTP Server - Powered by Apache configuration files:
- The main configuration file (httpd.conf)
- Virtual host files:
  - vhost80.conf - Virtual Host file for non-SSL requests
  - vhost443.conf - Virtual Host file for SSL requests with server authentication
  - vhost1443.conf - Virtual Host file for SSL requests with client authentication
Table 1 summarizes the virtual host files that are used for normal HTTP traffic and SSL traffic with specific ports.
Virtual host configuration file | Protocol | SSL | Server authentication | Client authentication | Port number |
---|---|---|---|---|---|
vhost80.conf | HTTP | No | No | No | 80 |
vhost443.conf | HTTPS | Yes | Yes | No | 443 |
vhost1443.conf | HTTPS | Yes | Yes | Yes | 1443 |
Before you begin
- You must perform these steps only if you are configuring IBM HTTP Server - Powered by Apache for PKI Services for the first time. If you are using IBM HTTP Server - Powered by Apache and you are now updating the configuration for use with PKI Services, some of the following steps are not required.
- This information assumes that you used the installer program (bin/install_ihs) to install IBM HTTP Server - Powered by Apache. You must know the installation directory for the server instance, which is referred to as ihs-install-dir in the sample commands. (This directory must be different from the product directory, usually /usr/lpp/ihsa_zos).
- You must know the file system installation directory (the file system directory where the MVS™ programmer installed PKI Services), called pki-install-dir in the commands that follow. The default is /usr/lpp/pkiserv/. The MVS programmer was asked to record any changes to the defaults; see Table 1.
- You must know the following LDAP information. Record the information in the rightmost column of Table 2.
  Note: The default name of the LDAP server configuration file is ds.conf for the LDAP server that is provided by IBM Tivoli® Directory Server.
Table 2. LDAP information you need for tailoring IBM HTTP Server - Powered by Apache configuration
LDAP information | Explanation | Value |
---|---|---|
Administrator's distinguished name | The distinguished name to use for LDAP binding. (For a definition of distinguished name, see Table 1.) The LDAP administrator defines the administrator's distinguished name with the adminDN keyword in the LDAP server configuration file. For example, the value is "cn=Admin" in adminDN "cn=Admin". | |
Administrator password | The password to use for LDAP binding. The LDAP programmer can set this password in several ways; for example: by specifying the password as a TDBM entry by using the userPassword attribute in the ldif2tdbm load utility, or by using the adminPW keyword in the LDAP server configuration file (not suggested). | |
LDAP fully qualified domain name | The IP address on which the LDAP server is listening, for example, ldap.widgets.com. See Table 1 for a definition of fully qualified domain name. | |
LDAP port | The port for LDAP, for example, 389 in ldap.widgets.com:389. | |
Procedure
Perform the following steps to update the IBM HTTP Server - Powered by Apache configuration files:
- Copy the IBM HTTP Server - Powered by Apache directives from the PKI Services samples configuration file, pki-install-dir/samples/httpd.conf, to the HTTP server configuration file, ihs-install-dir/conf/httpd.conf, and make the following updates.
  Note: The file pki-install-dir/samples/httpd.conf is not a complete httpd.conf file. It contains only the directives that might not be present in your httpd.conf file and that might be unique to the PKI Services CGI scripts and programs.
  - Use the LoadModule directive to add the required modules to the list of modules, if they do not exist:
    - rewrite_module modules/mod_rewrite.so
    - authnz_saf_module modules/mod_authnz_saf.so
    - ibm_ssl_module modules/mod_ibm_ssl.so
    - alias_module modules/mod_alias.so
  - Add the AddType directives to your list of AddType directives, if they do not exist:
    AddType application/x-x509-user-cert .cer
    AddType application/x-x509-ca-cert .der
    AddType application/octet-stream .msi
    AddType application/pkix-crl .crl
  - Copy the Keyfile and the Include directives as is, replacing any existing values.
  - If your organization customized the value of web_ring (see Table 1), change SSLring in the Keyfile directive in the following line to the customized value:
    Keyfile /saf SSLring
- If the virtual host files (vhost80.conf, vhost443.conf, vhost1443.conf) do not exist, create them by copying them from pki-install-dir/samples to ihs-install-dir/conf/vhost80.conf, ihs-install-dir/conf/vhost443.conf, and ihs-install-dir/conf/vhost1443.conf. For example, assuming the default pki-install-dir and an ihs-install-dir of /etc/websrv1, the following command copies all three vhost files to the /etc/websrv1/conf directory:
  cp /usr/lpp/pkiserv/samples/vhost*.conf /etc/websrv1/conf
- Make the following updates to each of the virtual host files:
  - Change all instances of server-domain-name to the fully qualified domain name of your web server, for example, www.ibm.com. (For information about your web server's fully qualified domain name, see Table 1.)
  - Change all instances of application-root to the value of pki-install-dir, which is /usr/lpp/pkiserv by default.
  - If necessary, change the environment variable _PKISERV_CONFIG_PATH to identify the runtime directory of your CA domain. (See Table 1.)
  - (Optional) If you intend to have a dedicated set of administrators for each CA domain, add an environment variable that specifies the runtime directory for each administrative domain. (See Table 1.) Example:
    SetEnv _PKISERV_CONFIG_PATH_PKIServ "/etc/pkiserv"
  Note: In the vhost80.conf file, which defines directives for non-SSL requests, a Listen directive is not specified. It is assumed that the Listen directive, which tells the server to accept incoming requests on the specified port, is defined in the main httpd.conf file. If you do not have a Listen directive in the httpd.conf file, add the Listen 80 directive on the line before the <VirtualHost *:80> directive in the vhost80.conf file.
- Perform the following step to update the vhost443.conf virtual host configuration file.
  - If your organization customized the value of web_ring (see Table 1), change SSLring in the Keyfile directive in the following line to the customized value:
    Keyfile /saf SSLring
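The httpd.conf and virtual host updates from the steps above, applied by a script to a constructed sample. This is an added example, not code from IBM or PKI Services. It assumes a temporary directory in place of ihs-install-dir, the web server FQDN www.example.com, and made-up contents for the sample httpd.conf and vhost80.conf (the ServerRoot, the ScriptAlias line, and an existing Keyfile value OLDRING that the procedure's "replacing any existing values" step overwrites).

```shell
#!/bin/sh
# Added example, not IBM's or PKI Services' code. Applies the httpd.conf and
# virtual host updates from the procedure to a constructed sample.
# Assumptions: a temporary directory stands in for ihs-install-dir, the web
# server FQDN is www.example.com, and the sample file contents are made up.
set -eu

WORK=$(mktemp -d)
mkdir -p "$WORK/conf"
HTTPD="$WORK/conf/httpd.conf"
VHOST80="$WORK/conf/vhost80.conf"

# Constructed httpd.conf: already loads mod_alias, has one AddType, carries an
# old Keyfile value, and has no Listen directive.
cat > "$HTTPD" <<'EOF'
ServerRoot "/etc/websrv1"
LoadModule alias_module modules/mod_alias.so
AddType application/x-x509-ca-cert .der
Keyfile /saf OLDRING
EOF

# Constructed vhost80.conf with the placeholders the procedure tells you to replace.
cat > "$VHOST80" <<'EOF'
<VirtualHost *:80>
    ServerName server-domain-name
    ScriptAlias /PKIServ/ "application-root/PKIServ/"
    SetEnv _PKISERV_CONFIG_PATH "/etc/pkiserv"
</VirtualHost>
EOF

# Append a directive line unless that exact line is already present.
ensure_directive() {   # ensure_directive FILE "DIRECTIVE VALUE"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Replace the first existing NAME directive with "NAME VALUE", or append one
# (the procedure says to copy Keyfile and Include "replacing any existing values").
set_directive() {      # set_directive FILE NAME "VALUE"
    if grep -qE "^[[:space:]]*$2[[:space:]]" "$1"; then
        awk -v name="$2" -v line="$2 $3" \
            '$1 == name && !done { print line; done = 1; next } { print }' \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# Replace server-domain-name and application-root in a virtual host file
# (sed -i is avoided because its syntax differs between sed implementations).
tailor_vhost() {       # tailor_vhost FILE FQDN PKI_INSTALL_DIR
    sed -e "s#server-domain-name#$2#g" -e "s#application-root#$3#g" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# If neither httpd.conf nor the virtual host file has a Listen directive, put
# "Listen PORT" on the line before <VirtualHost *:PORT>, as the vhost80.conf note says.
ensure_listen() {      # ensure_listen HTTPD_CONF VHOST_FILE PORT
    if ! grep -qE "^[[:space:]]*Listen[[:space:]]" "$1" "$2"; then
        awk -v port="$3" \
            '$0 ~ ("^<VirtualHost \\*:" port ">") && !done { print "Listen " port; done = 1 } { print }' \
            "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    fi
}

# Number of lines in FILE matching PATTERN (prints 0 instead of failing on no match).
count_directive() {    # count_directive PATTERN FILE
    grep -c -- "$1" "$2" || true
}

# Step: LoadModule and AddType directives from the PKI Services sample, only if absent.
for m in "rewrite_module modules/mod_rewrite.so" \
         "authnz_saf_module modules/mod_authnz_saf.so" \
         "ibm_ssl_module modules/mod_ibm_ssl.so" \
         "alias_module modules/mod_alias.so"; do
    ensure_directive "$HTTPD" "LoadModule $m"
done
for t in "application/x-x509-user-cert .cer" "application/x-x509-ca-cert .der" \
         "application/octet-stream .msi" "application/pkix-crl .crl"; do
    ensure_directive "$HTTPD" "AddType $t"
done
# Step: Keyfile as shipped (change SSLring here if your web_ring was customized).
set_directive "$HTTPD" Keyfile "/saf SSLring"

# Step: tailor the virtual host file, then make sure port 80 is listened on.
tailor_vhost "$VHOST80" www.example.com /usr/lpp/pkiserv
ensure_listen "$HTTPD" "$VHOST80" 80

echo "updated files in $WORK/conf:"
cat "$HTTPD" "$VHOST80"
```

Each function is idempotent, so the script can be rerun after a partial edit without duplicating LoadModule, AddType, Keyfile, or Listen lines; point HTTPD and VHOST80 at the real ihs-install-dir/conf files to use it on a server instance.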
- Perform the following steps to update the vhost1443.conf virtual host configuration file.
  - If your organization customized the value of web_ring (see Table 1), change SSLring in the Keyfile directive in the following line to the customized value:
    Keyfile /saf SSLring
  - If you would like the IBM HTTP Server to perform revocation checking, add the following directives after the SSLClientAuth directive:
    - SSLCRLHostName
    - SSLCRLPort
    - SSLCRLUserID
    - SSLStashfile
    Note: SSLStashfile is the fully qualified path to the file that contains the password for the user name on the LDAP server. This directive is not required for an anonymous bind. Use it when you specify a user ID. Use the sslstash command, which is in the bin directory of IBM HTTP Server, to create your CRL password stash file. Specify the password that you use to log in to your LDAP server as the password on the sslstash command. The format of the sslstash command is:
    sslstash [-c] file function password
    where:
    - -c
      Creates a new stash file. If not specified, an existing file is updated.
    - file
      Is the fully qualified name of the file to create or update.
    - function
      Indicates the function for which the password is to be used. Valid values include crl and crypto.
    - password
      Is the password to stash.
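A check for the revocation-checking directives in vhost1443.conf, as an added example that is not IBM's or PKI Services' code. It writes a constructed vhost1443.conf using the example values from Table 2 (ldap.widgets.com, 389, "cn=Admin"), stands in for the file sslstash would create with a placeholder named crl.sth (the real sslstash command is not run), and assumes the SSLClientAuth value Required, which is not on this page. It then verifies that the CRL directives follow SSLClientAuth, that SSLStashfile is present whenever SSLCRLUserID is, and that the stash file, which holds the LDAP bind password, is readable only by its owner.

```shell
#!/bin/sh
# Added example, not IBM's or PKI Services' code. Writes a constructed
# vhost1443.conf with the revocation-checking directives and checks it the way
# an administrator would before restarting the server.
# Assumptions: a temporary directory stands in for ihs-install-dir, the LDAP
# values are Table 2's examples, the stash file name crl.sth is made up, and
# a placeholder file stands in for the output of the sslstash command.
set -eu

WORK=$(mktemp -d)
mkdir -p "$WORK/conf"
STASH="$WORK/conf/crl.sth"
VHOST1443="$WORK/conf/vhost1443.conf"

# Placeholder for the file that "sslstash -c $STASH crl <password>" would create.
# The stash holds the LDAP bind password, so it gets owner-only permissions.
printf 'placeholder-stash-contents\n' > "$STASH"
chmod 600 "$STASH"

# Constructed vhost1443.conf: the CRL directives follow SSLClientAuth, as required.
cat > "$VHOST1443" <<EOF
<VirtualHost *:1443>
    ServerName www.example.com
    Keyfile /saf SSLring
    SSLClientAuth Required
    SSLCRLHostName ldap.widgets.com
    SSLCRLPort 389
    SSLCRLUserID "cn=Admin"
    SSLStashfile $STASH
</VirtualHost>
EOF

# Line number of the first DIRECTIVE in FILE, or 0 when it is absent.
directive_line() {     # directive_line FILE DIRECTIVE
    n=$(awk -v d="$2" '$1 == d { print NR; exit }' "$1")
    echo "${n:-0}"
}

# Exit status 0 when revocation checking is configured consistently:
# SSLCRLHostName and SSLCRLPort are present and follow SSLClientAuth; when
# SSLCRLUserID is given (a non-anonymous bind), SSLStashfile follows as well
# and names an existing file that only its owner can read.
check_crl_config() {   # check_crl_config VHOST_FILE
    f=$1
    auth=$(directive_line "$f" SSLClientAuth)
    if [ "$auth" -eq 0 ]; then echo "$f: SSLClientAuth missing"; return 1; fi
    user=$(directive_line "$f" SSLCRLUserID)
    required="SSLCRLHostName SSLCRLPort"
    [ "$user" -eq 0 ] || required="$required SSLCRLUserID SSLStashfile"
    for d in $required; do
        n=$(directive_line "$f" "$d")
        if [ "$n" -le "$auth" ]; then
            echo "$f: $d missing or placed before SSLClientAuth"; return 1
        fi
    done
    [ "$user" -ne 0 ] || return 0        # anonymous bind: no stash file to check
    stash=$(awk '$1 == "SSLStashfile" { print $2; exit }' "$f")
    if [ ! -f "$stash" ]; then echo "$f: stash file $stash not found"; return 1; fi
    # In ls -l output, characters 5-10 are the group and other permission bits.
    case $(ls -l "$stash" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "$f: $stash is readable by group or others"; return 1 ;;
    esac
}

check_crl_config "$VHOST1443" && echo "$VHOST1443: revocation checking configured"
```

The permission check is the part worth keeping in a real deployment: sslstash writes the LDAP password to the stash file, so a group- or world-readable stash exposes the bind credential to every local user of the web server host.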