For optimal security, configure SSL communication between
servers in a Kerberos junction deployment.
This topic provides an overview of the steps to configure a WebSphere® cluster environment
to use SSL to communicate between WebSEAL, IBM® HTTP Server (IHS), WebSphere Application Server Plug-in, WebSphere Application Server
and Tivoli® Federated Identity
Manager. These steps do not address SSL communication between the
client and WebSEAL or to the back-end Web server. No changes to these
standard SSL configurations are necessary for Kerberos junction support.
Tip: Get the deployment working without SSL first, then add SSL.
Adding it afterward separates certificate and trust-store problems
from Kerberos junction problems.
For each component, create a public/private key pair in its key database,
and extract the public key certificate to a known location so that it can
be copied to every peer that must trust that component.
On the WebSEAL server:
- Copy the IHS public key to the WebSEAL system
- Use the ikeyman utility to add the IHS public key to the WebSEAL key
database. When there is more than one IHS proxy in the environment,
complete this task for each IHS server.
- In the [tfim-cluster:cluster] stanza of the WebSEAL configuration file,
set the server, ssl-keyfile, and ssl-keyfile-stash entries. Optionally,
set ssl-valid-server-dn to the distinguished name of the server certificate
so that WebSEAL accepts only a server certificate with that DN, not any
certificate that the key database happens to trust.
For more information,
see Planning WebSEAL Kerberos junction configuration.
- Restart WebSEAL to activate the changes made to the WebSEAL configuration
file.
On the IBM HTTP Server:
- Copy the WebSEAL public key to the IHS system.
- Use the ikeyman utility on IHS to add the WebSEAL public key.
- Copy the WebSphere public
key from the WebSphere Deployment
Manager (dmgr) system to the IHS system.
- Use the ikeyman utility on IHS to add the WebSphere public key.
- Update the httpd.conf file to configure or add a virtual host
to support SSL connections.
- Restart IHS to activate the changes.
- When your deployment includes multiple IHS proxies, repeat the
above steps for each IHS proxy.
On the WebSphere plug-in
located on the IHS server:
- Copy the WebSphere public
key to the plug-in system.
- Use the ikeyman utility for the plug-in to add the WebSphere public key.
- Copy the WebSphere node
public key from the WebSphere node
to the plug-in server.
- Use the ikeyman utility for the plug-in to add the WebSphere node public key.
- When your deployment includes multiple plug-ins, repeat the above
steps for each plug-in.
On the WebSphere Network
Deployment Manager (dmgr):
- Ensure that the public key for the plug-in is located in a file
path that can be accessed through the WebSphere administration console.
- Use the WebSphere console
to add the public key for the plug-in to the CellDefaultTrustStore.
- When your deployment includes multiple plug-ins, repeat the above
steps for each plug-in.
- Ensure that the public key for the node is located in a file path
that can be accessed through the WebSphere administration
console.
- Use the WebSphere console
to add the public key for the node to the CellDefaultTrustStore.
- When your deployment includes multiple nodes, repeat the above
steps for each node.
- If your deployment requires mutual SSL, configure client authentication
so that the server side also verifies the certificate that the connecting
component presents, instead of authenticating the server only.
On the WebSphere Node:
- Ensure that the public key for the Deployment Manager (dmgr) is
located in a file path that can be accessed through the WebSphere administration console.
- Use the WebSphere console
to add the dmgr public key to the NodeDefaultTrustStore.
- When your deployment includes multiple nodes, repeat the above
steps for each node.
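The steps above amount to a pairwise trust exchange: each component holds the certificates of the peers it talks to, and nothing else. The following script is an added example, not part of the IBM documentation or tooling. It models that exchange with openssl in place of ikeyman and GSKit key databases (an assumption made so that it runs offline): each component gets a key pair and self-signed certificate, its "truststore" is a PEM bundle of exactly the peer certificates the steps say to add, and check_trust reports whether one component would accept another's certificate. The component names, hostnames, and the trust matrix in trust_peers are taken from the procedure above; the WORK directory is a constructed scratch location.

```shell
#!/bin/sh
# Added example: models the SSL trust exchange for a WebSEAL Kerberos
# junction cluster with openssl instead of ikeyman/GSKit (assumption).
set -e

WORK="${WORK:-$(mktemp -d)}"
COMPONENTS="webseal ihs plugin dmgr node"

# Trust matrix derived from the steps on this page: the component on the
# left must hold the certificates of the peers on the right.
trust_peers() {
    case "$1" in
        webseal) echo "ihs" ;;
        ihs)     echo "webseal dmgr" ;;
        plugin)  echo "dmgr node" ;;
        dmgr)    echo "plugin node" ;;
        node)    echo "dmgr" ;;
        *)       return 1 ;;
    esac
}

# "Create a public/private key pair" for one component: a self-signed
# certificate stands in for the entry in a GSKit key database.
make_keypair() {
    comp="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$comp.example.com" \
        -keyout "$WORK/$comp.key" -out "$WORK/$comp.crt" >/dev/null 2>&1
}

# "Copy the peer's public key and add it with ikeyman" becomes: append the
# peer certificate to this component's trust bundle. Only the peers listed
# in trust_peers are added, so unrelated components stay untrusted.
build_truststore() {
    comp="$1"
    : > "$WORK/$comp.trust.pem"
    for peer in $(trust_peers "$comp"); do
        cat "$WORK/$peer.crt" >> "$WORK/$comp.trust.pem"
    done
}

setup_all() {
    for c in $COMPONENTS; do make_keypair "$c"; done
    for c in $COMPONENTS; do build_truststore "$c"; done
}

# Prints "ok" when component $1 would accept component $2's certificate
# (it chains to an entry in $1's truststore) and "untrusted" otherwise.
check_trust() {
    if openssl verify -CAfile "$WORK/$1.trust.pem" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# Print the full matrix so every hop can be reviewed at a glance; a hop
# that should be "ok" but reads "untrusted" is a missing ikeyman step.
trust_report() {
    for a in $COMPONENTS; do
        for b in $COMPONENTS; do
            [ "$a" = "$b" ] && continue
            printf '%-8s trusts %-8s %s\n' "$a" "$b" "$(check_trust "$a" "$b")"
        done
    done
}

setup_all
trust_report
```

The report shows the asymmetry the procedure implies: the node trusts only the dmgr, so a plug-in certificate presented to the node is rejected unless client authentication is configured and the plug-in certificate is added there too. Run the same kind of check against the real key databases (GSKit's command-line tool lists the trusted certificates in a .kdb) before restarting WebSEAL or IHS, because a missing peer certificate shows up only as a failed SSL handshake at run time.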