WebSphere Application Server & Liberty

  • 1.  Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Tue November 28, 2023 07:58 PM
    Edited by Ismael Gutierrez Tue November 28, 2023 08:00 PM

    Hello to all

    It's the first time that I have had to configure SSL in HTTP Server. I made the CSR file (using the openssl Linux utility) to send it, and I received a .cer file from a CA. Below are the commands used to create the kdb and so on:

    ../bin/gskcapicmd -keydb -create -db certihs01qa/certihs01qa.kdb -pw kdbihs01qa -stash

    ../bin/gskcapicmd -cert -add -db certihs01qa/certihs01qa.kdb -stashed -file certihs01qa/certihs01qa.cer -label certihs01qa

    I have validated the certificate in the KDB with:

    ../bin/gskcapicmd -cert -list -db  certihs01qa/certihs01qa.kdb -stashed

    Certificates found
    * default, - personal, ! trusted
    !       certihs01qa

    When I want to set it as default by executing the command:

    ../bin/gskcmd -cert -setdefault -label certihs01qa -db certihs01qa/certihs01qa.kdb

    an error message appears:

    The database doesn't contain a key entry with label 'certihs01qa'.
    Check the label and try again.

    An error message in the HTTP log error file appears:

    [11037] SSL0223E: SSL Handshake Failed, No certificate.

    I am about to blow, I have read a lot of documents and I haven't found the solution.

    Can you help me please? What am I doing wrong or different?

    Thanks a lot!!!



    ------------------------------
    Ismael Gutierrez E
    IT Consultant Senior

    Please, stay safe!
    Take care of you and your loved ones.
    ------------------------------



  • 2.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 03:47 AM
    Edited by LI MIN YU Wed November 29, 2023 03:55 AM

    SSL0223E: SSL Handshake Failed, No certificate.

    It means you do not have a default personal certificate!

    Which version is your IBM HTTP Server?

    ../bin/gskcapicmd -cert -list -db  certihs01qa/certihs01qa.kdb -stashed

    Certificates found
    * default, - personal, ! trusted
    !       certihs01qa

    This shows that the certihs01qa certificate is a trusted signer certificate, but there is no * default, - personal certificate.

    Such as:

    !       certihs01qa
    *-      SelfSigned

    You can create a self-signed personal certificate by issuing the command:

    ../bin/gskcmd -cert -create -label SelfSigned -db certihs01qa/certihs01qa.kdb -pw kdbihs01qa -dn "CN=www.Java2Class.net" -expire 3650 -default_cert yes

    And which version is your Web Server Plug-ins for IBM WebSphere Application Server, if you will connect to WAS or Liberty?



    ------------------------------
    LI MIN YU
    ------------------------------



  • 3.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 12:42 PM

    Thanks for your answer Li

    The versions are:
    WAS ND 8.5.5 FP 10
    IHS 8.5.5
    Web Server Plug-ins 8.5.5

    All the configuration is for IBM WebSphere Portal

    Thanks



    ------------------------------
    Ismael Gutierrez E
    IT Consultant Senior

    Please, stay safe!
    Take care of you and your loved ones.
    ------------------------------



  • 4.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 06:00 AM

    You added the public certificate but not the private key. You need to add the private key with that name to the keystore.

    Brian



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------
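
Added example (not part of any post in this thread, and not IBM's code): a shell check that reads the flag column of the `-cert -list` output to tell a signer-only label from a personal certificate, plus one way to import the openssl private key together with the CA-issued certificate. The function names and the `GSK`, `P12_PW` and `KDB_PW` environment variables are assumptions; the sample listing is constructed from the output shown in the posts above.

```shell
#!/bin/sh
# Added example. Constructed sample: the listing from the first post plus the
# "*-" line the second post shows for a default personal certificate.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted
!       certihs01qa
*-      SelfSigned'

# Print the flag column ("!", "-", "*-") of LABEL from a -cert -list listing on stdin.
kdb_flags() {
    awk -v want="$1" '
        /^Certificates found/ || /^\* default, - personal, ! trusted/ { next }
        /^[*!-]+[ \t]+/ {
            flags = $1; label = $0
            sub(/^[*!-]+[ \t]+/, "", label); sub(/[ \t\r]+$/, "", label)
            if (label == want) { print flags; exit }
        }'
}

# Only a "-" (personal) entry carries a private key, so only such a label can
# be the default or be named in SSLServerCert.
kdb_label_status() {
    case "$(kdb_flags "$1")" in
        "")  echo missing ;;
        *-*) echo personal ;;
        *)   echo signer-only ;;
    esac
}

# Repair for signer-only: bundle the openssl private key with the CA-issued
# certificate as PKCS#12 and import the pair. GSK, P12_PW and KDB_PW are
# assumed environment variables; -pw values are visible in the process list.
import_keypair() {
    key=$1; cer=$2; kdb=$3; label=$4
    dir=$(mktemp -d) || return 1
    openssl pkcs12 -export -inkey "$key" -in "$cer" -name "$label" \
        -out "$dir/pair.p12" -passout env:P12_PW &&
    "${GSK:-gskcapicmd}" -cert -import -db "$dir/pair.p12" -pw "$P12_PW" \
        -type pkcs12 -target "$kdb" -target_pw "$KDB_PW" -target_type cms
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

If the certificate was already added as a signer under the same label, as in the first post, remove that entry with `-cert -delete` before importing so the labels do not collide.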



  • 5.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 12:46 PM

    Thanks for answering Brian



    ------------------------------
    Ismael Gutierrez E
    IT Consultant Senior

    Please, stay safe!
    Take care of you and your loved ones.
    ------------------------------



  • 6.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Thu November 30, 2023 01:44 AM

    Hello Ismael,

    Here is how I set up SSL on my test HTTP server:

    ##
    ## Create the key database. Should not make a difference if you use gskcmd or gskcapicmd
    /opt/IBM/HTTPServer/bin/gskcmd -keydb -create -db /tmp/ihs02-key.kdb -pw start123. -type cms -expire 3650 -stash
    ##
    ## Create a self signed certificate in the key database
    /opt/IBM/HTTPServer/bin/gskcmd -cert -create -db /tmp/ihs02-key.kdb -pw start123. -label ihs02 -size 2048 -default_cert no -expire 3650 -dn "CN=ihs02.hhue.at,OU=R&D,O=2i,L=Vienna,ST=Vienna,C=AT"

    Then in the httpd.conf:

    :
    :
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    
    <VirtualHost *:443>
     SSLEnable
     SSLProtocolEnable TLSv12
     SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
     ##### SSLTrace
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    ##
    ## SSLServerCert must match the label of the certificate you want to use for this connection in the kdb
     SSLServerCert ihs02
     SSLClientAuthGroup validClientCerts  Country=DE
     ServerName ihs02.hhue.at
    </VirtualHost>
    
    KeyFile /opt/IBM/HTTPServer/conf/ihs02-key.kdb
    SSLDisable
    

    That should do for the test. 

    Hope this helps, Hermann



    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------