Maximo

Maximo

Come for answers, stay for best practices. All we're missing is you.

 View Only

  • 1.  SSL with LetsEncrypt Maximo 7.6

    Posted Wed January 17, 2024 01:32 PM

    I'm not a big expert in the installation of certificates. I have an out-of-the-box environment running out of port 9443 and 9080 (insecure).

    I want to enable SSL and let Maximo run out of port 443. I chose LetEncrypt,

    1.I got the privkey.pem and fullchain.pem files -> converted them into OpenSSL legacy-compatible .pfx file. 

    2. In Maximo 7.6 (windows) using ikeyman created a .kdb file and stashed it with a password -> imported the .pfx into personal certs and then added the fullchain.pem containing the intermediate and domain certs in the signer certs in ikeyman, closed the application after checking if everything was saved.

    To enable HTTPS on the default port 443: 

    In C:\Program Files\IBM\HTTPServer\conf\httpd.conf file. I edited the following

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    <VirtualHost *:443>
     SSLEnable
    </VirtualHost>
    KeyFile "C:\IBM\HTTPServer\key.kdb"

    1. Restarted the HTTP server

    2.WebSphere configuration

    Logged in to WebSphere console and navigated down to Environment > Virtual Hosts > maximo_host > Host Aliases.
    added 443 port. (enabled it in the firewall as well and checked if any other PID where 443 was being used, there were none)

    Navigated to Servers > Server Types > Web servers. Select webserver1 and click Generate Plug-in. Select webserver1 again and click Propagate Plug-in.
    Restarted MXServer in Servers > Server Types > WebSphere application servers.

    Tried to verity the connection by logging in at https://[domain]/maximo, but The site was not reachable in firefox I got a secure connection failed error and in Chrome the site was not reachable but https://[domain]:9443/maximo was working fine but without SSL. 

    Please advice.



    ------------------------------
    Yupendra Kumar Gadagalla Ramasubramanian
    ------------------------------



  • 2.  RE: SSL with LetsEncrypt Maximo 7.6

    Posted Thu January 18, 2024 02:01 AM

    Hi Yupendra, 

    Try this approach:

    Steps on Maximo VM for certificate creation or renewal:

    1. Download and unpack le32 from https://github.com/do-know/Crypt-LE/releases on target Windows VM into D:\IBM\HTTPServer\cert\
    2. Install OpenSSL using the following guide https://tecadmin.net/install-openssl-on-windows/

    3. Create and run the script d:\IBM\HTTPServer\cert\renew_certificate.bat with the following contents:

      @echo off
       
      set DOMAIN=<your domain name/DNS>
      set EMAIL=<your mail address>
      set ACME_PATH=D:\doclinks\.well-known\acme-challenge
      set PASSWORD=<your password>
       
      cd /d d:\IBM\HTTPServer\cert\
       
      echo ### Creating/updating the certificate request, key and certificate files
      rem Make sure to update the --domains parameter (your custom domain) and the --path parameter (.well-known should be located in your web server DocumentRoot). The parameter --live makes it work with Production LetsEncrypt server that will ban you after multiple erroneous attempts, so remove this parameter if you need to test!
      le32.exe --key account-key.txt --email %EMAIL% --csr domain-csr.txt --csr-key domain-key.txt --crt domain-crt.txt --domains %DOMAIN% --generate-missing --unlink --path %ACME_PATH% --live
       
      echo ### Generating a PKCS12 keystore
      rem This step requires OpenSSL, so either install openssl on Windows or copy all files to MacOS and run there
      call openssl pkcs12 -export -out domain.p12 -inkey domain-key.txt -in domain-crt.txt -name %DOMAIN% -password pass:%PASSWORD%
       
      echo ### Deleting old certificate from KDB keystore by label
      call ..\bin\gskcmd.bat -cert -delete -db maximo.kdb -pw %PASSWORD% -label %DOMAIN%
       
      echo ### Importing new certificate to KDB keystore from PKCS12 keystore
      call ..\bin\gskcmd.bat -cert -import -db domain.p12 -target maximo.kdb -pw %PASSWORD% -target_pw %PASSWORD%
       
      echo ### Setting new certificate as default
      call ..\bin\gskcmd.bat -cert -setdefault -db maximo.kdb -label %DOMAIN% -pw %PASSWORD%
       
      echo ### Restarting IBM HTTP service
      net stop IBMHTTPServerV9.0 && net start IBMHTTPServerV9.0
       
      echo ### Done
    4. Run "Task Scheduler" and create a task to run the script d:\IBM\HTTPServer\cert\renew_certificate.bat on schedule once every 2 months. Please note that the Letsencrypt certificate expires in 90 days.
    5. In case of the initial setup (not renewal of the certificate), the keystore will be missing the root certificate "DST Root CA X3" so you'll see "SSL0208E: SSL Handshake Failed, Certificate error" in the error.log. This issue is explained here. So you will need to export the root certificate as a cer file and then add it as a "Signer Certificate" in IBM Key Management utility. Restart IBM HTTP Server service after that.

    IBM HTTP server configuration

     

    Backup <his_inst_path>\conf\httpd.conf file and open it with text editor.
    To disable HTTP you have 2 methods:

    Block the use of port 80

    This will give you an error when you don't use https in the url.

    To disable HTTP you have to remove or comment out the following line:

    Listen 0.0.0.0:80

    Blocking port 80 is a BAD practice! In particular, it will make it impossible to pass HTTP verification while renewing LetsEncrypt certificates. The preferred way is to configure redirect from 80 to 443 as shown below. 

    Redirect everything to port 443 (SSL)

    This will redirect you to the https port 443 even if you only typed http or even left that out and only typed the servername/maximo

    Just add this at the end of the httpd.conf file

    Redirect
    #-------------
    # Addition Redirect
    #-------------
    LoadModule rewrite_module modules/mod_rewrite.so
    RewriteEngine On
    # Logging useful to see what happens when the web server tries a redirect. RewriteLog* commands might be unavailable in new versions of HTTPServer, so comment out if not working.
    #RewriteLog logs/rewrite.log
    #RewriteLogLevel 1
    # When the port is not 443 is (ssl)...
    RewriteCond %{SERVER_PORT} !^443$
    #...redirect to same page but with SSL
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    #-----------------

    To enable HTTPS on the default port 443 paste the following rows:

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    <VirtualHost *:443>
     SSLEnable
    </VirtualHost>
    KeyFile "D:\IBM\HTTPServer\certificates\maximo.kdb"
    SSLDisable

    Verify the path of the maximo.kdb file matches with the one you have generated before.
    Restart IBM HTTP Server by following sequence:

    > Stop Admin Server
    > Stop HTTP Server
    > Start Admin Server
    > Start HTTP Server

    WebSphere Application Server configuration

    Login to WebSphere Application Server console and navigate down to Environment > Virtual Hosts > maximo_host > Host Aliases.
    Verify that port 443 is present. Add it if missing. You may also wish to remove port 80 and other unused ports.
    Navigate to Servers > Server Types > Web servers. Select webserver1 and click Generate Plug-in. Select webserver1 again and click Propagate Plug-in.
    Continue from ISC console, restart MXServer in Servers > Server Types > WebSphere application servers.
    Verify the connection by logging in at https://[MXHOST]/maximo, where [MXHOST] is the host name of the HTTP server.

    Now your server is running in SSL.



    ------------------------------
    Jan-Willem Steur
    Manager Business Development
    ZNAPZ b.v.
    Breda
    +31 6 25639950
    Jan-Willem
    ------------------------------

    Original Message


  • 3.  RE: SSL with LetsEncrypt Maximo 7.6

    Posted Thu January 18, 2024 02:27 AM

    Hi Yuprenda,

    One thing I do, but i don't see in your steps, is re-apply the Virtual Hosts to the MAXIMO application after the modification of the host aliasses, like in the screenshot below.

    Also check the plugin.cfg.xml for the existence of the 443 port to see if the plugin has been generated correctly. 

    Click the 'view' button to see the xml file.

    Maybe this helps.



    ------------------------------
    Gertjan Zomerdijk
    Gemba Services b.v.
    ------------------------------

    Original Message


Related Content