WebSphere Application Server & Liberty

  • 1.  Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Tue November 28, 2023 07:58 PM
    Edited by Ismael Gutierrez Tue November 28, 2023 08:00 PM

    Hello to all

    It's the first time that I have to configure SSL in HTTP Server. I have made the csr file (by using the openssl Linux utility) to send it, and I received a .cer file from a CA. Below are the commands used to create the kdb and so on:

    ../bin/gskcapicmd -keydb -create -db certihs01qa/certihs01qa.kdb -pw kdbihs01qa -stash

    ../bin/gskcapicmd -cert -add -db certihs01qa/certihs01qa.kdb -stashed -file certihs01qa/certihs01qa.cer -label certihs01qa

    I have validated the certificate in the KDB with:

    ../bin/gskcapicmd -cert -list -db  certihs01qa/certihs01qa.kdb -stashed

    Certificates found
    * default, - personal, ! trusted
    !       certihs01qa

    When I want to set it as default by executing the command:

    ../bin/gskcmd -cert -setdefault -label certihs01qa -db certihs01qa/certihs01qa.kdb

    an error message appears:

    The database doesn't contain a key entry with label 'certihs01qa'.
    Check the label and try again.

    An error message in the HTTP log error file appears:

    [11037] SSL0223E: SSL Handshake Failed, No certificate.

    I am about to blow, I have read a lot of documents and I haven't found the solution.

    Can you help me please? What am I doing wrong or different?

    Thanks a lot!!!



    ------------------------------
    Ismael Gutierrez E
    IT Consultant Senior

    Please, stay safe!
    Take care of you and your loved ones.
    ------------------------------



  • 2.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 03:47 AM
    Edited by LI MIN YU Wed November 29, 2023 03:55 AM

    SSL0223E: SSL Handshake Failed, No certificate.

    It means you do not have a default personal certificate!

    Which version is your IBM HTTP Server?

    ../bin/gskcapicmd -cert -list -db  certihs01qa/certihs01qa.kdb -stashed

    Certificates found
    * default, - personal, ! trusted
    !       certihs01qa

    This shows that certihs01qa is a trusted signer certificate, but there isn't any * default - personal certificate.

    Such as:

    !       certihs01qa
    *-      SelfSigned

    You can create a self-signed personal certificate by issuing the command:

    ../bin/gskcmd -cert -create -label SelfSigned -db certihs01qa/certihs01qa.kdb -pw kdbihs01qa -dn "CN=www.Java2Class.net" -expire 3650 -default_cert yes

    And which version of the Web Server Plug-ins for IBM WebSphere Application Server do you have, if you will connect to WAS or Liberty?



    ------------------------------
    LI MIN YU
    ------------------------------



  • 3.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 12:42 PM

    Thanks for your answer Li

    The versions are:
    WAS ND 8.5.5 FP 10
    IHS 8.5.5
    Web Server Plug-ins 8.5.5

    All the configuration is for IBM WebSphere Portal

    Thanks



    ------------------------------
    Ismael Gutierrez E
    IT Consultant Senior

    Please, stay safe!
    Take care of you and your loved ones.
    ------------------------------



  • 4.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 06:00 AM

    You added the public certificate but not the private key. You need to add the private key with that name to the keystore.

    Brian



    ------------------------------
    Brian S Paskin
    Sr. Technology Engineer
    IBM Cloud Engineering
    ------------------------------



  • 5.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    Posted Wed November 29, 2023 12:46 PM

    Thanks for answering Brian



    ------------------------------
    Ismael Gutierrez E
    IT Consultant Senior

    Please, stay safe!
    Take care of you and your loved ones.
    ------------------------------



  • 6.  RE: Setting up SSL on IBM HTTP Server 8.5.5 issues

    IBM Champion
    Posted Thu November 30, 2023 01:44 AM

    Hello Ismael,

    Here is how I set up SSL on my test HTTP server:

    ##
    ## Create the key database. Should not make a difference if you use gskcmd or gskcapicmd
    /opt/IBM/HTTPServer/bin/gskcmd -keydb -create -db /tmp/ihs02-key.kdb -pw start123. -type cms -expire 3650 -stash
    ##
    ## Create a self signed certificate in the key database
    /opt/IBM/HTTPServer/bin/gskcmd -cert -create -db /tmp/ihs02-key.kdb -pw start123. -label ihs02 -size 2048 -default_cert no -expire 3650 -dn "CN=ihs02.hhue.at,OU=R&D,O=2i,L=Vienna,ST=Vienna,C=AT"

    Then in the httpd.conf:

    :
    :
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    
    <VirtualHost *:443>
     SSLEnable
     SSLProtocolEnable TLSv12
     SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
     ##### SSLTrace
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    ##
    ## SSLServerCert must match the label of the certificate you want to use for this connection in the kdb
     SSLServerCert ihs02
     SSLClientAuthGroup validClientCerts  Country=DE
     ServerName ihs02.hhue.at
    </VirtualHost>
    
    KeyFile /opt/IBM/HTTPServer/conf/ihs02-key.kdb
    SSLDisable
    

    That should do for the test. 

    Hope this helps, Hermann



    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------
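
The check the replies perform by eye, as an added example that is not part of any post in this thread: a shell preflight that reads `-cert -list` output and reports whether each label named by `SSLServerCert` is a personal certificate (private key present) or only a trusted signer, the condition behind SSL0223E. The function names and the sample listing and config strings are constructed for illustration, and labels are assumed to contain no spaces.

```shell
# Added example. classify_label LABEL: reads `-cert -list` output on stdin and
# prints default | personal | trusted-only | missing for that label.
classify_label() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^Certificates found/ || /^\* default, - personal, ! trusted$/ { next }
        /^[*!-]+[ \t]+/ {
            flags = $1; label = $0
            sub(/^[*!-]+[ \t]+/, "", label)
            if (label != want) next
            found = 1
            if (index(flags, "*"))      state = "default"
            else if (index(flags, "-")) state = "personal"
            else                        state = "trusted-only"
        }
        END { print (found ? state : "missing") }'
}

# Print each label named by an SSLServerCert directive in httpd.conf (stdin).
server_cert_labels() {
    awk '{ sub(/^[ \t]+/, "") }
         /^#/ { next }
         tolower($1) == "sslservercert" { $1 = ""; sub(/^[ \t]+/, ""); print }'
}

# check_labels LISTING_TEXT CONF_TEXT: prints "label state" per directive and
# returns 1 if any label has no private key. Assumption: labels have no spaces.
check_labels() {
    rc=0
    for label in $(printf '%s\n' "$2" | server_cert_labels); do
        state=$(printf '%s\n' "$1" | classify_label "$label")
        echo "$label $state"
        case $state in default|personal) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed samples: the first post's listing, the same keystore once a
# default personal certificate exists, and a minimal config fragment.
LIST_BROKEN='Certificates found
* default, - personal, ! trusted
!       certihs01qa'
LIST_FIXED="$LIST_BROKEN
*-      SelfSigned"
CONF='<VirtualHost *:443>
 ## SSLServerCert must match a personal certificate label in the kdb
 SSLServerCert certihs01qa
</VirtualHost>'

check_labels "$LIST_BROKEN" "$CONF" || echo "SSLServerCert label has no private key"
```

Against a real keystore, pass the output of the thread's own `gskcapicmd -cert -list -db ... -stashed` command as the first argument and the contents of httpd.conf as the second.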