Get started quickly with secure connections: IBM HTTP Server

Getting started quickly with secure connections

This section provides information to help you get started with secure connections. This information includes how to obtain certificates, create self-signed certificates and set up the Secure Sockets Layer (SSL) using the Administration Server. Links to related topics appear at the end of this section.

Obtaining certificates

When you set up secure connections, associate your public key with a digitally signed certificate from a certificate authority (CA) that is designated as a trusted CA on your server.

You can obtain a certificate in two ways:

  • Buy a certificate from an external CA provider
  • Create a self-signed certificate

Buying a certificate from an external certificate authority provider

You can buy a signed certificate by submitting a certificate request to a CA provider. The IBM HTTP Server supports several external certificate authorities. By default, many CAs exist as trusted CAs on the IBM HTTP Server. See Listing trusted CAs on the IBM HTTP Server for a list.

Use IKEYMAN to create a new key pair and certificate request to send to an external CA. Then define SSL settings in the Security folder in the Administration Server.

Creating a self-signed certificate

To create a self-signed certificate, you can use your key management utility (IKEYMAN), or you can purchase certificate authority software from a CA provider.

Setting up Secure Sockets Layer using the IBM Administration Server

To set up Secure Sockets Layer (SSL) using the Administration Server:

  1. Set up the security module:
    • Click Basic Settings.
    • Click Module Sequence (Scope: Global).
    • Click Add.
    • Click Select a module to add, and open the drop-down list. Go to the bottom of the list and click ibm_ssl from the list. The module dynamic link library (DLL) appears to the right.
    • Click Apply.
    • Click Close.
    • Click Submit.

  2. Set up secure host IP and an additional port for the secure server.
    • Click Basic Settings.
    • Click Advanced Properties (Scope: Global).
    • Click Add for the Specify additional ports and IP addresses field. Leave the IP address field empty and enter 443 in the Port field.
    • Click Apply.
    • Click Close.
    • Click Submit.

  3. Set up the virtual host structure for the secure server.
    • Click Configuration Structure.
    • Click Create Scope (Scope: Global).
    • Click Virtual Host in the Select a valid scope to insert within the scope selected in the right panel field.
    • Click the virtual host IP address, or fully qualified domain name.
    • Enter the virtual host port (443).
    • Enter the server name.
    • Leave alternate names for host blank.
    • Click Submit.

  4. Set up the virtual host document root for the secure server.
    • Click Basic Settings.
    • Click Core Settings (Scope: <Virtual host you are working with>).
    • Enter the server name, as a fully qualified domain name.
    • Enter the document root directory name.
    • Click Submit.

  5. Set the key file and SSL timeout values for the secure server.
    • Click Security.
    • Click Server Security (Scope: Global and Virtual Host).
    • Click the No radio button for Enable SSL. (This disables SSL for the Global scope.)
    • Enter the path and file name of the key file.
    • Enter a Timeout value for SSL Version 2 session IDs (100 secs).
    • Enter a Timeout value for SSL Version 3 session IDs (1000 secs).
    • Click Submit.

  6. Enable SSL and select mode of client authorization.
    • Click Security.
    • Click Host Authorization (Scope: Virtual Host <Host IP addr:443>).
    • Click the Yes radio button for Enable SSL, which enables SSL for the secure virtual host.
    • Click the none radio button for Mode of client authorization to be used.
    • Click Submit.

  7. Restart the server.

Starting a second secure virtual host

To start a second secure virtual host:

  1. Set up the virtual host structure for the secure server.
    • Click Configuration Structure.
    • Click Create Scope (Scope: Global).
    • Click Virtual Host in the Select a valid scope to insert within the scope selected in the right panel field.
    • Enter the virtual host IP address, or fully qualified domain name.
    • Enter the virtual host port (443).
    • Enter the server name and leave Alternate names for host blank.
    • Click Submit.

  2. Enable SSL and select the mode of client authorization.
    • Click Security.
    • Click Host Authorization (Scope: Virtual Host <Host IP addr:443>).
    • Click the Yes radio button for Enable SSL, which enables SSL for the secure virtual host.
    • Click the none radio button for Mode of client authorization to be used.
    • Click Submit.

  3. Set up the virtual host document root for the secure server.
    • Click Basic Settings.
    • Click Core Settings (Scope: <Virtual Host you are working with>).
    • Enter the server name as a fully qualified domain name.
    • Enter the document root directory name.
    • Click Submit.
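
The settings made in the two procedures above end up as directives in the server's httpd.conf. The following Python check is an added example, not part of the IBM documentation: it reads such a file and reports any port 443 virtual host that is missing a step. The directive names are assumed to be the ones the Administration Server writes; the sample file, host names and paths are constructed.

```python
# Constructed sample httpd.conf; host names and paths are placeholders.
SAMPLE_CONF = """\
Listen 443
SSLDisable
Keyfile "/opt/example/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000
<VirtualHost www.example.com:443>
    ServerName www.example.com
    DocumentRoot "/opt/example/htdocs-a"
    SSLEnable
    SSLClientAuth none
</VirtualHost>
<VirtualHost shop.example.com:443>
    ServerName shop.example.com
    DocumentRoot "/opt/example/htdocs-b"
</VirtualHost>
"""

def parse(conf):
    """Map each scope ('global' or a vhost address) to its directives."""
    scopes, scope = {"global": {}}, "global"
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            scope = line[len("<virtualhost"):].rstrip(">").strip()
            scopes[scope] = {}
        elif line.lower().startswith("</virtualhost"):
            scope = "global"
        else:
            name, *rest = line.split(None, 1)
            scopes[scope].setdefault(name.lower(), []).append("".join(rest).strip('"'))
    return scopes

def audit(conf):
    """Return the steps of the procedure that the configuration lacks."""
    scopes, findings = parse(conf), []
    glob = scopes.pop("global")
    if not any(a.split(":")[-1] == "443" for a in glob.get("listen", [])):
        findings.append("global: no Listen on port 443")
    if "keyfile" not in glob:
        findings.append("global: no Keyfile")
    if "sslenable" in glob:
        findings.append("global: SSLEnable outside a virtual host")
    for host, d in scopes.items():
        if host.endswith(":443"):
            findings += [f"{host}: missing {n}"
                         for n in ("sslenable", "servername", "documentroot") if n not in d]
    return findings
```

In the constructed sample, the second virtual host was created but SSL was never enabled for it, so `audit(SAMPLE_CONF)` reports that host and nothing else.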
 
Finding related information
