<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="topic" />
|
|
<meta name="DC.Title" content="JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP Server (powered by Apache)" />
|
|
<meta name="abstract" content="This scenario discusses how to enable SSL protection." />
|
|
<meta name="description" content="This scenario discusses how to enable SSL protection." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzaiescenarios.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzaiejklenablessl" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP
|
|
Server (powered by Apache)</title>
|
|
</head>
|
|
<body id="rzaiejklenablessl"><a name="rzaiejklenablessl"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">JKL Toy company enables Secure Sockets Layer (SSL) protection on HTTP
|
|
Server (powered by Apache)</h1>
|
|
<div><p>This scenario discusses how to enable SSL protection.</p>
|
|
<div class="important"><span class="importanttitle">Important:</span> Information
|
|
for this topic supports the latest PTF levels for HTTP Server for i5/OS.
|
|
It is recommended that you install the latest PTFs to upgrade to the latest
|
|
level of the HTTP Server for i5/OS. Some of the topics documented here are
|
|
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank" rel="noopener noreferrer">http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
|
|
<div class="section"><h4 class="sectiontitle">Scenario</h4><p>The JKL Toy company (a fictitious company)
|
|
wants to enable Secure Sockets Layer (SSL) protection for a specific directory
|
|
on their HTTP Server (powered by Apache). The secured directory will contain
|
|
confidential corporate earnings information that only a select group of employees
|
|
and business associates will be able to access. The JKL Web administrator
|
|
has decided not to create and deploy user certificates to client browsers,
|
|
but rather use SSL so that all data exchanged with the browser is encrypted.
|
|
The JKL Web administrator will use a server certificate, basic password protection
(based upon existing iSeries™ user accounts), and standard SSL encryption
to provide access to the secured information. SSL protects the data in transit and lets
the browser verify the identity of the server; it does not by itself restrict who may
connect, so the password protection configured later in this scenario is what limits
access to the earnings information. </p>
|
|
<div class="note"><span class="notetitle">Note:</span> Although JKL chooses
|
|
not to implement digital certificates, they must still register their HTTP
|
|
Server (powered by Apache) with the iSeries Digital Certificate Manager.</div>
|
|
</div>
|
|
<div class="section" id="rzaiejklenablessl__prerequisites"><a name="rzaiejklenablessl__prerequisites"><!-- --></a><h4 class="sectiontitle">Prerequisites</h4><ul><li>It is assumed you have read <a href="rzaiescenarios.htm">Scenarios for HTTP Server</a>.</li>
|
|
<li>It is assumed you have read and completed <a href="rzaiejklbasic.htm">JKL Toy Company creates an HTTP Server (powered by Apache)</a> or you have an existing HTTP Server (powered by Apache)
|
|
configuration.</li>
|
|
<li>It is assumed that a certificate authority (and certificate store) is
|
|
already established for the <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">iSeries Digital Certificate Manager</a>.</li>
|
|
<li>It is assumed you are familiar with Domain Name Servers (DNS).</li>
|
|
</ul>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Start the <span>IBM<sup>®</sup> Web Administration for i5/OS™ interface</span></h4><div class="note"><span class="notetitle">Note:</span> Enter
|
|
your <a href="rzaiesetauth.htm">Webmaster user profile username
|
|
and password</a> when prompted.</div>
|
|
<ol><li>Start a <a href="rzaieinstalling.htm#rzaieinstalling__web">Web
|
|
browser</a>.</li>
|
|
<li>Enter <strong>http://[iSeries_hostname]:2001</strong> in the location or URL field
|
|
.<p>Example: http://jkl_server:2001</p><div class="note"><span class="notetitle">Note:</span> This address uses plain HTTP, so the Webmaster user name and password you enter are sent over the network unencrypted. Use the administration interface only from a trusted network, or over HTTPS if your administration server has been configured to support it.</div>
|
|
<div class="note"><span class="notetitle">Note:</span> If you have <a href="rzaiechangeport.htm">changed your port number for the <span>IBM Web Administration for i5/OS interface</span></a>,
|
|
replace port 2001 with your port number.</div>
|
|
</li>
|
|
<li>Click <strong>IBM HTTP
|
|
Server for iSeries</strong>.</li>
|
|
</ol>
|
|
<div class="note"><span class="notetitle">Note:</span> If the <span>IBM Web Administration for i5/OS interface</span> does
|
|
not start, see <a href="rzaieinstalling.htm">Install and test the HTTP Server</a>.</div>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Set up a name-based virtual host</h4><ol><li>Click the <strong>Manage</strong> tab.</li>
|
|
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
|
|
<li>Select your HTTP Server (powered by Apache) from the <strong>Server</strong> list.<p>Example:
|
|
JKLTEST</p>
|
|
</li>
|
|
<li>Select <strong>Global configuration</strong> from the <strong>Server area</strong> list.</li>
|
|
<li>Expand <strong>Server Properties</strong>.</li>
|
|
<li>Click <strong>Virtual Hosts</strong>.</li>
|
|
<li>Click the <strong>Name-based</strong> tab in the form.</li>
|
|
<li>Click <strong>Add</strong> under the <strong>Named virtual hosts</strong> table.</li>
|
|
<li>Select or enter an IP address in the <strong>IP address </strong>column.<div class="p">Example:
|
|
9.5.61.228<div class="note"><span class="notetitle">Note:</span> The IP address 9.5.61.228 used in this scenario is associated
|
|
with JKL Toy Company's iSeries hostname <strong>JKLEARNINGS</strong> and registered
|
|
by a Domain Name Server (DNS). You will need to choose a different IP address
|
|
and hostname. The <span>IBM Web Administration for i5/OS interface</span> provides
|
|
the IP addresses used by your iSeries system in the IP Address list; however,
|
|
you will need to provide the hostname associated with the address you choose.</div>
|
|
</div>
|
|
</li>
|
|
<li>Enter a port number in the <strong>Port</strong> column.<p>Example: 443</p>
|
|
<div class="note"><span class="notetitle">Note:</span> Specify a port number other than the one currently being used for your HTTP Server (powered by Apache) so that the SSL and non-SSL Web sites can run side by side. Port 443 is the standard HTTPS port, so browsers use it by default for https:// URLs.</div>
|
|
</li>
|
|
<li>Click <strong>Add</strong> under the <strong>Virtual host containers</strong> table in the <strong>Named
|
|
host</strong> column.<div class="note"><span class="notetitle">Note:</span> This is a table within the <strong>Named virtual hosts</strong> table
|
|
in the <strong>Named host</strong> column.</div>
|
|
</li>
|
|
<li>Enter the fully qualified server hostname for the virtual host in the <strong>Server
|
|
name</strong> column.<p>Example: www.JKLEARNINGS.org</p>
|
|
<div class="note"><span class="notetitle">Note:</span> Make sure the server
|
|
hostname you enter is fully qualified and associated with the IP address you
|
|
selected.</div>
|
|
</li>
|
|
<li>Enter a document root for the virtual host index file or welcome file
|
|
in the <strong>Document root</strong> column.<p>Example: /www/jkltest/earnings/</p>
|
|
<div class="note"><span class="notetitle">Note:</span> You
|
|
are specifying a document root that will be created below. Remember the document
|
|
root you have entered; you will be asked to enter the document root again
|
|
when creating a new directory.</div>
|
|
</li>
|
|
<li>Click <strong>Continue</strong>.</li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Set up Listen directive for virtual host</h4><ol><li>Expand <strong>Server Properties</strong>.</li>
|
|
<li>Click <strong>General Server Configuration</strong>.</li>
|
|
<li>Click the <strong>General Settings</strong> tab in the form.</li>
|
|
<li>Click <strong>Add</strong> under the <strong>Server IP addresses and ports to listen</strong> on
|
|
table.</li>
|
|
<li>Select the IP address you entered for the virtual host in the <strong>IP address</strong> column.<p>Example:
|
|
9.5.61.228</p>
|
|
</li>
|
|
<li>Enter the port number you entered for the virtual host in the <strong>Port</strong> column.<p>Example:
|
|
443</p>
|
|
</li>
|
|
<li>Click <strong>Continue</strong>.</li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Set up the virtual host directories</h4><ol><li>Select the virtual host from the <strong>Server area</strong> list.</li>
|
|
<li>Expand <strong>HTTP Tasks and Wizards</strong>.</li>
|
|
<li>Click <strong>Add a Directory to the Web</strong>.</li>
|
|
<li>Click <strong>Next</strong>.</li>
|
|
<li>Select <strong>Static web pages and files</strong>.</li>
|
|
<li>Click <strong>Next</strong>.</li>
|
|
<li>Enter a directory name for the virtual host in the <strong>Name</strong> field.<p>Example:
|
|
/www/jkltest/earnings/</p>
|
|
</li>
|
|
<li>Click <strong>Next</strong>.</li>
|
|
<li>Enter an alias for the virtual host in the <strong>Alias</strong> field.<p>Example:
|
|
/earnings/</p>
|
|
</li>
|
|
<li>Click <strong>Next</strong>.</li>
|
|
<li>Click <strong>Finish</strong>.</li>
|
|
</ol>
|
|
<p>The document root and directory for the virtual host has been created.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Set up password protection via authentication</h4><ol><li>Select the directory under the virtual host from the <strong>Server area</strong> list.<p>Example:
|
|
Directory /www/jkltest/earnings</p>
|
|
</li>
|
|
<li>Expand <strong>Server Properties</strong>.</li>
|
|
<li>Click <strong>Security</strong>.</li>
|
|
<li>Click the <strong>Authentication</strong> tab in the form.</li>
|
|
<li>Select <strong>Use OS/400<sup>®</sup> profile of client</strong> under <strong>User authentication
|
|
method</strong>.</li>
|
|
<li>Enter <strong>Projected Earnings</strong> in the <strong>Authentication name or realm</strong> field.</li>
|
|
<li>Select <strong>Default server profile</strong> from the <strong>OS/400 user profile to
|
|
process requests</strong> list under <strong>Related information</strong>. When selected,
|
|
the value <strong>%%SERVER%%</strong> will be placed in the field.</li>
|
|
<li>Click <strong>Apply</strong>.</li>
|
|
<li>Click the <strong>Control Access</strong> tab in the form.</li>
|
|
<li>Click <strong>All authenticated users (valid user name and password)</strong> under <strong>Control access based on who is making the request</strong>.<div class="note"><span class="notetitle">Note:</span> This option admits any user profile that can authenticate to the system, which is broader than the select group of employees and business associates described in the scenario. If access must be limited to particular people, restrict it to specific users or groups instead of all authenticated users.</div></li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Enable SSL for the virtual host</h4><ol><li>Select the virtual host from the <strong>Server area</strong> list.<p>Example: Virtual
|
|
Host *:443</p>
|
|
</li>
|
|
<li>Expand <strong>Server Properties</strong>.</li>
|
|
<li>Click <strong>Security</strong>.</li>
|
|
<li>Click the <strong>SSL with Certificate Authentication</strong> tab in the form.</li>
|
|
<li>Select <strong>Enable SSL</strong> under <strong>SSL</strong>.<div class="note"><span class="notetitle">Note:</span> Enabling SSL does not by itself guarantee that only strong protocol versions and cipher suites are accepted; SSL 2.0 and SSL 3.0 in particular are no longer considered secure. Review the protocol version and cipher settings available for this virtual host and restrict them to current TLS versions before exposing the site.</div></li>
|
|
<li>Select <strong>QIBM_HTTP_SERVER_[server_name]</strong> from the <strong>Server certificate
|
|
application name</strong> list.<p>Example: QIBM_HTTP_SERVER_JKLTEST</p>
|
|
<div class="note"><span class="notetitle">Note:</span> Remember
|
|
the name of the server certificate. You will need to select it again in the
|
|
Digital Certificate Manager.</div>
|
|
</li>
|
|
<li>Select <strong>Do not request client certificate for connection</strong> under <strong>Client certificates when establishing the connection</strong>. With this setting only the server is authenticated by certificate; users are identified solely by the password protection configured earlier.</li>
|
|
<li>Click <strong>OK</strong>.</li>
|
|
</ol>
|
|
<p>The HTTPS_PORT field sets a specific environment variable value that is passed to CGI programs. It is not used in this scenario.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Associate system certificate with HTTP Server (powered by
|
|
Apache)</h4><p>The application name (created during the SSL process) is
|
|
assigned a system certificate via the iSeries Digital Certificate Manager
|
|
(DCM). During the process of enabling SSL for a virtual host, an iSeries server
|
|
certificate must be assigned to the application name used when configuring
|
|
SSL. This task is accomplished via the Digital Certificate Manager interface
|
|
(accessed from the iSeries Tasks screen). See <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">iSeries Digital Certificate Manager</a> for
|
|
more information.</p>
|
|
<div class="note"><span class="notetitle">Note:</span> The following steps will require a user profile
|
|
with higher levels of authority than those documented for the Webmaster profile.
|
|
Web browsers will need to be restarted using the higher authority profile
|
|
to authenticate.</div>
|
|
<ol><li>Click the <strong>Related Links</strong> tab.</li>
|
|
<li>Click <strong>Digital Certificate Manager</strong>.</li>
|
|
<li>Click <strong>Select a Certificate Store</strong>.</li>
|
|
<li>Select <strong>*SYSTEM</strong>.</li>
|
|
<li>Click <strong>Continue</strong>.</li>
|
|
<li>Enter the password for the *SYSTEM certificate store in the <strong>Certificate store password</strong> field.</li>
|
|
<li>Click <strong>Continue</strong>.</li>
|
|
<li>Click <strong>Manage Applications</strong>.</li>
|
|
<li>Select <strong>Update certificate assignment</strong>.</li>
|
|
<li>Click <strong>Continue</strong>.</li>
|
|
<li>Select <strong>Server</strong>.</li>
|
|
<li>Click <strong>Continue</strong>.</li>
|
|
<li>Select the appropriate application name.<div class="note"><span class="notetitle">Note:</span> Select the application name
|
|
created while enabling SSL for the virtual host directory.<p>Example: QIBM_HTTP_SERVER_JKLTEST</p>
|
|
</div>
|
|
</li>
|
|
<li>Click <strong>Update Certificate Assignment</strong>.</li>
|
|
<li>Select the appropriate certificate.</li>
|
|
<li>Click <strong>Assign New Certificate</strong>. This assigns the certificate to the
|
|
application name selected in the previous step.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Restart your HTTP Server (powered by Apache)</h4><p>Select
|
|
one of the following methods below:</p>
|
|
<p><strong>Manage one server</strong></p>
|
|
<ol><li>Click the <strong>Manage</strong> tab.</li>
|
|
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
|
|
<li>Select your HTTP Server from the Server list.</li>
|
|
<li>Click the <strong>Stop</strong> icon if the server is running.</li>
|
|
<li>Click the <strong>Start</strong> icon.</li>
|
|
</ol>
|
|
<p><strong>Manage all servers</strong></p>
|
|
<ol><li>Click the <strong>Manage</strong> tab.</li>
|
|
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
|
|
<li>Select <strong>All Servers</strong> from the Server list.</li>
|
|
<li>Click the <span class="uicontrol">All HTTP Servers</span> tab.</li>
|
|
<li>Select your HTTP Server name in the table.<p>Example: JKLTEST</p>
|
|
</li>
|
|
<li>Click <strong>Stop</strong> if the server is running.</li>
|
|
<li>Click <strong>Start</strong>.</li>
|
|
</ol>
|
|
<div class="note"><span class="notetitle">Note:</span> If your HTTP Server (powered by Apache) does not start, see <a href="rzaietrouble.htm">Troubleshoot</a>.</div>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Test your HTTP Server (powered by Apache)</h4><ol><li>Start a new Web browser.</li>
|
|
<li>Enter <strong>https://[virtual_hostname_name]:[port]</strong> in the location or
|
|
URL field.<p>Example: https://www.JKLEARNINGS.org:443</p>
|
|
</li>
|
|
</ol>
|
|
<p>You will be challenged for a user name and password. After entering
an appropriate iSeries user name and password, you will see a sample homepage
(created by the Add a Directory to the Web wizard) with the browser's security padlock
icon enabled. The padlock indicates that the connection to the server is encrypted.
Because the directory uses basic authentication, the browser resends the user name and
password with every request to it, only Base64-encoded; this is acceptable solely because
the directory is reachable only through the SSL virtual host, so do not make the same
directory or alias available on the non-SSL port. If the server certificate was issued by
your own certificate authority rather than one the browser already trusts, the browser
will warn about the certificate until the CA certificate is installed in the browser;
resolve the warning by installing the CA certificate rather than teaching users to click
through it, since ignoring such warnings defeats the protection against impersonation. </p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">View your HTTP Server (powered by Apache)
|
|
configuration</h4><p>Your configuration will look similar to the listing below if you used
the examples given in this and the previous scenarios.</p>
|
|
<ol><li>Click the <strong>Manage</strong> tab.</li>
|
|
<li>Click the <strong>HTTP Servers</strong> subtab.</li>
|
|
<li>Select your HTTP Server (powered by Apache) from the <strong>Server</strong> list.<p>Example:
|
|
JKLTEST</p>
|
|
</li>
|
|
<li>Expand <strong>Tools</strong>.</li>
|
|
<li>Click <strong>Display Configuration File</strong>.</li>
|
|
</ol>
|
|
</div>
|
|
<div class="section"><pre>LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
|
|
# Non-SSL listener for the main site. Nothing under /www/jkltest/earnings is
# served here, so the password-protected content is never offered in clear text.
Listen *:1975
|
|
# SSL listener; matched by the VirtualHost container below.
Listen 9.5.61.228:443
|
|
# Document root of the main (non-SSL) server.
DocumentRoot /www/jkltest/htdocs
|
|
ServerRoot /www/jkltest
|
|
# CGI, symlink following, server-side includes, directory indexes and
# MultiViews are all disabled server-wide.
Options -ExecCGI -FollowSymLinks -SymLinksIfOwnerMatch -Includes -IncludesNoExec -Indexes -MultiViews
|
|
# Name-based virtual hosting on the SSL address and port.
NameVirtualHost 9.5.61.228:443
|
|
# Name of the per-directory configuration file.
AccessFileName .htaccess
|
|
# Log format definitions; only "combined" is used by CustomLog below.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
LogFormat "%{Cookie}n \"%r\" %t" cookie
|
|
LogFormat "%{User-agent}i" agent
|
|
LogFormat "%{Referer}i -> %U" referer
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
|
CustomLog logs/access_log combined
|
|
# Compatibility settings for old client software, keyed on User-Agent.
SetEnvIf "User-Agent" "Mozilla/2" nokeepalive
|
|
SetEnvIf "User-Agent" "JDK/1\.0" force-response-1.0
|
|
SetEnvIf "User-Agent" "Java/1\.0" force-response-1.0
|
|
SetEnvIf "User-Agent" "RealPlayer 4\.0" force-response-1.0
|
|
SetEnvIf "User-Agent" "MSIE 4\.0b2;" nokeepalive
|
|
SetEnvIf "User-Agent" "MSIE 4\.0b2;" force-response-1.0
|
|
DirectoryIndex index.html
|
|
# Default deny for the entire file system; access is opened per directory below.
<Directory />
|
|
Order Deny,Allow
|
|
Deny From all
|
|
</Directory>
|
|
# Public content of the non-SSL site.
<Directory /www/jkltest/htdocs>
|
|
Order Allow,Deny
|
|
Allow From all
|
|
</Directory>
|
|
# SSL virtual host serving the confidential earnings content.
<VirtualHost 9.5.61.228:443>
|
|
ServerName www.JKLEARNINGS.org
|
|
DocumentRoot /www/jkltest/earnings/
|
|
SSLEnable
|
|
# Must match the application name that was assigned a server certificate in
# the Digital Certificate Manager.
SSLAppName QIBM_HTTP_SERVER_JKLTEST
|
|
# No client certificate is requested; users are identified by password only.
SSLClientAuth None
|
|
# Basic authentication against OS/400 user profiles (%%SYSTEM%%), with requests
# processed under the server profile (%%SERVER%%). Basic credentials are only
# Base64-encoded, so this container must remain inside the SSL virtual host.
<Directory /www/jkltest/earnings>
|
|
Order Allow,Deny
|
|
Allow From all
|
|
# NOTE(review): valid-user admits every profile that can authenticate, not only
# the select group described in the scenario; use a user or group list here if
# access must be limited to specific people.
Require valid-user
|
|
PasswdFile %%SYSTEM%%
|
|
UserID %%SERVER%%
|
|
AuthType Basic
|
|
AuthName "Projected Earnings"
|
|
</Directory>
|
|
# Exposes the directory as /earnings/ on this virtual host only.
Alias /earnings/ /www/jkltest/earnings/
|
|
</VirtualHost></pre>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiescenarios.htm" title="This topic provides information on how to use the IBM Web Administration for i5/OS interface to set up or manage your HTTP Server, step-by-step. Each task is specific and includes a usable HTTP Server configuration file when completed.">Scenarios for HTTP Server</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |