IBM Software Group
Setting Up SSL From Client to Web Server and Plugin to WAS
Harold Fanning (hfanning@us.ibm.com), WebSphere L2 Support
12 December 2012
Agenda
- Secure Socket Layer (SSL) from a client to an IBM HTTP Server (IHS) web server and on to WebSphere Application Server (WAS) is a two-part SSL configuration
- SSL terminology
- IHS web server uses a key database (.kdb) file vs. a WAS keystore
- SSL from client to IHS web server
- The .kdb password and stash (.sth) file
- SSL from WebSphere Plugin to WAS
- Chained certificates
- Cipher negotiation
- Tips and troubleshooting
2 of 43
SSL from client to WAS
Before you begin, note that you do not have a secure network connection until you have created a key for secure network communications and received a certificate from a Certificate Authority (CA) that is designated as a trusted CA on your server.
Part 1: SSL session from client to IHS web server. Client to web server, where the web server is the SSL server.
- ikeyman: GUI for interactive key management
- GSKit: IBM Global Security Kit
Part 2: SSL session from WebSphere Plugin to WAS. The Plugin is the SSL client and WAS is the SSL server.
- WAS administrative console
- JSSE: Java Secure Socket Extension
Diagram: Client --HTTPS SSL (1)--> IBM HTTP Server (key.kdb) with WebSphere Plugin (plugin-key.kdb) --HTTPS SSL (2)--> WebSphere Application Server (keystore)
Terminology
- Client: receives the personal certificate from the server and must verify and accept it.
- Server: presents its personal certificate to the client.
- Personal certificate: unique to this host, assigned by a Certificate Authority (CA).
- Signer certificate: the CA certificate or an intermediate certificate.
- Intermediate certificate: used when certificates are chained.
- .kdb: key database for holding certificates; holds both signer and personal certificates.
- .sth: stash file, an encrypted file that holds the password used to open a .kdb.
- .rdb: request database, written when requesting a certificate; the returned certificate must match the request recorded here in order to be received.
- ikeyman: utility for managing key databases that contain digital certificates and keys.
Terminology cont.
- Keystore: holds personal certificates.
- Truststore: holds signer certificates.
- QoP: Quality of protection. Used to configure client authentication; the cipher level is also set here.
- Cipher: cryptography settings that define the level of security. A strong cipher can mean a performance trade-off. Ciphers are selected by group (strong, medium, weak) or by custom selection.
How SSL works?
Setting up SSL from client to IBM HTTP web server
- Configure SSL in the IHS web server's httpd.conf configuration file.
- The IBM GSKit is installed local to the IHS install directory (V6.1.0 and earlier used a globally installed GSKit).
- The ikeyman GUI is included in the installation.
- Create the .kdb, .rdb and .sth files; key.kdb in <IHS install>/ is the default. It stores the web server personal certificate required by the client.
- Request a personal certificate.
- Receive the personal certificate.
Update personal certificate
- Open or create key.kdb in <IHS install directory>.
- Create the key database file and the certificates needed to authenticate the web server during an SSL handshake. The ikeyman GUI, included with the IHS distribution, creates the key database file (default: key.kdb). It stores the personal and signer server certificates required by the client browser during an SSL handshake.
- Create a stash file (key.sth) to store the password IHS uses to open the key database. This is required because IHS cannot prompt for a password.
- Note: if the expiration time box is left unchecked, the key database password never expires. This is preferred here, because an expired password would drop all SSL connections at one time.
Request a personal certificate
- Issue a personal certificate request. This writes the request into key.rdb and creates a request file to send to a trusted CA.
- The personal certificate returned by the CA must be received into the same key database, on the same host, that made the request.
Update signer certificate
Go to the Signer certificates list for intermediate and root certificates.
- Populate: adds all supplied well-known CA signer certificates.
- Add: adds a signer certificate; use this for the signer provided with your certificate if the CA is not a well-known one.
- Extract: extracts a signer certificate from a keystore and stores the certificate in a file.
Update personal certificate
Go to the Personal certificates list.
- Receive: reads a certificate that comes from a certificate authority (CA) into the keystore.
- Import: imports a certificate from one keystore into another.
Note: the signer certificate of the personal certificate must be added first; otherwise the personal certificate cannot be received.
Sample SSL directives in the httpd.conf

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost IP_address:443>
        # ServerName is required if there are multiple SSL host names or site names
        ServerName fully.qualified.name
        SSLEnable
        # SSLServerCert is required, and must be unique per host, if there are multiple host names
        SSLServerCert namex
    </VirtualHost>
    SSLDisable
    # key.rdb and key.sth are kept in the same directory, but their paths are not given here
    KeyFile "C:/Program Files/IBM/HTTPServer/key.kdb"

Note 1: the scope is the global host or a VirtualHost stanza. Every host name must have a unique IP address and be registered in DNS, so a VirtualHost stanza is required for each virtual host name / IP address.
Note 2: a wildcard address is not recommended; binding each virtual host to its own IP address makes it easier to identify which host name and IP address a certificate belongs to.
Additional SSL directives in the httpd.conf
- SSLServerCert: the label of the certificate to present; required when there are multiple certificates across multiple SSL virtual hosts. It binds the virtual host, at the correct IP address, to the certificate that goes with that IP address. If this directive is absent, the default certificate is used.
- SSLClientAuth: mutual authentication. The client sends us its personal certificate, so the signer of that client certificate must be in the key.kdb signer list.
- SSLCipherSpec: limits the cipher suites allowed. If the client supports none of the allowed ciphers the handshake fails and access is denied.
- SSLCipherRequire
- SSLV2Timeout 100: timeout, in seconds, for SSL version 2 sessions.
- SSLV3Timeout 1000: timeout, in seconds, for SSL version 3 sessions.
Note: for a complete list of SSL directives, see the InfoCenter.
Setting up SSL from Plugin to WAS
Is it required? If no HTTPS transport is configured in WAS, the plugin falls back to the HTTP transport from plugin to WAS. This may be acceptable if the web servers are in the same DMZ, or on the same physical server, as the application servers.
To disable the secure transport: in the WAS admin console go to Servers > Application Servers > server > Ports. For WC_defaulthost_secure follow the link View associated transports, select the transport and clear the Enable box.
Setting up SSL from Plugin to WAS
When HTTPS is required (WAS admin console):
- plugin-key.kdb is installed by default when an HTTPS transport is configured.
- WAS has a personal certificate with a self-signed signer certificate.
- Populate the signer list with the signer certificates of the trusted Certificate Authorities, or with the signer received with the personal certificate assignment.
SSL between Plug-in and WebSphere Application Server
- HTTP server (IBM HTTP Server, IIS, etc.): the Plugin for WAS installation is required for plugin communication. By default the plugin uses plugin-cfg.xml, plugin-key.kdb and plugin-key.sth.
- WebSphere Application Server: NodeDefaultKeyStore and NodeDefaultTrustStore, stored as key.p12 and trust.p12 under WAS_HOME/profiles/profileName/config/cells/cellName/nodes/nodeName.
Setting up SSL from Plugin to WAS
- The WebSphere Plugin installs on the web server with a default plugin-key.kdb file and plugin-key.sth file.
- This key file has a default password of WebAS. That password expired on 04/26/2012 and must be updated.
- There is a self-signed personal certificate that has also expired; a new one must be created if client authentication is configured in the WAS admin console.
- This is not the same .kdb file that the IHS web server uses for client SSL, so it needs its own stash file for the plugin to open it for HTTPS transports.
- This default .kdb is only in use if the plugin key store has never been propagated from the WAS admin console.
Setting up SSL from Plugin to WAS
WebSphere 7.0 ships with a key file that is preconfigured to work with the DummyKeyring.jks file or .p12 that WebSphere Application Server uses for SSL enablement. All these files are installed in the WebSphere etc directory. If you have an HTTPS transport defined in the application server that is enabled for SSL, all you have to do is regenerate the plugin configuration file and the transport is added to the plugin configuration for you. By default it configures the plugin for SSL using the key file and stash file shipped with WAS. The password for this key file is WebAS.
Setting up SSL from Plugin to WAS
Go to Plug-in properties and propagate plugin-key.kdb to the web server. This applies whether the web server is managed or unmanaged.
Setting up SSL from Plugin to WAS
If for some reason you want to enable the plugin SSL transport manually, add the following stanza to the server definition that should use SSL:

    <Transport Hostname="APP_SERVER_HOST" Port="APP_SERVER_SSL_PORT" Protocol="https">
        <Property name="keyring" value="app_server_root/etc/plugin-key.kdb"/>
        <Property name="stashfile" value="app_server_root/etc/plugin-key.sth"/>
    </Transport>
Setting up SSL from Plugin to WAS
- The plugin key store (plugin-key.kdb) must have, in its signer list, the signer certificate that matches the signer of the WAS personal certificate.
- plugin-key.kdb must hold a signer certificate for every WebSphere node the plugin routes to.
- plugin-cfg.xml could be updated to use the same key.kdb file that the IHS web server uses. This is strongly discouraged.
From WAS admin console
1. Go to Security > SSL certificate and key management > Manage endpoint security configurations.
2. Click the WAS node (NodeDefaultSSLSettings).
3. Click Key stores and certificates on the right side.
4. Click NodeDefaultKeyStore.
5. Click Personal certificates on the right side. You will see a chained certificate: the personal certificate is the first one in the chain and the signer certificate is the second. Note the CN and the serial number of the signer certificate.
6. Go back to the Key stores and certificates page, click NodeDefaultTrustStore, then Signer certificates.
7. Find the signer that matches the serial number and click Extract. Enter a temporary path and filename (for example /tmp/noderootsigner.arm) and click OK.
8. Go back to the Manage endpoint security configurations page. Find the node that contains the web server definition; look inside the node, then inside its servers folder, for the web server (for example webserver1). Click the web server name.
9. Click Key stores and certificates on the right side, then CMSKeyStore (this is a link to the plugin-key.kdb file), then Signer certificates.
10. Click Add. Enter an alias such as NodeRootSigner and the path and filename from step 7 (for example /tmp/noderootsigner.arm). Click OK.
11. Save the changes, go to Servers > Server Types > Web servers, click the web server name (webserver1), go to Plug-in properties and click Copy to web server key store directory.
Propagate to web server
The path to plugin-cfg.xml is set in httpd.conf. Inside plugin-cfg.xml, the https Transport gives the path to plugin-key.kdb and the path to plugin-key.sth; both are required:

    <Server Name="server1" ConnectTimeout="5" ExtendedHandshake="false" ServerIOTimeout="60" LoadBalanceWeight="1" MaxConnections="-1" WaitForContinue="false">
        <Transport Hostname="IBM-7LL06ACAMCV" Port="9080" Protocol="http"/>
        <Transport Hostname="IBM-7LL06ACAMCV" Port="9443" Protocol="https">
            <Property name="keyring" value="C:\Program Files\IBM\HTTPServer\Plugins/etc/plugin-key.kdb"/>
            <Property name="stashfile" value="C:\Program Files\IBM\HTTPServer\Plugins/etc/plugin-key.sth"/>
        </Transport>
    </Server>
Cipher Negotiation
The IHS web server has a built-in list of cipher specifications to use for communicating with clients over SSL. The cipher specification used for a particular client connection is selected from those supported by both IHS and the client. Some cipher specifications provide a weaker level of security than others and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker ones and might need to be avoided for performance reasons. Use the SSLCipherSpec directive to provide a customized list of cipher specifications supported by the web server, so that specifications considered too weak or too computationally intensive are never selected. See the InfoCenter for the list of supported cipher specifications for SSL version 2, SSL version 3 and TLS version 1.0. Note that SSL version 2 and SSL version 3 are now considered insecure; restrict the server to TLS wherever the clients permit it.
Tips and Troubleshooting
Personal certificates may have intermediate signers. All of them must be in the signer list.
Tips and Troubleshooting
Identify the root by finding the certificate that is signed by itself (issuer and subject are the same). The screenshot shows a CA root certificate that is not trusted. To correct this, add the Corp-Root-CA certificate to the signer list; in this example it is added to the IE browser's trusted roots.
Tips and Troubleshooting
- The .kdb password expires.
- SAN certificates: Subject Alternative Names let you protect multiple host names with a single SSL certificate.
- Break the path down. Try the IHS splash screen first: https://ihs.server.com (the default port is 443). Then hit the WAS secure port directly: https://was.server.com:9443.
- Use the browser to display the certificate and compare it with the certificate signer in the IHS key.kdb.
- If you receive the error "All the signer certificates must exist in the key database", go back and confirm that the root signer certificate and, if used, the intermediate signer certificate are both in the key database.
Tips and Troubleshooting
The following error is logged in the plug-in log file:
    Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)
Key size 2048. The GSK_BAD_CERT technote listed under Additional WebSphere Product Resources covers this error.
Using other tools to look at certificates
- OpenSSL
- Windows: copy the certificate to a .cer file and double-click it on the Windows server. The Microsoft Windows certificate panel requires this file type.
Viewing Certificate in IKEYMAN
Note: this is a self-signed certificate because Issued To and Issued By match.
Template DocumentationWebSphere Support Technical
KDB Password Expiration
In addition to the certificate, the keystore (.kdb) that the certificate is stored in may have a password that is set to expire. You are prompted to set the password during keystore creation. Newer versions of ikeyman let you check the password expiration date.
Converting p12 to CMS
IBM's SSL is NOT OpenSSL as used in Apache. The SSL certificate database on an Apache HTTP Server is a different format from the one IBM uses. The process is to export the Apache certificate and key into a .p12 file (PKCS12 format) and import that into the IBM HTTP Server .kdb (CMS format) key database.
http://www-01.ibm.com/support/docview.wss?uid=swg21283831
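The following script is an added example and is not part of the presentation or of any IBM tool. It uses the OpenSSL command line (the "other tool" named on the Using other tools slide) to build a constructed three-level chain, root > intermediate > server, and then runs the checks the deck describes: the root is the certificate whose issuer equals its subject (Tips and Troubleshooting, Viewing Certificate in IKEYMAN); the signer's serial number and subject are what you match against the truststore (From WAS admin console, step 5); verification fails when the intermediate signer is absent, the situation behind "All the signer certificates must exist in the key database"; and the key, personal certificate and signer chain are packed into a PKCS#12 file of the kind ikeyman imports into the .kdb (Converting p12 to CMS). The names Corp-Root-CA, Corp-Issuing-CA, ihs.example.com, the changeit password and the working directory are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a constructed root > intermediate > server chain with OpenSSL
# and apply the chain, self-signed, serial and PKCS#12 checks described in the deck.
# Names below (Corp-Root-CA, Corp-Issuing-CA, ihs.example.com, changeit) are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension files: CA certificates get CA:TRUE; the IHS personal certificate does not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:ihs.example.com\n' > leaf.ext

# Root CA: self-signed. 2048-bit RSA keys throughout, as on the GSK_ERROR_BAD_CERT slide.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Corp-Root-CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt >/dev/null 2>&1
# Intermediate CA: signed by the root (this is the "signer" of the personal certificate).
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Corp-Issuing-CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -extfile ca.ext -out inter.crt >/dev/null 2>&1
# IHS personal certificate: signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout ihs.key -out ihs.csr -subj "/CN=ihs.example.com" >/dev/null 2>&1
openssl x509 -req -in ihs.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 -extfile leaf.ext -out ihs.crt >/dev/null 2>&1

# A certificate is the root (self-signed) when its issuer equals its subject.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1"); subj=${subj#subject=}
  iss=$(openssl x509 -noout -issuer -in "$1");   iss=${iss#issuer=}
  [ "$subj" = "$iss" ] && echo yes || echo no
}

# Serial number of a certificate, as shown in the admin console's signer list.
serial_of() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

# The personal certificate's issuer must equal the signer's subject ($1 = leaf, $2 = signer).
issuer_matches_subject() {
  iss=$(openssl x509 -noout -issuer -in "$1");   iss=${iss#issuer=}
  subj=$(openssl x509 -noout -subject -in "$2"); subj=${subj#subject=}
  [ "$iss" = "$subj" ] && echo yes || echo no
}

# Verify the personal certificate ($1) against the trusted root ($2). The intermediate ($3)
# is optional: leaving it out reproduces the "missing signer" failure the deck warns about.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo missing-signer
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo missing-signer
  fi
}

# Package key + personal certificate + both signers as PKCS#12 for import into the CMS .kdb.
cat inter.crt root.crt > chain.pem
build_p12() {
  openssl pkcs12 -export -in ihs.crt -inkey ihs.key -certfile chain.pem -name ihs_personal \
    -out ihs.p12 -passout pass:changeit >/dev/null 2>&1 && echo ihs.p12
}

# Count the certificates packed into a .p12 (expect 3: personal + intermediate + root).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

echo "root self-signed:            $(is_self_signed root.crt)"
echo "ihs cert self-signed:        $(is_self_signed ihs.crt)"
echo "leaf issuer == signer subj:  $(issuer_matches_subject ihs.crt inter.crt)"
echo "signer serial:               $(serial_of inter.crt)"
echo "verify without intermediate: $(verify_chain ihs.crt root.crt)"
echo "verify with intermediate:    $(verify_chain ihs.crt root.crt inter.crt)"
echo "pkcs12 written:              $(build_p12) holding $(p12_cert_count ihs.p12) certificates"
```

The verify step is the one to remember: ihs.crt is perfectly valid, yet `openssl verify` rejects it until inter.crt is supplied, which is exactly what happens in IHS or the plugin when the intermediate is missing from the .kdb signer list. When importing the resulting .p12 into an older ikeyman or GSKit, note that OpenSSL 3 encrypts PKCS#12 files with AES by default; if the import is refused, regenerating with the `-legacy` option of `openssl pkcs12` is worth trying (an assumption about the target GSKit version, not something the deck states).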
Summary
- SSL from a client to a WebSphere Application Server (WAS) application is a two-part SSL configuration.
- The IHS web server uses a .kdb; WAS uses a keystore.
- SSL from client to IHS web server: IHS is the SSL server and sends its personal certificate.
- The .kdb password and the .sth stash file.
- SSL from WebSphere Plugin to WAS: the plugin is the SSL client and needs the WAS signer.
- For chained certificates, the entire chain must be in the signer list.
- Cipher negotiation.
- IBM's SSL is NOT OpenSSL as used in Apache.
Additional WebSphere Product Resources
- Guide to properly setting up SSL within the IBM HTTP Server: http://www-01.ibm.com/support/docview.wss?uid=swg21179559
- GSK_BAD_CERT error: http://www-01.ibm.com/support/docview.wss?uid=swg21433593
- Using ikeyman to update certificates: https://www-304.ibm.com/support/docview.wss?uid=swg21045925
- Unable to add signer or personal certificates to the Key Management Utility .kdb file: http://www-01.ibm.com/support/docview.wss?uid=swg21452459
Additional WebSphere Product Resources
- Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations, at: http://www.ibm.com/software/websphere/support/supp_tech.html
- Discover the latest trends in WebSphere technology and implementation, and participate in technically focused briefings, webcasts and podcasts, at: http://www.ibm.com/developerworks/websphere/community/
- Join the Global WebSphere Community: http://www.websphereusergroup.org
- Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
- View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
- Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html
Connect with us!
1. Get notified on upcoming webcasts: send an e-mail to wsehelp@us.ibm.com with the subject line "wste subscribe" to get a list of mailing lists and to subscribe.
2. Tell us what you want to learn: send suggestions for future topics or improvements to our webcasts to wsehelp@us.ibm.com.
3. Be connected! Connect with us on Facebook and Twitter.
Questions and Answers