
How to Enable SSL between IHS and WAS for Lotus Connections

Overview

This document describes how to use Secure Sockets Layer (SSL) to secure the Lotus Connections application in your environment. SSL provides more secure data transmission for Lotus Connections users. The purpose of this document is:
1. To describe what SSL offers
2. To describe what Lotus Connections is
3. To describe how to enable SSL between the IHS (IBM HTTP Server) and WAS (WebSphere Application Server) components employed by Lotus Connections

Introduction

SSL is a protocol that provides privacy and integrity between two communicating applications using TCP/IP. The data going back and forth between client and server is encrypted using a symmetric algorithm. A public-key algorithm (RSA) is used for the exchange of the encryption keys and for digital signatures. Public key cryptography defines an algorithm that uses two keys, either of which may be used to encrypt a message. If one key is used to encrypt a message, the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other undisclosed (the private key).

IBM Lotus Connections is social software for business that empowers employees to be more innovative and helps them execute quickly by using dynamic networks of co-workers, partners and customers. This demonstration highlights the 5 integrated, Web 2.0-based collaboration features of Lotus Connections, including:
- Profiles - Lets employees tap into the knowledge capital within the organization, and makes it easy to establish new business contacts.
- Blogs - Helps people connect with each other - within and outside the enterprise - and build communities of shared interest.
- Dogear - Gives people a better way to manage their own bookmarks, and makes it easier than ever to share information and accelerate innovation.
- Communities - Provides a common point of collaboration for people who share a particular interest, responsibility, or expertise.
- Activities - Makes it easier to share and manage tasks, track team progress, and share best practices with others.

Topology: (diagram in the original document)

Configuration Steps

Section 1: Enable IHS to use a secured HTTP port

Find the .kdb file used by IHS in the plug-in configuration file.
Open the config file: <IHS_Install_Path>\Plugins\config\webserver1\Plugin-cfg.xml
Find the section shown below (the key database path is highlighted in green in the original):

    <Transport Hostname="venturacn08.cn.ibm.com" Port="9443" Protocol="https">
        <Property Name="keyring" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.kdb"/>
        <Property Name="stashfile" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.sth"/>
    </Transport>

Edit the httpd.conf file.
Open the config file: <IHS_Install_Path>\conf\httpd.conf
Add the whole section shown below (in red in the original) to the end of the file:

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    <VirtualHost *:443>
    ServerName venturacn08.cn.ibm.com
    SSLEnable
    </VirtualHost>
    SSLDisable
    Keyfile "<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.kdb"
    SSLStashFile "<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.sth"

Save and exit.

Restart IHS and verify that no error occurs.

Test your configuration: access https://<Your_IHS_Server_Host>:80 in a browser; you should see the IHS front page.
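The httpd.conf fragment above is easy to get subtly wrong (SSLEnable left outside the virtual host, a missing stash file, a key database that does not match the stash file), and IHS will not always refuse to start when that happens. The following checker is an added example, not IBM's own tooling: it parses an httpd.conf text and reports whether the directives this section adds are all present and consistent. The two configuration samples inside it are constructed for the example, and the Windows paths in them are placeholders.

```python
"""Check an IBM HTTP Server httpd.conf for the SSL directives added in Section 1.

Added example, not part of the IBM document. Sample configs and paths are constructed.
"""

# Constructed sample: the fragment the document adds, with a placeholder install path.
GOOD_CONF = """
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName venturacn08.cn.ibm.com
SSLEnable
</VirtualHost>
SSLDisable
Keyfile "C:/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.kdb"
SSLStashFile "C:/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.sth"
"""

# Constructed sample of a common mistake: SSLEnable never set on the 443 host,
# and no SSLStashFile, so IHS cannot open the key database unattended.
BAD_CONF = """
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName venturacn08.cn.ibm.com
</VirtualHost>
Keyfile "C:/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.kdb"
"""


def _directives(text):
    """Yield (name, argument) for every non-blank, non-comment line, in file order."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def check_ssl_config(text):
    """Return a list of problems; an empty list means the Section 1 directives are present."""
    problems = []
    directives = {}          # lowercase directive name -> list of arguments seen
    vhost = None             # address of the <VirtualHost> block we are inside, if any
    ssl_enabled_on_443 = False

    for name, arg in _directives(text):
        lname = name.lower()  # IHS directive names are case-insensitive
        if lname == "<virtualhost":
            vhost = arg.rstrip(">").strip()
        elif lname == "</virtualhost>":
            vhost = None
        elif lname == "sslenable" and vhost is not None and vhost.endswith(":443"):
            ssl_enabled_on_443 = True
        else:
            directives.setdefault(lname, []).append(arg.strip().strip('"'))

    if not any("ibm_ssl_module" in a for a in directives.get("loadmodule", [])):
        problems.append("mod_ibm_ssl is not loaded (LoadModule ibm_ssl_module ...)")
    if not any(a == "443" or a.endswith(":443") for a in directives.get("listen", [])):
        problems.append("no Listen directive for port 443")
    if not ssl_enabled_on_443:
        problems.append("SSLEnable is missing inside <VirtualHost *:443>")

    # Last occurrence wins, as it does for most IHS global directives.
    keyfile = directives.get("keyfile", [""])[-1]
    stash = directives.get("sslstashfile", [""])[-1]
    if not keyfile.lower().endswith(".kdb"):
        problems.append("Keyfile must point at a .kdb key database")
    if not stash.lower().endswith(".sth"):
        problems.append("SSLStashFile must point at the .sth stash file")
    elif keyfile[:-4] != stash[:-4]:
        problems.append("Keyfile and SSLStashFile do not belong to the same key database")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_ssl_config(conf) or "OK")
```

Run it against a real httpd.conf by reading the file into a string and passing it to check_ssl_config; the Keyfile and SSLStashFile checks only compare names, so also confirm that both files exist and are readable by the account IHS runs under.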

Section 2: Import the WAS certificate into the IHS key store database

Find the .kdb file used by IHS in the plug-in configuration file.
Open the config file: <IHS_Install_Path>\Plugins\config\webserver1\Plugin-cfg.xml
Find the section shown below (the key database path is highlighted in green in the original):

    <Transport Hostname="venturacn08.cn.ibm.com" Port="9443" Protocol="https">
        <Property Name="keyring" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.kdb"/>
        <Property Name="stashfile" Value="<IHS_Install_Path>\Plugins\config\webserver1\plugin-key.sth"/>
    </Transport>

This shows that IHS uses plugin-key.kdb as its default key database.
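Both Section 1 and Section 2 start by reading the https Transport out of Plugin-cfg.xml by eye. The parser below does the same thing programmatically and is an added example, not IBM's code: it lists every https transport the plug-in will use to reach WAS, with the keyring and stashfile it will open, and flags the cases where the plug-in could not establish the SSL connection. The embedded plugin-cfg.xml is constructed for the example and its paths are placeholders; the element names (Config, ServerCluster, Server, Transport, Property) follow the fragment shown in the document.

```python
"""List the key databases the WebSphere plug-in uses for its HTTPS transports.

Added example, not part of the IBM document. The XML sample and paths are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample plugin-cfg.xml with one http and one https transport.
SAMPLE_PLUGIN_CFG = r"""
<Config>
  <ServerCluster Name="server1_Cluster">
    <Server Name="server1">
      <Transport Hostname="venturacn08.cn.ibm.com" Port="9080" Protocol="http"/>
      <Transport Hostname="venturacn08.cn.ibm.com" Port="9443" Protocol="https">
        <Property Name="keyring" Value="C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb"/>
        <Property Name="stashfile" Value="C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
"""


def https_transports(xml_text):
    """Return one dict per https Transport: server, host, port, keyring, stashfile."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        for transport in server.findall("Transport"):
            if transport.get("Protocol", "").lower() != "https":
                continue
            # Property names are compared case-insensitively; values are kept verbatim.
            props = {p.get("Name", "").lower(): p.get("Value", "")
                     for p in transport.findall("Property")}
            found.append({
                "server": server.get("Name"),
                "host": transport.get("Hostname"),
                "port": int(transport.get("Port", "0")),
                "keyring": props.get("keyring", ""),
                "stashfile": props.get("stashfile", ""),
            })
    return found


def keyring_problems(transport):
    """Sanity-check one transport's key database settings; empty list means OK."""
    problems = []
    keyring, stash = transport["keyring"], transport["stashfile"]
    if not keyring:
        problems.append("no keyring property: the plug-in has no key database for SSL to WAS")
    elif not keyring.lower().endswith(".kdb"):
        problems.append("keyring should be a CMS .kdb key database")
    if not stash:
        problems.append("no stashfile property: the plug-in cannot read the key database "
                        "password without a stash file")
    elif ntpath.splitext(keyring)[0] != ntpath.splitext(stash)[0]:
        # ntpath handles the Windows-style paths regardless of the platform this runs on.
        problems.append("keyring and stashfile names differ; the stash file must belong "
                        "to this key database")
    return problems


if __name__ == "__main__":
    for t in https_transports(SAMPLE_PLUGIN_CFG):
        print(f"{t['server']}: https://{t['host']}:{t['port']}")
        print("  keyring  :", ntpath.basename(t["keyring"]))
        print("  stashfile:", ntpath.basename(t["stashfile"]))
        print("  problems :", keyring_problems(t) or "none")
```

The keyring this prints is the key database into which Section 2 imports the WAS signer certificate; if the plug-in transport names a different .kdb than the one opened in iKeyman, the import will not take effect for that transport.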

Find the .kdb file used by WAS.
Open the WAS admin console: http://<Your_WAS_Server_Host>:9060/admin
Navigate to Application servers > server1 > Web container transport chains > WCInboundDefaultSecure > SSL inbound channel (SSL_2) to open the window shown below (Figure 1).

Figure 1

Click NodeDefaultSSLSettings (Figure 2).

Figure 2

Find which key store is in use. Click Key stores and certificates (Figure 3).

Figure 3

Find the path belonging to NodeDefaultKeyStore (Figure 4).

Figure 4

Open the WAS iKeyman utility to extract the certificate.
From the command line, run Ikeyman.bat under C:\WebSphere\AppServer\bin to open the iKeyman utility.

Open the NodeDefaultKeyStore file.
Click Key Database File -> Open.
In the file selection dialog, select PKCS12 in the Key database type field.
Click Browse... and open C:\WebSphere\AppServer\profiles\AppSrv01\config\cells\<Your_Cell>\nodes\<Your_Node>\key.p12
Click OK.
When prompted for the password, enter: WebAS

Select the default certificate under Personal Certificates.
Click Extract Certificate...
Enter the certificate file name WASKeyP12cert.arm, then select the location C:\
Click OK.
Close iKeyman.

Add the WAS certificate to the IHS key database.
From Windows, click Start -> All Programs -> IBM HTTP Server V6.1 -> Start Key Management Utility to open iKeyman.

Open plugin-key.kdb. When prompted for the password, enter: WebAS

Under Signer Certificates, click Add...
Click Browse... and open C:\WASKeyP12cert.arm
When prompted for a label, enter WASKeyP12 Cert
Click OK.
Close iKeyman.

Restart IHS and make sure that no error occurs.

Test your configuration: access https://<Your_IHS_Server_Host>/activities in a browser and verify that the page is displayed.
