在網(wǎng)上看到兩篇不錯的手記,覺得有用,轉(zhuǎn)來,有需要的朋友們可以享用.

在IHS上配置SSL
原文地址: http://cdalong.spaces.live.com/blog/cns!127ab823c1bd7f1f!168.entry

之前一直都沒做過這方面的配置，但是覺得說不定什么時候用得著，就問了配過的同事，自己也在網(wǎng)上找了些資料了解了大概的過程。但是大部分都沒有寫明是在IHS的哪個版本上作的，于是想試試在IHS61上面是不是也是同樣的做法。參考的資料包括：
1.IHS User's Guide中的Chapter 5中的securing communications
2.WebSphere Application Server V6.1 Security Handbook(sg246316).pdf中的7.2和7.3
其中7.2介紹了Browser和IHS的SSL配置，也是我試驗的內(nèi)容；7.3講的是IHS plugin和WAS的SSL配置。
3.WebSphere Security Fundamentals(redp3944).pdf
筆記本上本來就有一個WAS61的環(huán)境，于是裝上IHS和plugin開始試驗。可能是太久沒有用IHS了，都忘記了怎樣將IHS加到DM的console中進(jìn)行管理。一開始以為就是把webserver的定義建起來就可以了，一啟動就產(chǎn)生了一個FFDC，打開一看說是沒找到webserver1的定義，詳細(xì)信息如下：
------Start of DE processing------ = [07-1-26 15:48:29:228 CST] , key = javax.management.MBeanException com.ibm.ws.management.AdminServiceImpl.invoke 679
Exception = javax.management.MBeanException
Source = com.ibm.ws.management.AdminServiceImpl.invoke
probeid = 679
Stack Dump = javax.management.MBeanException: Exception thrown in RequiredModelMBean while trying to invoke operation launchProcess
?at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1116)
?。。。
Caused by: com.ibm.websphere.management.exception.AdminException: Server, webserver1, not found.
?。。。
突然記起以前做的時候好像是要運(yùn)行一個IHS安裝過程中自己生成的腳本的，試試看。在PLUGIN_HOME\bin找到configurewebserver1.bat拷貝至DM_PROFILE\bin直接執(zhí)行，webserver1的啟動停止都OK了。
接下來開始在本次試驗的主要工作：
1、使用ikeyman生成CMS key database file，雖然好像除了CMS外還有其他的類型但是好像看到某本redbook上說了IHS只能使用CMS的。創(chuàng)建了mykey.kdb后再給運(yùn)行IHS的機(jī)器發(fā)一個證書，直接在ikeyman中新建自簽署證書就可以了，創(chuàng)建的證書會出現(xiàn)在個人證書列表中，最后不要忘了轉(zhuǎn)儲密碼（Stash the password to a file）.
ihs_610.pdf中描述如下：
Create a new key database as follows:
1. Start the IKEYMAN user interface. Refer to Starting the Key Management utility for platform-specific instructions.
2. Click key database file from the main user interface, then click New. Select CMS for the Key database type. IBM HTTP Server does not support database types other than CMS.
3. Enter your password in the Password Prompt dialog box, and confirm the password. Select Stash the password to a file. Click OK. The new key database should display in the IKEYMAN utility with default signer certificates. Ensure that there is a functional, non-expiring signer certificate for each of your personal certificates.

Creating a self-signed certificate
It usually takes two to three weeks to get a certificate from a well known certificate authority (CA). While waiting for a certificate to be issued, use IKEYMAN to create a self-signed server certificate to enable SSL sessions between clients and the server. Use this procedure if you act as your own CA for a private Web network. Complete the following steps to create a self-signed certificate:
1. If you have not created the key database, see Creating a new key database for instructions.
2. Start the IKEYMAN user interface.
3. Click Key Database File from the main UI, and then click Open.
4. Enter your key database name in the Open dialog box, or click the key.kdb file, if you use the default. Click OK.
5. In the Password Prompt dialog box, enter your correct password and click OK.
6. Click Personal Certificates in the Key Database content frame, and click the New Self-Signed radio button.
7. Enter the following information in the Password Prompt dialog box: v Key label: Enter a descriptive comment to identify the key and certificate in the database.
v Key size: Choose your level of encryptions from the drop-down menu.
v Common Name: Enter the fully qualified host name of the Web server as the common name. Example: www.myserver.com.
v Organization Name: Enter your organization name.
v Optional: Organization Unit v Optional: Locality
v Optional: State/Province
v Optional: Zip code
v Country: Enter a country code. Specify at least two characters. Example: US Certificate request file name, or use the default name.
v Validity Period
8. Click OK.
其實在生產(chǎn)環(huán)境中應(yīng)該是創(chuàng)建完key database后將CA發(fā)的證書（如*.cer）導(dǎo)入，自己做試驗的話自簽一個就可以了，并不影響配置和實現(xiàn)。
2、修改http.conf。
以下是我在http.conf中增加的：
# SSL config
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
?Listen 443
?<VirtualHost *:443>
??SSLEnable
?</VirtualHost>
</IfModule>
SSLDisable
KeyFile "C:/IBM/HTTPServer/bin/mykey.kdb"
一開始看到IBM中國的論壇上說NT環(huán)境的話load一個XXX.dll，但是打開IHS_HOME\modules看到了一大堆的so，而且原來的http.conf中也load了不少so，找redbook上寫的應(yīng)該沒錯。改完保存重新啟動IHS，一切OK。
下面開始驗證，就拿snoop來試一試吧。打開http://...:9080/snoop，顯示正常。試試http://.../snoop，等了半天沒出來。troubleshooting的時間到了，很明顯request沒有被plugin轉(zhuǎn)發(fā)給WAS，重新生成插件看看。在DM console中找到“環(huán)境--更新全局 Web 服務(wù)器插件配置”，更新完之后原來http.conf中的WebSpherePluginConfig指向的文件并沒有更新，難道是插件位置不對？修改為DM_HOME\config\cells\plugin-cfg.xml，這回IHS讀到新的插件了，但是老覺得“更新全局 Web 服務(wù)器插件配置”中的全局好像大對勁。搞了半天沒找對地方，更新webserver1的插件應(yīng)該是在“服務(wù)器--Web服務(wù)器”中的這回應(yīng)該沒錯了，再試還是老樣子。突然想起來之前做過的另一個試驗給server1加上了80偵聽，動手把IHS改成81。修改了Listen 0.0.0.0:81和ServerName szd610-286.boshi.com.cn:81兩行。奇怪的是原來IHS占著80，server1啟動時也不會報錯。重起webserver1和server1后80和81都正常啟動了，http://...:81/snoop和http://.../snoop訪問正常，訪問https://.../snoop出來兩個安全警報，確定后終于看到了snoop。