Re: [U2] AIX 5.3 IBMIHS Web Server
Only one virtual host and I followed these instructions as linked, plus a half dozen other things when this did not work. (I started with these instructions.)

On Wed, Feb 20, 2013 at 3:00 PM, Brian Whitehorn <brian.whiteh...@tollgroup.com> wrote:
> Kevin,
>
> Do you have more than one Virtual Host defined? If so, it would appear that each requires a separate IP to be bound.
>
> Not sure if you've already come across this link, but contains some documentation for setting up SSL with IBM HTTP Server:
> http://www-01.ibm.com/support/docview.wss?uid=swg21179559
>
> HTH.
>
> Regards,
> Brian.
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Thursday, 21 February 2013 8:35 AM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> Where does one get this magical GUI? I wonder, John, if I am unable to procure such an animal if I sent you my key file if you could see if you could nominate a default for me?
>
> On Wed, Feb 20, 2013 at 1:58 PM, John Hester wrote:
> > This would be an IBM support issue rather than Rocket since you're dealing specifically with IHS. You might want to check with the customer to see if they're currently under maintenance. There's a good chance they are if the IHS install was recent because AFAIK you can't even get the installation files without a support login.
> >
> > One other thing you might try is using the iKeyman GUI to create the keystore database rather than the command line utility. That's what I always use. You can run it via an X session, or locally on Windows desktop. I typically create and test a keystore locally on my desktop and copy the kdb file to the server when I'm sure it's working correctly. The iKeyman interface is fairly intuitive, and it's easy to designate a default cert with the click of a button.
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Tuesday, February 19, 2013 6:23 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > I tried checking for a default certificate and it reports "null". The KDB file has the GSK certs and my cert - that's it, and when I follow the instructions to set up my cert as the default, it gives me a cryptic "I'm sorry Dave, I can't do that" kind of message.
> >
> > This is on a customer's system, and they don't have any good paths to contact Rocket, as their vendor is entirely unresponsive which is why they work with us in the first place, and we're not a VAR. So I post here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... there've been a number of very good Rocket folks helping out here over the years. (Apologies for anyone I missed.)
> >
> > -K
> >
> > On Tue, Feb 19, 2013 at 6:12 PM, John Hester wrote:
> > > I doubt the unqualified listen has any connection. It sounds like something's corrupt in the kdb file. If you only have one cert in the file, you might try removing the SSLServerCert directive altogether. Normally one cert in the database is marked as the default to use when none is specified, and if you only have one, that should be it. I would also create a new kdb file from scratch just to make sure it's clean.
> > >
> > > If it still won't work after that, I'd suggest opening a case with IBM support if you have a current entitlement. I open cases with them all the time for issues with new software installations, and they're always very responsive.
> > >
> > > -John
> > >
> > > -----Original Message-----
> > > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > > Sent: Tuesday, February 19, 2013 4:03 PM
> > > To: U2 Users List
> > > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> > >
> > > Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:
> > >
> > > Listen 443
> > >
> > > The error I'm getting in the logs tells me there
Re: [U2] AIX 5.3 IBMIHS Web Server
You should find an executable script named ikeyman in [IHS root]/bin. Just enter "[IHS root]/bin/ikeyman" to launch it rather than using the java command. If I remember correctly, it's best to specify the full path. But by all means, send me the kdb file off-list and I'll open it up on my workstation and set the default. That should only take a few minutes.

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Wednesday, February 20, 2013 1:35 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

Where does one get this magical GUI? I wonder, John, if I am unable to procure such an animal if I sent you my key file if you could see if you could nominate a default for me?

On Wed, Feb 20, 2013 at 1:58 PM, John Hester wrote:
> This would be an IBM support issue rather than Rocket since you're dealing specifically with IHS. You might want to check with the customer to see if they're currently under maintenance. There's a good chance they are if the IHS install was recent because AFAIK you can't even get the installation files without a support login.
>
> One other thing you might try is using the iKeyman GUI to create the keystore database rather than the command line utility. That's what I always use. You can run it via an X session, or locally on Windows desktop. I typically create and test a keystore locally on my desktop and copy the kdb file to the server when I'm sure it's working correctly. The iKeyman interface is fairly intuitive, and it's easy to designate a default cert with the click of a button.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 6:23 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> I tried checking for a default certificate and it reports "null". The KDB file has the GSK certs and my cert - that's it, and when I follow the instructions to set up my cert as the default, it gives me a cryptic "I'm sorry Dave, I can't do that" kind of message.
>
> This is on a customer's system, and they don't have any good paths to contact Rocket, as their vendor is entirely unresponsive which is why they work with us in the first place, and we're not a VAR. So I post here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... there've been a number of very good Rocket folks helping out here over the years. (Apologies for anyone I missed.)
>
> -K
>
> On Tue, Feb 19, 2013 at 6:12 PM, John Hester wrote:
> > I doubt the unqualified listen has any connection. It sounds like something's corrupt in the kdb file. If you only have one cert in the file, you might try removing the SSLServerCert directive altogether. Normally one cert in the database is marked as the default to use when none is specified, and if you only have one, that should be it. I would also create a new kdb file from scratch just to make sure it's clean.
> >
> > If it still won't work after that, I'd suggest opening a case with IBM support if you have a current entitlement. I open cases with them all the time for issues with new software installations, and they're always very responsive.
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Tuesday, February 19, 2013 4:03 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:
> >
> > Listen 443
> >
> > The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.
> >
> > You don't suppose the unqualified Listen might have something to do with it, do you?
> >
> > On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> > > Kevin, I have both chained and self-signed certs on various servers.
Re: [U2] AIX 5.3 IBMIHS Web Server
Kevin,

Do you have more than one Virtual Host defined? If so, it would appear that each requires a separate IP to be bound.

Not sure if you've already come across this link, but contains some documentation for setting up SSL with IBM HTTP Server:
http://www-01.ibm.com/support/docview.wss?uid=swg21179559

HTH.

Regards,
Brian.

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Thursday, 21 February 2013 8:35 AM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

Where does one get this magical GUI? I wonder, John, if I am unable to procure such an animal if I sent you my key file if you could see if you could nominate a default for me?

On Wed, Feb 20, 2013 at 1:58 PM, John Hester wrote:
> This would be an IBM support issue rather than Rocket since you're dealing specifically with IHS. You might want to check with the customer to see if they're currently under maintenance. There's a good chance they are if the IHS install was recent because AFAIK you can't even get the installation files without a support login.
>
> One other thing you might try is using the iKeyman GUI to create the keystore database rather than the command line utility. That's what I always use. You can run it via an X session, or locally on Windows desktop. I typically create and test a keystore locally on my desktop and copy the kdb file to the server when I'm sure it's working correctly. The iKeyman interface is fairly intuitive, and it's easy to designate a default cert with the click of a button.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 6:23 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> I tried checking for a default certificate and it reports "null". The KDB file has the GSK certs and my cert - that's it, and when I follow the instructions to set up my cert as the default, it gives me a cryptic "I'm sorry Dave, I can't do that" kind of message.
>
> This is on a customer's system, and they don't have any good paths to contact Rocket, as their vendor is entirely unresponsive which is why they work with us in the first place, and we're not a VAR. So I post here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... there've been a number of very good Rocket folks helping out here over the years. (Apologies for anyone I missed.)
>
> -K
>
> On Tue, Feb 19, 2013 at 6:12 PM, John Hester wrote:
> > I doubt the unqualified listen has any connection. It sounds like something's corrupt in the kdb file. If you only have one cert in the file, you might try removing the SSLServerCert directive altogether. Normally one cert in the database is marked as the default to use when none is specified, and if you only have one, that should be it. I would also create a new kdb file from scratch just to make sure it's clean.
> >
> > If it still won't work after that, I'd suggest opening a case with IBM support if you have a current entitlement. I open cases with them all the time for issues with new software installations, and they're always very responsive.
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Tuesday, February 19, 2013 4:03 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:
> >
> > Listen 443
> >
> > The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.
> >
> > You don't suppose the unqualified Listen might have something to do with it, do you?
> >
> > On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> > > Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is
Re: [U2] AIX 5.3 IBMIHS Web Server
Where does one get this magical GUI? I wonder, John, if I am unable to procure such an animal if I sent you my key file if you could see if you could nominate a default for me?

On Wed, Feb 20, 2013 at 1:58 PM, John Hester wrote:
> This would be an IBM support issue rather than Rocket since you're dealing specifically with IHS. You might want to check with the customer to see if they're currently under maintenance. There's a good chance they are if the IHS install was recent because AFAIK you can't even get the installation files without a support login.
>
> One other thing you might try is using the iKeyman GUI to create the keystore database rather than the command line utility. That's what I always use. You can run it via an X session, or locally on Windows desktop. I typically create and test a keystore locally on my desktop and copy the kdb file to the server when I'm sure it's working correctly. The iKeyman interface is fairly intuitive, and it's easy to designate a default cert with the click of a button.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 6:23 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> I tried checking for a default certificate and it reports "null". The KDB file has the GSK certs and my cert - that's it, and when I follow the instructions to set up my cert as the default, it gives me a cryptic "I'm sorry Dave, I can't do that" kind of message.
>
> This is on a customer's system, and they don't have any good paths to contact Rocket, as their vendor is entirely unresponsive which is why they work with us in the first place, and we're not a VAR. So I post here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... there've been a number of very good Rocket folks helping out here over the years. (Apologies for anyone I missed.)
>
> -K
>
> On Tue, Feb 19, 2013 at 6:12 PM, John Hester wrote:
> > I doubt the unqualified listen has any connection. It sounds like something's corrupt in the kdb file. If you only have one cert in the file, you might try removing the SSLServerCert directive altogether. Normally one cert in the database is marked as the default to use when none is specified, and if you only have one, that should be it. I would also create a new kdb file from scratch just to make sure it's clean.
> >
> > If it still won't work after that, I'd suggest opening a case with IBM support if you have a current entitlement. I open cases with them all the time for issues with new software installations, and they're always very responsive.
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Tuesday, February 19, 2013 4:03 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:
> >
> > Listen 443
> >
> > The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.
> >
> > You don't suppose the unqualified Listen might have something to do with it, do you?
> >
> > On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> > > Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is actually less prone to error because you don't have to worry about importing the intermediate certs into the keystore database. The only other thing I know to suggest at the moment is verify you're loading the IBM ssl module and listening on port 443:
> > >
> > > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> > > Listen 0.0.0.0:443
> > >
> > > Are you getting any errors in the IHS SSL logs, either at server startup or when you attempt to browse to port 44
Re: [U2] AIX 5.3 IBMIHS Web Server
This would be an IBM support issue rather than Rocket since you're dealing specifically with IHS. You might want to check with the customer to see if they're currently under maintenance. There's a good chance they are if the IHS install was recent because AFAIK you can't even get the installation files without a support login.

One other thing you might try is using the iKeyman GUI to create the keystore database rather than the command line utility. That's what I always use. You can run it via an X session, or locally on Windows desktop. I typically create and test a keystore locally on my desktop and copy the kdb file to the server when I'm sure it's working correctly. The iKeyman interface is fairly intuitive, and it's easy to designate a default cert with the click of a button.

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Tuesday, February 19, 2013 6:23 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

I tried checking for a default certificate and it reports "null". The KDB file has the GSK certs and my cert - that's it, and when I follow the instructions to set up my cert as the default, it gives me a cryptic "I'm sorry Dave, I can't do that" kind of message.

This is on a customer's system, and they don't have any good paths to contact Rocket, as their vendor is entirely unresponsive which is why they work with us in the first place, and we're not a VAR. So I post here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... there've been a number of very good Rocket folks helping out here over the years. (Apologies for anyone I missed.)

-K

On Tue, Feb 19, 2013 at 6:12 PM, John Hester wrote:
> I doubt the unqualified listen has any connection. It sounds like something's corrupt in the kdb file. If you only have one cert in the file, you might try removing the SSLServerCert directive altogether. Normally one cert in the database is marked as the default to use when none is specified, and if you only have one, that should be it. I would also create a new kdb file from scratch just to make sure it's clean.
>
> If it still won't work after that, I'd suggest opening a case with IBM support if you have a current entitlement. I open cases with them all the time for issues with new software installations, and they're always very responsive.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 4:03 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:
>
> Listen 443
>
> The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.
>
> You don't suppose the unqualified Listen might have something to do with it, do you?
>
> On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> > Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is actually less prone to error because you don't have to worry about importing the intermediate certs into the keystore database. The only other thing I know to suggest at the moment is verify you're loading the IBM ssl module and listening on port 443:
> >
> > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> > Listen 0.0.0.0:443
> >
> > Are you getting any errors in the IHS SSL logs, either at server startup or when you attempt to browse to port 443?
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Monday, February 18, 2013 5:04 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > John (Thompson)... This IHS Apache is definitely a cracked Apache with some odd configuration; SSL setup in particular is completely different.
> >
> > John (Hester), I can see the cert in the key file (through the gsk7cmd command) but with the name api.client.com
Re: [U2] AIX 5.3 IBMIHS Web Server
Good thinking Peter, but I've made sure permissions and owner are correct. As to the environment path, I'll have to check that... now that you mention it I don't recall how the key file is integrated into the Apache config. Maybe the problem isn't the key in the file, but perhaps the key file itself?

On Tue, Feb 19, 2013 at 8:04 PM, Peter Cheney wrote:
> Perhaps a silly question but it's not something as simple as file permissions or owner/group membership or environment path is it?
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Wednesday, 20 February 2013 10:03
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:
>
> Listen 443
>
> The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.
>
> You don't suppose the unqualified Listen might have something to do with it, do you?
>
> On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> > Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is actually less prone to error because you don't have to worry about importing the intermediate certs into the keystore database. The only other thing I know to suggest at the moment is verify you're loading the IBM ssl module and listening on port 443:
> >
> > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> > Listen 0.0.0.0:443
> >
> > Are you getting any errors in the IHS SSL logs, either at server startup or when you attempt to browse to port 443?
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Monday, February 18, 2013 5:04 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > John (Thompson)... This IHS Apache is definitely a cracked Apache with some odd configuration; SSL setup in particular is completely different.
> >
> > John (Hester), I can see the cert in the key file (through the gsk7cmd command) but with the name api.client.com it cannot be found. I even recreated the cert as "api" (without dots) because I found a page that said that the dots could be causing problems, but still no love. It seems I've done everything correctly but still it just can't find a combination that works. I'm wondering if the problem here is the fact that it's a self-signed cert without a chain? Are you using a self-signed cert here? Do you have other certs in your key file that may represent a chain for the self-signed cert?
> >
> > Thank you gentlemen for the insight. Most appreciated.
> >
> > -K
> >
> > On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> > > It sounds like you've done all you need to for basic IHS SSL functionality. As long as api.client.com matches the name you gave the certificate via ikeyman, and you have the KeyFile directive, you should be OK. There are a lot of other options you can add for optimization and browser compatibility, but I don't think leaving any of those out would break it outright. Here's my working IHS config from the development server on my Windows workstation for comparison:
> > >
> > > SSLEnable
> > > SSLProtocolDisable SSLv2
> > > SSLServerCert is12.momtex.com
> > >
> > > Options +Includes
> > > AddType text/html .shtml
> > > AddOutputFilter INCLUDES .shtml
> > >
> > > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > > SSLDisable
> > >
> > > -John
> > >
> > > -----Original Message-----
> > > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > > Sent: Saturday, February 16, 2013 4:02 PM
> > > To: U2 Users List
> > > Subject: [U2] AIX 5.3 IBMIHS Web
Re: [U2] AIX 5.3 IBMIHS Web Server
Perhaps a silly question but it's not something as simple as file permissions or owner/group membership or environment path is it?

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Wednesday, 20 February 2013 10:03
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:

Listen 443

The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.

You don't suppose the unqualified Listen might have something to do with it, do you?

On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is actually less prone to error because you don't have to worry about importing the intermediate certs into the keystore database. The only other thing I know to suggest at the moment is verify you're loading the IBM ssl module and listening on port 443:
>
> LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> Listen 0.0.0.0:443
>
> Are you getting any errors in the IHS SSL logs, either at server startup or when you attempt to browse to port 443?
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Monday, February 18, 2013 5:04 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> John (Thompson)... This IHS Apache is definitely a cracked Apache with some odd configuration; SSL setup in particular is completely different.
>
> John (Hester), I can see the cert in the key file (through the gsk7cmd command) but with the name api.client.com it cannot be found. I even recreated the cert as "api" (without dots) because I found a page that said that the dots could be causing problems, but still no love. It seems I've done everything correctly but still it just can't find a combination that works. I'm wondering if the problem here is the fact that it's a self-signed cert without a chain? Are you using a self-signed cert here? Do you have other certs in your key file that may represent a chain for the self-signed cert?
>
> Thank you gentlemen for the insight. Most appreciated.
>
> -K
>
> On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> > It sounds like you've done all you need to for basic IHS SSL functionality. As long as api.client.com matches the name you gave the certificate via ikeyman, and you have the KeyFile directive, you should be OK. There are a lot of other options you can add for optimization and browser compatibility, but I don't think leaving any of those out would break it outright. Here's my working IHS config from the development server on my Windows workstation for comparison:
> >
> > SSLEnable
> > SSLProtocolDisable SSLv2
> > SSLServerCert is12.momtex.com
> >
> > Options +Includes
> > AddType text/html .shtml
> > AddOutputFilter INCLUDES .shtml
> >
> > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > SSLDisable
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Saturday, February 16, 2013 4:02 PM
> > To: U2 Users List
> > Subject: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Might anyone have any tips or tricks for getting SSL to work on the IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation I've found on the web is byzantine at best and it would be fine if the commands actually worked, but I keep getting odd error messages and stalled at every turn.
> >
> > I've upgraded the GSK so that the server will start with SSL enabled, I have a virtual host configured, but I have no clue how to tie a specific certificate to the VirtualHost. Well, let's say I have clues, but nothing is working. Here's the stanza I have set up in httpd.conf:
> >
> > SSLEnable
Re: [U2] AIX 5.3 IBMIHS Web Server
I tried checking for a default certificate and it reports "null". The KDB file has the GSK certs and my cert - that's it, and when I follow the instructions to set up my cert as the default, it gives me a cryptic "I'm sorry Dave, I can't do that" kind of message.

This is on a customer's system, and they don't have any good paths to contact Rocket, as their vendor is entirely unresponsive which is why they work with us in the first place, and we're not a VAR. So I post here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... there've been a number of very good Rocket folks helping out here over the years. (Apologies for anyone I missed.)

-K

On Tue, Feb 19, 2013 at 6:12 PM, John Hester wrote:
> I doubt the unqualified listen has any connection. It sounds like
> something's corrupt in the kdb file. If you only have one cert in the
> file, you might try removing the SSLServerCert directive altogether.
> Normally one cert in the database is marked as the default to use when
> none is specified, and if you only have one, that should be it. I would
> also create a new kdb file from scratch just to make sure it's clean.
>
> If it still won't work after that, I'd suggest opening a case with IBM
> support if you have a current entitlement. I open cases with them all
> the time for issues with new software installations, and they're always
> very responsive.
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Tuesday, February 19, 2013 4:03 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> Yes, I have both the LoadModule and Listen, though my Listen is
> unqualified, like this:
>
> Listen 443
>
> The error I'm getting in the logs tells me there is no key for "api" or
> "api.client.com" (I've tried both) despite the fact that gsk7cmd shows
> that the certificate absolutely is in there. That's what's vexing; I
> can see the certificate, but for some reason Apache cannot.
>
> You don't suppose the unqualified Listen might have something to do with
> it, do you?
>
> On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> > Kevin, I have both chained and self-signed certs on various servers.
> > The example from my workstation is a self-signed cert. Self-signed is
> > actually less prone to error because you don't have to worry about
> > importing the intermediate certs into the keystore database. The only
> > other thing I know to suggest at the moment is verify you're loading
> > the IBM ssl module and listening on port 443:
> >
> > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> > Listen 0.0.0.0:443
> >
> > Are you getting any errors in the IHS SSL logs, either at server
> > startup or when you attempt to browse to port 443?
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org
> > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Monday, February 18, 2013 5:04 PM
> > To: U2 Users List
> > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
> >
> > John (Thompson)... This IHS Apache is definitely a cracked Apache with
> > some odd configuration. SSL setup in particular is completely different.
> >
> > John (Hester), I can see the cert in the key file (through the gsk7cmd
> > command) but with the name api.client.com it cannot be found. I even
> > recreated the cert as "api" (without dots) because I found a page that
> > said that the dots could be causing problems, but still no love. It
> > seems I've done everything correctly but still it just can't find a
> > combination that works. I'm wondering if the problem here is the fact
> > that it's a self-signed cert without a chain? Are you using a
> > self-signed cert here? Do you have other certs in your key file that
> > may represent a chain for the self-signed cert?
> >
> > Thank you gentlemen for the insight. Most appreciated.
> >
> > -K
> >
> > On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> > > It sounds like you've done all you need to for basic IHS SSL
> > > functionality. As long as api.client.com matches the name you gave
> > > the certificate via ikeyman, and you have the KeyFile directive, you
> > > should be OK. There are a lot of other options you can add for
> > > optimization and br
Re: [U2] AIX 5.3 IBMIHS Web Server
I doubt the unqualified listen has any connection. It sounds like something's corrupt in the kdb file. If you only have one cert in the file, you might try removing the SSLServerCert directive altogether. Normally one cert in the database is marked as the default to use when none is specified, and if you only have one, that should be it. I would also create a new kdb file from scratch just to make sure it's clean.

If it still won't work after that, I'd suggest opening a case with IBM support if you have a current entitlement. I open cases with them all the time for issues with new software installations, and they're always very responsive.

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Tuesday, February 19, 2013 4:03 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:

Listen 443

The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.

You don't suppose the unqualified Listen might have something to do with it, do you?

On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> Kevin, I have both chained and self-signed certs on various servers.
> The example from my workstation is a self-signed cert. Self-signed is
> actually less prone to error because you don't have to worry about
> importing the intermediate certs into the keystore database. The only
> other thing I know to suggest at the moment is verify you're loading
> the IBM ssl module and listening on port 443:
>
> LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> Listen 0.0.0.0:443
>
> Are you getting any errors in the IHS SSL logs, either at server
> startup or when you attempt to browse to port 443?
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Monday, February 18, 2013 5:04 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> John (Thompson)... This IHS Apache is definitely a cracked Apache with
> some odd configuration. SSL setup in particular is completely different.
>
> John (Hester), I can see the cert in the key file (through the gsk7cmd
> command) but with the name api.client.com it cannot be found. I even
> recreated the cert as "api" (without dots) because I found a page that
> said that the dots could be causing problems, but still no love. It
> seems I've done everything correctly but still it just can't find a
> combination that works. I'm wondering if the problem here is the fact
> that it's a self-signed cert without a chain? Are you using a
> self-signed cert here? Do you have other certs in your key file that
> may represent a chain for the self-signed cert?
>
> Thank you gentlemen for the insight. Most appreciated.
>
> -K
>
> On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> > It sounds like you've done all you need to for basic IHS SSL
> > functionality. As long as api.client.com matches the name you gave
> > the certificate via ikeyman, and you have the KeyFile directive, you
> > should be OK. There are a lot of other options you can add for
> > optimization and browser compatibility, but I don't think leaving
> > any of those out would break it outright. Here's my working IHS
> > config from the development server on my Windows workstation for
> > comparison:
> >
> > SSLEnable
> > SSLProtocolDisable SSLv2
> > SSLServerCert is12.momtex.com
> >
> > Options +Includes
> > AddType text/html .shtml
> > AddOutputFilter INCLUDES .shtml
> >
> > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > SSLDisable
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org
> > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Saturday, February 16, 2013 4:02 PM
> > To: U2 Users List
> > Subject: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Might anyone have any tips or tricks for getting SSL to work on the
> > IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The
> > documentation I've found on the web is byzantine at best and it
> > would be fine if the
Re: [U2] AIX 5.3 IBMIHS Web Server
Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this:

Listen 443

The error I'm getting in the logs tells me there is no key for "api" or "api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot.

You don't suppose the unqualified Listen might have something to do with it, do you?

On Tue, Feb 19, 2013 at 11:19 AM, John Hester wrote:
> Kevin, I have both chained and self-signed certs on various servers.
> The example from my workstation is a self-signed cert. Self-signed is
> actually less prone to error because you don't have to worry about
> importing the intermediate certs into the keystore database. The only
> other thing I know to suggest at the moment is verify you're loading the
> IBM ssl module and listening on port 443:
>
> LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> Listen 0.0.0.0:443
>
> Are you getting any errors in the IHS SSL logs, either at server startup
> or when you attempt to browse to port 443?
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Monday, February 18, 2013 5:04 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> John (Thompson)... This IHS Apache is definitely a cracked Apache with
> some odd configuration. SSL setup in particular is completely different.
>
> John (Hester), I can see the cert in the key file (through the gsk7cmd
> command) but with the name api.client.com it cannot be found. I even
> recreated the cert as "api" (without dots) because I found a page that
> said that the dots could be causing problems, but still no love. It
> seems I've done everything correctly but still it just can't find a
> combination that works. I'm wondering if the problem here is the fact
> that it's a self-signed cert without a chain? Are you using a
> self-signed cert here? Do you have other certs in your key file that
> may represent a chain for the self-signed cert?
>
> Thank you gentlemen for the insight. Most appreciated.
>
> -K
>
> On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> > It sounds like you've done all you need to for basic IHS SSL
> > functionality. As long as api.client.com matches the name you gave
> > the certificate via ikeyman, and you have the KeyFile directive, you
> > should be OK. There are a lot of other options you can add for
> > optimization and browser compatibility, but I don't think leaving any
> > of those out would break it outright. Here's my working IHS config
> > from the development server on my Windows workstation for comparison:
> >
> > SSLEnable
> > SSLProtocolDisable SSLv2
> > SSLServerCert is12.momtex.com
> >
> > Options +Includes
> > AddType text/html .shtml
> > AddOutputFilter INCLUDES .shtml
> >
> > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > SSLDisable
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org
> > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Saturday, February 16, 2013 4:02 PM
> > To: U2 Users List
> > Subject: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Might anyone have any tips or tricks for getting SSL to work on the
> > IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation
> > I've found on the web is byzantine at best and it would be fine if the
> > commands actually worked, but I keep getting odd error messages and
> > stalled at every turn.
> >
> > I've upgraded the GSK so that the server will start with SSL enabled, I
> > have a virtual host configured, but I have no clue how to tie a
> > specific certificate to the VirtualHost. Well, let's say I have
> > clues, but nothing is working. Here's the stanza I have set up in
> > httpd.conf:
> >
> > SSLEnable
> > SSLClientAuth None
> > SSLServerCert api.client.com
> > ServerName api.client.com
> > DocumentRoot /usr/www
> >
> > Order Allow,Deny
> > Allow From All
> >
> > ErrorLog logs/api_error.log
> > CustomLog logs/api_error.log common
> >
> > I've been able to generate a CSR and create a se
Re: [U2] AIX 5.3 IBMIHS Web Server
Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is actually less prone to error because you don't have to worry about importing the intermediate certs into the keystore database. The only other thing I know to suggest at the moment is verify you're loading the IBM ssl module and listening on port 443:

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443

Are you getting any errors in the IHS SSL logs, either at server startup or when you attempt to browse to port 443?

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Monday, February 18, 2013 5:04 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

John (Thompson)... This IHS Apache is definitely a cracked Apache with some odd configuration. SSL setup in particular is completely different.

John (Hester), I can see the cert in the key file (through the gsk7cmd command) but with the name api.client.com it cannot be found. I even recreated the cert as "api" (without dots) because I found a page that said that the dots could be causing problems, but still no love. It seems I've done everything correctly but still it just can't find a combination that works. I'm wondering if the problem here is the fact that it's a self-signed cert without a chain? Are you using a self-signed cert here? Do you have other certs in your key file that may represent a chain for the self-signed cert?

Thank you gentlemen for the insight. Most appreciated.

-K

On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> It sounds like you've done all you need to for basic IHS SSL
> functionality. As long as api.client.com matches the name you gave
> the certificate via ikeyman, and you have the KeyFile directive, you
> should be OK. There are a lot of other options you can add for
> optimization and browser compatibility, but I don't think leaving any
> of those out would break it outright. Here's my working IHS config
> from the development server on my Windows workstation for comparison:
>
> SSLEnable
> SSLProtocolDisable SSLv2
> SSLServerCert is12.momtex.com
>
> Options +Includes
> AddType text/html .shtml
> AddOutputFilter INCLUDES .shtml
>
> KeyFile "C:/IBM/HTTPServer/key.kdb"
> SSLDisable
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Saturday, February 16, 2013 4:02 PM
> To: U2 Users List
> Subject: [U2] AIX 5.3 IBMIHS Web Server
>
> Might anyone have any tips or tricks for getting SSL to work on the
> IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation
> I've found on the web is byzantine at best and it would be fine if the
> commands actually worked, but I keep getting odd error messages and
> stalled at every turn.
>
> I've upgraded the GSK so that the server will start with SSL enabled, I
> have a virtual host configured, but I have no clue how to tie a
> specific certificate to the VirtualHost. Well, let's say I have
> clues, but nothing is working. Here's the stanza I have set up in
> httpd.conf:
>
> SSLEnable
> SSLClientAuth None
> SSLServerCert api.client.com
> ServerName api.client.com
> DocumentRoot /usr/www
>
> Order Allow,Deny
> Allow From All
>
> ErrorLog logs/api_error.log
> CustomLog logs/api_error.log common
>
> I've been able to generate a CSR and create a self-signed certificate,
> and it would appear that I've even successfully imported that
> certificate into my key database, as demonstrated by this command:
>
> $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"
>
> ...which produces the following output...
>
> Label: api.client.com
> Key Size: 512
> Version: X509 V1
> Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> Issued By: api.client.com
> CLIENT
> City, ST, US
> Subject: api.client.com
> CLIENT
> City, ST, US
> Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> Fingerprint: ...
> Signature Algorithm: 1.2.840.113549.1.1.5
> Trust Status: enabled
>
> But even though this certificate is in the keyfile (and yes, I have a
> KeyFile directive elsewhere in the httpd.conf file pointing to the
> client.kdb file) I can't seem to associate it to the virtual host.
> What am I missing?
>
Re: [U2] AIX 5.3 IBMIHS Web Server
I believe on the open source config I posted, it was a "signed" certificate. But you can get them for free here.

http://www.startssl.com/

On Mon, Feb 18, 2013 at 8:04 PM, Kevin King wrote:
> John (Thompson)... This IHS Apache is definitely a cracked Apache with some
> odd configuration. SSL setup in particular is completely different.
>
> John (Hester), I can see the cert in the key file (through the gsk7cmd
> command) but with the name api.client.com it cannot be found. I even
> recreated the cert as "api" (without dots) because I found a page that said
> that the dots could be causing problems, but still no love. It seems I've
> done everything correctly but still it just can't find a combination that
> works. I'm wondering if the problem here is the fact that it's a
> self-signed cert without a chain? Are you using a self-signed cert here?
> Do you have other certs in your key file that may represent a chain for
> the self-signed cert?
>
> Thank you gentlemen for the insight. Most appreciated.
>
> -K
>
> On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> > It sounds like you've done all you need to for basic IHS SSL
> > functionality. As long as api.client.com matches the name you gave the
> > certificate via ikeyman, and you have the KeyFile directive, you should
> > be OK. There are a lot of other options you can add for optimization
> > and browser compatibility, but I don't think leaving any of those out
> > would break it outright. Here's my working IHS config from the
> > development server on my Windows workstation for comparison:
> >
> > SSLEnable
> > SSLProtocolDisable SSLv2
> > SSLServerCert is12.momtex.com
> >
> > Options +Includes
> > AddType text/html .shtml
> > AddOutputFilter INCLUDES .shtml
> >
> > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > SSLDisable
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org
> > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Saturday, February 16, 2013 4:02 PM
> > To: U2 Users List
> > Subject: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Might anyone have any tips or tricks for getting SSL to work on the
> > IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation
> > I've found on the web is byzantine at best and it would be fine if the
> > commands actually worked, but I keep getting odd error messages and
> > stalled at every turn.
> >
> > I've upgraded the GSK so that the server will start with SSL enabled, I
> > have a virtual host configured, but I have no clue how to tie a specific
> > certificate to the VirtualHost. Well, let's say I have clues, but
> > nothing is working. Here's the stanza I have set up in httpd.conf:
> >
> > SSLEnable
> > SSLClientAuth None
> > SSLServerCert api.client.com
> > ServerName api.client.com
> > DocumentRoot /usr/www
> >
> > Order Allow,Deny
> > Allow From All
> >
> > ErrorLog logs/api_error.log
> > CustomLog logs/api_error.log common
> >
> > I've been able to generate a CSR and create a self-signed certificate,
> > and it would appear that I've even successfully imported that
> > certificate into my key database, as demonstrated by this command:
> >
> > $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"
> >
> > ...which produces the following output...
> >
> > Label: api.client.com
> > Key Size: 512
> > Version: X509 V1
> > Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> > Issued By: api.client.com
> > CLIENT
> > City, ST, US
> > Subject: api.client.com
> > CLIENT
> > City, ST, US
> > Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> > Fingerprint: ...
> > Signature Algorithm: 1.2.840.113549.1.1.5
> > Trust Status: enabled
> >
> > But even though this certificate is in the keyfile (and yes, I have a
> > KeyFile directive elsewhere in the httpd.conf file pointing to the
> > client.kdb file) I can't seem to associate it to the virtual host. What
> > am I missing?
> >
> > (And yes, I'm aware this is not specifically a U2 question but I need
> > this to provide web connectivity to a Unidata machine from a
Re: [U2] AIX 5.3 IBMIHS Web Server
John (Thompson)... This IHS Apache is definitely a cracked Apache with some odd configuration. SSL setup in particular is completely different.

John (Hester), I can see the cert in the key file (through the gsk7cmd command) but with the name api.client.com it cannot be found. I even recreated the cert as "api" (without dots) because I found a page that said that the dots could be causing problems, but still no love. It seems I've done everything correctly but still it just can't find a combination that works. I'm wondering if the problem here is the fact that it's a self-signed cert without a chain? Are you using a self-signed cert here? Do you have other certs in your key file that may represent a chain for the self-signed cert?

Thank you gentlemen for the insight. Most appreciated.

-K

On Mon, Feb 18, 2013 at 3:09 PM, John Hester wrote:
> It sounds like you've done all you need to for basic IHS SSL
> functionality. As long as api.client.com matches the name you gave the
> certificate via ikeyman, and you have the KeyFile directive, you should
> be OK. There are a lot of other options you can add for optimization
> and browser compatibility, but I don't think leaving any of those out
> would break it outright. Here's my working IHS config from the
> development server on my Windows workstation for comparison:
>
> SSLEnable
> SSLProtocolDisable SSLv2
> SSLServerCert is12.momtex.com
>
> Options +Includes
> AddType text/html .shtml
> AddOutputFilter INCLUDES .shtml
>
> KeyFile "C:/IBM/HTTPServer/key.kdb"
> SSLDisable
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Saturday, February 16, 2013 4:02 PM
> To: U2 Users List
> Subject: [U2] AIX 5.3 IBMIHS Web Server
>
> Might anyone have any tips or tricks for getting SSL to work on the
> IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation
> I've found on the web is byzantine at best and it would be fine if the
> commands actually worked, but I keep getting odd error messages and
> stalled at every turn.
>
> I've upgraded the GSK so that the server will start with SSL enabled, I
> have a virtual host configured, but I have no clue how to tie a specific
> certificate to the VirtualHost. Well, let's say I have clues, but
> nothing is working. Here's the stanza I have set up in httpd.conf:
>
> SSLEnable
> SSLClientAuth None
> SSLServerCert api.client.com
> ServerName api.client.com
> DocumentRoot /usr/www
>
> Order Allow,Deny
> Allow From All
>
> ErrorLog logs/api_error.log
> CustomLog logs/api_error.log common
>
> I've been able to generate a CSR and create a self-signed certificate,
> and it would appear that I've even successfully imported that
> certificate into my key database, as demonstrated by this command:
>
> $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"
>
> ...which produces the following output...
>
> Label: api.client.com
> Key Size: 512
> Version: X509 V1
> Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> Issued By: api.client.com
> CLIENT
> City, ST, US
> Subject: api.client.com
> CLIENT
> City, ST, US
> Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> Fingerprint: ...
> Signature Algorithm: 1.2.840.113549.1.1.5
> Trust Status: enabled
>
> But even though this certificate is in the keyfile (and yes, I have a
> KeyFile directive elsewhere in the httpd.conf file pointing to the
> client.kdb file) I can't seem to associate it to the virtual host. What
> am I missing?
>
> (And yes, I'm aware this is not specifically a U2 question but I need
> this to provide web connectivity to a Unidata machine from a Rackspace
> hosted server. So in a way... it sorta is U2 related.)
>
> Help?

_______________________________________________
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users
Re: [U2] AIX 5.3 IBMIHS Web Server
It sounds like you've done all you need to for basic IHS SSL functionality. As long as api.client.com matches the name you gave the certificate via ikeyman, and you have the KeyFile directive, you should be OK. There are a lot of other options you can add for optimization and browser compatibility, but I don't think leaving any of those out would break it outright. Here's my working IHS config from the development server on my Windows workstation for comparison:

SSLEnable
SSLProtocolDisable SSLv2
SSLServerCert is12.momtex.com

Options +Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

KeyFile "C:/IBM/HTTPServer/key.kdb"
SSLDisable

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Saturday, February 16, 2013 4:02 PM
To: U2 Users List
Subject: [U2] AIX 5.3 IBMIHS Web Server

Might anyone have any tips or tricks for getting SSL to work on the IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation I've found on the web is byzantine at best and it would be fine if the commands actually worked, but I keep getting odd error messages and stalled at every turn.

I've upgraded the GSK so that the server will start with SSL enabled, I have a virtual host configured, but I have no clue how to tie a specific certificate to the VirtualHost. Well, let's say I have clues, but nothing is working. Here's the stanza I have set up in httpd.conf:

SSLEnable
SSLClientAuth None
SSLServerCert api.client.com
ServerName api.client.com
DocumentRoot /usr/www

Order Allow,Deny
Allow From All

ErrorLog logs/api_error.log
CustomLog logs/api_error.log common

I've been able to generate a CSR and create a self-signed certificate, and it would appear that I've even successfully imported that certificate into my key database, as demonstrated by this command:

$ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"

...which produces the following output...

Label: api.client.com
Key Size: 512
Version: X509 V1
Serial Number: 00 DB 00 41 9A 19 77 7E 9F
Issued By: api.client.com
CLIENT
City, ST, US
Subject: api.client.com
CLIENT
City, ST, US
Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
Fingerprint: ...
Signature Algorithm: 1.2.840.113549.1.1.5
Trust Status: enabled

But even though this certificate is in the keyfile (and yes, I have a KeyFile directive elsewhere in the httpd.conf file pointing to the client.kdb file) I can't seem to associate it to the virtual host. What am I missing?

(And yes, I'm aware this is not specifically a U2 question but I need this to provide web connectivity to a Unidata machine from a Rackspace hosted server. So in a way... it sorta is U2 related.)

Help?
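The thread turns on two checks that can be automated: whether the label named by `SSLServerCert` actually exists in the key database the `KeyFile` directive points at (the "no key for api.client.com" error), and what the `gsk7cmd -cert -details` output says about the certificate itself (the sample above shows a 512-bit X.509 v1 key, which no modern client will accept). The following lint script is an added example, not code from this list or from IBM; the `<VirtualHost>` tags, the `gsk7cmd -cert -list` layout, and the label "api" in the constructed key-database listing are assumptions modelled on the posts in this thread, so adjust the two small parsers if your GSKit version prints its fields differently.

```python
"""Lint an IHS SSL stanza against `gsk7cmd` key-database output (added example).

Assumes two texts an administrator can produce on the server: the httpd.conf
SSL stanza and the output of `gsk7cmd -cert -list` / `gsk7cmd -cert -details`.
"""
import re
from datetime import datetime

# Constructed httpd.conf fragment modelled on the stanza posted in the thread.
# The <VirtualHost> tags are an assumption: the post's own tags were lost.
HTTPD_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
KeyFile "/usr/IBMIHS/ssl/client.kdb"
<VirtualHost api.client.com:443>
  SSLEnable
  SSLClientAuth None
  SSLServerCert api.client.com
  ServerName api.client.com
  DocumentRoot /usr/www
</VirtualHost>
"""

# Constructed `gsk7cmd -cert -list` output: the cert was re-created under the
# label "api", so the label the stanza names is absent, which is exactly the
# "no key for api.client.com" symptom described in the thread.
CERT_LIST = """\
Certificates found:
   VeriSign Class 3 Public Primary Certification Authority
   api
"""

# Constructed `gsk7cmd -cert -details` output, modelled on the thread's sample.
CERT_DETAILS = """\
Label: api
Key Size: 512
Version: X509 V1
Issued By: api.client.com
Subject: api.client.com
Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
Trust Status: enabled
"""


def parse_conf(text):
    """Split an httpd.conf fragment into global directives and <VirtualHost> blocks.
    Directive names are lower-cased (Apache ignores case); each maps to its values."""
    global_d, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"_addr": opened.group(1)}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(current)
            current = None
        else:
            name, _, value = line.partition(" ")
            target = global_d if current is None else current
            target.setdefault(name.lower(), []).append(value.strip().strip('"'))
    return global_d, vhosts


def parse_cert_list(text):
    """Labels from `gsk7cmd -cert -list`: one per indented line."""
    return [line.strip() for line in text.splitlines() if line.startswith(" ")]


def parse_cert_details(text):
    """Fields of `gsk7cmd -cert -details`, keyed by the text before the first colon."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def lint(conf_text, cert_list_text, cert_details_text, today=None, min_key_bits=2048):
    """Return (severity, code, message) findings; an empty list means nothing to fix."""
    today = today or datetime.now()
    global_d, vhosts = parse_conf(conf_text)
    labels = parse_cert_list(cert_list_text)
    cert = parse_cert_details(cert_details_text)
    out = []
    # Server-wide prerequisites the replies in the thread ask about first.
    if not any(m.startswith("ibm_ssl_module") for m in global_d.get("loadmodule", [])):
        out.append(("error", "no_ssl_module", "mod_ibm_ssl is not loaded"))
    if not any(v == "443" or v.endswith(":443") for v in global_d.get("listen", [])):
        out.append(("error", "no_listen_443", "no Listen directive for port 443"))
    if "keyfile" not in global_d and not any("keyfile" in v for v in vhosts):
        out.append(("error", "no_keyfile", "no KeyFile directive pointing at the .kdb"))
    for v in vhosts:
        if "sslenable" not in v:
            continue  # plain HTTP host, nothing to check
        addr = v["_addr"]
        label = v.get("sslservercert", [None])[0]
        if label is None:
            out.append(("warn", "no_server_cert", f"{addr}: no SSLServerCert, relies on the kdb default"))
        elif label not in labels:  # the mismatch behind "no key for <label>"
            out.append(("error", "label_missing", f"{addr}: SSLServerCert '{label}' not in key database {labels}"))
        if "sslv2" not in " ".join(v.get("sslprotocoldisable", [])).lower():
            out.append(("warn", "sslv2_enabled", f"{addr}: add 'SSLProtocolDisable SSLv2'"))
    # Properties of the certificate itself, read from the -details output.
    bits = int(cert.get("Key Size", "0"))
    if bits < min_key_bits:
        out.append(("error", "weak_key", f"'{cert.get('Label')}' has a {bits}-bit key, below {min_key_bits}"))
    if cert.get("Version", "").endswith("V1"):
        out.append(("warn", "x509_v1", "X.509 v1 certificate has no extensions, so no subjectAltName"))
    dates = re.findall(r"[A-Z][a-z]+ \d{1,2}, \d{4}", cert.get("Valid From", ""))
    if len(dates) == 2 and datetime.strptime(dates[1], "%B %d, %Y") < today:
        out.append(("error", "expired", f"certificate expired on {dates[1]}"))
    return out
```

Running `lint(HTTPD_CONF, CERT_LIST, CERT_DETAILS)` on the constructed inputs reports the label mismatch and the missing `SSLProtocolDisable SSLv2` for the virtual host, plus the 512-bit key and v1 format of the certificate; renaming the `SSLServerCert` label to match the key database clears the first two findings but, as the output makes visible, leaves a certificate that should be regenerated with a 2048-bit key before it is put in front of clients.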
Re: [U2] AIX 5.3 IBMIHS Web Server
The two might be able to behave together... although I'm not 100% positive (so don't quote me on that). I know the pware packages go to great lengths to install themselves off in a separate space so as not to clobber any IBM specific software.

http://pware.hvcc.edu/documentation.html

Sorry for the 4 and 5 posts. I guess my brain only works in small little increments on Monday morning.

On Mon, Feb 18, 2013 at 8:24 AM, John Thompson wrote:
> Of course, if the customer doesn't have IBM support, then you might want
> to try the open source stuff on AIX.
>
> You can find a lot of good "pre-compiled" packages here (they plug right
> into the AIX package manager)
> http://pware.hvcc.edu/
>
> They claim that their AIX 6 stuff works on 7
> http://pware.hvcc.edu/downloads.html
>
> On Mon, Feb 18, 2013 at 8:22 AM, John Thompson wrote:
>> Also I remember having to have three parts with openssl on Linux.
>>
>> SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
>> SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key
>>
>> Then I remember having to merge two files together to create the chain
>> file (just using a basic unix cat command I believe)
>>
>> SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt
>>
>> I remember these two links being helpful:
>> Of course it's all openssl based. Not sure how the gsk stuff works with
>> IBM.
>>
>> http://jasoncodes.com/posts/startssl-free-ssl
>>
>> http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/
>>
>> On Mon, Feb 18, 2013 at 8:14 AM, John Thompson wrote:
>>> So I'm guessing you aren't using the open source version of apache, but,
>>> the IBM AIX flavor of it.
>>> Which I'm guessing is IHS.
>>>
>>> I've never worked with that before.
>>> Does the customer have IBM support? Maybe they have some guru that can
>>> send you an example?
>>>
>>> I have some notes on this on Linux.
>>>
>>> Here is an example of a virtual host section that did work with ssl on
>>> Apache on Linux (open source).
>>> It did not use gsk and ihs, but, openssl and open source apache.
>>>
>>> I included the comments because I thought it might help.
>>> BUT, all you need are the un-commented lines.
>>>
>>> #May need this if not included elsewhere in apache config files.
>>> #NameVirtualHost *:443
>>> #Listen 443
>>>
>>> ServerAdmin some...@foo.com
>>> ServerName foo.com
>>>
>>> DocumentRoot /var/www/somesite
>>>
>>> #Disable Options we don't need
>>> Options -Indexes +Includes -ExecCGI +FollowSymLinks -MultiViews
>>> AllowOverride None
>>> Order allow,deny
>>> allow from all
>>>
>>> ErrorLog /var/log/apache2/error.log
>>>
>>> # Possible values include: debug, info, notice, warn, error, crit,
>>> # alert, emerg.
>>> LogLevel warn
>>>
>>> CustomLog /var/log/apache2/ssl_access.log combined
>>>
>>> Alias /doc/ "/usr/share/doc/"
>>>
>>> Options Indexes MultiViews FollowSymLinks
>>> AllowOverride None
>>> Order deny,allow
>>> Deny from all
>>> Allow from 127.0.0.0/255.0.0.0 ::1/128
>>>
>>> # SSL Engine Switch:
>>> # Enable/Disable SSL for this virtual host.
>>> SSLEngine on
>>>
>>> # A self-signed (snakeoil) certificate can be created by installing
>>> # the ssl-cert package. See
>>> # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
>>> # If both key and certificate are stored in the same file, only the
>>> # SSLCertificateFile directive is needed.
>>> SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
>>> SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key
>>>
>>> # Server Certificate Chain:
>>> # Point SSLCertificateChainFile at a file containing the
>>> # concatenation of PEM encoded CA certificates which form the
>>> # certificate chain for the server certificate. Alternatively
>>> # the referenced file can be the same as SSLCertificateFile
>>> # when the CA certificates are directly appended to the server
>>> # certificate for convenience.
>>> SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt
>>>
>>> # Certificate Authority (CA):
>>> # Set the CA certificate verification path where to find CA
>>> # certificates for client authentication or alternatively one
>>> # huge file containing all of them (file must be PEM encoded)
>>> # Note: Inside SSLCACertificatePath you need hash symlinks
>>> # to point to the certificate files. Use the provided
>>> # Makefile to update the hash symlinks after changes.
>>> #SSLCACertificatePath /etc/ssl/
Re: [U2] AIX 5.3 IBMIHS Web Server
Of course, if the customer doesn't have IBM support, then you might want to try the open source stuff on AIX. You can find a lot of good "pre-compiled" packages here (they plug right into the AIX package manager): http://pware.hvcc.edu/

They claim that their AIX 6 stuff works on 7: http://pware.hvcc.edu/downloads.html

On Mon, Feb 18, 2013 at 8:22 AM, John Thompson wrote:
> Also I remember having to have three parts with openssl on Linux.
>
> SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
> SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key
>
> Then I remember having to merge two files together to create the chain file (just using a basic unix cat command I believe)
>
> SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt
>
> I remember these two links being helpful: Of course it's all openssl based. Not sure how the gsk stuff works with IBM.
>
> http://jasoncodes.com/posts/startssl-free-ssl
> http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/
>
> On Mon, Feb 18, 2013 at 8:14 AM, John Thompson wrote:
>> So I'm guessing you aren't using the open source version of apache, but the IBM AIX flavor of it. Which I'm guessing is IHS.
>>
>> I've never worked with that before. Does the customer have IBM support? Maybe they have some guru that can send you an example?
>>
>> I have some notes on this on Linux. Here is an example of a virtual host section that did work with ssl on Apache on Linux (open source). It did not use gsk and ihs, but openssl and open source apache.
>>
>> I included the comments because I thought it might help. BUT, all you need are the un-commented lines.
Re: [U2] AIX 5.3 IBMIHS Web Server
Also I remember having to have three parts with openssl on Linux.

SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

Then I remember having to merge two files together to create the chain file (just using a basic unix cat command I believe)

SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

I remember these two links being helpful: Of course it's all openssl based. Not sure how the gsk stuff works with IBM.

http://jasoncodes.com/posts/startssl-free-ssl
http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/

On Mon, Feb 18, 2013 at 8:14 AM, John Thompson wrote:
> So I'm guessing you aren't using the open source version of apache, but the IBM AIX flavor of it. Which I'm guessing is IHS.
>
> I've never worked with that before. Does the customer have IBM support? Maybe they have some guru that can send you an example?
>
> I have some notes on this on Linux. Here is an example of a virtual host section that did work with ssl on Apache on Linux (open source). It did not use gsk and ihs, but openssl and open source apache.
>
> I included the comments because I thought it might help. BUT, all you need are the un-commented lines.
Re: [U2] AIX 5.3 IBMIHS Web Server
So I'm guessing you aren't using the open source version of apache, but the IBM AIX flavor of it. Which I'm guessing is IHS.

I've never worked with that before. Does the customer have IBM support? Maybe they have some guru that can send you an example?

I have some notes on this on Linux. Here is an example of a virtual host section that did work with ssl on Apache on Linux (open source). It did not use gsk and ihs, but openssl and open source apache.

I included the comments because I thought it might help. BUT, all you need are the un-commented lines.

#May need this if not included elsewhere in apache config files.
#NameVirtualHost *:443
#Listen 443

ServerAdmin some...@foo.com
ServerName foo.com

DocumentRoot /var/www/somesite

#Disable Options we don't need
Options -Indexes +Includes -ExecCGI +FollowSymLinks -MultiViews
AllowOverride None
Order allow,deny
allow from all

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/ssl_access.log combined

Alias /doc/ "/usr/share/doc/"
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
#
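The chain file in John's notes is built with plain `cat`, and the config comment above says the same file may be the server certificate with the CA certificates appended. Whichever form is used, the certificates have to sit in order: the server certificate first, then the CA that issued it, then that CA's issuer, and a wrong order is one of the more common reasons a chain "is there" but browsers still complain. The following is an added example, not code from this thread or from the Apache or StartSSL documentation it links: a stdlib-only Python checker for that ordering, exercised on constructed, unsigned toy certificates (the names `api.client.com`, `Test Intermediate CA` and `Test Root CA` are assumed; the signature OID is the one in the gsk7cmd output further down).

```python
import re
import ssl
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def der_tlv(data, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value, end_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_names(der):
    """Return (issuer, subject) of one X.509 certificate as raw DER Name bytes."""
    _, tbs, _ = der_tlv(der_tlv(der)[1])                     # Certificate -> tbsCertificate
    pos = der_tlv(tbs)[2] if der_tlv(tbs)[0] == 0xA0 else 0  # skip version [0] when present
    fields = []
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        start = pos
        _, _, pos = der_tlv(tbs, pos)
        fields.append(tbs[start:pos])
    return fields[2], fields[4]

def check_chain(bundle_pem):
    """Check that the bundle is leaf-first with each certificate issued by the next; [] means OK."""
    names = [cert_names(ssl.PEM_cert_to_DER_cert(b)) for b in PEM_BLOCK.findall(bundle_pem)]
    if not names:
        return ["no PEM certificates found"]
    return [f"certificate {i} was not issued by certificate {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def tlv(tag, body):
    """Minimal DER encoder for the constructed test certificates (bodies stay below 256 bytes)."""
    hdr = bytes([tag, len(body)]) if len(body) < 128 else bytes([tag, 0x81, len(body)])
    return hdr + body

def toy_cert(subject_cn, issuer_cn):
    """Constructed, unsigned v1-shaped certificate with just enough structure for cert_names()."""
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    sha1_rsa = tlv(0x30, tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"))  # 1.2.840.113549.1.1.5
    validity = tlv(0x30, tlv(0x17, b"130216230608Z") + tlv(0x17, b"320417230608Z"))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + sha1_rsa + name(issuer_cn) + validity + name(subject_cn)
              + tlv(0x30, b""))                              # empty SubjectPublicKeyInfo placeholder
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tbs + sha1_rsa + tlv(0x03, b"\x00")))

def demo():
    leaf = toy_cert("api.client.com", "Test Intermediate CA")          # what server.crt holds
    intermediate = toy_cert("Test Intermediate CA", "Test Root CA")    # the StartSSL-style CA cert
    return check_chain(leaf + intermediate), check_chain(intermediate + leaf)  # cat order vs reversed
```

Run `check_chain(open("server-plus-chain.crt").read())` on the real concatenated file; an empty list means the order is consistent, and the parser only compares raw Name encodings, so it does not verify signatures.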
[U2] AIX 5.3 IBMIHS Web Server
Might anyone have any tips or tricks for getting SSL to work on the IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation I've found on the web is byzantine at best and it would be fine if the commands actually worked, but I keep getting odd error messages and stalled at every turn. I've upgraded the GSK so that the server will start with SSL enabled, I have a virtual host configured, but I have no clue how to tie a specific certificate to the VirtualHost. Well, let's say I have clues, but nothing is working. Here's the stanza I have set up in httpd.conf:

SSLEnable
SSLClientAuth None
SSLServerCert api.client.com
ServerName api.client.com
DocumentRoot /usr/www
Order Allow,Deny
Allow From All
ErrorLog logs/api_error.log
CustomLog logs/api_error.log common

I've been able to generate a CSR and create a self-signed certificate, and it would appear that I've even successfully imported that certificate into my key database, as demonstrated by this command:

$ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"

...which produces the following output...

Label: api.client.com
Key Size: 512
Version: X509 V1
Serial Number: 00 DB 00 41 9A 19 77 7E 9F
Issued By: api.client.com CLIENT City, ST, US
Subject: api.client.com CLIENT City, ST, US
Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
Fingerprint: ...
Signature Algorithm: 1.2.840.113549.1.1.5
Trust Status: enabled

But even though this certificate is in the keyfile (and yes, I have a KeyFile directive elsewhere in the httpd.conf file pointing to the client.kdb file) I can't seem to associate it to the virtual host. What am I missing?

(And yes, I'm aware this is not specifically a U2 question but I need this to provide web connectivity to a Unidata machine from a Rackspace hosted server. So in a way... it sorta is U2 related.)

Help?
___
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users