Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-21 Thread Kevin King
Only one virtual host and I followed these instructions as linked, plus a
half dozen other things when this did not work.  (I started with these
instructions.)

On Wed, Feb 20, 2013 at 3:00 PM, Brian Whitehorn 
brian.whiteh...@tollgroup.com wrote:

 Kevin,

 Do you have more than one Virtual Host defined? If so, it would appear
 that each requires a separate IP to be bound.

 Not sure if you've already come across this link, but contains some
 documentation for setting up SSL with IBM HTTP Server:
 http://www-01.ibm.com/support/docview.wss?uid=swg21179559

 HTH.

 Regards,
 Brian.

 -Original Message-
 From: u2-users-boun...@listserver.u2ug.org [mailto:
 u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
 Sent: Thursday, 21 February 2013 8:35 AM
 To: U2 Users List
 Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

 Where does one get this magical GUI?  I wonder, John, if I am unable to
 procure such an animal if I sent you my key file if you could see if you
 could nominate a default for me?

 On Wed, Feb 20, 2013 at 1:58 PM, John Hester jhes...@momtex.com wrote:

  This would be an IBM support issue rather than Rocket since you're
  dealing specifically with IHS.  You might want to check with the
  customer to see if they're currently under maintenance.  There's a good
  chance they are if the IHS install was recent because AFAIK you can't
  even get the installation files without a support login.
 
  One other thing you might try is using the iKeyman GUI to create the
  keystore database rather than the command line utility.  That's what I
  always use.  You can run it via an X session, or locally on Windows
  desktop.  I typically create and test a keystore locally on my desktop
  and copy the kdb file to the server when I'm sure it's working
  correctly.  The iKeyman interface is fairly intuitive, and it's easy to
  designate a default cert with the click of a button.
 
  -John
 
  -Original Message-
  From: u2-users-boun...@listserver.u2ug.org
  [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
  Sent: Tuesday, February 19, 2013 6:23 PM
  To: U2 Users List
  Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
 
   I tried checking for a default certificate and it reports null.  The
   KDB file has the GSK certs and my cert - that's it, and when I follow
   the instructions to set up my cert as the default, it gives me a cryptic
   "I'm sorry Dave, I can't do that" kind of message.
 
  This is on a customer's system, and they don't have any good paths to
  contact Rocket, as their vendor is entirely unresponsive which is why
  they work with us in the first place, and we're not a var.  So I post
  here and hope someone from Rocket is listening.  Wally, Kevin, Mike, ...
  there've been a number of very good Rocket folks helping out here over
  the years.
   (Apologies for anyone I missed.)
 
  -K
 
  On Tue, Feb 19, 2013 at 6:12 PM, John Hester jhes...@momtex.com wrote:
 
    I doubt the unqualified listen has any connection.  It sounds like
    something's corrupt in the kdb file.  If you only have one cert in the
    file, you might try removing the SSLServerCert directive altogether.
    Normally one cert in the database is marked as the default to use when
    none is specified, and if you only have one, that should be it.  I
    would also create a new kdb file from scratch just to make sure it's
    clean.

    If it still won't work after that, I'd suggest opening a case with IBM
    support if you have a current entitlement.  I open cases with them all
    the time for issues with new software installations, and they're
    always very responsive.
  
   -John
  
   -Original Message-
   From: u2-users-boun...@listserver.u2ug.org
   [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
   Sent: Tuesday, February 19, 2013 4:03 PM
   To: U2 Users List
   Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
  
   Yes, I have both the LoadModule and Listen, though my Listen is
   unqualified, like this:
  
   Listen 443
  
    The error I'm getting in the logs tells me there is no key for api or
    api.client.com (I've tried both) despite the fact that gsk7cmd shows
    that the certificate absolutely is in there.  That's what's vexing; I
    can see the certificate, but for some reason Apache cannot.
  
   You don't suppose the unqualified Listen might have something to do
   with it, do you?
  
  
   On Tue, Feb 19, 2013 at 11:19 AM, John Hester jhes...@momtex.com
   wrote:
  
Kevin, I have both chained and self-signed certs on various servers.
The example from my workstation is a self-signed cert.  Self-signed is
actually less prone to error because you don't have to worry about
importing the intermediate certs into the keystore database.  The only
other thing I know to suggest at the moment is verify you're loading
the IBM ssl module and listening on port 443:
   
LoadModule ibm_ssl_module modules

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-20 Thread John Hester
This would be an IBM support issue rather than Rocket since you're
dealing specifically with IHS.  You might want to check with the
customer to see if they're currently under maintenance.  There's a good
chance they are if the IHS install was recent because AFAIK you can't
even get the installation files without a support login.

One other thing you might try is using the iKeyman GUI to create the
keystore database rather than the command line utility.  That's what I
always use.  You can run it via an X session, or locally on Windows
desktop.  I typically create and test a keystore locally on my desktop
and copy the kdb file to the server when I'm sure it's working
correctly.  The iKeyman interface is fairly intuitive, and it's easy to
designate a default cert with the click of a button.

-John

-Original Message-
From: u2-users-boun...@listserver.u2ug.org
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Tuesday, February 19, 2013 6:23 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

I tried checking for a default certificate and it reports null.  The
KDB file has the GSK certs and my cert - that's it, and when I follow
the instructions to set up my cert as the default, it gives me a cryptic
"I'm sorry Dave, I can't do that" kind of message.

This is on a customer's system, and they don't have any good paths to
contact Rocket, as their vendor is entirely unresponsive which is why
they work with us in the first place, and we're not a var.  So I post
here and hope someone from Rocket is listening.  Wally, Kevin, Mike, ...
there've been a number of very good Rocket folks helping out here over
the years.
 (Apologies for anyone I missed.)

-K

On Tue, Feb 19, 2013 at 6:12 PM, John Hester jhes...@momtex.com wrote:

 I doubt the unqualified listen has any connection.  It sounds like
 something's corrupt in the kdb file.  If you only have one cert in the
 file, you might try removing the SSLServerCert directive altogether.
 Normally one cert in the database is marked as the default to use when
 none is specified, and if you only have one, that should be it.  I
 would also create a new kdb file from scratch just to make sure it's
 clean.

 If it still won't work after that, I'd suggest opening a case with IBM
 support if you have a current entitlement.  I open cases with them all
 the time for issues with new software installations, and they're
 always very responsive.

 -John

 -Original Message-
 From: u2-users-boun...@listserver.u2ug.org
 [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
 Sent: Tuesday, February 19, 2013 4:03 PM
 To: U2 Users List
 Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

 Yes, I have both the LoadModule and Listen, though my Listen is 
 unqualified, like this:

 Listen 443

 The error I'm getting in the logs tells me there is no key for api or
 api.client.com (I've tried both) despite the fact that gsk7cmd shows
 that the certificate absolutely is in there.  That's what's vexing; I
 can see the certificate, but for some reason Apache cannot.

 You don't suppose the unqualified Listen might have something to do 
 with it, do you?


 On Tue, Feb 19, 2013 at 11:19 AM, John Hester jhes...@momtex.com
 wrote:

  Kevin, I have both chained and self-signed certs on various servers.
  The example from my workstation is a self-signed cert.  Self-signed is
  actually less prone to error because you don't have to worry about
  importing the intermediate certs into the keystore database.  The only
  other thing I know to suggest at the moment is verify you're loading
  the IBM ssl module and listening on port 443:

  LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
  Listen 0.0.0.0:443
 
  Are you getting any errors in the IHS SSL logs, either at server 
  startup or when you attempt to browse to port 443?
 
  -John
 
  -Original Message-
  From: u2-users-boun...@listserver.u2ug.org
  [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin 
  King
  Sent: Monday, February 18, 2013 5:04 PM
  To: U2 Users List
  Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
 
  John (Thompson)... This IHS Apache is definitely a cracked Apache with
  some odd configuration & SSL setup in particular is completely
  different.
 
  John (Hester), I can see the cert in the key file (through the gsk7cmd
  command) but with the name api.client.com it cannot be found.  I
  even recreated the cert as api (without dots) because I found a
  page that said that the dots could be causing problems, but still no
  love.  It seems I've done everything correctly but still it just can't
  find a combination that works.  I'm wondering if the problem here is
  the fact that it's a self-signed cert without a chain?  Are you using a
  self-signed cert here?  Do you have other certs in your key file that
  may represent a chain for the self-signed cert?
 
  Thank you gentlemen for the insight.  Most appreciated

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-20 Thread Kevin King
Where does one get this magical GUI?  I wonder, John, if I am unable to
procure such an animal if I sent you my key file if you could see if you
could nominate a default for me?

On Wed, Feb 20, 2013 at 1:58 PM, John Hester jhes...@momtex.com wrote:

 This would be an IBM support issue rather than Rocket since you're
 dealing specifically with IHS.  You might want to check with the
 customer to see if they're currently under maintenance.  There's a good
 chance they are if the IHS install was recent because AFAIK you can't
 even get the installation files without a support login.

 One other thing you might try is using the iKeyman GUI to create the
 keystore database rather than the command line utility.  That's what I
 always use.  You can run it via an X session, or locally on Windows
 desktop.  I typically create and test a keystore locally on my desktop
 and copy the kdb file to the server when I'm sure it's working
 correctly.  The iKeyman interface is fairly intuitive, and it's easy to
 designate a default cert with the click of a button.

 -John

 -Original Message-
 From: u2-users-boun...@listserver.u2ug.org
 [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
 Sent: Tuesday, February 19, 2013 6:23 PM
 To: U2 Users List
 Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

  I tried checking for a default certificate and it reports null.  The
  KDB file has the GSK certs and my cert - that's it, and when I follow
  the instructions to set up my cert as the default, it gives me a cryptic
  "I'm sorry Dave, I can't do that" kind of message.

 This is on a customer's system, and they don't have any good paths to
 contact Rocket, as their vendor is entirely unresponsive which is why
 they work with us in the first place, and we're not a var.  So I post
 here and hope someone from Rocket is listening.  Wally, Kevin, Mike, ...
 there've been a number of very good Rocket folks helping out here over
 the years.
  (Apologies for anyone I missed.)

 -K

 On Tue, Feb 19, 2013 at 6:12 PM, John Hester jhes...@momtex.com wrote:

  I doubt the unqualified listen has any connection.  It sounds like
  something's corrupt in the kdb file.  If you only have one cert in the
  file, you might try removing the SSLServerCert directive altogether.
  Normally one cert in the database is marked as the default to use when
  none is specified, and if you only have one, that should be it.  I
  would also create a new kdb file from scratch just to make sure it's
  clean.

  If it still won't work after that, I'd suggest opening a case with IBM
  support if you have a current entitlement.  I open cases with them all
  the time for issues with new software installations, and they're
  always very responsive.
 
  -John
 
  -Original Message-
  From: u2-users-boun...@listserver.u2ug.org
  [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
  Sent: Tuesday, February 19, 2013 4:03 PM
  To: U2 Users List
  Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
 
  Yes, I have both the LoadModule and Listen, though my Listen is
  unqualified, like this:
 
  Listen 443
 
  The error I'm getting in the logs tells me there is no key for api or
  api.client.com (I've tried both) despite the fact that gsk7cmd shows
  that the certificate absolutely is in there.  That's what's vexing; I
  can see the certificate, but for some reason Apache cannot.
 
  You don't suppose the unqualified Listen might have something to do
  with it, do you?
 
 
  On Tue, Feb 19, 2013 at 11:19 AM, John Hester jhes...@momtex.com
  wrote:
 
   Kevin, I have both chained and self-signed certs on various servers.
   The example from my workstation is a self-signed cert.  Self-signed is
   actually less prone to error because you don't have to worry about
   importing the intermediate certs into the keystore database.  The only
   other thing I know to suggest at the moment is verify you're loading
   the IBM ssl module and listening on port 443:

   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
   Listen 0.0.0.0:443
  
   Are you getting any errors in the IHS SSL logs, either at server
   startup or when you attempt to browse to port 443?
  
   -John
  
   -Original Message-
   From: u2-users-boun...@listserver.u2ug.org
   [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin
   King
   Sent: Monday, February 18, 2013 5:04 PM
   To: U2 Users List
   Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
  
   John (Thompson)... This IHS Apache is definitely a cracked Apache with
   some odd configuration & SSL setup in particular is completely
   different.
  
   John (Hester), I can see the cert in the key file (through the gsk7cmd
   command) but with the name api.client.com it cannot be found.  I
   even recreated the cert as api (without dots) because I found a
   page that said that the dots could be causing problems, but still no
   love.  It seems I've done everything correctly but still

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-20 Thread Brian Whitehorn
Kevin,

Do you have more than one Virtual Host defined? If so, it would appear that 
each requires a separate IP to be bound.

Not sure if you've already come across this link, but contains some 
documentation for setting up SSL with IBM HTTP Server:
http://www-01.ibm.com/support/docview.wss?uid=swg21179559

HTH.

Regards,
Brian.

-Original Message-
From: u2-users-boun...@listserver.u2ug.org 
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Thursday, 21 February 2013 8:35 AM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

Where does one get this magical GUI?  I wonder, John, if I am unable to
procure such an animal if I sent you my key file if you could see if you
could nominate a default for me?

On Wed, Feb 20, 2013 at 1:58 PM, John Hester jhes...@momtex.com wrote:

 This would be an IBM support issue rather than Rocket since you're
 dealing specifically with IHS.  You might want to check with the
 customer to see if they're currently under maintenance.  There's a good
 chance they are if the IHS install was recent because AFAIK you can't
 even get the installation files without a support login.

 One other thing you might try is using the iKeyman GUI to create the
 keystore database rather than the command line utility.  That's what I
 always use.  You can run it via an X session, or locally on Windows
 desktop.  I typically create and test a keystore locally on my desktop
 and copy the kdb file to the server when I'm sure it's working
 correctly.  The iKeyman interface is fairly intuitive, and it's easy to
 designate a default cert with the click of a button.

 -John

 -Original Message-
 From: u2-users-boun...@listserver.u2ug.org
 [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
 Sent: Tuesday, February 19, 2013 6:23 PM
 To: U2 Users List
 Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

  I tried checking for a default certificate and it reports null.  The
  KDB file has the GSK certs and my cert - that's it, and when I follow
  the instructions to set up my cert as the default, it gives me a cryptic
  "I'm sorry Dave, I can't do that" kind of message.

 This is on a customer's system, and they don't have any good paths to
 contact Rocket, as their vendor is entirely unresponsive which is why
 they work with us in the first place, and we're not a var.  So I post
 here and hope someone from Rocket is listening.  Wally, Kevin, Mike, ...
 there've been a number of very good Rocket folks helping out here over
 the years.
  (Apologies for anyone I missed.)

 -K

 On Tue, Feb 19, 2013 at 6:12 PM, John Hester jhes...@momtex.com wrote:

  I doubt the unqualified listen has any connection.  It sounds like
  something's corrupt in the kdb file.  If you only have one cert in the
  file, you might try removing the SSLServerCert directive altogether.
  Normally one cert in the database is marked as the default to use when
  none is specified, and if you only have one, that should be it.  I
  would also create a new kdb file from scratch just to make sure it's
  clean.

  If it still won't work after that, I'd suggest opening a case with IBM
  support if you have a current entitlement.  I open cases with them all
  the time for issues with new software installations, and they're
  always very responsive.
 
  -John
 
  -Original Message-
  From: u2-users-boun...@listserver.u2ug.org
  [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
  Sent: Tuesday, February 19, 2013 4:03 PM
  To: U2 Users List
  Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
 
  Yes, I have both the LoadModule and Listen, though my Listen is
  unqualified, like this:
 
  Listen 443
 
  The error I'm getting in the logs tells me there is no key for api or
  api.client.com (I've tried both) despite the fact that gsk7cmd shows
  that the certificate absolutely is in there.  That's what's vexing; I
  can see the certificate, but for some reason Apache cannot.
 
  You don't suppose the unqualified Listen might have something to do
  with it, do you?
 
 
  On Tue, Feb 19, 2013 at 11:19 AM, John Hester jhes...@momtex.com
  wrote:
 
   Kevin, I have both chained and self-signed certs on various servers.
   The example from my workstation is a self-signed cert.  Self-signed is
   actually less prone to error because you don't have to worry about
   importing the intermediate certs into the keystore database.  The only
   other thing I know to suggest at the moment is verify you're loading
   the IBM ssl module and listening on port 443:

   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
   Listen 0.0.0.0:443
  
   Are you getting any errors in the IHS SSL logs, either at server
   startup or when you attempt to browse to port 443?
  
   -John
  
   -Original Message-
   From: u2-users-boun...@listserver.u2ug.org
   [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin
   King
   Sent: Monday, February 18, 2013 5:04 PM

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-20 Thread John Hester
You should find an executable script named ikeyman in [IHS root]/bin.
Just enter [IHS root]/bin/ikeyman to launch it rather than using the
java command.  If I remember correctly, it's best to specify the full
path.

But by all means, send me the kdb file off-list and I'll open it up on
my workstation and set the default.  That should only take a few
minutes.

-John

-Original Message-
From: u2-users-boun...@listserver.u2ug.org
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Wednesday, February 20, 2013 1:35 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

Where does one get this magical GUI?  I wonder, John, if I am unable to
procure such an animal if I sent you my key file if you could see if you
could nominate a default for me?

On Wed, Feb 20, 2013 at 1:58 PM, John Hester jhes...@momtex.com wrote:

 This would be an IBM support issue rather than Rocket since you're
 dealing specifically with IHS.  You might want to check with the
 customer to see if they're currently under maintenance.  There's a
 good chance they are if the IHS install was recent because AFAIK you
 can't even get the installation files without a support login.

 One other thing you might try is using the iKeyman GUI to create the
 keystore database rather than the command line utility.  That's what I
 always use.  You can run it via an X session, or locally on Windows
 desktop.  I typically create and test a keystore locally on my desktop
 and copy the kdb file to the server when I'm sure it's working
 correctly.  The iKeyman interface is fairly intuitive, and it's easy
 to designate a default cert with the click of a button.

 -John

 -Original Message-
 From: u2-users-boun...@listserver.u2ug.org
 [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
 Sent: Tuesday, February 19, 2013 6:23 PM
 To: U2 Users List
 Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

 I tried checking for a default certificate and it reports null.  The
 KDB file has the GSK certs and my cert - that's it, and when I follow
 the instructions to set up my cert as the default, it gives me a
 cryptic "I'm sorry Dave, I can't do that" kind of message.

 This is on a customer's system, and they don't have any good paths to
 contact Rocket, as their vendor is entirely unresponsive which is why
 they work with us in the first place, and we're not a var.  So I post
 here and hope someone from Rocket is listening.  Wally, Kevin, Mike, ...
 there've been a number of very good Rocket folks helping out here over
 the years.
  (Apologies for anyone I missed.)

 -K

 On Tue, Feb 19, 2013 at 6:12 PM, John Hester jhes...@momtex.com wrote:

  I doubt the unqualified listen has any connection.  It sounds like
  something's corrupt in the kdb file.  If you only have one cert in
  the file, you might try removing the SSLServerCert directive altogether.
  Normally one cert in the database is marked as the default to use
  when none is specified, and if you only have one, that should be it.  I
  would also create a new kdb file from scratch just to make sure it's
  clean.

  If it still won't work after that, I'd suggest opening a case with
  IBM support if you have a current entitlement.  I open cases with them
  all the time for issues with new software installations, and they're
  always very responsive.
 
  -John
 
  -Original Message-
  From: u2-users-boun...@listserver.u2ug.org
  [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
  Sent: Tuesday, February 19, 2013 4:03 PM
  To: U2 Users List
  Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
 
  Yes, I have both the LoadModule and Listen, though my Listen is
  unqualified, like this:

  Listen 443

  The error I'm getting in the logs tells me there is no key for api or
  api.client.com (I've tried both) despite the fact that gsk7cmd
  shows that the certificate absolutely is in there.  That's what's
  vexing; I can see the certificate, but for some reason Apache cannot.
 
  You don't suppose the unqualified Listen might have something to do 
  with it, do you?
 
 
  On Tue, Feb 19, 2013 at 11:19 AM, John Hester jhes...@momtex.com
  wrote:
 
   Kevin, I have both chained and self-signed certs on various servers.
   The example from my workstation is a self-signed cert.  Self-signed is
   actually less prone to error because you don't have to worry about
   importing the intermediate certs into the keystore database.  The only
   other thing I know to suggest at the moment is verify you're loading
   the IBM ssl module and listening on port 443:

   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
   Listen 0.0.0.0:443
  
   Are you getting any errors in the IHS SSL logs, either at server 
   startup or when you attempt to browse to port 443?
  
   -John
  
   -Original Message-
   From: u2-users-boun...@listserver.u2ug.org
   [mailto:u2-users-boun

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-19 Thread John Thompson
I believe on the open source config I posted, it was a signed certificate.
But you can get them for free here.

http://www.startssl.com/


On Mon, Feb 18, 2013 at 8:04 PM, Kevin King ke...@precisonline.com wrote:

 John (Thompson)... This IHS Apache is definitely a cracked Apache with some
 odd configuration & SSL setup in particular is completely different.

 John (Hester), I can see the cert in the key file (through the gsk7cmd
 command) but with the name api.client.com it cannot be found.  I even
 recreated the cert as api (without dots) because I found a page that said
 that the dots could be causing problems, but still no love.  It seems I've
 done everything correctly but still it just can't find a combination that
 works.  I'm wondering if the problem here is the fact that it's a
 self-signed cert without a chain?  Are you using a self-signed cert here?
  Do you have other certs in your key file that may represent a chain for
 the self-signed cert?

 Thank you gentlemen for the insight.  Most appreciated.

 -K

 On Mon, Feb 18, 2013 at 3:09 PM, John Hester jhes...@momtex.com wrote:

  It sounds like you've done all you need to for basic IHS SSL
  functionality.  As long as api.client.com matches the name you gave the
  certificate via ikeyman, and you have the KeyFile directive, you should
  be OK.  There are a lot of other options you can add for optimization
  and browser compatibility, but I don't think leaving any of those out
  would break it outright.  Here's my working IHS config from the
  development server on my Windows workstation for comparison:
 
   <VirtualHost *:443>
   SSLEnable
   SSLProtocolDisable SSLv2
   SSLServerCert is12.momtex.com
    <Directory c:/IBM/HTTPServer/htdocs/html>
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    </Directory>
   </VirtualHost>
   KeyFile C:/IBM/HTTPServer/key.kdb
   SSLDisable
 
  -John
 
  -Original Message-
  From: u2-users-boun...@listserver.u2ug.org
  [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
  Sent: Saturday, February 16, 2013 4:02 PM
  To: U2 Users List
  Subject: [U2] AIX 5.3 IBMIHS Web Server
 
  Might anyone have any tips or tricks for getting SSL to work on the
  IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box?  The documentation
  I've found on the web is byzantine at best and it would be fine if the
  commands actually worked, but I keep getting odd error messages and
  stalled at every turn.
 
   I've upgraded the GSK so that the server will start with SSL enabled, I
  have a virtual host configured, but I have no clue how to tie a specific
  certificate to the VirtualHost.  Well, let's say I have clues, but
  nothing is working.  Here's the VirtualHost stanza I have set up in
  httpd.conf:
 
   <VirtualHost *:443>
   SSLEnable
   SSLClientAuth None
   SSLServerCert api.client.com
   ServerName api.client.com
   DocumentRoot /usr/www
   <Directory /usr/www>
    Order Allow,Deny
    Allow From All
   </Directory>
   ErrorLog logs/api_error.log
   CustomLog logs/api_error.log common
   </VirtualHost>
 
  I've been able to generate a CSR and create a self-signed certificate,
  and it would appear that I've even successfully imported that
  certificate into my key database, as demonstrated by this command:
 
  $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label 
  api.client.com -pw password
 
  ...which produces the following output...
 
   Label: api.client.com
   Key Size: 512
   Version: X509 V1
   Serial Number: 00 DB 00 41 9A 19 77 7E 9F
   Issued By: api.client.com
   CLIENT
   City, ST, US
   Subject: api.client.com
   CLIENT
   City, ST, US
   Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
   Fingerprint: ...
   Signature Algorithm: 1.2.840.113549.1.1.5
   Trust Status: enabled
 
  But even though this certificate is in the keyfile (and yes, I have a
  KeyFile directive elsewhere in the httpd.conf file pointing to the
  client.kdb file) I can't seem to associate it to the virtual host.  What
  am I missing?
 
  (And yes, I'm aware this is not specifically a U2 question but I need
  this to provide web connectivity to a Unidata machine from a Rackspace
  hosted server.  So in a way... it sorta is U2 related.)
 
  Help?
  ___
  U2-Users mailing list
  U2-Users@listserver.u2ug.org
  http://listserver.u2ug.org/mailman/listinfo/u2-users
 




-- 
John Thompson
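The whole thread is a consistency check done by hand between httpd.conf and the key database, so here is that check as a script. This is an added example, not code from the list, from IBM or from Rocket. It parses the IHS directives the replies ask about (LoadModule ibm_ssl_module, Listen, KeyFile, SSLEnable, SSLServerCert, SSLProtocolDisable), a `gsk7cmd -cert -list` listing and a `gsk7cmd -cert -details` block, and reports mismatches: a label that is not in the key database, no default certificate, a missing Listen for the SSL port, SSLv2 left enabled. It also flags the weak values visible in the details output posted above (a 512-bit key, an X.509 v1 certificate with no extensions, and signature algorithm OID 1.2.840.113549.1.1.5, which is sha1WithRSAEncryption). The layout assumed for `-cert -list` (a legend line, then one label per line prefixed `*` default, `-` personal, `!` trusted) is an assumption, not something shown on the page, and all sample inputs are constructed.

```python
"""Check an IHS httpd.conf SSL stanza against a GSKit key database listing.
Added example for this thread, not the list's, IBM's or Rocket's code.  Assumed, not from
the page: the `gsk7cmd -cert -list` layout (legend, then one label per line prefixed
'*' default, '-' personal, '!' trusted).  All sample inputs are constructed."""
import re

MIN_RSA_BITS = 2048
SHA1_RSA_OID = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption


def parse_httpd_conf(text):
    """Keep only the directives that matter for IHS SSL; ignore everything else."""
    conf, vh = {"ssl_module": False, "listen": set(), "keyfile": None, "vhosts": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+([^>\s]+)\s*>", line, re.I)
        if m:  # start of a <VirtualHost addr:port> block
            vh = {"addr": m.group(1)}
            conf["vhosts"].append(vh)
            continue
        if line.lower().startswith("</virtualhost"):
            vh = None
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "loadmodule" and arg.startswith("ibm_ssl_module"):
            conf["ssl_module"] = True
        elif key == "listen":  # "Listen 443" or "Listen 0.0.0.0:443"
            conf["listen"].add(int(arg.split()[0].rsplit(":", 1)[-1]))
        elif key == "keyfile":
            conf["keyfile"] = arg
        elif vh is not None and key in ("sslenable", "sslservercert", "sslprotocoldisable"):
            vh[key] = arg or True  # bare directives such as SSLEnable become True
    return conf


def parse_cert_list(text):
    """Label -> set of flags from `gsk7cmd -cert -list` (assumed layout, see docstring)."""
    flags, certs = {"*": "default", "-": "personal", "!": "trusted"}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificates found") or line.startswith("* default,"):
            continue
        mark = line[0] if line[0] in flags else ""
        certs.setdefault(line[len(mark):].strip(), set()).update({flags[mark]} if mark else ())
    return certs


def parse_cert_details(text):
    # `Key: value` lines from `gsk7cmd -cert -details`; DN continuation lines are skipped.
    pairs = (re.match(r"([A-Za-z][A-Za-z ]*?):\s*(.*)", raw.strip()) for raw in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}


def check(conf, certs, details=None):
    """Return human-readable findings; an empty list means the setup is consistent."""
    has_default = any("default" in v for v in certs.values())
    f = [msg for ok, msg in (
        (conf["ssl_module"], "ibm_ssl_module not loaded (LoadModule ibm_ssl_module modules/mod_ibm_ssl.so)"),
        (conf["keyfile"], "no KeyFile directive, so IHS has no key database to open"),
        (has_default, "no default certificate in the key database; SSLServerCert must name a label"),
    ) if not ok]
    for vh in (v for v in conf["vhosts"] if v.get("sslenable")):
        addr, label = vh["addr"], vh.get("sslservercert")
        port = addr.rsplit(":", 1)[-1]
        if not port.isdigit() or int(port) not in conf["listen"]:
            f.append(f"vhost {addr}: SSLEnable but no Listen for that port")
        if label is not None and label not in certs:
            f.append(f"vhost {addr}: label {label!r} not in key database {sorted(certs)}")
        if "sslv2" not in str(vh.get("sslprotocoldisable", "")).lower():
            f.append(f"vhost {addr}: SSLv2 not disabled (SSLProtocolDisable SSLv2)")
    if details:
        bits = int(re.sub(r"\D", "", details.get("Key Size", "")) or 0)
        if bits < MIN_RSA_BITS:
            f.append(f"certificate key is {bits} bits; {MIN_RSA_BITS} is the floor")
        if details.get("Version", "").upper().endswith("V1"):
            f.append("X.509 v1 certificate: no extensions, so no subjectAltName")
        if details.get("Signature Algorithm") == SHA1_RSA_OID:
            f.append("certificate signed with sha1WithRSAEncryption")
    return f


# Constructed from the stanza in the thread plus the LoadModule/Listen/KeyFile lines.
SAMPLE_HTTPD_CONF = """LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
KeyFile /usr/IBMIHS/ssl/client.kdb
<VirtualHost *:443>
SSLEnable
SSLServerCert api.client.com
</VirtualHost>
"""
# Constructed listing: one personal certificate, nothing marked as default.
SAMPLE_CERT_LIST = """Certificates found
* default, - personal, ! trusted
-\tapi.client.com
"""
# Values copied from the thread's gsk7cmd -cert -details output.
SAMPLE_CERT_DETAILS = """Key Size: 512
Version: X509 V1
Signature Algorithm: 1.2.840.113549.1.1.5
"""


def run_sample():
    return check(parse_httpd_conf(SAMPLE_HTTPD_CONF), parse_cert_list(SAMPLE_CERT_LIST),
                 parse_cert_details(SAMPLE_CERT_DETAILS))
```

With the constructed inputs `run_sample()` returns five findings: the key database has no default certificate (the null result Kevin got), SSLv2 is not disabled, and three about the posted certificate itself (512-bit key, X.509 v1 so no subjectAltName, SHA-1 signature). Changing the SSLServerCert label to `api` makes the report show the label absent from the key database, which is the shape of the "no key for api" error described in the thread; marking the one personal certificate as default in the listing clears the default finding.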

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-19 Thread John Hester
Kevin, I have both chained and self-signed certs on various servers.
The example from my workstation is a self-signed cert.  Self-signed is
actually less prone to error because you don't have to worry about
importing the intermediate certs into the keystore database.  The only
other thing I know to suggest at the moment is verify you're loading the
IBM ssl module and listening on port 443:

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443

Are you getting any errors in the IHS SSL logs, either at server startup
or when you attempt to browse to port 443?

-John

-Original Message-
From: u2-users-boun...@listserver.u2ug.org
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Monday, February 18, 2013 5:04 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

John (Thompson)... This IHS Apache is definitely a cracked Apache with
some odd configuration & SSL setup in particular is completely different.

John (Hester), I can see the cert in the key file (through the gsk7cmd
command) but with the name api.client.com it cannot be found.  I even
recreated the cert as api (without dots) because I found a page that
said that the dots could be causing problems, but still no love.  It
seems I've done everything correctly but still it just can't find a
combination that works.  I'm wondering if the problem here is the fact
that it's a self-signed cert without a chain?  Are you using a
self-signed cert here?
 Do you have other certs in your key file that may represent a chain for
the self-signed cert?

Thank you gentlemen for the insight.  Most appreciated.

-K

On Mon, Feb 18, 2013 at 3:09 PM, John Hester jhes...@momtex.com wrote:

 It sounds like you've done all you need to for basic IHS SSL 
 functionality.  As long as api.client.com matches the name you gave 
 the certificate via ikeyman, and you have the KeyFile directive, you 
 should be OK.  There are a lot of other options you can add for 
 optimization and browser compatibility, but I don't think leaving any 
 of those out would break it outright.  Here's my working IHS config 
 from the development server on my Windows workstation for comparison:

 <VirtualHost *:443>
 SSLEnable
 SSLProtocolDisable SSLv2
 SSLServerCert is12.momtex.com
  <Directory c:/IBM/HTTPServer/htdocs/html>
  Options +Includes
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml
  </Directory>
 </VirtualHost>
 KeyFile C:/IBM/HTTPServer/key.kdb
 SSLDisable

 -John

 -Original Message-
 From: u2-users-boun...@listserver.u2ug.org
 [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
 Sent: Saturday, February 16, 2013 4:02 PM
 To: U2 Users List
 Subject: [U2] AIX 5.3 IBMIHS Web Server

 Might anyone have any tips or tricks for getting SSL to work on the
 IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box?  The documentation
 I've found on the web is byzantine at best and it would be fine if the
 commands actually worked, but I keep getting odd error messages and
 stalled at every turn.

 I've upgraded the GSK so that the server will start with SSL enabled, I
 have a virtual host configured, but I have no clue how to tie a
 specific certificate to the VirtualHost.  Well, let's say I have
 clues, but nothing is working.  Here's the VirtualHost stanza I have
 set up in httpd.conf:

 <VirtualHost *:443>
 SSLEnable
 SSLClientAuth None
 SSLServerCert api.client.com
 ServerName api.client.com
 DocumentRoot /usr/www
 <Directory /usr/www>
  Order Allow,Deny
  Allow From All
 </Directory>
 ErrorLog logs/api_error.log
 CustomLog logs/api_error.log common
 </VirtualHost>

 I've been able to generate a CSR and create a self-signed certificate,
 and it would appear that I've even successfully imported that
 certificate into my key database, as demonstrated by this command:

 $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label api.client.com -pw password

 ...which produces the following output...

 Label: api.client.com
 Key Size: 512
 Version: X509 V1
 Serial Number: 00 DB 00 41 9A 19 77 7E 9F
 Issued By: api.client.com
 CLIENT
 City, ST, US
 Subject: api.client.com
 CLIENT
 City, ST, US
 Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
 Fingerprint: ...
 Signature Algorithm: 1.2.840.113549.1.1.5
 Trust Status: enabled

 But even though this certificate is in the keyfile (and yes, I have a 
 KeyFile directive elsewhere in the httpd.conf file pointing to the 
 client.kdb file) I can't seem to associate it to the virtual host.  
 What am I missing?

 (And yes, I'm aware this is not specifically a U2 question but I need
 this to provide web connectivity to a Unidata machine from a Rackspace
 hosted server.  So in a way... it sorta is U2 related.)

 Help?
 ___
 U2-Users mailing list
 U2-Users
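The gsk7cmd -cert -details record quoted above is the only evidence the thread has about the certificate itself, and it already answers two of the questions asked in it: "Issued By" equals "Subject", so the cert is self-signed and there is no chain to import, and the label is what IHS matches SSLServerCert against. The following is an added example, not code from the thread or from IBM: a small parser for that output format plus the checks a defender would run on it (label match, self-signed, key size, X.509 version, signature algorithm, validity length). The sample record is a constructed copy of the one quoted above, with the lines the archive had wrapped together put back on their own lines; the finding names are this example's own.

```python
"""Parse a `gsk7cmd -cert -details` record and flag what matters when IHS
cannot use the certificate.  Added example, not code from the thread; the
sample record below is a constructed copy of the one quoted in the thread."""
import re
from datetime import datetime

SAMPLE_DETAILS = """\
Label: api.client.com
Key Size: 512
Version: X509 V1
Serial Number: 00 DB 00 41 9A 19 77 7E 9F
Issued By: api.client.com
CLIENT
City, ST, US
Subject: api.client.com
CLIENT
City, ST, US
Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
Fingerprint: ...
Signature Algorithm: 1.2.840.113549.1.1.5
Trust Status: enabled
"""

# gsk7cmd prints the signature algorithm as a bare OID; map the common ones.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

# A field line is "Name: value"; DN components follow on their own lines.
FIELD_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")


def parse_gsk_details(text):
    """Return {field: [value, continuation, ...]} for one certificate record."""
    record, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            record[current] = [m.group(2)]
        elif current is not None:
            record[current].append(line)  # organisation / locality lines of a DN
    return record


def _parse_gsk_time(text):
    # "Saturday, February 16, 2013 6:06:08 PM EST": the zone abbreviation is
    # dropped because strptime only understands the local zone's names.
    text = re.sub(r"\s+[A-Z]{2,5}$", "", text.strip())
    return datetime.strptime(text, "%A, %B %d, %Y %I:%M:%S %p")


def validity_days(record):
    """Length of the validity period in whole days (zone offsets ignored)."""
    start, end = record["Valid From"][0].split(" To: ")
    return (_parse_gsk_time(end) - _parse_gsk_time(start)).days


def audit(record, expected_label):
    """Findings, in a fixed order, for the record against the SSLServerCert label."""
    findings = []
    # IHS looks the certificate up by label: SSLServerCert must match it exactly.
    if record["Label"][0] != expected_label:
        findings.append("label-mismatch")
    # Issuer == subject means self-signed: there is no chain to import.
    if record["Issued By"] == record["Subject"]:
        findings.append("self-signed")
    if int(record["Key Size"][0]) < 2048:
        findings.append("weak-key")  # 512-bit RSA has been factorable since 1999
    if record["Version"][0].endswith("V1"):
        findings.append("no-extensions")  # no SAN, so current clients reject the name
    if SIG_ALG_NAMES.get(record["Signature Algorithm"][0]) == "sha1WithRSAEncryption":
        findings.append("sha1-signature")
    if validity_days(record) > 398:
        findings.append("long-validity")  # longer than publicly trusted certs may be
    if record["Trust Status"][0] != "enabled":
        findings.append("not-trusted")
    return findings


if __name__ == "__main__":
    rec = parse_gsk_details(SAMPLE_DETAILS)
    print("valid for %d days" % validity_days(rec))
    for label in ("api.client.com", "api"):
        print(label, "->", audit(rec, label))
```

Run against the quoted record, the label check passes for api.client.com and fails for the shortened label api, which matches the "no key for api" error reported later in the thread for that variant. The remaining findings (self-signed, 512-bit key, X.509 v1, SHA-1 signature, 7000-day validity) do not stop IHS from loading the certificate, but they are the reasons a modern client would refuse it, so they belong in any review of a kdb before it goes into production.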

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-19 Thread Kevin King
Yes, I have both the LoadModule and Listen, though my Listen is
unqualified, like this:

Listen 443

The error I'm getting in the logs tells me there is no key for api or 
api.client.com (I've tried both) despite the fact that gsk7cmd shows that
the certificate absolutely is in there.  That's what's vexing; I can see
the certificate, but for some reason Apache cannot.

You don't suppose the unqualified Listen might have something to do with
it, do you?


On Tue, Feb 19, 2013 at 11:19 AM, John Hester jhes...@momtex.com wrote:

 Kevin, I have both chained and self-signed certs on various servers.

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-19 Thread John Hester
I doubt the unqualified listen has any connection.  It sounds like
something's corrupt in the kdb file.  If you only have one cert in the
file, you might try removing the SSLServerCert directive altogether.
Normally one cert in the database is marked as the default to use when
none is specified, and if you only have one, that should be it.  I would
also create a new kdb file from scratch just to make sure it's clean.

If it still won't work after that, I'd suggest opening a case with IBM
support if you have a current entitlement.  I open cases with them all
the time for issues with new software installations, and they're always
very responsive.

-John

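John Hester's checklist across his replies comes down to a handful of httpd.conf facts: the IBM SSL module is loaded, something listens on 443 (qualified or not), a KeyFile points at the kdb, SSLEnable sits inside the :443 VirtualHost, and SSLServerCert either names a label that really is in the key database or is omitted when the kdb holds a single default certificate. The following is an added example, not code from the thread or from IBM: a small Apache-style config parser with those checks run over a constructed httpd.conf assembled from the directives posted in the thread. KDB_LABELS stands in for the labels the key database actually holds (gsk7cmd -cert -list prints them); the finding names are this example's own, and the last two checks (SSLv2 left enabled, error and access log sharing one file) are observations on the posted configs rather than anything John raised.

```python
"""Check an IHS httpd.conf for the SSL prerequisites discussed in the thread.
Added example, not code from the thread or from IBM; SAMPLE_CONF is
constructed from the directives posted in the thread."""
import re

SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
KeyFile /usr/IBMIHS/ssl/client.kdb
SSLDisable

<VirtualHost *:443>
SSLEnable
SSLClientAuth None
SSLServerCert api.client.com
ServerName api.client.com
DocumentRoot /usr/www
<Directory /usr/www>
  Order Allow,Deny
  Allow From All
</Directory>
ErrorLog logs/api_error.log
CustomLog logs/api_error.log common
</VirtualHost>
"""

# Constructed stand-in for the labels in the kdb (what gsk7cmd -cert -list shows).
KDB_LABELS = {"api.client.com"}

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_conf(text):
    """Build a tree of {name, args, directives, children} from Apache-style config."""
    root = {"name": "", "args": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            node = {"name": m.group(1), "args": m.group(2).strip(),
                    "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        m = CLOSE_RE.match(line)
        if m:
            if len(stack) == 1 or stack[-1]["name"].lower() != m.group(1).lower():
                raise ValueError("unexpected </%s>" % m.group(1))
            stack.pop()
            continue
        parts = line.split(None, 1)
        stack[-1]["directives"].append((parts[0], parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError("unclosed <%s>" % stack[-1]["name"])
    return root


def args_of(node, directive):
    """Argument strings of every occurrence of a directive (names are case-insensitive)."""
    return [a for n, a in node["directives"] if n.lower() == directive.lower()]


def check_ihs_ssl(root, kdb_labels):
    """Return finding names, in a fixed order, for the parsed config."""
    findings = []
    if not any(a.split()[:1] == ["ibm_ssl_module"] for a in args_of(root, "LoadModule")):
        findings.append("ssl-module-not-loaded")
    # "Listen 443" and "Listen 0.0.0.0:443" both bind the port.
    if not any(a.rsplit(":", 1)[-1] == "443" for a in args_of(root, "Listen")):
        findings.append("no-listen-443")
    if not args_of(root, "KeyFile"):
        findings.append("no-keyfile")
    ssl_vhosts = [c for c in root["children"]
                  if c["name"].lower() == "virtualhost" and c["args"].endswith(":443")]
    if not ssl_vhosts:
        findings.append("no-ssl-vhost")
    for vh in ssl_vhosts:
        if not args_of(vh, "SSLEnable"):
            findings.append("vhost-ssl-not-enabled")
        labels = args_of(vh, "SSLServerCert")
        # The label must exist in the kdb; without the directive IHS needs one default cert.
        if labels and labels[0] not in kdb_labels:
            findings.append("sslservercert-label-not-in-kdb")
        if not labels and len(kdb_labels) != 1:
            findings.append("no-sslservercert-and-no-single-default")
        if "SSLv2" not in " ".join(args_of(vh, "SSLProtocolDisable")):
            findings.append("sslv2-not-disabled")
        err, acc = args_of(vh, "ErrorLog"), args_of(vh, "CustomLog")
        if err and acc and acc[0].split()[0] == err[0]:
            findings.append("error-and-access-log-share-file")
    return findings


if __name__ == "__main__":
    print(check_ihs_ssl(parse_conf(SAMPLE_CONF), KDB_LABELS))
```

With the posted stanza and a kdb that really contains the api.client.com label, the only findings are the two hygiene ones; swap the label set for {"api"} and the checker reports the label mismatch that corresponds to the "no key for api" error in the thread. The parser is deliberately strict about container nesting, since an unclosed VirtualHost in a hand-edited httpd.conf produces exactly the kind of confusing startup failure being chased here.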

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-19 Thread Kevin King
I tried checking for a default certificate and it reports null.  The KDB
file has the GSK certs and my cert - that's it, and when I follow the
instructions to set up my cert as the default, it gives me a cryptic "I'm
sorry Dave, I can't do that" kind of message.

This is on a customer's system, and they don't have any good paths to
contact Rocket, as their vendor is entirely unresponsive, which is why they
work with us in the first place, and we're not a VAR.  So I post here and
hope someone from Rocket is listening.  Wally, Kevin, Mike, ... there've
been a number of very good Rocket folks helping out here over the years.
(Apologies for anyone I missed.)

-K


Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-19 Thread Peter Cheney
Perhaps a silly question but it's not something as simple as file permissions 
or owner/group membership or environment path is it?


Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-19 Thread Kevin King
Good thinking Peter, but I've made sure permissions and owner are correct.
As to the environment path, I'll have to check that... now that you
mention it I don't recall how the key file is integrated into the Apache
config.  Maybe the problem isn't the key in the file, but perhaps the key
file itself?


Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-18 Thread John Thompson
So I'm guessing you aren't using the open source version of Apache but
the IBM AIX flavor of it, which I'm guessing is IHS.

I've never worked with that before.
Does the customer have IBM support?  Maybe they have some guru that can
send you an example?

I have some notes on this on Linux.

Here is an example of a virtual host section that did work with SSL on
Apache on Linux (open source).
It did not use GSK and IHS, but OpenSSL and open source Apache.

I included the comments because I thought it might help.
BUT, all you need are the un-commented lines.

</VirtualHost>
<IfModule mod_ssl.c>

#May need this if not included elsewhere in apache config files.
#NameVirtualHost *:443
#Listen 443

<VirtualHost *:443>
ServerAdmin some...@foo.com
ServerName foo.com

DocumentRoot /var/www/somesite

<Directory /var/www/somesite>
#Disable Options we don't need
Options -Indexes +Includes -ExecCGI +FollowSymLinks -MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/ssl_access.log combined

Alias /doc/ /usr/share/doc/
<Directory /usr/share/doc/>
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile    /etc/apache2/ssl/basinc.biz.crt
SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
#   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-18 Thread John Thompson
Also I remember having to have three parts with openssl on Linux.

SSLCertificateFile    /etc/apache2/ssl/basinc.biz.crt
SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

Then I remember having to merge two files together to create the chain file
(just using a basic unix cat command I believe)

 SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

I remember these two links being helpful:
Of course it's all openssl based.  Not sure how the gsk stuff works with IBM.

http://jasoncodes.com/posts/startssl-free-ssl
http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/



On Mon, Feb 18, 2013 at 8:14 AM, John Thompson jthompson...@gmail.com wrote:

 So I'm guessing you aren't using the open source version of apache, but,
 the IBM AIX flavor of it.
 Which I'm guessing is IHS.

 I've never worked with that before.
 Does the customer have IBM support?  Maybe they have some guru that can
 send you an example?

 I have some notes on this on Linux.

 Here is an example of a virtual host section that did work with ssl on
 Apache on Linux (open source).
 It did not use gsk and ihs, but, openssl and open source apache.

 I included the comments because I thought it might help.
 BUT, all you need are the un-commented lines.

 </VirtualHost>
 <IfModule mod_ssl.c>

 #May need this if not included elsewhere in apache config files.
 #NameVirtualHost *:443
 #Listen 443

 <VirtualHost *:443>
 ServerAdmin some...@foo.com
 ServerName foo.com

 DocumentRoot /var/www/somesite

 <Directory /var/www/somesite>
 #Disable Options we don't need
 Options -Indexes +Includes -ExecCGI +FollowSymLinks -MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
 </Directory>

 ErrorLog /var/log/apache2/error.log

 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel warn

 CustomLog /var/log/apache2/ssl_access.log combined

 Alias /doc/ /usr/share/doc/
 <Directory /usr/share/doc/>
 Options Indexes MultiViews FollowSymLinks
 AllowOverride None
 Order deny,allow
 Deny from all
 Allow from 127.0.0.0/255.0.0.0 ::1/128
 </Directory>

 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on

 #   A self-signed (snakeoil) certificate can be created by installing
 #   the ssl-cert package. See
 #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
 #   If both key and certificate are stored in the same file, only the
 #   SSLCertificateFile directive is needed.
 SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
 SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
 #   concatenation of PEM encoded CA certificates which form the
 #   certificate chain for the server certificate. Alternatively
 #   the referenced file can be the same as SSLCertificateFile
 #   when the CA certificates are directly appended to the server
 #   certificate for convenience.
 SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

 #   Certificate Authority (CA):
 #   Set the CA certificate verification path where to find CA
 #   certificates for client authentication or alternatively one
 #   huge file containing all of them (file must be PEM encoded)
 #   Note: Inside SSLCACertificatePath you need hash symlinks
 # to point to the certificate files. Use the provided
 # Makefile to update the hash symlinks after changes.
 #SSLCACertificatePath /etc/ssl/certs/
 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

 #   Certificate Revocation Lists (CRL):
 #   Set the CA revocation path where to find CA CRLs for client
 #   authentication or alternatively one huge file containing all
 #   of them (file must be PEM encoded)
 #   Note: Inside SSLCARevocationPath you need hash symlinks
 # to point to the certificate files. Use the provided
 # Makefile to update the hash symlinks after changes.
 #SSLCARevocationPath /etc/apache2/ssl.crl/
 #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

 #   Client Authentication (Type):
 #   Client certificate verification type and depth.  Types are
 #   none, optional, require and optional_no_ca.  Depth is a
 #   number which specifies how deeply to verify the certificate
 #   issuer chain before deciding the certificate is not valid.
 #SSLVerifyClient require
 #SSLVerifyDepth
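John Thompson's chain file is built by cat'ing certificate files together. A structural check of such a bundle, as an added example (not code from the thread or from any project named in it): it splits the PEM blocks, verifies each body is valid base64, rejects a private-key block that was cat'ed in by mistake, and catches the case where a source file lacked a trailing newline so an END marker and the next BEGIN marker landed on one line. The PEM bodies are constructed placeholders, not real certificates.

```python
"""Structural check of a PEM chain file of the kind SSLCertificateChainFile
points at.  Added example, not code from the thread.  The PEM bodies built
below are constructed placeholders (base64 of a short string, not DER)."""
import base64
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)
# cat'ing a file that has no trailing newline glues its END marker to the
# next file's BEGIN marker on a single line, which PEM readers reject.
GLUED_MARKERS = re.compile(r"-----END [A-Z0-9 ]+-----[ \t]*-----BEGIN")


def make_pem(label, payload):
    """Build a constructed PEM block around arbitrary bytes (test data only)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_pem_bundle(text):
    """Return [(label, decoded_bytes), ...] for every PEM block in text.
    Raises ValueError when a block's body is not valid base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            data = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"malformed base64 in {label} block") from exc
        blocks.append((label, data))
    return blocks


def audit_chain_file(text):
    """Return a list of findings; empty means the bundle is a plain run of
    CERTIFICATE blocks, which is all a chain file should contain."""
    findings = []
    if GLUED_MARKERS.search(text):
        findings.append("END and BEGIN markers share a line: a source file "
                        "had no trailing newline before it was cat'ed")
    blocks = parse_pem_bundle(text)
    if not blocks:
        findings.append("no PEM blocks found")
    for label, _ in blocks:
        if "PRIVATE KEY" in label:
            findings.append(f"{label} block present: key material must not "
                            "be in SSLCertificateChainFile")
        elif label != "CERTIFICATE":
            findings.append(f"unexpected {label} block")
    return findings


# Constructed samples (placeholders, not real certificates or keys).
GOOD_CHAIN = (make_pem("CERTIFICATE", b"constructed intermediate CA placeholder")
              + make_pem("CERTIFICATE", b"constructed root CA placeholder"))
LEAKY_CHAIN = GOOD_CHAIN + make_pem("RSA PRIVATE KEY", b"constructed key placeholder")
GLUED_CHAIN = GOOD_CHAIN.replace("-----\n-----BEGIN", "----------BEGIN", 1)

if __name__ == "__main__":
    for name, text in (("good", GOOD_CHAIN), ("leaky", LEAKY_CHAIN), ("glued", GLUED_CHAIN)):
        print(name, audit_chain_file(text) or ["ok"])
```

Pointing `audit_chain_file` at the file named in `SSLCertificateChainFile` (and at `SSLCertificateFile` when the CA certificates are appended there, as the config comment allows) catches the two common cat mistakes before Apache is restarted; it does not validate signatures or order, which still needs an OpenSSL-style verifier.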

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-18 Thread John Thompson
Of course, if the customer doesn't have IBM support, then you might want to
try the open source stuff on AIX.

You can find a lot of good pre-compiled packages here (they plug right
into the AIX package manager)
http://pware.hvcc.edu/

They claim that their AIX 6 stuff works on 7
http://pware.hvcc.edu/downloads.html


On Mon, Feb 18, 2013 at 8:22 AM, John Thompson jthompson...@gmail.com wrote:

 Also I remember having to have three parts with openssl on Linux.

 SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
 SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

 Then I remember having to merge two files together to create the chain
 file (just using a basic unix cat command I believe)

  SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

 I remember these two links being helpful:
 Of course its all openssl based.  Not sure how the gsk stuff works with
 IBM.

 http://jasoncodes.com/posts/startssl-free-ssl

 http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/



 On Mon, Feb 18, 2013 at 8:14 AM, John Thompson jthompson...@gmail.com wrote:

 So I'm guessing you aren't using the open source version of apache, but,
 the IBM AIX flavor of it.
 Which I'm guessing is IHS.

 I've never worked with that before.
 Does the customer have IBM support?  Maybe they have some guru that can
 send you an example?

 I have some notes on this on Linux.

 Here is an example of a virtual host section that did work with ssl on
 Apache on Linux (open source).
 It did not use gsk and ihs, but, openssl and open source apache.

 I included the comments because I thought it might help.
 BUT, all you need are the un-commented lines.

 </VirtualHost>
 <IfModule mod_ssl.c>

 #May need this if not included elsewhere in apache config files.
 #NameVirtualHost *:443
 #Listen 443

 <VirtualHost *:443>
 ServerAdmin some...@foo.com
 ServerName foo.com

 DocumentRoot /var/www/somesite

 <Directory /var/www/somesite>
 #Disable Options we don't need
 Options -Indexes +Includes -ExecCGI +FollowSymLinks -MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
 </Directory>

 ErrorLog /var/log/apache2/error.log

 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel warn

 CustomLog /var/log/apache2/ssl_access.log combined

 Alias /doc/ /usr/share/doc/
 <Directory /usr/share/doc/>
 Options Indexes MultiViews FollowSymLinks
 AllowOverride None
 Order deny,allow
 Deny from all
 Allow from 127.0.0.0/255.0.0.0 ::1/128
 </Directory>

 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on

 #   A self-signed (snakeoil) certificate can be created by installing
 #   the ssl-cert package. See
 #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
 #   If both key and certificate are stored in the same file, only the
 #   SSLCertificateFile directive is needed.
 SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
 SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
 #   concatenation of PEM encoded CA certificates which form the
 #   certificate chain for the server certificate. Alternatively
 #   the referenced file can be the same as SSLCertificateFile
 #   when the CA certificates are directly appended to the server
 #   certificate for convenience.
 SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

 #   Certificate Authority (CA):
 #   Set the CA certificate verification path where to find CA
 #   certificates for client authentication or alternatively one
 #   huge file containing all of them (file must be PEM encoded)
 #   Note: Inside SSLCACertificatePath you need hash symlinks
 # to point to the certificate files. Use the provided
 # Makefile to update the hash symlinks after changes.
 #SSLCACertificatePath /etc/ssl/certs/
 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

 #   Certificate Revocation Lists (CRL):
 #   Set the CA revocation path where to find CA CRLs for client
 #   authentication or alternatively one huge file containing all
 #   of them (file must be PEM encoded)
 #   Note: Inside SSLCARevocationPath you need hash symlinks
 # to point to the certificate files. Use the provided
 # Makefile to update the hash symlinks after changes.
 #SSLCARevocationPath /etc/apache2/ssl.crl/
 #SSLCARevocationFile

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-18 Thread John Thompson
The two might be able to behave together... although I'm not a 100%
positive (so don't quote me on that).
I know the pware packages go to great lengths to install themselves off in
a separate space so as not to clobber any IBM specific software.

http://pware.hvcc.edu/documentation.html

Sorry for the 4 and 5 posts.
I guess my brain only works in small little increments on Monday morning.


On Mon, Feb 18, 2013 at 8:24 AM, John Thompson jthompson...@gmail.com wrote:

 Of course, if the customer doesn't have IBM support, then you might want
 to try the open source stuff on AIX.

 You can find a lot of good pre-compiled' packages here (they plug right
 into the AIX package manager)
 http://pware.hvcc.edu/

 They claim that their AIX 6 stuff works on 7
 http://pware.hvcc.edu/downloads.html


 On Mon, Feb 18, 2013 at 8:22 AM, John Thompson jthompson...@gmail.com wrote:

 Also I remember having to have three parts with openssl on Linux.

 SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
 SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

 Then I remember having to merge two files together to create the chain
 file (just using a basic unix cat command I believe)

  SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

 I remember these two links being helpful:
 Of course its all openssl based.  Not sure how the gsk stuff works with
 IBM.

 http://jasoncodes.com/posts/startssl-free-ssl

 http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/



 On Mon, Feb 18, 2013 at 8:14 AM, John Thompson jthompson...@gmail.com wrote:

 So I'm guessing you aren't using the open source version of apache, but,
 the IBM AIX flavor of it.
 Which I'm guessing is IHS.

 I've never worked with that before.
 Does the customer have IBM support?  Maybe they have some guru that can
 send you an example?

 I have some notes on this on Linux.

 Here is an example of a virtual host section that did work with ssl on
 Apache on Linux (open source).
 It did not use gsk and ihs, but, openssl and open source apache.

 I included the comments because I thought it might help.
 BUT, all you need are the un-commented lines.

 </VirtualHost>
 <IfModule mod_ssl.c>

 #May need this if not included elsewhere in apache config files.
 #NameVirtualHost *:443
 #Listen 443

 <VirtualHost *:443>
 ServerAdmin some...@foo.com
 ServerName foo.com

 DocumentRoot /var/www/somesite

 <Directory /var/www/somesite>
 #Disable Options we don't need
 Options -Indexes +Includes -ExecCGI +FollowSymLinks -MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
 </Directory>

 ErrorLog /var/log/apache2/error.log

 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel warn

 CustomLog /var/log/apache2/ssl_access.log combined

 Alias /doc/ /usr/share/doc/
 <Directory /usr/share/doc/>
 Options Indexes MultiViews FollowSymLinks
 AllowOverride None
 Order deny,allow
 Deny from all
 Allow from 127.0.0.0/255.0.0.0 ::1/128
 </Directory>

 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on

 #   A self-signed (snakeoil) certificate can be created by installing
 #   the ssl-cert package. See
 #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
 #   If both key and certificate are stored in the same file, only the
 #   SSLCertificateFile directive is needed.
 SSLCertificateFile /etc/apache2/ssl/basinc.biz.crt
 SSLCertificateKeyFile /etc/apache2/ssl/basinc.biz.key

 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
 #   concatenation of PEM encoded CA certificates which form the
 #   certificate chain for the server certificate. Alternatively
 #   the referenced file can be the same as SSLCertificateFile
 #   when the CA certificates are directly appended to the server
 #   certificate for convenience.
 SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

 #   Certificate Authority (CA):
 #   Set the CA certificate verification path where to find CA
 #   certificates for client authentication or alternatively one
 #   huge file containing all of them (file must be PEM encoded)
 #   Note: Inside SSLCACertificatePath you need hash symlinks
 # to point to the certificate files. Use the provided
 # Makefile to update the hash symlinks after changes.
 #SSLCACertificatePath /etc/ssl/certs/
 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

 #   Certificate Revocation Lists (CRL):
 #   Set the

Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-18 Thread John Hester
It sounds like you've done all you need to for basic IHS SSL
functionality.  As long as api.client.com matches the name you gave the
certificate via ikeyman, and you have the KeyFile directive, you should
be OK.  There are a lot of other options you can add for optimization
and browser compatibility, but I don't think leaving any of those out
would break it outright.  Here's my working IHS config from the
development server on my Windows workstation for comparison:

<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
SSLServerCert is12.momtex.com
 <Directory c:/IBM/HTTPServer/htdocs/html>
 Options +Includes
 AddType text/html .shtml
 AddOutputFilter INCLUDES .shtml
 </Directory>
</VirtualHost>
KeyFile C:/IBM/HTTPServer/key.kdb
SSLDisable

-John

-Original Message-
From: u2-users-boun...@listserver.u2ug.org
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Saturday, February 16, 2013 4:02 PM
To: U2 Users List
Subject: [U2] AIX 5.3 IBMIHS Web Server

Might anyone have any tips or tricks for getting SSL to work on the
IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box?  The documentation
I've found on the web is byzantine at best and it would be fine if the
commands actually worked, but I keep getting odd error messages and
stalled at every turn.

I've upgraded the GSK so that the server will start with SSL enabled, I
have a virtual host configured, but I have no clue how to tie a specific
certificate to the VirtualHost.  Well, let's say I have clues, but
nothing is working.  Here's the VirtualHost stanza I have set up in
httpd.conf:

<VirtualHost *:443>
SSLEnable
SSLClientAuth None
SSLServerCert api.client.com
ServerName api.client.com
DocumentRoot /usr/www
<Directory /usr/www>
 Order Allow,Deny
 Allow From All
</Directory>
ErrorLog logs/api_error.log
CustomLog logs/api_error.log common
</VirtualHost>

I've been able to generate a CSR and create a self-signed certificate,
and it would appear that I've even successfully imported that
certificate into my key database, as demonstrated by this command:

$ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label api.client.com -pw password

...which produces the following output...

Label: api.client.com
Key Size: 512
Version: X509 V1
Serial Number: 00 DB 00 41 9A 19 77 7E 9F
Issued By: api.client.com
CLIENT
City, ST, US
Subject: api.client.com
CLIENT
City, ST, US
Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
Fingerprint: ...
Signature Algorithm: 1.2.840.113549.1.1.5
Trust Status: enabled

But even though this certificate is in the keyfile (and yes, I have a
KeyFile directive elsewhere in the httpd.conf file pointing to the
client.kdb file) I can't seem to associate it to the virtual host.  What
am I missing?

(And yes, I'm aware this is not specifically a U2 question but I need
this to provide web connectivity to a Unidata machine from a Rackspace
hosted server.  So in a way... it sorta is U2 related.)

Help?
___
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users
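Kevin's question is whether the SSLServerCert label in the vhost really matches what is in the key database, and the gsk7cmd output he quotes also shows a 512-bit key and an X.509 v1 certificate, which no browser would accept today. The following is an added example, not code from the thread or from IBM: it parses the IHS vhost stanza and the gsk7cmd -cert -details output in the shapes quoted above, cross-checks the SSLServerCert label and the KeyFile directive, and flags the weak certificate properties. Directive and field names come from the posts; the KeyFile line in the sample, the 2048-bit minimum and the flagging of SHA-1 (OID 1.2.840.113549.1.1.5 is sha1WithRSAEncryption) are this example's own assumptions.

```python
"""Cross-check an IHS SSL vhost against gsk7cmd -cert -details output.
Added example, not code from the thread; directive and field names are as
quoted in the posts, thresholds are this example's own policy."""
import re

# OID as gsk7cmd prints it: sha1WithRSAEncryption, rejected by modern clients.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048

# Field names seen in the quoted gsk7cmd output; several may share one line.
FIELDS = ("Label", "Key Size", "Version", "Serial Number", "Issued By",
          "Subject", "Valid From", "To", "Fingerprint",
          "Signature Algorithm", "Trust Status")
FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(f) for f in FIELDS) + r"): ")


def parse_gsk_details(text):
    """{field: value}; a line without a field name continues the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        pieces = FIELD_RE.split(line)        # [prefix, name, value, name, value, ...]
        if pieces[0].strip() and last is not None:
            fields[last] += " " + pieces[0].strip()
        for name, value in zip(pieces[1::2], pieces[2::2]):
            fields[name] = value.strip()
            last = name
    return fields


def parse_ihs_conf(conf):
    """(global_directives, {vhost_addr: directives}); names are lower-cased and
    map to lists of values.  Nested blocks such as <Directory> are skipped."""
    global_d, vhosts, current, depth = {}, {}, None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?)VirtualHost\b\s*([^>]*)>", line, re.I)
        if m:
            current = None if m.group(1) else m.group(2)
            if current is not None:
                vhosts[current] = {}
            continue
        if line.startswith("<"):              # <Directory> ... </Directory>
            depth += -1 if line.startswith("</") else 1
            continue
        if depth:
            continue
        name, _, value = line.partition(" ")
        (vhosts[current] if current else global_d).setdefault(name.lower(), []).append(value.strip())
    return global_d, vhosts


def audit_ihs_ssl(conf, details_text):
    """Findings for every SSLEnable'd vhost plus the certificate it names."""
    findings = []
    global_d, vhosts = parse_ihs_conf(conf)
    cert = parse_gsk_details(details_text)
    label = cert.get("Label")
    for addr, d in vhosts.items():
        if "sslenable" not in d:
            continue
        if "keyfile" not in d and "keyfile" not in global_d:
            findings.append(f"{addr}: SSLEnable but no KeyFile directive")
        named = d.get("sslservercert")
        if not named:
            findings.append(f"{addr}: no SSLServerCert, so the key database default certificate is used")
        elif named[0] != label:
            findings.append(f"{addr}: SSLServerCert {named[0]!r} is not the key database label {label!r}")
        disabled = " ".join(d.get("sslprotocoldisable", []) + global_d.get("sslprotocoldisable", [])).upper()
        if "SSLV2" not in disabled:
            findings.append(f"{addr}: SSLv2 not disabled (add SSLProtocolDisable SSLv2)")
    bits = int(cert.get("Key Size", "0"))
    if bits < MIN_RSA_BITS:
        findings.append(f"{label}: {bits}-bit key is below the {MIN_RSA_BITS}-bit minimum")
    if cert.get("Version", "").upper().endswith("V1"):
        findings.append(f"{label}: X.509 v1 certificate carries no extensions, so no subjectAltName")
    oid = cert.get("Signature Algorithm", "")
    if oid in WEAK_SIG_OIDS:
        findings.append(f"{label}: signed with {WEAK_SIG_OIDS[oid]}")
    return findings


# Sample inputs taken from the quoted post; the KeyFile line stands in for
# the one the poster says sits elsewhere in httpd.conf (constructed).
SAMPLE_CONF = """\
KeyFile /usr/IBMIHS/ssl/client.kdb
<VirtualHost *:443>
SSLEnable
SSLClientAuth None
SSLServerCert api.client.com
ServerName api.client.com
DocumentRoot /usr/www
<Directory /usr/www>
 Order Allow,Deny
 Allow From All
</Directory>
</VirtualHost>
"""
SAMPLE_DETAILS = """\
Label: api.client.com
Key Size: 512
Version: X509 V1
Serial Number: 00 DB 00 41 9A 19 77 7E 9F Issued By: api.client.com
CLIENT City, ST, US
Subject: api.client.com
CLIENT
City, ST, US
Signature Algorithm: 1.2.840.113549.1.1.5 Trust Status: enabled
"""
```

Running `audit_ihs_ssl(SAMPLE_CONF, SAMPLE_DETAILS)` on the quoted configuration reports four findings (SSLv2 still enabled, 512-bit key, X.509 v1, SHA-1 signature) and no label mismatch, which is the same split a reviewer would make: the label wiring is right, the certificate itself is the part to regenerate.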


Re: [U2] AIX 5.3 IBMIHS Web Server

2013-02-18 Thread Kevin King
John (Thompson)... This IHS Apache is definitely a cracked Apache with some
odd configuration & SSL setup in particular is completely different.

John (Hester), I can see the cert in the key file (through the gsk7cmd
command) but with the name api.client.com it cannot be found.  I even
recreated the cert as api (without dots) because I found a page that said
that the dots could be causing problems, but still no love.  It seems I've
done everything correctly but still it just can't find a combination that
works.  I'm wondering if the problem here is the fact that it's a
self-signed cert without a chain?  Are you using a self-signed cert here?
 Do you have other certs in your key file that may represent a chain for
the self-signed cert?

Thank you gentlemen for the insight.  Most appreciated.

-K

On Mon, Feb 18, 2013 at 3:09 PM, John Hester jhes...@momtex.com wrote:

 It sounds like you've done all you need to for basic IHS SSL
 functionality.  As long as api.client.com matches the name you gave the
 certificate via ikeyman, and you have the KeyFile directive, you should
 be OK.  There are a lot of other options you can add for optimization
 and browser compatibility, but I don't think leaving any of those out
 would break it outright.  Here's my working IHS config from the
 development server on my Windows workstation for comparison:

 <VirtualHost *:443>
 SSLEnable
 SSLProtocolDisable SSLv2
 SSLServerCert is12.momtex.com
  <Directory c:/IBM/HTTPServer/htdocs/html>
  Options +Includes
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml
  </Directory>
 </VirtualHost>
 KeyFile C:/IBM/HTTPServer/key.kdb
 SSLDisable

 -John

 -Original Message-
 From: u2-users-boun...@listserver.u2ug.org
 [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
 Sent: Saturday, February 16, 2013 4:02 PM
 To: U2 Users List
 Subject: [U2] AIX 5.3 IBMIHS Web Server

 Might anyone have any tips or tricks for getting SSL to work on the
 IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box?  The documentation
 I've found on the web is byzantine at best and it would be fine if the
 commands actually worked, but I keep getting odd error messages and
 stalled at every turn.

 I've upgraded the GSK so that the server will start with SSL enabled, I
 have a virtual host configured, but I have no clue how to tie a specific
 certificate to the VirtualHost.  Well, let's say I have clues, but
 nothing is working.  Here's the VirtualHost stanza I have set up in
 httpd.conf:

 <VirtualHost *:443>
 SSLEnable
 SSLClientAuth None
 SSLServerCert api.client.com
 ServerName api.client.com
 DocumentRoot /usr/www
 <Directory /usr/www>
  Order Allow,Deny
  Allow From All
 </Directory>
 ErrorLog logs/api_error.log
 CustomLog logs/api_error.log common
 </VirtualHost>

 I've been able to generate a CSR and create a self-signed certificate,
 and it would appear that I've even successfully imported that
 certificate into my key database, as demonstrated by this command:

 $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label api.client.com -pw password

 ...which produces the following output...

 Label: api.client.com
 Key Size: 512
 Version: X509 V1
 Serial Number: 00 DB 00 41 9A 19 77 7E 9F
 Issued By: api.client.com
 CLIENT
 City, ST, US
 Subject: api.client.com
 CLIENT
 City, ST, US
 Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
 Fingerprint: ...
 Signature Algorithm: 1.2.840.113549.1.1.5
 Trust Status: enabled

 But even though this certificate is in the keyfile (and yes, I have a
 KeyFile directive elsewhere in the httpd.conf file pointing to the
 client.kdb file) I can't seem to associate it to the virtual host.  What
 am I missing?

 (And yes, I'm aware this is not specifically a U2 question but I need
 this to provide web connectivity to a Unidata machine from a Rackspace
 hosted server.  So in a way... it sorta is U2 related.)

 Help?
