I doubt the unqualified listen has any connection.  It sounds like
something's corrupt in the kdb file.  If you only have one cert in the
file, you might try removing the SSLServerCert directive altogether.
Normally one cert in the database is marked as the default to use when
none is specified, and if you only have one, that should be it.  I would
also create a new kdb file from scratch just to make sure it's clean.

If it still won't work after that, I'd suggest opening a case with IBM
support if you have a current entitlement.  I open cases with them all
the time for issues with new software installations, and they're always
very responsive.

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Tuesday, February 19, 2013 4:03 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

Yes, I have both the LoadModule and Listen, though my Listen is
unqualified, like this:

Listen 443

The error I'm getting in the logs tells me there is no key for "api" or
"api.client.com" (I've tried both) despite the fact that gsk7cmd shows
that the certificate absolutely is in there.  That's what's vexing; I
can see the certificate, but for some reason Apache cannot.

You don't suppose the unqualified Listen might have something to do with
it, do you?

On Tue, Feb 19, 2013 at 11:19 AM, John Hester <jhes...@momtex.com> wrote:

> Kevin, I have both chained and self-signed certs on various servers.
> The example from my workstation is a self-signed cert.  Self-signed is
> actually less prone to error because you don't have to worry about
> importing the intermediate certs into the keystore database.  The only
> other thing I know to suggest at the moment is verify you're loading
> the IBM ssl module and listening on port 443:
>
> LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
> Listen 0.0.0.0:443
>
> Are you getting any errors in the IHS SSL logs, either at server 
> startup or when you attempt to browse to port 443?
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Monday, February 18, 2013 5:04 PM
> To: U2 Users List
> Subject: Re: [U2] AIX 5.3 IBMIHS Web Server
>
> John (Thompson)... This IHS Apache is definitely a cracked Apache with
> some odd configuration.  SSL setup in particular is completely
> different.
>
> John (Hester), I can see the cert in the key file (through the gsk7cmd
> command) but with the name api.client.com it cannot be found.  I even
> recreated the cert as "api" (without dots) because I found a page that
> said that the dots could be causing problems, but still no love.  It
> seems I've done everything correctly but still it just can't find a
> combination that works.  I'm wondering if the problem here is the fact
> that it's a self-signed cert without a chain?  Are you using a
> self-signed cert here?  Do you have other certs in your key file that
> may represent a chain for the self-signed cert?
>
> Thank you gentlemen for the insight.  Most appreciated.
>
> -K
>
> On Mon, Feb 18, 2013 at 3:09 PM, John Hester <jhes...@momtex.com> wrote:
>
> > It sounds like you've done all you need to for basic IHS SSL
> > functionality.  As long as api.client.com matches the name you gave
> > the certificate via ikeyman, and you have the KeyFile directive, you
> > should be OK.  There are a lot of other options you can add for
> > optimization and browser compatibility, but I don't think leaving
> > any of those out would break it outright.  Here's my working IHS
> > config from the development server on my Windows workstation for
> > comparison:
> >
> > <VirtualHost *:443>
> > SSLEnable
> > SSLProtocolDisable SSLv2
> > SSLServerCert is12.momtex.com
> >      <Directory "c:/IBM/HTTPServer/htdocs/html">
> >      Options +Includes
> >      AddType text/html .shtml
> >      AddOutputFilter INCLUDES .shtml
> >      </Directory>
> > </VirtualHost>
> > KeyFile "C:/IBM/HTTPServer/key.kdb"
> > SSLDisable
> >
> > -John
> >
> > -----Original Message-----
> > From: u2-users-boun...@listserver.u2ug.org
> > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> > Sent: Saturday, February 16, 2013 4:02 PM
> > To: U2 Users List
> > Subject: [U2] AIX 5.3 IBMIHS Web Server
> >
> > Might anyone have any tips or tricks for getting SSL to work on the
> > IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box?  The
> > documentation I've found on the web is byzantine at best and it
> > would be fine if the commands actually worked, but I keep getting odd
> > error messages and stalled at every turn.
> >
> > I've upgraded the GSK so that the server will start with SSL enabled,
> > I have a virtual host configured, but I have no clue how to tie a
> > specific certificate to the VirtualHost.  Well, let's say I have
> > clues, but nothing is working.  Here's the <VirtualHost> stanza I
> > have set up in httpd.conf:
> >
> > <VirtualHost *:443>
> >         SSLEnable
> >         SSLClientAuth None
> >         SSLServerCert api.client.com
> >         ServerName api.client.com
> >         DocumentRoot /usr/www
> >         <Directory "/usr/www">
> >              Order Allow,Deny
> >              Allow From All
> >         </Directory>
> >         ErrorLog logs/api_error.log
> >         CustomLog logs/api_error.log common
> > </VirtualHost>
> >
> > I've been able to generate a CSR and create a self-signed
> > certificate, and it would appear that I've even successfully imported
> > that certificate into my key database, as demonstrated by this command:
> >
> > $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "api.client.com" -pw "password"
> >
> > ...which produces the following output...
> >
> > Label: api.client.com
> > Key Size: 512
> > Version: X509 V1
> > Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> > Issued By: api.client.com
> > CLIENT
> > City, ST, US
> > Subject: api.client.com
> > CLIENT
> > City, ST, US
> > Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> > Fingerprint: ...
> > Signature Algorithm: 1.2.840.113549.1.1.5
> > Trust Status: enabled
> >
> > But even though this certificate is in the keyfile (and yes, I have
> > a KeyFile directive elsewhere in the httpd.conf file pointing to the
> > client.kdb file) I can't seem to associate it to the virtual host.
> > What am I missing?
> >
> > (And yes, I'm aware this is not specifically a U2 question but I
> > need this to provide web connectivity to a Unidata machine from a
> > Rackspace hosted server.  So in a way... it sorta is U2 related.)
> >
> > Help?
> > _______________________________________________
> > U2-Users mailing list
> > U2-Users@listserver.u2ug.org
> > http://listserver.u2ug.org/mailman/listinfo/u2-users
> >
>
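The thread never settles why IHS reports "no key" for a label that gsk7cmd plainly lists. As an added example (not from the thread, from IBM, or from the list), here is a small Python checker that parses an httpd.conf stanza for the KeyFile and SSLServerCert directives, compares each configured label exactly against a kdb label listing (catching a label that differs only by stray whitespace, the kind of mismatch the line-wrapped -label argument in the quoted command hints at), and flags the weak properties visible in Kevin's cert details (512-bit key, X.509 v1, SHA-1 signature). The conf text, label list and details block are constructed samples.

```python
import re
# Constructed sample inputs modelled on the thread, not captured from a real host.
HTTPD_CONF = """\
KeyFile "/usr/IBMIHS/ssl/client.kdb"
<VirtualHost *:443>
    SSLEnable
    SSLServerCert api.client.com
    ServerName api.client.com
</VirtualHost>
"""
# Constructed `gsk7cmd -cert -list` style labels; the trailing space is deliberate (stray whitespace).
KDB_LABELS = ["api.client.com ", "root-ca"]
CERT_DETAILS = ("Label: api.client.com\nKey Size: 512\nVersion: X509 V1\n"
                "Signature Algorithm: 1.2.840.113549.1.1.5\n")

def parse_conf(conf):
    """Return (KeyFile path or None, list of SSLServerCert labels) from httpd.conf text."""
    keyfile, labels = None, []
    for line in conf.splitlines():
        m = re.match(r'\s*KeyFile\s+"?([^"]+?)"?\s*$', line)
        if m: keyfile = m.group(1)
        m = re.match(r'\s*SSLServerCert\s+(\S.*?)\s*$', line)
        if m: labels.append(m.group(1))
    return keyfile, labels

def check_labels(conf, kdb_labels):
    """Explain why IHS might report 'no key' for a configured SSLServerCert label."""
    keyfile, labels = parse_conf(conf)
    findings = [] if keyfile else ["no KeyFile directive: IHS has no key database to search"]
    trimmed = {l.strip(): l for l in kdb_labels}   # label -> kdb label differing only in whitespace
    for label in (l for l in labels if l not in kdb_labels):
        if label in trimmed:
            findings.append(f"label {label!r} matches {trimmed[label]!r} only after "
                            "trimming whitespace; re-create the cert with an exact label")
        else:
            findings.append(f"label {label!r} is not in the key database")
    return findings

def check_details(details):
    """Flag weak properties in `gsk7cmd -cert -details` output like the one in the thread."""
    findings = []
    m = re.search(r"Key Size:\s*(\d+)", details)
    if m and int(m.group(1)) < 2048:
        findings.append(f"RSA key is {m.group(1)} bits; 2048 or more expected")
    if re.search(r"Version:\s*X509 V1", details):
        findings.append("X.509 v1 cert carries no extensions, so no SAN; modern clients reject it")
    if "1.2.840.113549.1.1.5" in details:
        findings.append("signature is sha1WithRSAEncryption; re-issue with SHA-256")
    return findings
```

Feed it the real httpd.conf text and the label column of `gsk7cmd -cert -list` to see whether the label IHS looks up is byte-for-byte the one in the kdb.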