Kevin, Do you have more than one Virtual Host defined? If so, it would appear that each requires a separate IP to be bound.
Not sure if you've already come across this link, but contains some documentation for setting up SSL with IBM HTTP Server: http://www-01.ibm.com/support/docview.wss?uid=swg21179559 HTH. Regards, Brian. -----Original Message----- From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King Sent: Thursday, 21 February 2013 8:35 AM To: U2 Users List Subject: Re: [U2] AIX 5.3 IBMIHS Web Server Where does one get this magical GUI? I wonder, John, if I am unable to procure such an animal if I sent you my key file if you could see if you could nominate a default for me? On Wed, Feb 20, 2013 at 1:58 PM, John Hester <jhes...@momtex.com> wrote: > This would be an IBM support issue rather than Rocket since you're > dealing specifically with IHS. You might want to check with the > customer to see if they're currently under maintenance. There's a good > chance they are if the IHS install was recent because AFAIK you can't > even get the installation files without a support login. > > One other thing you might try is using the iKeyman GUI to create the > keystore database rather than the command line utility. That's what I > always use. You can run it via an X session, or locally on Windows > desktop. I typically create and test a keystore locally on my desktop > and copy the kdb file to the server when I'm sure it's working > correctly. The iKeyman interface is fairly intuitive, and it's easy to > designate a default cert with the click of a button. > > -John > > -----Original Message----- > From: u2-users-boun...@listserver.u2ug.org > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King > Sent: Tuesday, February 19, 2013 6:23 PM > To: U2 Users List > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server > > I tried checking for a default certificate and it reports "null". The > KDB file has the GSK certs and my cert - that's it, and when I follow > the instructions to set up my cert as the default, it gives me a cryptic > "I'm sorry Dave, I can't do that" kind of message. > > This is on a customer's system, and they don't have any good paths to > contact Rocket, as their vendor is entirely unresponsive which is why > they work with us in the first place, and we're not a var. So I post > here and hope someone from Rocket is listening. Wally, Kevin, Mike, ... > there've been a number of very good Rocket folks helping out here over > the years. > (Apologies for anyone I missed.) > > -K > > On Tue, Feb 19, 2013 at 6:12 PM, John Hester <jhes...@momtex.com> wrote: > > > I doubt the unqualified listen has any connection. It sounds like > > something's corrupt in the kdb file. If you only have one cert in the > > > file, you might try removing the SSLServerCert directive altogether. > > Normally one cert in the database is marked as the default to use when > > > none is specified, and if you only have one, that should be it. I > > would also create a new kdb file from scratch just to make sure it's > clean. > > > > If it still won't work after that, I'd suggest opening a case with IBM > > > support if you have a current entitlement. I open cases with them all > > > the time for issues with new software installations, and they're > > always very responsive. > > > > -John > > > > -----Original Message----- > > From: u2-users-boun...@listserver.u2ug.org > > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King > > Sent: Tuesday, February 19, 2013 4:03 PM > > To: U2 Users List > > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server > > > > Yes, I have both the LoadModule and Listen, though my Listen is > > unqualified, like this: > > > > Listen 443 > > > > The error I'm getting in the logs tells me there is no key for "api" > > or " > > api.client.com" (I've tried both) despite the fact that gsk7cmd shows > > that the certificate absolutely is in there. That's what's vexing; I > > can see the certificate, but for some reason Apache cannot. > > > > You don't suppose the unqualified Listen might have something to do > > with it, do you? > > > > > > On Tue, Feb 19, 2013 at 11:19 AM, John Hester <jhes...@momtex.com> > > wrote: > > > > > Kevin, I have both chained and self-signed certs on various servers. > > > The example from my workstation is a self-signed cert. Self-signed > > > is > > > > > actually less prone to error because you don't have to worry about > > > importing the intermediate certs into the keystore database. The > > > only > > > > > other thing I know to suggest at the moment is verify you're loading > > > > the IBM ssl module and listening on port 443: > > > > > > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so Listen 0.0.0.0:443 > > > > > > Are you getting any errors in the IHS SSL logs, either at server > > > startup or when you attempt to browse to port 443? > > > > > > -John > > > > > > -----Original Message----- > > > From: u2-users-boun...@listserver.u2ug.org > > > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin > > > King > > > Sent: Monday, February 18, 2013 5:04 PM > > > To: U2 Users List > > > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server > > > > > > John (Thompson)... This IHS Apache is definitely a cracked Apache > > > with > > > > > some odd configuration SSL setup in particular is completely > > different. > > > > > > John (Hester), I can see the cert in the key file (through the > > > gsk7cmd > > > command) but with the name api.client.com it cannot be found. I > > > even recreated the cert as "api" (without dots) because I found a > > > page that > > > > > said that the dots could be causing problems, but still no love. It > > > > seems I've done everything correctly but still it just can't find a > > > combination that works. I'm wondering if the problem here is the > > > fact > > > > > that it's a self-signed cert without a chain? Are you using a > > > self-signed cert here? > > > Do you have other certs in your key file that may represent a chain > > > > for the self-signed cert? > > > > > > Thank you gentlemen for the insight. Most appreciated. > > > > > > -K > > > > > > On Mon, Feb 18, 2013 at 3:09 PM, John Hester <jhes...@momtex.com> > > wrote: > > > > > > > It sounds like you've done all you need to for basic IHS SSL > > > > functionality. As long as api.client.com matches the name you > > > > gave the certificate via ikeyman, and you have the KeyFile > > > > directive, you > > > > > > should be OK. There are a lot of other options you can add for > > > > optimization and browser compatibility, but I don't think leaving > > > > any of those out would break it outright. Here's my working IHS > > > > config from the development server on my Windows workstation for > > comparison: > > > > > > > > <VirtualHost *:443> > > > > SSLEnable > > > > SSLProtocolDisable SSLv2 > > > > SSLServerCert is12.momtex.com > > > > <Directory "c:/IBM/HTTPServer/htdocs/html"> > > > > Options +Includes > > > > AddType text/html .shtml > > > > AddOutputFilter INCLUDES .shtml > > > > </Directory> > > > > </VirtualHost> > > > > KeyFile "C:/IBM/HTTPServer/key.kdb" > > > > SSLDisable > > > > > > > > -John > > > > > > > > -----Original Message----- > > > > From: u2-users-boun...@listserver.u2ug.org > > > > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin > > > > King > > > > Sent: Saturday, February 16, 2013 4:02 PM > > > > To: U2 Users List > > > > Subject: [U2] AIX 5.3 IBMIHS Web Server > > > > > > > > Might anyone have any tips or tricks for getting SSL to work on > > > > the IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The > > > > documentation I've found on the web is byzantine at best and it > > > > would be fine if the > > > > > > > commands actually worked, but I keep getting odd error messages > > > > and stalled at every turn. > > > > > > > > I've upgrade the GSK so that the server will start with SSL > > > > enabled, > > > > > > I > > > > > > > have a virtual host configured, but I have no clue how to tie a > > > > specific certificate to the VirtualHost. Well, let's say I have > > > > clues, but nothing is working. Here's the <VirtualHost> stanza I > > > > have > > > > > > > set up in > > > > httpd.conf: > > > > > > > > <VirtualHost *:443> > > > > SSLEnable > > > > SSLClientAuth None > > > > SSLServerCert api.client.com > > > > ServerName api.client.com > > > > DocumentRoot /usr/www > > > > <Directory "/usr/www"> > > > > Order Allow,Deny > > > > Allow From All > > > > </Directory> > > > > ErrorLog logs/api_error.log > > > > CustomLog logs/api_error.log common </VirtualHost> > > > > > > > > I've been able to generate a CSR and create a self-signed > > > > certificate, > > > > > > > and it would appear that I've even successfully imported that > > > > certificate into my key database, as demonstrated by this command: > > > > > > > > $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label " > > > > api.client.com" -pw "password" > > > > > > > > ...which produces the following output... > > > > > > > > Label: api.client.com > > > > Key Size: 512 > > > > Version: X509 V1 > > > > Serial Number: 00 DB 00 41 9A 19 77 7E 9F Issued By: > > > > api.client.com CLIENT City, ST, US > > > > Subject: api.client.com > > > > CLIENT > > > > City, ST, US > > > > Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: > > > > Saturday, > > > > > > April 17, 2032 7:06:08 PM EDT > > > > Fingerprint: ... > > > > Signature Algorithm: 1.2.840.113549.1.1.5 Trust Status: enabled > > > > > > > > But even though this certificate is in the keyfile (and yes, I > > > > have a KeyFile directive elsewhere in the httpd.conf file pointing > > > > > to the > > > > > > client.kdb file) I can't seem to associate it to the virtual host. > > > > What am I missing? > > > > > > > > (And yes, I'm aware this is not specifically a U2 question but I > > > > need this to provide web connectivity to a Unidata machine from a > > > > Rackspace > > > > > > > hosted server. So in a way... it sorta is U2 related.) > > > > > > > > Help? > > > > _______________________________________________ > > > > U2-Users mailing list > > > > U2-Users@listserver.u2ug.org > > > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > > > _______________________________________________ > > > > U2-Users mailing list > > > > U2-Users@listserver.u2ug.org > > > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > > > > > > _______________________________________________ > > > U2-Users mailing list > > > U2-Users@listserver.u2ug.org > > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > > _______________________________________________ > > > U2-Users mailing list > > > U2-Users@listserver.u2ug.org > > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > > > > _______________________________________________ > > U2-Users mailing list > > U2-Users@listserver.u2ug.org > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > _______________________________________________ > > U2-Users mailing list > > U2-Users@listserver.u2ug.org > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > > _______________________________________________ > U2-Users mailing list > U2-Users@listserver.u2ug.org > http://listserver.u2ug.org/mailman/listinfo/u2-users > _______________________________________________ > U2-Users mailing list > U2-Users@listserver.u2ug.org > http://listserver.u2ug.org/mailman/listinfo/u2-users > _______________________________________________ U2-Users mailing list U2-Users@listserver.u2ug.org http://listserver.u2ug.org/mailman/listinfo/u2-users _______________________________________________ U2-Users mailing list U2-Users@listserver.u2ug.org http://listserver.u2ug.org/mailman/listinfo/u2-users
