How to set up end-to-end security in ZIEWeb-Client

Summary


This document explains, step by step, the configuration that ZIEWeb-Client users must perform to access ZIEWeb-Client pages over a secure URL.

Objective


To access the ZIEWeb HTML and Config pages securely via ZIEWeb-Client, users need the following configuration:

  • A secure IBM WebSphere Application Server (WAS)
  • A secure IBM HTTP Server (or any other web server)
  • The IBM HTTP Server self-signed certificate added to the IBM WebSphere Application Server Java key store

Steps to configure IBM WebSphere Application Server as Secure

  1. Open IBM WebSphere Application Server’s key store. A sample location of the key store is shown below. The actual path depends on where WAS is installed and how you have configured it.
     
    \IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\testnameNode01Cell\nodes\testnameNode01\key.p12
     
  2. Either create a self-signed certificate in this key store or import a Certificate Authority certificate to this key store.
  3. Add the above certificate to the browser’s key store as well, under the trusted root certificates.
  4. Restart the WAS service.
  5. Clear the browser history and restart the browser.
  6. Open the WAS URL in the browser using the secure port:
    https://<WAS IP>:<WAS secure port>/ibm/console
     
    e.g. https://<WAS IP>:9043/ibm/console
  7. Enter the secure WAS URL in the browser. The secure WAS URL should load without any errors and display a lock symbol.

Steps to configure IBM HTTP Server (or any other web server) as Secure

  1. Open IBM HTTP Server’s key store. Its location depends on where IBM HTTP Server is installed and how you have configured it; the sample configuration in step 4 uses C:/Program Files/ibm/HTTPServer/key.kdb.
  2. If such a key store does not exist, create a new one.
  3. Either create a self-signed certificate in this key store or import a Certificate Authority certificate to this key store.
  4. Update the httpd.conf file of IBM HTTP Server to load the SSL module and provide the appropriate configuration (below is a sample):
     
    # Load the IBM SSL module.
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    <IfModule mod_ibm_ssl.c>
      Listen 0.0.0.0:443
      ## IPv6 support:
      #Listen [::]:443
      #SSLCheckCertificateExpiration 30
      <VirtualHost *:443>
        # Turn SSL on for this virtual host only.
        SSLEnable
        # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
      </VirtualHost>
    </IfModule>
    # SSL stays off for the main server and any virtual host without SSLEnable.
    SSLDisable
    # Key database that holds the server certificate.
    KeyFile "C:/Program Files/ibm/HTTPServer/key.kdb"
    SSLStashFile "C:/Program Files/ibm/HTTPServer/key.sth"
     
  5. Restart IBM HTTP Server
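
Before restarting, the SSL directives from step 4 can be checked mechanically. The Python below is an added example, not part of IBM's tooling or of the original article: it reads httpd.conf text and reports a missing SSL module, KeyFile, SSLEnable virtual host or matching Listen port, and notes when the HSTS header is inactive. The names SAMPLE, port_of and audit are hypothetical, and SAMPLE is constructed from the sample configuration above.

```python
import re
# Constructed input: the sample httpd.conf fragment from step 4 above.
SAMPLE = """LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
 SSLEnable
 # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
</IfModule>
SSLDisable
KeyFile "C:/Program Files/ibm/HTTPServer/key.kdb"
"""

def port_of(addr):  # port from 'host:port' or a bare port, else None
    m = re.search(r"(?:^|:)(\d+)$", addr)
    return m.group(1) if m else None

def audit(conf):
    """Return findings for the SSL directives in IBM HTTP Server config text."""
    seen, listen, vhost, ssl_vhosts, hsts = set(), set(), None, [], set()
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        name, arg = (line.lower().split(None, 1) + [""])[:2]
        if name == "<virtualhost":
            vhost = arg.rstrip(">").strip()
        elif name == "</virtualhost>":
            vhost = None
        elif name == "listen" and arg:
            listen.add(port_of(arg.split()[0]))
        elif name == "sslenable" and vhost:
            ssl_vhosts.append(vhost)
        elif name == "header" and "strict-transport-security" in arg:
            hsts.add(vhost)  # None means set globally, covering every vhost
        elif name == "keyfile":
            seen.add("keyfile")
        elif name == "loadmodule" and arg.startswith("ibm_ssl_module"):
            seen.add("module")
    out = [msg for missing, msg in (
        ("module" not in seen, "ibm_ssl_module is not loaded"),
        ("keyfile" not in seen, "no KeyFile directive"),
        (not ssl_vhosts, "no <VirtualHost> contains SSLEnable")) if missing]
    for v in ssl_vhosts:
        if port_of(v) not in listen:
            out.append(f"{v}: SSLEnable set but no Listen on that port")
        if not hsts & {v, None}:
            out.append(f"{v}: Strict-Transport-Security header not active")
    return out
```

The HSTS finding is informational: the sample ships with that header commented out, and the Header directive needs mod_headers loaded before it can be enabled.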

Secure connection between IBM WebSphere Application Server and IBM HTTP Server (or any other web server)

  • To complete the setup, add both the web server certificate and the IBM WebSphere Application Server certificate to the signer section of the WAS Java key store.

    A sample location of the WAS Java key store is shown below.

    IBM\WebSphere\AppServer9\java\8.0\jre\lib\security

  • Restart IBM WebSphere Application Server.

    This should complete the security setup. Now, you can open the ZIEWeb-Client URL with https.