Creating and configuring certificates for a clustered environment

This procedure describes how to create and configure your own certificates for a clustered environment.

Before you begin

The Campaign web application must be configured for SSL by using default certificates.

About this task

The following procedure describes how to create and configure self-signed certificates for Campaign and Marketing Platform.

In a clustered environment where there is an IBM HTTP Server in front of the Campaign web application and IBM Campaign listener, follow these steps to configure the IBM Campaign listener for SSL.

For additional details on using GSKit, see http://www.ibm.com/developerworks/security/tutorials/se-gskit/. You can use these steps as a guide for configuring certificates for other HCL® Marketing Software products.

This procedure is applicable for the default certificates that are provided by the IBM WebSphere Application Server. If you are using custom security certificates, you must follow the steps for the custom certificates used by the IBM WebSphere Application Server.

Procedure

To configure the IBM HTTP Server for SSL, complete the following steps.
  1. Use GSKit to generate SSL certificates as follows.
    1. Create and initialize a new key database.

      For example:

      gsk8capicmd_64 -keydb -create -populate -db IHS.kdb -pw password -stash

      The -stash option is required for Campaign.
    2. Use GSKit to generate a self-signed certificate for Campaign and store it in the key database, as follows.

      For example:

      gsk8capicmd_64 -cert -create -db IHS.kdb -dn "CN=*.in.ibm.com" -expire 3650 -pw password -size 1024 -label key -default_cert yes
    3. Extract the public part of the certificate to a file.

      For the clients to trust a certificate, its public part needs to be distributed to the clients and stored in their key databases. In this step, you export the public part of the Campaign certificate. You import it in a later step.

      For example:

      gsk8capicmd_64 -cert -extract -db IHS.kdb -stashed -label key -target IHS.arm
    4. Enable the following module in the httpd.conf file.

      For example:

      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      
      Listen 443
      <VirtualHost *:443>
      SSLEnable
      </VirtualHost>
      KeyFile /data/webservers/IBM/IHS/ssl/IHS.kdb
      SSLStashFile /data/webservers/IBM/IHS/ssl/IHS.sth
      SSLDisable
      
    5. Provide the key file path in the httpd.conf file.
    6. Restart the IBM HTTP Server.
  2. Generate keystore database files for the server that hosts the IBM Campaign listener.
    1. On the server that hosts the IBM Campaign listener, run the following commands from any location and note the path.
      gsk8capicmd_64 -keydb -create -populate -db Key.kdb -pw password -stash
      gsk8capicmd_64 -cert -create -db Key.kdb -dn "CN=*.in.ibm.com" -expire 3650 -pw password -size 1024 -label key -default_cert yes
      gsk8capicmd_64 -cert -extract -db Key.kdb -stashed -label key -target Key.arm
      
    2. Verify that the following files are generated in the location from where you ran the above commands.
      • Key.arm
      • Key.crl
      • Key.kdb
      • Key.rdb
      • Key.sth
  3. Import the Key.arm and IHS.arm files into the application server where the Campaign web application is deployed.
    1. Copy the Key.arm and IHS.arm files to the Campaign web application server.
    2. Add the Key.arm and IHS.arm files in the NodeDefaultTrustStore of the WebSphere Application Server by completing the following steps:
      1. Click Security > SSL Certificate and key management > Key stores and certificates.
      2. Click NodeDefaultTrustStore > Signer certificates.
      3. Click Add and provide the Alias and the path where the Key.arm and IHS.arm files are copied.
      4. Click OK.
  4. Extract the Personal and Signer certificates for the IBM WebSphere Application Server.
    1. Click Security > SSL Certificate and key management > Key stores and certificates.
    2. Click NodeDefaultTrustStore > Personal Certificates.
    3. Select the default certificate.
    4. Add the Personal Certificate file name along with the valid path in the IBM Campaign web application server. For example, /opt/IBM/IBMMS101/ClientPersonal.cer.
    5. Click OK.
    6. Click NodeDefaultTrustStore > Signer Certificates.
    7. Select the default certificate.
    8. Add the Signer Certificate file name along with the valid path in the IBM Campaign web application server. For example, /opt/IBM/IBMMS101/ClientSigner.cer.
    9. Navigate to the folder and verify that both certificates are present in the folder.
  5. Import the Personal and Signer certificates into the IBM Campaign listener and IBM HTTP Server keystore databases.
    1. Copy the ClientPersonal.cer and ClientSigner.cer certificates to the listener server. You can use the same location where the Key.kdb file was created.
    2. Import the Personal and Signer certificates to the listener keystore database by using the gsk8capicmd_64 command from the location where the listener keystore database (Key.kdb) was created.
      gsk8capicmd_64 -cert -add -db Key.kdb -stashed -label ClientPersonalKey -file ClientPersonal.cer
      gsk8capicmd_64 -cert -add -db Key.kdb -stashed -label ClientSignerKey -file ClientSigner.cer
      
    3. Copy the ClientPersonal.cer and ClientSigner.cer certificates to the IBM HTTP Server. You can use the same location where the IHS.kdb file was created.
    4. Import the Personal and Signer certificates to the IBM HTTP Server keystore database by using the gsk8capicmd_64 command from the location where the IBM HTTP Server keystore database (IHS.kdb) was created.
  6. Import the Campaign listener key in the IBM HTTP Server keystore database and import the IBM HTTP Server key in the Campaign keystore database.
    1. Copy the IBM HTTP Server key (IHS.arm) to the listener server.
    2. Import the IBM HTTP Server key to the listener keystore database by using the gsk8capicmd_64 command from the location where the Campaign listener keystore database (Key.kdb) was created.
      gsk8capicmd_64 -cert -add -db Key.kdb -stashed -label IHSKey -file IHS.arm
    3. Copy the Campaign listener key (Key.arm) to the IBM HTTP Server.
    4. Import the Campaign listener key to the IBM HTTP Server keystore database by using the gsk8capicmd_64 command from the location where the IBM HTTP Server keystore database (IHS.kdb) was created.
      gsk8capicmd_64 -cert -add -db IHS.kdb -stashed -label IHSKey -file Key.arm
  7. Restart the IBM Campaign application server and the IBM HTTP Server, and then start the IBM Campaign listener.
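
The following check is an added example, not part of the original procedure or of IBM's tooling. It audits the httpd.conf settings from step 1 (module loaded, SSLEnable inside a virtual host, KeyFile set) and flags a key database or stash file that group or other users can access, because anyone who can read the stash file created by -stash can open the key database with -stashed. The function names and the permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the SSL settings from step 1 in an IBM HTTP Server httpd.conf.
# check_ihs_ssl CONF prints one line per finding and returns the number of findings.

# Print the first argument of the first occurrence of a directive (case-insensitive).
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed when the file grants any read or write access to group or other.
too_open() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) 2>/dev/null)" ]
}

check_ihs_ssl() {
    conf=$1
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+ibm_ssl_module' "$conf" ||
        note "ibm_ssl_module is not loaded"

    # SSLEnable only counts when it sits between <VirtualHost ...> and </VirtualHost>.
    awk 'tolower($1) ~ /^<virtualhost/   { v = 1 }
         tolower($1) ~ /^<\/virtualhost/ { v = 0 }
         v && tolower($1) == "sslenable" { ok = 1 }
         END { exit !ok }' "$conf" || note "no VirtualHost contains SSLEnable"

    kdb=$(directive "$conf" KeyFile)
    sth=$(directive "$conf" SSLStashFile)
    if [ -z "$kdb" ]; then
        note "KeyFile is not set"
        return "$findings"
    fi
    # Assumption: the stash written by -stash sits beside the .kdb with an .sth suffix.
    auto="${kdb%.kdb}.sth"
    [ "$sth" = "$auto" ] && sth=

    for f in "$kdb" "$auto" "$sth"; do
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then
            note "$f does not exist"
        elif too_open "$f"; then
            note "$f is readable or writable by group or other"
        fi
    done
    return "$findings"
}
```

Call it as `check_ihs_ssl /path/to/httpd.conf` before restarting the IBM HTTP Server; a return value of 0 means no findings.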