This procedure describes how to create and configure your own certificates for a
clustered environment.
Before you begin
The Campaign web application must be configured for SSL by using default certificates.
About this task
The following procedure describes how to create and configure self-signed certificates for
Unica Campaign and Unica Platform.
In a clustered environment where there is an IBM HTTP Server in front of the Unica Campaign web application and Campaign
listener, follow these steps to configure the Campaign listener in SSL.
You can use these steps as a guide for configuring certificates for other Unica products.
This procedure is applicable for the default certificates that are provided by the IBM WebSphere
Application Server. If you are using custom security certificates, you must follow the steps for the
custom certificates used by the IBM WebSphere Application Server.
Procedure
To configure the IBM HTTP Server in SSL, complete the following steps.
-
Use GSKit to generate SSL certificates as follows.
-
Create and initialize a new key database.
For example:
gsk8capicmd_64 -keydb -create -populate -db IHS.kdb -pw password -stash
The -stash option is required for Unica Campaign.
-
Use GSKit to generate a self-signed certificate for Unica Campaign and store it in the key database, as
follows.
For example:
gsk8capicmd_64 -cert -create -db IHS.kdb -dn "CN=*.in.ibm.com" -expire 3650 -pw password -size 1024 -label key -default_cert yes
-
Extract the public part of the certificate to a file.
For the clients to trust a certificate, its public part needs to be distributed to the clients
and stored in their key databases. In this step, you export the public part of the Unica Campaign certificate. You import it in a later
step.
For example:
gsk8capicmd_64 -cert -extract -db IHS.kdb -stashed -label key -target IHS.arm
-
Enable the following module in the httpd.conf file.
For example:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
KeyFile /data/webservers/IBM/IHS/ssl/IHS.kdb
SSLStashFile /data/webservers/IBM/IHS/ssl/IHS.sth
SSLDisable
-
Provide the key file path in the httpd.conf file.
-
Restart the IBM HTTP server.
-
Generate keystore database files for the server that hosts the Unica Campaign
listener.
-
On the server that hosts the Unica Campaign listener, run the following commands
from any location and note the path.
gsk8capicmd_64 -keydb -create -populate -db Key.kdb -pw password -stash
gsk8capicmd_64 -cert -create -db Key.kdb -dn "CN=*.in.ibm.com" -expire 3650 -pw password -size 1024 -label key -default_cert yes
gsk8capicmd_64 -cert -extract -db Key.kdb -stashed -label key -target Key.arm
-
Verify that the following files are generated in the location from where you ran
the above commands.
- Key.arm
- Key.crl
- Key.kdb
- Key.rdb
- Key.sth
-
Import the Key.arm and IHS.arm files into the
application server where the Campaign web application is deployed.
-
Copy the Key.arm and IHS.arm files to the Campaign
web application server.
-
Add the Key.arm and IHS.arm files in the
NodeDefaultTrustStore of the WebSphere Application Server by completing the
following steps:
- Click .
- Click .
- Click Add and provide the Alias and the path where
the Key.arm and IHS.arm files are copied.
- Click OK.
-
Extract the Personal and Signer certificates for the IBM WebSphere Application Server.
- Click .
- Click .
- Select the default certificate.
- Add the Personal Certificate file name along with the valid path in the Unica Campaign web
application server. For example,
/opt/HCL/HCLUnica101/ClientPersonal.cer.
- Click OK.
- Click .
- Select the default certificate.
- Add the Signer Certificate file name along with the valid path in the Unica Campaign web
application server. For example,
/opt/HCL/HCLUnica101/ClientSigner.cer.
- Navigate to the folder and verify that both certificates are present in the folder.
-
Import the Personal and Signer certificates into the Unica Campaign listener and HCL
HTTP Server keystore databases.
-
Copy the ClientPersonal.cer and
ClientSigner.cer certificates to the listener server. You can
use the same location where the Key.kdb file was created.
-
Import the Personal and Signer certificates to the listener keystore database by
using the gsk8capicmd_64 command from the location where the
listener keystore database (Key.kdb) was created.
gsk8capicmd_64 -cert -add -db Key.kdb -stashed -label ClientPersonalKey -file ClientPersonal.cer
gsk8capicmd_64 -cert -add -db Key.kdb -stashed -label ClientSignerlKey -file ClientSigner.cer
-
Copy the ClientPersonal.cer and
ClientSigner.cer certificates to the HCL HTTP Server. You can
use the same location where the IHS.kdb file was created.
-
Import the Personal and Signer certificates to the listener keystore database by
using the gsk8capicmd_64 command from the location where the HCL
HTTP Server keystore database (IHS.kdb) was created.
-
Import the Campaign listener key in the HCL HTTP Server keystore database and import
the HCL HTTP Server key in the Campaign keystore database.
-
Copy the HCL HTTP Server key (IHS.arm) to the listener server.
-
Import the HCL HTTP Server key to the listener keystore database by using the
gsk8capicmd_64 command from the location where the Campaign
listener keystore database (Key.kdb) was created.
gsk8capicmd_64 -cert -add -db Key.kdb -stashed -label IHSKey -file IHS.arm
-
Copy the Campaign listener key (Key.arm) to the listener
server.
-
Import the Campaign listener key to the HCL HTTP Server keystore database by using
the gsk8capicmd_64 command from the location where the HCL HTTP
Server keystore database (IHS.kdb) was created.
gsk8capicmd_64 -cert -add -db IHS.kdb -stashed -label IHSKey -file Key.arm
-
Restart the HCL Campaign application server, the HCL HTTP server and then start the
Unica Campaign Listener.
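
Added example, not part of the product documentation: a check to run against the extracted IHS.arm and Key.arm files before distributing them. It reports RSA key size, signature hash, wildcard subject and self-signing, because the -size 1024 value in the commands above is below the 2048-bit RSA minimum in current guidance such as NIST SP 800-131A. It assumes openssl is installed and that the .arm files are Base64 (PEM) encoded; the function name audit_cert_text and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# audit_cert_text reads `openssl x509 -noout -text` output on stdin,
# prints one finding per line, and returns 1 if the RSA key or the
# signature hash is weak. WILDCARD_CN and SELF_SIGNED are informational.
audit_cert_text() {
    awk '
    /Public Key Algorithm: rsa/ { rsa = 1 }
    /Public-Key: \(/ {
        bits = $0
        sub(/.*Public-Key: \(/, "", bits); sub(/ bit.*/, "", bits)
        if (rsa && bits + 0 < 2048) { print "WEAK_KEY " bits; bad = 1 }
    }
    /Signature Algorithm: (md5|sha1)/ && !sig_seen {
        print "WEAK_SIGALG " $NF; bad = 1; sig_seen = 1
    }
    /Issuer: /  { iss = $0; sub(/.*Issuer: */, "", iss) }
    /Subject: / {
        subj = $0; sub(/.*Subject: */, "", subj)
        if (subj ~ /CN *= *\*\./) print "WILDCARD_CN " subj
    }
    END {
        if (iss != "" && iss == subj) print "SELF_SIGNED"
        exit bad + 0
    }'
}

# Constructed sample: openssl text form of a certificate created with the
# -dn, -expire and -size values shown in the procedure above.
SAMPLE_TEXT='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = *.in.ibm.com
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 29 00:00:00 2033 GMT
        Subject: CN = *.in.ibm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

if [ "$#" -gt 0 ]; then
    # Real use: pass the extracted files, for example IHS.arm Key.arm
    for f in "$@"; do
        echo "== $f"
        openssl x509 -in "$f" -noout -text | audit_cert_text || true
    done
else
    printf '%s\n' "$SAMPLE_TEXT" | audit_cert_text || true
fi
```

Run with no arguments, the script audits the constructed sample; run with file names, it audits each extracted certificate in turn.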