Install IHS
1. Download the IHS Server.
2. Place this tar.gz file in the home directory of the to-be IHS server.
3. Extract the tar and enter the IHS directory.
tar xvfz IHS.tar.gz
cd IHS
4. Create a new response file named "responsefile-ihs.txt" in this directory with the following contents:
-OPT silentInstallLicenseAcceptance=true
-OPT allowNonRootSilentInstall=true
-OPT disableOSPrereqChecking=true
-OPT installLocation=/home/idcuser/IBM/HTTPServer
-OPT httpPort=80
-OPT runSetupAdmin=false
-OPT createAdminAuth=false
-OPT webserverDefinition=\"webserver1\"
-OPT washostname=\"localhost\"
5. Save and exit the response file.
6. Install the IHS server using the response file you just created.
./install -options "responsefile-ihs.txt" -silent
Setup SSL on IHS Server
Now that the IHS server is up and running, we need to configure it to work with SSL. To do this, we will create and sign our own certificate and use it for SSL. These steps are required in order to correctly send requests to Jazz-based products behind the proxy.
Note: You will need to substitute the following parameters in the commands below:
- testpass (Pick a password)
- xx.xxx.xxx.xxx (This should be the ip address of the IHS server)
1. Stop the IHS server
cd ~/IBM/HTTPServer/bin/
sudo ./apachectl stop
2. Create the keystore database
cd ~/IBM/HTTPServer/bin
./gsk7cmd -keydb -create -db ihskeys -pw testpass -expire 3650 -stash -type cms
3. Create a self-signed certificate and add it to the new keystore db
./gsk7cmd -cert -create -db ihskeys.kdb -label xx.xxx.xxx.xxx -expire 3650 -dn "CN=xx.xxx.xxx.xxx/O=IBM/C=US" -default_cert yes -pw testpass
4. Modify httpd.conf (/IBM/HTTPServer/conf/httpd.conf) to include the new SSL information.
- First, make sure that the IBM SSL module is loaded and uncommented.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
- Next, add this to the end of the httpd.conf file. First verify that these directives are not already present and uncommented somewhere else in httpd.conf.
# SSL Configuration
# proxy ip
Listen xx.xxx.xxx.xxx:443
SSLProxyEngine On
SSLEnable
SSLCipherSpec 27
SSLCipherSpec 21
SSLCipherSpec 23
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
KeyFile "/home/idcuser/IBM/HTTPServer/bin/ihskeys.kdb"
SSLDisable
5. Save the httpd.conf and restart IHS
sudo ./apachectl start
Setup SSL Handshake Between Servers
This step is required in order to proxy SSL requests from the IHS server to the other WAS servers. Since our WAS servers are not using official CA-signed certificates, their certificates are considered invalid and cause the SSL proxy requests to fail the handshake. These steps are quite involved, so please follow them carefully. You must do these steps in order to get the reverse proxy to work.
1. Go to the WAS Integrated Solutions Console for one of the WAS servers.
2. Security -> SSL certificate and key management -> Key Stores and Certificates
3. Create a new Key store
- Name: was283keys (where 283 is the last portion of this server's IP. Not required, but will make life easier later.)
- Path: (something like this) ${CONFIG_ROOT}/cells/vlan690-9-31-192-283Node01Cell/nodes/vlan690-9-31-192-283Node01/was283keys.kdb (Note: Your path WILL be different.)
- Type: CMSKS
- Password: Set a password. Make sure you remember this.
5. Open up NodeDefaultKeyStore.
6. Choose "Personal certificates" from the right sidebar.
7. Check the default certificate and do Export.
- Key Store Password: Probably the default password which is: WebAS
- Select "Key Store File" radio button
- Key File Name: ${CONFIG_ROOT}/cells/vlan690-9-31-192-283Node01Cell/nodes/vlan690-9-31-192-283Node01/was283keys.kdb (Should be the same as above)
- Type: CMSKS
- Password: (the one you used above)
8. Export the key. You can verify that it worked by going back to the key store we created (was283keys) and making sure the "default" certificate is in there.
9. Next, we have to copy this key store to the IHS server. Something like this should do the trick:
cd ~/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/vlan690-9-31-192-283Node01Cell/nodes/vlan690-9-31-192-283Node01
scp was283keys.kdb idcuser@:/home/idcuser/IBM/HTTPServer/bin
10. Now switch to the IHS server.
11. Run this command to add the certificates from our keystore into our existing IHS keystore. Be sure to change the passwords to the ones you used above.
cd ~/IBM/HTTPServer/bin
./gsk7cmd -cert -import -db was283keys.kdb -pw password -type cms -target ihskeys.kdb -target_pw password -target_type cms -label default -new_label default_283
12. Restart IHS:
sudo ./apachectl restart
Reverse Proxy Setup using IHS
The IHS configuration file is located at: /home/idcuser/IBM/HTTPServer/conf/httpd.conf
Make sure that the proxy modules are loaded and uncommented:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
1. Add the following lines to the bottom of the httpd.conf file:
ProxyRequests off
ProxyPreserveHost on
SSLProxyEngine on
#Proxy setup for a Jazz Foundation Server
ProxyPass /jazz1/ https://x.xx.xxx.151:9443/jazz1/
ProxyPassReverse /jazz1/ https://x.xx.xxx.151:9443/jazz1/
#Proxy setup for RTC Server
ProxyPass /rtc/ https://x.xx.xxx.152:9443/rtc/
ProxyPassReverse /rtc/ https://x.xx.xxx.152:9443/rtc/
#Proxy setup for RQM Server
ProxyPass /jazz/ https://x.xx.xxx.150:9444/jazz/
ProxyPassReverse /jazz/ https://x.xx.xxx.150:9444/jazz/
2. Verify that all other proxy-related settings in the httpd.conf file are commented out or disabled.
3. Restart the IHS Server:
sudo IBM/HTTPServer/bin/apachectl restart
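A check for the SSL and reverse-proxy settings configured above, as an added example (not code from the original post or from IBM): it reads httpd.conf text, reports which of the SSLCipherSpec codes used on this page select SSLv2, RC4 or 3DES suites, and confirms that ProxyRequests is off and every ProxyPass has a ProxyPassReverse with the same backend. The names `audit`, `active_directives` and `WEAK_CIPHERS` and the sample configuration are constructed for illustration; the cipher names follow IBM's SSLCipherSpec short-code documentation.

```python
# Added example: audits httpd.conf text for the settings this page configures.
# Reasons reflect SSLv2 (RFC 6176) and RC4 (RFC 7465) being prohibited and
# 3DES using a 64-bit block; keys are IHS short SSLCipherSpec codes.
WEAK_CIPHERS = {
    "27": "SSLv2 SSL_DES_192_EDE3_CBC_WITH_MD5",
    "21": "SSLv2 SSL_RC4_128_WITH_MD5",
    "23": "SSLv2 SSL_RC2_CBC_128_CBC_WITH_MD5",
    "3A": "3DES SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "34": "RC4 SSL_RSA_WITH_RC4_128_MD5",
    "35": "RC4 SSL_RSA_WITH_RC4_128_SHA",
}

def active_directives(conf_text):
    """Yield (lowercased name, args) for each uncommented directive line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def audit(conf_text):
    """Return a list of findings for cipher and reverse-proxy directives."""
    findings, passes, reverses = [], {}, {}
    for name, args in active_directives(conf_text):
        if name == "sslcipherspec" and args and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"SSLCipherSpec {args[0]}: {WEAK_CIPHERS[args[0].upper()]}")
        elif name == "proxyrequests" and args and args[0].lower() != "off":
            findings.append("ProxyRequests is not off (acts as a forward proxy)")
        elif name == "proxypass" and len(args) >= 2:
            passes[args[0]] = args[1]
        elif name == "proxypassreverse" and args:
            reverses[args[0]] = args[1] if len(args) > 1 else None
    for path, backend in passes.items():
        if reverses.get(path) != backend:
            findings.append(f"ProxyPassReverse {path} missing or not {backend}")
    return findings

# Constructed sample in the shape of the httpd.conf built above.
SAMPLE_CONF = """\
SSLCipherSpec 27
SSLCipherSpec 3A
SSLCipherSpec 35
ProxyRequests off
ProxyPass /jazz1/ https://x.xx.xxx.151:9443/jazz1/
ProxyPassReverse /jazz1/
#ProxyPass /jazz/ http://x.xx.xxx.150:9444/jazz/
ProxyPass /rtc/ https://x.xx.xxx.152:9443/rtc/
ProxyPassReverse /rtc/ https://x.xx.xxx.152:9443/rtc/
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Commented-out lines are ignored, so the audit also covers the "all other proxy-related settings are commented out" step for ProxyPass mappings.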