Windows LiveWindows Live
 
 
dalong 的个人资料龙的传人照片日志列表 工具 帮助

日志
    1月29日

    在IHS上配置SSL

    在IHS上配置SSL
    之前一直都没做过这方面的配置,但是觉得说不定什么时候用得着,就问了配过的同事,自己也在网上找了些资料了解了大概的过程。但是大部分都没有写明是在IHS的哪个版本上作的,于是想试试在IHS61上面是不是也是同样的做法。参考的资料包括:
    1.IHS User's Guide中的Chapter 5中的securing communications
    2.WebSphere Application Server V6.1 Security Handbook(sg246316).pdf中的7.2和7.3
    其中7.2介绍了Browser和IHS的SSL配置,也是我试验的内容;7.3讲的是IHS plugin和WAS的SSL配置。
    3.WebSphere Security Fundamentals(redp3944).pdf
    笔记本上本来就有一个WAS61的环境,于是装上IHS和plugin开始试验。可能是太久没有用IHS了,都忘记了怎样将IHS加到DM的console中进行管理。一开始以为就是把webserver的定义建起来就可以了,一启动就产生了一个FFDC,打开一看说是没找到webserver1的定义,详细信息如下:
    ------Start of DE processing------ = [07-1-26 15:48:29:228 CST] , key = javax.management.MBeanException com.ibm.ws.management.AdminServiceImpl.invoke 679
    Exception = javax.management.MBeanException
    Source = com.ibm.ws.management.AdminServiceImpl.invoke
    probeid = 679
    Stack Dump = javax.management.MBeanException: Exception thrown in RequiredModelMBean while trying to invoke operation launchProcess
     at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1116)
     。。。
    Caused by: com.ibm.websphere.management.exception.AdminException: Server, webserver1, not found.
     。。。
    突然记起以前做的时候好像是要运行一个IHS安装过程中自己生成的脚本的,试试看。在PLUGIN_HOME\bin找到configurewebserver1.bat拷贝至DM_PROFILE\bin直接执行,webserver1的启动停止都OK了。
    接下来开始在本次试验的主要工作:
    1、使用ikeyman生成CMS key database file,虽然好像除了CMS外还有其他的类型但是好像看到某本redbook上说了IHS只能使用CMS的。创建了mykey.kdb后再给运行IHS的机器发一个证书,直接在ikeyman中新建自签署证书就可以了,创建的证书会出现在个人证书列表中,最后不要忘了转储密码(Stash the password to a file).
    ihs_610.pdf中描述如下:
    Create a new key database as follows:
    1. Start the IKEYMAN user interface. Refer to Starting the Key Management utility for platform-specific instructions.
    2. Click key database file from the main user interface, then click New. Select CMS for the Key database type. IBM HTTP Server does not support database types other than CMS.
    3. Enter your password in the Password Prompt dialog box, and confirm the password. Select Stash the password to a file. Click OK. The new key database should display in the IKEYMAN utility with default signer certificates. Ensure that there is a functional, non-expiring signer certificate for each of your personal certificates.
    Creating a self-signed certificate
    It usually takes two to three weeks to get a certificate from a well known certificate authority (CA). While waiting for a certificate to be issued, use IKEYMAN to create a self-signed server certificate to enable SSL sessions between clients and the server. Use this procedure if you act as your own CA for a private Web network. Complete the following steps to create a self-signed certificate:
    1. If you have not created the key database, see Creating a new key database for instructions.
    2. Start the IKEYMAN user interface.
    3. Click Key Database File from the main UI, and then click Open.
    4. Enter your key database name in the Open dialog box, or click the key.kdb file, if you use the default. Click OK.
    5. In the Password Prompt dialog box, enter your correct password and click OK.
    6. Click Personal Certificates in the Key Database content frame, and click the New Self-Signed radio button.
    7. Enter the following information in the Password Prompt dialog box: v Key label: Enter a descriptive comment to identify the key and certificate in the database.
    v Key size: Choose your level of encryptions from the drop-down menu.
    v Common Name: Enter the fully qualified host name of the Web server as the common name. Example: www.myserver.com.
    v Organization Name: Enter your organization name.
    v Optional: Organization Unit v Optional: Locality
    v Optional: State/Province
    v Optional: Zip code
    v Country: Enter a country code. Specify at least two characters. Example: US Certificate request file name, or use the default name.
    v Validity Period
    8. Click OK.
    其实在生产环境中应该是创建完key database后将CA发的证书(如*.cer)导入,自己做试验的话自签一个就可以了,并不影响配置和实现。
    2、修改http.conf。
    以下是我在http.conf中增加的:
    # SSL config
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    <IfModule mod_ibm_ssl.c>
     Listen 443
     <VirtualHost *:443>
      SSLEnable
     </VirtualHost>
    </IfModule>
    SSLDisable
    KeyFile "C:/IBM/HTTPServer/bin/mykey.kdb"
    一开始看到IBM中国的论坛上说NT环境的话load一个XXX.dll,但是打开IHS_HOME\modules看到了一大堆的so,而且原来的http.conf中也load了不少so,找redbook上写的应该没错。改完保存重新启动IHS,一切OK。
    下面开始验证,就拿snoop来试一试吧。打开http://...:9080/snoop,显示正常。试试http://.../snoop,等了半天没出来。troubleshooting的时间到了,很明显request没有被plugin转发给WAS,重新生成插件看看。在DM console中找到“环境--更新全局 Web 服务器插件配置”,更新完之后原来http.conf中的WebSpherePluginConfig指向的文件并没有更新,难道是插件位置不对?修改为DM_HOME\config\cells\plugin-cfg.xml,这回IHS读到新的插件了,但是老觉得“更新全局 Web 服务器插件配置”中的全局好像大对劲。搞了半天没找对地方,更新webserver1的插件应该是在“服务器--Web服务器”中的这回应该没错了,再试还是老样子。突然想起来之前做过的另一个试验给server1加上了80侦听,动手把IHS改成81。修改了Listen 0.0.0.0:81和ServerName szd610-286.boshi.com.cn:81两行。奇怪的是原来IHS占着80,server1启动时也不会报错。重起webserver1和server1后80和81都正常启动了,http://...:81/snoophttp://.../snoop访问正常,访问https://.../snoop出来两个安全警报,确定后终于看到了snoop。
    8:58 | 写入日志 | IHS

    评论 (9)

    请稍候...
    很抱歉,您输入的评论太长。请缩短您的评论。
    您没有输入任何内容,请重试。
    很抱歉,我们当前无法添加您的评论。请稍后重试。
    若要添加评论,需要您的家长授予您相应权限。请求权限
    您的家长禁用了评论功能。
    很抱歉,我们当前无法删除您的评论。请稍后重试。
    您已超过了一天之内允许提供的评论数上限。请在 24 小时后重试。
    因为我们的系统表明您可能在向其他用户提供垃圾评论,您的帐户已禁用了评论功能。如果您认为我们错误地禁用了您的帐户,请联系 Windows Live 支持部门
    完成下面的安全检查,您提供评论的过程才能完成。
    您在安全检查中键入的字符必须与图片或音频中的字符一致。

    若要添加评论,请使用您的 Windows Live ID 登录(如果您使用过 Hotmail、Messenger 或 Xbox LIVE,您就拥有 Windows Live ID)。登录


    还没有 Windows Live ID 吗?请注册
    没有名字发表:
    10 月 16 日
    没有名字发表:
    7 月 15 日
    没有名字发表:
    7 月 15 日
    没有名字发表:
    7 月 1 日
    没有名字发表:
    7 月 1 日
    没有名字发表:
    7 月 1 日
    没有名字发表:
    http://www.batterygoshop.co.uk/dell/1501-battery.htm dell 1501 battery ,
    http://www.batterygoshop.co.uk/dell/e1505-battery.htm dell e1505 battery ,
    http://www.batterygoshop.co.uk/dell/kd476-battery.htm dell kd476 battery ,
    http://www.batterygoshop.co.uk/dell/gd761-battery.htm dell gd761 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-9100-battery.htm dell inspiron 9100 battery ,
    http://www.batterygoshop.co.uk/dell/dell-inspiron-xps-battery.htm dell dell inspiron xps battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-2000-battery.htm dell inspiron 2000 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-2100-battery.htm dell inspiron 2100 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-2800-battery.htm dell inspiron 2800 battery ,
    http://www.batterygoshop.co.uk/dell/latitude-ls-400-battery.htm dell latitude ls 400 battery ,
    http://www.batterygoshop.co.uk/dell/latitude-c400-battery.htm dell latitude c400 battery ,
    http://www.batterygoshop.co.uk/dell/4e369-battery.htm dell 4e369 battery ,
    http://www.batterygoshop.co.uk/dell/d620-battery.htm dell d620 battery ,
    http://www.batterygoshop.co.uk/dell/d630-battery.htm dell d630 battery ,
    http://www.batterygoshop.co.uk/dell/latitude-d620-battery.htm dell latitude d620 battery ,
    http://www.batterygoshop.co.uk/dell/latitude-d820-battery.htm dell latitude d820 battery ,
    http://www.batterygoshop.co.uk/dell/latitude-d830-battery.htm dell latitude d830 battery ,
    http://www.batterygoshop.co.uk/dell/latitude-d531-battery.htm dell latitude d531 battery ,
    http://www.batterygoshop.co.uk/dell/precision-m65-battery.htm dell precision m65 battery ,
    http://www.batterygoshop.co.uk/dell/d820-battery.htm dell d820 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-6000-battery.htm dell inspiron 6000 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-9200-battery.htm dell inspiron 9200 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-9300-battery.htm dell inspiron 9300 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-9400-battery.htm dell inspiron 9400 battery ,
    http://www.batterygoshop.co.uk/dell/e1705-battery.htm dell e1705 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-1520-battery.htm dell inspiron 1520 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-1720-battery.htm dell inspiron 1720 battery ,
    http://www.batterygoshop.co.uk/dell/vostro-1500-battery.htm dell vostro 1500 battery ,
    http://www.batterygoshop.co.uk/dell/vostro-1700-battery.htm dell vostro 1700 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-910-battery.htm dell inspiron 910 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-mini-9-battery.htm dell inspiron mini 9 battery ,
    http://www.batterygoshop.co.uk/dell/xd187-battery.htm dell xd187 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-1300-battery.htm dell inspiron 1300 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-b120-battery.htm dell inspiron b120 battery ,
    http://www.batterygoshop.co.uk/dell/inspiron-b130-battery.htm dell inspiron b130 battery ,
    http://www.batterygoshop.co.uk/gateway/12msbg-battery.htm gateway 12msbg battery ,
    http://www.batterygoshop.co.uk/gateway/4s2p-battery.htm gateway 4s2p battery ,
    http://www.batterygoshop.co.uk/gateway/8msb-battery.htm gateway 8msb battery ,
    http://www.batterygoshop.co.uk/gateway/8msbg-battery.htm gateway 8msbg battery ,
    http://www.batterygoshop.co.uk/gateway/s62044l-battery.htm gateway s62044l battery ,
    http://www.batterygoshop.co.uk/gateway/m320-battery.htm gateway m320 battery ,
    http://www.batterygoshop.co.uk/gateway/m325-battery.htm gateway m325 battery ,
    http://www.batterygoshop.co.uk/gateway/4000-battery.htm gateway 4000 battery ,
    http://www.batterygoshop.co.uk/gateway/s62066l-battery.htm gateway s62066l battery ,
    3 月 6 日
    匿名 的图片
    ssqt 发表:
    6 月 3 日
    没有名字发表:
    3 月 1 日

    引用通告

    此日志的引用通告 URL 是:
    http://cdalong.spaces.live.com/blog/cns!127AB823C1BD7F1F!168.trak
    引用此项的网络日志