The environment used for this demonstration:
192.168.137.93  IHS node
192.168.137.231 WAS node, installation type alone-server (stand-alone server)
IHS and WAS version: 7.0
First make sure that IHS, the Plug-in and WAS are all installed correctly.
Open the /opt/IBM/HTTPServer/bin/ikeyman tool:
Create a new key database
Create a new self-signed certificate
Open the httpd.conf file, uncomment the following lines and edit them:
---------------------------------------------------------------------------------------------------
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
SSLProtocolDisable SSLv2
# Note: no client certificate is required here, i.e. one-way (server-only) authentication
SSLClientAuth none
</VirtualHost>
# Note: KeyFile is the key database file we just created
KeyFile /opt/IBM/HTTPServer/ssl/key.kdb
SSLDisable
----------------------------------------------------------------------------------------------------
Generate the plugin-cfg.xml plug-in configuration file, then upload it manually to the IHS server:
Parts of the generated plugin-cfg.xml may need to be edited:
Location of the http_plugin.log log file:
<Log LogLevel="Error" Name="/opt/IBM/HTTPServer/Plugins/logs/webserver1/http_plugin.log"/>
Plug-in installation directory:
<Property Name="PluginInstallRoot" Value="/opt/IBM/HTTPServer/Plugins/"/>
Plug-in key database and password stash file:
<Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.kdb"/>
<Property Name="stashfile" Value="/opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.sth"/>
After starting IHS, accessing https://192.168.137.93 fails, and the server log shows the following errors:
----------------------------------------------------------------------------------------------------
[Thu Nov 12 14:59:02 2015] 00006037 f7e8c6c0 - ERROR: lib_security: logSSLError: str_security (gsk error 107): GSK_KEYFILE_CERT_EXPIRED
[Thu Nov 12 14:59:02 2015] 00006037 f7e8c6c0 - ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
[Thu Nov 12 14:59:02 2015] 00006037 f7e8c6c0 - ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security
[Thu Nov 12 14:59:02 2015] 00006037 f7e8c6c0 - ERROR: ws_server: serverAddTransport: Failed to initialize security
[Thu Nov 12 14:59:02 2015] 00006037 f7e8c6c0 - ERROR: ws_server: serverAddTransport: HTTPS Transport is skipped
-----------------------------------------------------------------------------------------------------
The cause is that the Plug-in's default certificate has expired, so the certificate file has to be recreated:
The expired certificate lives in the /opt/IBM/HTTPServer/Plugins/config/webserver1 directory; open plugin-key.kdb with the IBM key management tool ikeyman to view the certificate details:
We need to recreate the Plug-in's SSL key database: first delete the expired certificate, then open the /opt/IBM/HTTPServer/Plugins/bin/ikeyman.sh tool:
Accessing the WAS default application over the SSL port from a browser, https://192.168.137.93/snoop, returns an error.
Checking the http_plugin.log file shows the following errors:
lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)
[Thu Nov 12 15:50:12 2015] 00006900 f4f70b90 - ERROR: ws_common: websphereGetStream: Could not open stream
[Thu Nov 12 15:50:12 2015] 00006900 f4f70b90 - ERROR: ws_common: websphereExecute: Failed to create the stream
[Thu Nov 12 15:50:12 2015] 00006900 f4f70b90 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'vm02Node01_server1'on host 'vm02'; will try another one
[Thu Nov 12 15:50:12 2015] 00006900 f4f70b90 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request
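The two log excerpts above show the two failure modes this article deals with: a GSKit return code 107 at IHS startup (the HTTPS transport is then skipped and port 443 never opens) and a code 414 on each proxied request (the plug-in cannot trust the WAS node). The following triage script is an added example, not part of the original article; it pulls the GSKit codes out of http_plugin.log with POSIX awk/grep and prints the remediation the article applies for each. The LOG_SAMPLE is constructed from the error lines quoted above, and the log path in the usage comment is the one from the article's plugin-cfg.xml.

```sh
#!/bin/sh
# Added example (not from the original article): a small triage script for
# http_plugin.log. LOG_SAMPLE is constructed from the error lines quoted in the
# article; the remediation text mirrors the article's two root causes.

LOG_SAMPLE='[Thu Nov 12 14:59:02 2015] 00006037 f7e8c6c0 - ERROR: lib_security: logSSLError: str_security (gsk error 107): GSK_KEYFILE_CERT_EXPIRED
[Thu Nov 12 14:59:02 2015] 00006037 f7e8c6c0 - ERROR: ws_server: serverAddTransport: HTTPS Transport is skipped
[Thu Nov 12 15:50:12 2015] 00006900 f4f70b90 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)
[Thu Nov 12 15:50:12 2015] 00006900 f4f70b90 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request'

# Pull every GSKit return code out of the log. The plug-in writes them in two
# shapes: "(gsk error 107)" at startup and "(gsk rc = 414)" per request.
# Output: the distinct codes, space separated, in ascending order.
gsk_codes() {
    printf '%s\n' "$1" | awk '
        match($0, /gsk error [0-9]+/) { print substr($0, RSTART + 10, RLENGTH - 10) }
        match($0, /gsk rc = [0-9]+/)  { print substr($0, RSTART + 9,  RLENGTH - 9) }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# True when IHS gave up on the HTTPS transport at startup: port 443 will not
# answer at all until the key database is fixed and IHS is restarted.
https_transport_skipped() {
    printf '%s\n' "$1" | grep -q 'HTTPS Transport is skipped'
}

# Number of ERROR lines, a quick way to confirm a restart cleared things up.
error_count() {
    printf '%s\n' "$1" | grep -c ' - ERROR: '
}

# Map the codes seen in the article to the fix it applies.
explain_gsk_code() {
    case "$1" in
        107) echo "GSK_KEYFILE_CERT_EXPIRED: a certificate in plugin-key.kdb has expired; delete it and create a new one" ;;
        414) echo "GSK_ERROR_BAD_CERT: the WAS node's certificate is not trusted; add the node's signer certificate to plugin-key.kdb" ;;
        *)   echo "gsk code $1: not covered by the article; look it up in the GSKit return code list" ;;
    esac
}

# One report for a whole log: transport state first, then one line per code.
triage_plugin_log() {
    log="$1"
    if https_transport_skipped "$log"; then
        echo "HTTPS transport skipped: https://host:443 will fail until IHS is fixed and restarted"
    fi
    for code in $(gsk_codes "$log"); do
        echo "gsk $code -> $(explain_gsk_code "$code")"
    done
}

# Usage on a real server (log path from the article's plugin-cfg.xml):
#   triage_plugin_log "$(cat /opt/IBM/HTTPServer/Plugins/logs/webserver1/http_plugin.log)"
triage_plugin_log "$LOG_SAMPLE"
```

Run it against the live log after every change; the 107 line should disappear once IHS restarts with the renewed plug-in keyring, and the 414 line once the node signer has been imported.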
The cause is that the WAS node's signer certificate has not been added to the Plug-in's key database. It can be added with the following steps (if WAS has multiple nodes, the signer certificate of every node must be added):
Extract the certificate:
Upload the extracted node.arm file to the /opt/ directory on the server where the Plug-in is installed.
Then open the /opt/IBM/HTTPServer/Plugins/bin/ikeyman.sh tool:
When done, restart IHS and access the site again from the browser:
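The ikeyman steps above are done by hand in the GUI. The script below is an added example, not from the original article, that performs the same procedure with the GSKit command-line tool shipped with IHS so it can be repeated on every IHS node and for every WAS node signer. Assumptions: the tool is bin/gskcapicmd (on some IHS 7.0 builds it is named gsk7capicmd; set GSKCMD accordingly), the key database and .arm paths are the article's, KDB_PW is a placeholder password, and the certificate labels and DNs are made up for the demo. It also includes the check a practitioner wants before importing: the .arm file must be a Base64 (PEM) certificate, because "-format ascii" rejects a binary DER file.

```sh
#!/bin/sh
# Added example, not from the original article: the ikeyman steps as a script
# built on the GSKit command-line tool shipped with IHS. Assumptions: the tool
# is bin/gskcapicmd (on some IHS 7.0 builds it is named gsk7capicmd; set GSKCMD
# accordingly), the paths are the article's, KDB_PW is a placeholder password,
# and the certificate labels and DNs are made up for the demo.
IHS_ROOT=/opt/IBM/HTTPServer
GSKCMD="$IHS_ROOT/bin/gskcapicmd"
IHS_KDB="$IHS_ROOT/ssl/key.kdb"                                  # KeyFile in httpd.conf
PLUGIN_KDB="$IHS_ROOT/Plugins/config/webserver1/plugin-key.kdb"   # keyring in plugin-cfg.xml
KDB_PW='CHANGE-ME'                                               # placeholder, not a real password
ARM_DIR=/opt                                                     # where the node .arm files were uploaded

# Step 1: the IHS key database with a self-signed server certificate.
# -stash writes key.sth next to key.kdb; IHS needs that stash file to open
# the database without prompting for the password at startup.
create_ihs_keydb() {
    "$GSKCMD" -keydb -create -db "$IHS_KDB" -pw "$KDB_PW" -type cms -stash
    "$GSKCMD" -cert -create -db "$IHS_KDB" -pw "$KDB_PW" -label ihs_server \
        -dn "CN=192.168.137.93,O=demo" -size 2048 -expire 365 -default_cert yes
}

# Step 2: look at a plug-in keyring entry before touching it. The "Not After"
# line of the details output is what the 107 startup error is about.
show_plugin_cert() {
    "$GSKCMD" -cert -details -db "$PLUGIN_KDB" -pw "$KDB_PW" -label "$1"
}

# Step 3: replace the expired plug-in certificate (delete it, then create a
# new self-signed default), which is the article's ikeyman.sh step.
renew_plugin_cert() {
    "$GSKCMD" -cert -delete -db "$PLUGIN_KDB" -pw "$KDB_PW" -label "$1"
    "$GSKCMD" -cert -create -db "$PLUGIN_KDB" -pw "$KDB_PW" -label plugin_client \
        -dn "CN=webserver1,O=demo" -size 2048 -expire 365 -default_cert yes
}

# The .arm extracted from WAS is a Base64 (PEM) certificate. "-format ascii"
# rejects a binary DER file, so check for the markers before importing.
arm_is_pem() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# One keyring label per node, derived from the file name (node.arm -> node_signer),
# so that the signer of every WAS node gets a distinct entry.
signer_label() {
    echo "$(basename "$1" .arm)_signer"
}

# Step 4: add one WAS node signer to the plug-in keyring; this is what clears
# the 414 GSK_ERROR_BAD_CERT on proxied requests.
add_node_signer() {
    arm_file="$1"
    arm_is_pem "$arm_file" || { echo "$arm_file is not a PEM certificate" >&2; return 1; }
    "$GSKCMD" -cert -add -db "$PLUGIN_KDB" -pw "$KDB_PW" -label "$(signer_label "$arm_file")" \
        -file "$arm_file" -format ascii
}

# Whole procedure; the argument is the label of the expired certificate seen in ikeyman.
apply_all() {
    create_ihs_keydb
    show_plugin_cert "$1"
    renew_plugin_cert "$1"
    for arm in "$ARM_DIR"/*.arm; do add_node_signer "$arm"; done
    "$GSKCMD" -cert -list -db "$PLUGIN_KDB" -pw "$KDB_PW"
    echo "now restart IHS: $IHS_ROOT/bin/apachectl restart"
}

# Runs only when asked explicitly, e.g.:  sh plugin_ssl.sh --apply <expired-label>
if [ "${1:-}" = "--apply" ]; then apply_all "${2:?label of the expired certificate required}"; fi
```

The final "-cert -list" is the check to do before restarting IHS: the new plug-in certificate should be marked as the default and every node's signer should appear as a trusted entry; if a node is missing, its requests will keep failing with code 414 even though the 107 startup error is gone.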