
SSL virtual hosting in IBM HTTP Server

Rsdaa 26/12/2021 209

Troubleshooting

Problem

SSL virtual hosting capabilities in IBM HTTP Server.

Resolving The Problem

Virtual Hosting comes in two forms in IBM HTTP Server. Each form has special considerations when used in combination with SSL.

IP-Based virtual hosting

- Each VirtualHost stanza is configured with a different IP address and port combination.
- If a certificate is used for multiple hostnames without unique IP/Port combinations, it must have multiple or wildcard SubjectAltName extensions.
- All SSL configuration directives behave intuitively, selected by the local interface and port that handles the underlying connection.
- KeyFile or SSLServerCert can be used to select a unique certificate.

The following example shows two SSL IP-based virtual hosts, each bound to its own IP address (port 443 is assumed here). See the embedded comments.

Keyfile /usr/lpp/HTTPServer/keys/Keyfile.kdb

# If the local address matches, use the specified SSL settings.
# DNS, routing, and load balancers must arrange for www.example.com to map to 192.168.1.111
<VirtualHost 192.168.1.111:443>
SSLEnable
ServerName www.example.com
</VirtualHost>

# If the local address matches, use the specified SSL settings.
# DNS, routing, and load balancers must arrange for www.example.com to map to 192.168.1.222
<VirtualHost 192.168.1.222:443>
SSLEnable
</VirtualHost>

Name-Based virtual hosting

- A single IP/port combination is shared between multiple virtual hosts, differentiated by unique ServerName and ServerAlias.
- If a certificate is used for multiple hostnames without unique IP/Port combinations, it must have multiple or wildcard SubjectAltName extensions.
- In IHS 9.0 (and later), SSLServerCert can be used to select an alternate certificate based on the requested hostname.
- Most common SSL configuration directives are ONLY effective when specified in the first listed virtual host ("default name-based vhost") that shares each IP/port combination. Examples: SSLCipherSpec, KeyFile, SSLProtocolEnable, SSLClientAuth, SSLProtocolDisable.
- Nearly every non-SSL Apache configuration directive can be used intuitively within the non-default name-based virtual hosts.

The following example shows two SSL name-based virtual hosts that share a single IP/port combination. See the embedded comments for differences between releases.

Keyfile /usr/lpp/HTTPServer/keys/Keyfile.kdb

# IHS 8.5.5 and earlier requires this
NameVirtualHost 192.168.1.100:443

# This is the "default" (first listed) name-based virtualhost for 192.168.1.100:443
<VirtualHost 192.168.1.100:443>
# In IHS 9.0 and later, "SNI" can be appended to "SSLEnable" to allow
# additional virtual hosts sharing this IP:PORT to specify a different
SSLEnable
ServerName www.example.com
# Perform all normal SSL configuration in the default virtual host
SSLCipherSpec TLSv12 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
</VirtualHost>

# Second, non-default virtual host. Same IP:PORT
<VirtualHost 192.168.1.100:443>
ServerName OTHER.example.com
SSLEnable
# IHS 9.0 (and later) only: If the default virtual host enabled SNI,
# and the requested hostname matches this ServerName, the specified
# SSLServerCert will be used
# (CERT_LABEL_PLACEHOLDER stands in for the certificate label in the KeyFile)
SSLServerCert CERT_LABEL_PLACEHOLDER
# No other SSL directives should be used.
DocumentRoot /var/www/other.example.com
</VirtualHost>
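
Because SSL directives such as SSLClientAuth or SSLProtocolDisable are only effective in the first listed virtual host for an IP/port, a setting placed in a later virtual host does not take effect. The following check is an added example, not IBM's code: it scans configuration text and reports those directives when they appear in a non-default virtual host. It assumes one address per VirtualHost line and no Include files; the sample configuration and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Directives the page lists as effective only in the default name-based vhost.
DEFAULT_ONLY = {"sslcipherspec", "keyfile", "sslprotocolenable",
                "sslclientauth", "sslprotocoldisable"}

# Constructed sample configuration (not from the original page).
SAMPLE_CONF = """\
<VirtualHost 192.168.1.100:443>
SSLEnable SNI
ServerName www.example.com
SSLCipherSpec TLSv12 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
</VirtualHost>
<VirtualHost 192.168.1.100:443>
SSLEnable
ServerName other.example.com
SSLClientAuth required
SSLProtocolDisable TLSv10
</VirtualHost>
<VirtualHost 192.168.1.222:443>
SSLEnable
SSLClientAuth required
</VirtualHost>
"""

def find_ineffective_ssl_directives(conf_text):
    """Return (line_no, address, directive) for default-only SSL directives
    placed in a non-default vhost that shares its IP:port with an earlier one."""
    seen = defaultdict(int)  # address -> number of vhosts opened so far
    current, is_default, findings = None, True, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>\s]+)\s*>", line, re.I)
        if opened:
            current = opened.group(1).lower()
            seen[current] += 1
            is_default = seen[current] == 1  # first listed vhost is the default
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = None
        elif current and not is_default and line.split()[0].lower() in DEFAULT_ONLY:
            findings.append((line_no, current, line.split()[0]))
    return findings

if __name__ == "__main__":
    for line_no, addr, name in find_ineffective_ssl_directives(SAMPLE_CONF):
        print(f"line {line_no}: {name} is not effective in non-default vhost {addr}")
```

The virtual host on 192.168.1.222 is not reported, since it is the first listed host for its own address and its SSL directives apply normally.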
