Thursday, May 30, 2013

Setting Up TLS (SSL) for IBM HTTP Server with Domino 9 - Part 2

In Part 1 I showed you how to use IKeyMan to set up your SSL key database.

Now in Part 2 we will configure IHS to actually use your keys and to use TLS (SSL).

Since you've already set up IBM HTTP Server on your Domino 9 server, all you need to do now is edit the domino.conf file and tell IHS to start using SSL.

The Domino documentation is perfect here, too. I followed their steps to the letter and it worked. When I deviated, it didn't work, so <GOODADVICE>save your deviation and creativity until you have the basics working, then tweak</GOODADVICE>.
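As an added example (this is not the post's own screenshot of domino.conf, and it is not taken from the Domino documentation), here is the shape of a minimal TLS section for domino.conf. The module path, the key database path, the port and the server name are assumptions; substitute the values from your own IHS install and the .kdb you built with IKeyMan in Part 1. The directive names are the standard IBM HTTP Server (mod_ibm_ssl) ones.

```apache
# Added example: minimal TLS enablement for domino.conf.
# All paths and the host name below are assumptions for illustration.

# Load the IBM SSL module (GSKit-based); the shipped config usually has this
# line present but commented out.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

# Listen on the HTTPS port in addition to the existing port 80 Listen.
Listen 443

<VirtualHost *:443>
    # Assumed host name; use the name on the certificate you created.
    ServerName www.example.com

    # Turn SSL on for this virtual host only.
    SSLEnable

    # Refuse the obsolete protocol versions; clients negotiate TLS from
    # what remains.
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>

# The key database created with IKeyMan (assumed path). The password stash
# file (.sth) is assumed to sit beside it with the same base name, which is
# why no SSLStashfile directive is needed here.
KeyFile "/opt/IBM/HTTPServer/key.kdb"

# Everything after this line (the plain port 80 virtual host included) stays
# non-SSL.
SSLDisable
```

Note that Apache-style configs, IHS included, do not accept a comment on the same line as a directive, so keep comments on their own lines. Make only these changes first; leave ciphers and client certificates for the tweaking stage once a plain https:// visit works.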

Once you have edited your domino.conf file, restart your Domino server and see what happens.

If you see this, it didn't work and you need to go back and retrace your steps because something is missing.

If you see the normal startup in your console, then rush over to your browser and visit your site using https://... and be glad, because you're now using the best encryption available to your Domino server!

And now a little bit of Tweaking...

Let's say you want to enable client certificates or only allow specific SSL ciphers to be used. There are all kinds of things you can change on your IHS to make it work the way you want.

Take a look here (not sure if this is the most official list but do some Googling).

Here are a couple of examples.
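As an added example (not the screenshots from the original post), here is how the two tweaks just mentioned, a restricted cipher list and client certificates, plus a protocol restriction look when layered on the basic `<VirtualHost *:443>` block. The host name, the particular cipher suites and the client-certificate setting are my assumptions; the directives themselves are standard IBM HTTP Server (mod_ibm_ssl) directives.

```apache
# Added example: hardening tweaks for the HTTPS virtual host in domino.conf.
# Host name, cipher choices and the client-auth mode are assumptions.

<VirtualHost *:443>
    # Assumed host name.
    ServerName www.example.com
    SSLEnable

    # 1. Protocols: only TLS is offered; SSLv2 and SSLv3 are refused outright.
    SSLProtocolDisable SSLv2 SSLv3

    # 2. Ciphers: as soon as any SSLCipherSpec line is present, ONLY the
    #    listed suites are offered, so list every suite you intend to
    #    support, one per line. These two are AES with SHA MACs; nothing
    #    RC4, DES, NULL or export grade is included.
    SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

    # 3. Client certificates: 'required' rejects any browser that cannot
    #    present a certificate issued by a CA whose signer certificate is in
    #    your key database. Start with 'optional' while testing so you can
    #    still reach the site, then switch to 'required'.
    SSLClientAuth optional
</VirtualHost>
```

Apply these one at a time, restarting between changes, as the "Test often" advice below recommends: a cipher list that omits everything a given browser supports, or a premature `SSLClientAuth required`, both show up as the browser simply failing to connect, which is hard to tell apart from a key database problem unless you know which directive you just changed.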

Test often

My advice on "hardening" is to make many small incremental changes and test often. I have resorted to making a single change, restarting the server, then testing that change. It can be time consuming, but this SSL thing is a little "black box" and you can only control it through these configuration directives, so if you make one change and it breaks things, then you know what did it.

A case in point...Safari.

Had SSL and IHS all set up on a test server and was testing an application update using Safari on a Mac. Whoops! Safari could not connect to the server. WTH?! After all the appropriate checking I determined that the problem was actually with the way Safari handles SSL and intermediate certificates.

Bummer. Can't put this IHS in front of Domino if it can't do SSL from Safari, right?

Fortunately I found this post (http://www.leidinger.net/blog/2011/10/04/ibm-http-server-7-and-verisign-intermediate-certificates/) that addressed, for VeriSign intermediate certificates, a similar problem to the one I was having with the GoDaddy intermediate certificates. Performed a little routine of exporting the current SSL certificate from my key database as PKCS12 and then reimporting it back into the key database, and Bam! Like magic, the problem was fixed in Safari.

Darren Duke has also been running a set of posts on this topic, and you should check them out to get a different perspective. It looks like our experiences are different, and also our needs, since we're application-focused and his are a little more Traveler-focused.