Enable Client certificate authentication with IBM HTTP Server and WebSphere
Posted by eichelgartenweg on 3:08 PM with 5 comments
If you want to provide client certificate authentication for web apps deployed in WebSphere Application Server 6.1, you first need to edit the web.xml of the application.
You need to add a security-constraint (together with a CLIENT-CERT login-config and the role it references):
<security-constraint id="SecurityConstraint_Test01">
  <web-resource-collection id="WebResourceCollection_TestOZ01">
    <web-resource-name>Test</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_CognosOZ02">
    <description/>
    <role-name>Tester</role-name>
  </auth-constraint>
</security-constraint>
<login-config id="LoginConfig_1">
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Testrealm</realm-name>
</login-config>
<security-role id="SecurityRole_MIS01">
  <description/>
  <role-name>Tester</role-name>
</security-role>
After that you need to create a new virtual host in your IBM HTTP Server configuration.
To do that, edit httpd.conf:
<VirtualHost <ip-address>:443>
  ServerName www.yourvh.host.com
  SSLEnable
  SSLClientAuth 2
  SSLServerCert <name of cert in key-db>
  <Directory "/">
    Options Indexes MultiViews
    Order allow,deny
    Allow from all
    SSLClientAuthRequire o="<needed dn>"
  </Directory>
  RequestHeader set HTTPS %{HTTPS}e
  RequestHeader set SSL_CIPHER %{SSL_CIPHER}e
  RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
  RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
  DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>
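A companion check for the httpd.conf side (added example, not from the post; the address, certificate label and DN in the sample are made up): it confirms SSLClientAuth is set to required (2) rather than optional (1), that an SSLClientAuthRequire filter is present, and that the SSL_* headers forwarded to WebSphere use RequestHeader set, which overwrites any value the client sent.

```python
import re

# Constructed sample: the post's VirtualHost with its placeholders filled in.
# Example code, not from the original post; address, label and DN are made up.
HTTPD_CONF = """<VirtualHost 192.0.2.10:443>
ServerName www.yourvh.host.com
SSLEnable
SSLClientAuth 2
SSLServerCert ihs_server_cert
<Directory "/">
Order allow,deny
Allow from all
SSLClientAuthRequire o="Example Org"
</Directory>
RequestHeader set SSL_CLIENT_CN %{SSL_CLIENT_CN}e
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
DocumentRoot /usr/IBM/HTTPServer/www-doc-root2/
</VirtualHost>"""

# IHS accepts the numeric or the keyword form; 0/none and 1/optional do not require a cert.
REQUIRED = {"2", "required"}

def audit_vhost(conf):
    # Returns a list of findings for every VirtualHost; an empty list means clean.
    findings = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        addr, body = m.group(1), m.group(2)
        lines = [s for s in (l.strip() for l in body.splitlines()) if s and s[0] != "#"]
        directives = {}                       # lowercased name -> first argument string
        for s in lines:
            name, _, arg = s.partition(" ")
            directives.setdefault(name.lower(), arg.strip())
        if "sslenable" not in directives:
            findings.append(f"{addr}: SSLEnable missing")
        auth = (directives.get("sslclientauth") or "").split()
        if not auth or auth[0].lower() not in REQUIRED:
            findings.append(f"{addr}: SSLClientAuth is {' '.join(auth)!r}; certificate not required")
        if "sslclientauthrequire" not in directives:
            findings.append(f"{addr}: no SSLClientAuthRequire; any cert chaining to a "
                            "trusted root in the key database is accepted")
        # Forwarded SSL_* headers must be 'set' so IHS replaces whatever the caller sent;
        # 'add' or 'append' would let a client-supplied SSL_CLIENT_DN reach WebSphere.
        for s in lines:
            p = s.split()
            if len(p) >= 3 and p[0].lower() == "requestheader" \
                    and p[1].lower() != "set" and p[2].upper().startswith("SSL_"):
                findings.append(f"{addr}: RequestHeader {p[1]} {p[2]} keeps client-supplied values")
    return findings

if __name__ == "__main__":
    print(audit_vhost(HTTPD_CONF) or "clean")
```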
Then you need to add the root certificate of the certificates you want to use for authentication to the key database of your IBM HTTP Server.
1. Open the IBM Key Management utility ((i)keyman) and add the root certificate (e.g. o=host.com). Use the same label as in httpd.conf (<name of cert in key-db>).
2. Save the changes to the key database.
3. Restart your IBM HTTP Server.
After that, edit the virtual host settings in WebSphere. In the administrative console go to Environment > Virtual Hosts and add the new virtual host (e.g. Certificate Host) with its host aliases.
The plugin-cfg.xml of your IBM HTTP Server should now be updated automatically with a new virtual host entry:
<VirtualHostGroup Name="Certificate Host">
  <VirtualHost Name="<host-alias1>:*" />
  <VirtualHost Name="<host-alias2>:*" />
</VirtualHostGroup>
Hi, your blog has helped me a lot in my job (working with Liferay and WebSphere). I don't know how to say how thankful I am for all your work.
I am at this moment facing problems deploying portlets in EAR files.
Do you know how to make it work? I found lots of threads about that in the Liferay forum, but none with a solution. Since I've learned more from your blog than from the forum, I decided to send this message.
Thanks,
D.Barciela
Hi,
maybe these posts are useful:
http://eichelgartenweg2.blogspot.com/2008/07/add-portlet-to-liferay-via-websphere.html
http://eichelgartenweg2.blogspot.com/2008/07/add-portlet-to-liferay-in-websphere.html
Greets
Thanks a lot! I've resolved my problem. My error was that I had the Liferay libraries in a shared library, so the listener for the two EARs (Liferay and portlets) was running in two separate instances and not just one. I moved my libs to the lib folder of the AppServer and deleted the shared library, and the portlet appeared in the Liferay list.
Great post.
I seldom see technical blog posts that are this direct and contain information so clearly written.
In your way of enabling client certificates, only the specified application will require a client certificate. What will be the protocol between the plug-in and WebSphere Application Server? HTTP or HTTPS?