1. Apply for a certificate from a commercial CA, or generate a self-signed certificate with openssl. The openssl steps are as follows.
Reference for generating certificates with openssl: https://blog.51cto.com/longlei/2120718
Generate the private key
[root@localhost test]# openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus
....................................+++
...............+++
e is 65537 (0x10001)
[root@localhost test]#
Generate the certificate signing request (CSR). You are prompted for a number of fields here, such as country, state/city, organization, and so on.
[root@localhost test]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:ll
Organizational Unit Name (eg, section) []:lz
Common Name (eg, your name or your server's hostname) []:www.test.com   <- enter the domain name here
Email Address []:111@ddd
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost test]# ls
test.csr test.key
Generate a self-signed X.509 certificate. The validity is set to 3650 days, i.e. 10 years.
[root@localhost test]# openssl x509 -req -days 3650 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=cn/ST=bj/L=bj/O=ll/OU=lz/CN=www.test.com/emailAddress=111@ddd
Getting Private key
[root@localhost test]# ls
test.crt test.csr test.key
2. Convert the crt and key into a JKS file
You can convert online at https://geshi.sslzhengshu.com/ (if the certificate was issued by a CA, it is recommended to convert it on the CA's own website).
3. Use the IKeyMan tool shipped with IHS to convert the JKS file to KDB format
Reference: https://blog.csdn.net/lavin1614/article/details/126141114
(1) Start the IKeyMan tool
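The steps of sections 1 and 2 as one script, added here and not from the original post: the openssl commands run non-interactively (the DN values and file names mirror the post), a check that the key and certificate belong together, a check of the 3650-day validity, and a local crt+key to PKCS12 (and, when a JDK keytool is installed, JKS) conversion so the private key does not have to be uploaded to a web converter. The work directory, password and alias are assumptions; ikeyman can also import the .p12 directly.

```shell
# Added example, not from the original post. Assumes openssl is on the PATH.

make_selfsigned() {   # $1 = work dir, $2 = domain (CN), $3 = validity in days
  mkdir -p "$1"
  openssl genrsa -out "$1/test.key" 2048 2>/dev/null
  # -subj supplies the DN fields that the interactive prompt asked for
  openssl req -new -key "$1/test.key" -out "$1/test.csr" \
      -subj "/C=cn/ST=bj/L=bj/O=ll/OU=lz/CN=$2/emailAddress=111@ddd"
  openssl x509 -req -days "$3" -in "$1/test.csr" -signkey "$1/test.key" \
      -out "$1/test.crt" 2>/dev/null
}

# Returns 0 only if test.key is the private key for test.crt (same RSA modulus).
key_matches_cert() {   # $1 = work dir
  k=$(openssl rsa -noout -modulus -in "$1/test.key" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$1/test.crt" | openssl sha256)
  [ "$k" = "$c" ]
}

# Returns 0 if test.crt is still valid $2 days from now (verifies the 3650-day setting).
valid_for_days() {     # $1 = work dir, $2 = days
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/test.crt" >/dev/null
}

# Bundles key + certificate into a PKCS12 file under the alias that will become
# the certificate label; also writes a JKS when a JDK keytool is on the PATH.
to_pkcs12() {          # $1 = work dir, $2 = keystore password, $3 = alias
  openssl pkcs12 -export -inkey "$1/test.key" -in "$1/test.crt" -name "$3" \
      -out "$1/test.p12" -passout "pass:$2"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -srckeystore "$1/test.p12" -srcstoretype PKCS12 \
        -srcstorepass "$2" -destkeystore "$1/test.jks" -deststoretype JKS \
        -deststorepass "$2" -noprompt
  fi
}
```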
[root@localhost ~]# export DISPLAY=192.168.1.1:0.0
[root@localhost ~]# cd /opt/IBM/HTTPServer/bin/
[root@localhost bin]# ./ikeyman
(2) Create the KDB file
In the IBM Key Management tool that opens, click to create a new key database file, choose CMS as the key database type, and select the path where the key database is saved.
Note: tick the "Stash password to a file" option. It saves the password, encrypted, to a file with the .sth extension. When IHS starts it reads the password from that .sth file automatically; if the option is not selected, IHS reports an error on startup.
Once the key database has been created successfully, three files are generated in that directory:
(3) Import the signer certificate
Import the JKS file
After entering the password and confirming, the following window pops up. Enter the certificate's domain name or an alias as the new label, click "Apply" and then "OK", and the certificate appears under Personal Certificates. Click "View/Edit" to set it as the default certificate.
4. Install and deploy the certificate
Reference: https://www.ibm.com/support/pages/guide-properly-setting-ssl-within-ibm-http-server#create
https://www.ibm.com/support/pages/node/72233
Modify or add the following configuration in the conf file:
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
ServerName www.xxxxx.xxx
#Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
KeyFile /u01/IBM/HTTPServer/conf/keydir/key.kdb
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
Handling an error you may encounter:
httpd: Syntax error on line 850 of /u01/IBM/HTTPServer/conf/httpd.conf: Cannot load modules/mod_ibm_ssl.so into server: /u01/IBM/HTTPServer/modules/mod_ibm_ssl.so: undefined symbol: ihs_socket_iol_push
This is an environment variable problem.
Reference: https://www.cnblogs.com/qtong/p/13152462.html
[root@VM-24-5-centos bin]# ldd httpd
linux-vdso.so.1 => (0x00007ffe85d96000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f8b5b865000)
libaprutil-1.so.0 => /usr/local/apr-util/lib/libaprutil-1.so.0 (0x00007f8b5b63f000)
libexpat.so.1 => /lib64/libexpat.so.1 (0x00007f8b5b414000)
libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f8b5b1e1000)
librt.so.1 => /lib64/librt.so.1 (0x00007f8b5afd9000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f8b5ada2000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f8b5ab86000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f8b5a982000)
libc.so.6 => /lib64/libc.so.6 (0x00007f8b5a5b4000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007f8b5a3b1000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8b5bac7000)
[root@VM-24-5-centos bin]# ll | grep env
-rwxr-xr-x 1 root root 2019 Nov 25 17:36 envvars
-rwxr-xr-x 1 root root 2019 Nov 25 17:36 envvars-std
-rwxr-xr-x 1 root root 1130 Nov 25 17:36 gsk_envvars
[root@VM-24-5-centos bin]# ./envvars
[root@VM-24-5-centos bin]# ./httpd -t -f /u01/IBM/HTTPServer/conf/httpd.conf
httpd: Syntax error on line 850 of /u01/IBM/HTTPServer/conf/httpd.conf: Cannot load modules/mod_ibm_ssl.so into server: /u01/IBM/HTTPServer/modules/mod_ibm_ssl.so: undefined symbol: ihs_socket_iol_push
[root@VM-24-5-centos bin]# cat envvars | grep LD_LIBRARY
if test "x$LD_LIBRARY_PATH" != "x"; then
LD_LIBRARY_PATH="/u01/IBM/HTTPServer/lib:/u01/IBM/HTTPServer/gsk8/lib64:$LD_LIBRARY_PATH:/u01/IBM/HTTPServer/modules"
LD_LIBRARY_PATH="/u01/IBM/HTTPServer/lib:/u01/IBM/HTTPServer/modules:/u01/IBM/HTTPServer/gsk8/lib64"
export LD_LIBRARY_PATH
[root@VM-24-5-centos bin]# echo x$LD_LIBRARY_PATH
x
[root@VM-24-5-centos bin]# echo $LD_LIBRARY_PATH
[root@VM-24-5-centos bin]# cat envvars | grep LD_LIBRARY
if test "x$LD_LIBRARY_PATH" != "x"; then
LD_LIBRARY_PATH="/u01/IBM/HTTPServer/lib:/u01/IBM/HTTPServer/gsk8/lib64:$LD_LIBRARY_PATH:/u01/IBM/HTTPServer/modules"
LD_LIBRARY_PATH="/u01/IBM/HTTPServer/lib:/u01/IBM/HTTPServer/modules:/u01/IBM/HTTPServer/gsk8/lib64"
export LD_LIBRARY_PATH
[root@VM-24-5-centos bin]# export LD_LIBRARY_PATH="/u01/IBM/HTTPServer/lib:/u01/IBM/HTTPServer/modules:/u01/IBM/HTTPServer/gsk8/lib64"
[root@VM-24-5-centos bin]# ./httpd -t -f /u01/IBM/HTTPServer/conf/httpd.conf
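Why "./envvars" changed nothing in the session above while a manual "export LD_LIBRARY_PATH=..." fixed the "undefined symbol" error: executing the script runs it in a child process, whose export dies with it, whereas sourcing it (". ./envvars", which is what apachectl does) sets the variable in the current shell. Added example, not from the original post; the envvars file is constructed to mirror the grep output above, the IHS paths are the post's, and the temporary file location is an assumption.

```shell
# Added example, not from the original post.
IHS=/u01/IBM/HTTPServer          # install root used in the post

# Writes a constructed envvars-style script with the same if/else as the real one.
write_envvars() {   # $1 = path to write
  cat > "$1" <<EOF
if test "x\$LD_LIBRARY_PATH" != "x"; then
  LD_LIBRARY_PATH="$IHS/lib:$IHS/gsk8/lib64:\$LD_LIBRARY_PATH:$IHS/modules"
else
  LD_LIBRARY_PATH="$IHS/lib:$IHS/modules:$IHS/gsk8/lib64"
fi
export LD_LIBRARY_PATH
EOF
}

# Like "./envvars": the script runs as a child process, so the export is lost.
# Prints the caller's LD_LIBRARY_PATH afterwards (empty).
run_as_child() {    # $1 = envvars path
  ( unset LD_LIBRARY_PATH; sh "$1"; printf '%s' "${LD_LIBRARY_PATH:-}" )
}

# Like ". ./envvars": the script runs in the current shell, so the export sticks.
# Prints the caller's LD_LIBRARY_PATH afterwards (the IHS library path).
run_sourced() {     # $1 = envvars path
  ( unset LD_LIBRARY_PATH; . "$1"; printf '%s' "${LD_LIBRARY_PATH:-}" )
}

# Returns 0 only when every directory on a colon-separated path exists, so a
# typo in the path is caught before httpd -t reports "undefined symbol" again.
path_dirs_exist() { # $1 = colon-separated path
  rc=0
  old_ifs=$IFS; IFS=:
  for d in $1; do [ -d "$d" ] || { echo "missing: $d" >&2; rc=1; }; done
  IFS=$old_ifs
  return $rc
}
```

Run path_dirs_exist "$LD_LIBRARY_PATH" after sourcing envvars on the server to confirm that the lib, modules and gsk8/lib64 directories the post exports really exist under /u01/IBM/HTTPServer.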