Spool

Can I use SSL with the HTTP Apache Server for the CA Spool Web Interface?

  • 1.  Can I use SSL with the HTTP Apache Server for the CA Spool Web Interface?

    Broadcom Employee
    Posted Jan 26, 2017 11:34 AM

    The short answer is yes. The IBM manual titled IBM HTTP Server on z/OS - Migrating from Domino-powered to Apache-powered contains a section titled ‘Configuring SSL support’ that details the configuration requirements. Both native z/OS key management (gskkyman key database) and SAF keyrings are supported.

    An additional LoadModule statement and virtual host definition are needed in the httpd.conf file to enable SSL support in the Apache server.

    The example below uses the default SSL port of 443 and specifies a gskkyman key database as the key store.

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
    SSLEnable
    </VirtualHost>
    SSLDisable
    KeyFile /users/apache/keys.kdb

    This example uses a SAF keyring instead of a gskkyman key database. The SSLServerCert refers to the label name defined on the certificate when it was created. The /saf value on the KeyFile statement is a required literal when a SAF keyring is to be used. The keyring name follows the /saf literal.

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
    SSLEnable
    SSLServerCert spoolwebssl
    </VirtualHost>
    KeyFile /saf WEBRING
    SSLDisable

    The http.conf updates documented in the CA Spool documentation in the section titled ‘Install the Web Interface on z/OS 2.2’ are still required, but they do not require any changes when SSL is added.
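
Added example, not part of the original post or of the IBM or CA documentation: a small Python check that compares an httpd.conf fragment with the layout of the two examples above and reports which key store it selects. The function name, the problem messages and the rule set are assumptions taken from those examples only, not IBM's full directive rules.

```python
import re

# The post's SAF keyring example, embedded as sample input.
SAF_EXAMPLE = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
SSLServerCert spoolwebssl
</VirtualHost>
KeyFile /saf WEBRING
SSLDisable
"""

def check_ssl_conf(text):
    """Compare an httpd.conf fragment with the layout of the post's examples."""
    problems, listen, ssl_ports, module = [], set(), set(), False
    vhost = key_store = label = None   # vhost: port of the block being read
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", line, re.I)
        if opened or line.lower() == "</virtualhost>":
            vhost = opened.group(1) if opened else None
            continue
        name, args = line.split()[0].lower(), line.split()[1:]
        if name == "loadmodule" and args[:1] == ["ibm_ssl_module"]:
            module = True
        elif name == "listen" and args:
            listen.add(args[0].rsplit(":", 1)[-1])
        elif name == "sslenable" and vhost is None:
            problems.append("SSLEnable outside a <VirtualHost> block")
        elif name == "sslenable":
            ssl_ports.add(vhost)
        elif name == "sslservercert" and args:
            label = " ".join(args)
        elif name == "keyfile" and args:   # "/saf" literal selects a SAF keyring
            saf = args[0] == "/saf"
            key_store = ("saf", " ".join(args[1:]) or None) if saf else ("kdb", args[0])
    if not module:
        problems.append("LoadModule ibm_ssl_module is missing")
    if not ssl_ports:
        problems.append("no <VirtualHost> contains SSLEnable")
    problems += [f"no Listen directive for port {p}" for p in sorted(ssl_ports - listen)]
    if key_store is None:
        problems.append("KeyFile is missing")
    elif key_store == ("saf", None):
        problems.append("KeyFile /saf has no keyring name")
    return {"problems": problems, "key_store": key_store, "label": label}
```

Calling `check_ssl_conf(SAF_EXAMPLE)` returns an empty problem list with the key store reported as the SAF keyring WEBRING and the certificate label spoolwebssl.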