IBM HTTP Server does allow a single SSL/TLS certificate to be presented for multiple virtual hosts. It allows this capability by supporting Server Alternate Names (SANs) on certificates rather than by supporting TLS Server Name Indication (SNI). (Just to be clear - no versions of IHS support SNI as of IHS version 8.5).
This article defines this capability:
IP-Based Virtual Hosting must be used if configuring multiple SSL Virtual Hosts,
but it does it in a VERY confusing way, with an even MORE confusing title. The meat of the solution is in the following text from the above article:
Exception Note: If the Keyfile uses a SAN Certificate (support for multiple domain names)
Name-Based virtual hosting can be used instead. When using a SAN Certificate the first SSL VirtualHost will be used for the SSL handshake. After the handshake completes the SSL Virtualhost used for the HTTP request processing is determined by the ServerName directive that matches the host header supplied in the client request
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:80>
ServerName www.CompanyA.com
ServerAdmin webmaster@CompanyA.com
DocumentRoot /www/html/CompanyA
ErrorLog /www/logs/CompanyA/error_log
TransferLog /www/logs/CompanyA/access_log
</VirtualHost>
<VirtualHost 1.2.3.4:80>
ServerName www.CompanyB.com
ServerAdmin webmaster@CompanyB.com
DocumentRoot /www/html/CompanyB
ErrorLog /www/logs/CompanyB/error_log
TransferLog /www/logs/CompanyB/access_log
</VirtualHost>
<VirtualHost 1.2.3.4:443>
SSLEnable
SSLClientAuth none
ServerName www.CompanyA.com
ServerAdmin webmaster@CompanyA.com
DocumentRoot /www/html/CompanyA
ErrorLog /www/logs/CompanyA/error_log
TransferLog /www/logs/CompanyA/access_log
</VirtualHost>
<VirtualHost 1.2.3.4:443>
SSLEnable
SSLClientAuth none
ServerName www.CompanyB.com
ServerAdmin webmaster@CompanyB.com
DocumentRoot /www/html/CompanyB
ErrorLog /www/logs/CompanyB/error_log
TransferLog /www/logs/CompanyB/access_log
</VirtualHost>
SSLDisable
Keyfile /usr/lpp/HTTPServer/keys/Keyfile.kdb
SSLV2Timeout 100
SSLV3Timeout 1000
In this case, your keyfile (Keyfile.kdb) would only contain one server certificate.
You can view information on SAN Certificates here: http://www-01.ibm.com/support/docview.wss?uid=swg21444027
And in case you were wondering, I'm pretty certain the above will NOT work for the Tivoli Enterprise Portal Server (TEPS) because of multiple specifications of the host name and/or IP address that must all match correctly.
Subscribe to:
Post Comments (Atom)
3 comments:
Hi,
I know this topic is two years old, but I didn't find any good advice.
I'm trying to set two secured named-virtual hosts in an IBM HttpServer (Apache 2.2.x), using a certificate with SAN alternate name.
The default host has SSLClientAuth required, the second virtualhost has SSLClientAuth none.
The problem is that I cannot access the second virtual host avoiding a certificate request in the browser.
What did I do wrong?
Thank you!
I don't know if that's possible. It may be, I'm just not sure. Have you tried changing the order of your VirtualHost entries to put the one with SSLClientAuth none listed FIRST?
Hi,
I tried this approach, but it led to forbid all access on the 2nd secure site. That virtual host has SSLCertAuth required. Now I put SSLCertAuth optional in the first virtualhost to allow access on the 2nd :)
I will follow the clean approach, using two sepparate IHS servers on different IPs.
Post a Comment