Showing posts with label IHS. Show all posts
Showing posts with label IHS. Show all posts

Sunday, September 1, 2013

Using a Single SSL/TLS Certificate in IHS for Multiple Virtual Hosts

IBM HTTP Server does allow a single SSL/TLS certificate to be presented for multiple virtual hosts. It allows this capability by supporting Server Alternate Names (SANs) on certificates rather than by supporting TLS Server Name Indication (SNI). (Just to be clear - no versions of IHS support SNI as of IHS version 8.5).

This article defines this capability: IP-Based Virtual Hosting must be used if configuring multiple SSL Virtual Hosts, but it does it in a VERY confusing way, with an even MORE confusing title. The meat of the solution is in the following text from the above article:

Exception Note: If the Keyfile uses a SAN Certificate (support for multiple domain names) 
Name-Based virtual hosting can be used instead. When using a SAN Certificate the first SSL VirtualHost will be used for the SSL handshake. After the handshake completes the SSL Virtualhost used for the HTTP request processing is determined by the ServerName directive that matches the host header supplied in the client request

NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:80>
ServerName www.CompanyA.com
ServerAdmin webmaster@CompanyA.com
DocumentRoot /www/html/CompanyA
ErrorLog /www/logs/CompanyA/error_log
TransferLog /www/logs/CompanyA/access_log
</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName www.CompanyB.com
ServerAdmin webmaster@CompanyB.com
DocumentRoot /www/html/CompanyB
ErrorLog /www/logs/CompanyB/error_log
TransferLog /www/logs/CompanyB/access_log
</VirtualHost>

<VirtualHost 1.2.3.4:443>
SSLEnable
SSLClientAuth none
ServerName www.CompanyA.com
ServerAdmin webmaster@CompanyA.com
DocumentRoot /www/html/CompanyA
ErrorLog /www/logs/CompanyA/error_log
TransferLog /www/logs/CompanyA/access_log
</VirtualHost>

<VirtualHost 1.2.3.4:443>
SSLEnable
SSLClientAuth none
ServerName www.CompanyB.com
ServerAdmin webmaster@CompanyB.com
DocumentRoot /www/html/CompanyB
ErrorLog /www/logs/CompanyB/error_log
TransferLog /www/logs/CompanyB/access_log
</VirtualHost>

SSLDisable
Keyfile /usr/lpp/HTTPServer/keys/Keyfile.kdb
SSLV2Timeout 100
SSLV3Timeout 1000


In this case, your keyfile (Keyfile.kdb) would only contain one server certificate.

You can view information on SAN Certificates here: http://www-01.ibm.com/support/docview.wss?uid=swg21444027

And in case you were wondering, I'm pretty certain the above will NOT work for the Tivoli Enterprise Portal Server (TEPS) because of multiple specifications of the host name and/or IP address that must all match correctly.