Sunday, September 1, 2013

Using a Single SSL/TLS Certificate in IHS for Multiple Virtual Hosts

IBM HTTP Server does allow a single SSL/TLS certificate to be presented for multiple virtual hosts. It provides this capability by supporting Subject Alternative Names (SANs) on certificates, not by supporting TLS Server Name Indication (SNI). (Just to be clear - no version of IHS supports SNI as of IHS version 8.5.)

This article, titled "IP-Based Virtual Hosting must be used if configuring multiple SSL Virtual Hosts", describes this capability, but it does so in a VERY confusing way, with an even MORE confusing title. The meat of the solution is in the following text from that article:

Exception Note: If the Keyfile uses a SAN Certificate (support for multiple domain names), Name-Based virtual hosting can be used instead. When using a SAN Certificate the first SSL VirtualHost will be used for the SSL handshake. After the handshake completes, the SSL VirtualHost used for the HTTP request processing is determined by the ServerName directive that matches the Host header supplied in the client request.

NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:80>
ServerName www.CompanyA.com
ServerAdmin webmaster@CompanyA.com
DocumentRoot /www/html/CompanyA
ErrorLog /www/logs/CompanyA/error_log
TransferLog /www/logs/CompanyA/access_log
</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName www.CompanyB.com
ServerAdmin webmaster@CompanyB.com
DocumentRoot /www/html/CompanyB
ErrorLog /www/logs/CompanyB/error_log
TransferLog /www/logs/CompanyB/access_log
</VirtualHost>

<VirtualHost 1.2.3.4:443>
SSLEnable
SSLClientAuth none
ServerName www.CompanyA.com
ServerAdmin webmaster@CompanyA.com
DocumentRoot /www/html/CompanyA
ErrorLog /www/logs/CompanyA/error_log
TransferLog /www/logs/CompanyA/access_log
</VirtualHost>

<VirtualHost 1.2.3.4:443>
SSLEnable
SSLClientAuth none
ServerName www.CompanyB.com
ServerAdmin webmaster@CompanyB.com
DocumentRoot /www/html/CompanyB
ErrorLog /www/logs/CompanyB/error_log
TransferLog /www/logs/CompanyB/access_log
</VirtualHost>

SSLDisable
Keyfile /usr/lpp/HTTPServer/keys/Keyfile.kdb
SSLV2Timeout 100
SSLV3Timeout 1000


In this case, your keyfile (Keyfile.kdb) would only contain one server certificate.
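Because the handshake is done by the first SSL VirtualHost and the same certificate is served regardless of hostname, the thing to verify is that every ServerName on :443 is covered by that one certificate's SAN entries. The check below is my own added example, not code from the IBM article or from IHS: it parses SSL-enabled virtual hosts out of a constructed config excerpt like the one above, matches them against SAN dNSName values, and live_san_dns_names (assumed helper) pulls the served certificate from a running server.

```python
"""Check that the single certificate IHS serves on :443 covers every SSL ServerName."""
import re
import socket
import ssl

# Constructed excerpt modelled on the post's httpd.conf (hostnames are examples).
HTTPD_CONF = """
<VirtualHost 1.2.3.4:443>
SSLEnable
ServerName www.CompanyA.com
</VirtualHost>
<VirtualHost 1.2.3.4:443>
SSLEnable
ServerName www.CompanyB.com
</VirtualHost>
<VirtualHost 1.2.3.4:80>
ServerName www.CompanyC.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]+>(.*?)</VirtualHost>", re.S | re.I)

def ssl_server_names(conf):
    """ServerName of every <VirtualHost> block that contains SSLEnable, lower-cased."""
    names = []
    for body in VHOST_RE.findall(conf):
        if not re.search(r"^\s*SSLEnable\b", body, re.M | re.I):
            continue
        m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        if m:
            names.append(m.group(1).lower())
    return names

def san_matches(san_dns, hostname):
    """Exact match, or a wildcard covering exactly one left-most label (RFC 6125 style)."""
    san_dns, hostname = san_dns.lower(), hostname.lower()
    if san_dns == hostname:
        return True
    if san_dns.startswith("*.") and "*" not in san_dns[2:]:
        return hostname.count(".") == san_dns.count(".") and hostname.endswith(san_dns[1:])
    return False

def uncovered_names(conf, san_dns_names):
    """ServerNames of SSL vhosts that no SAN dNSName entry covers (empty list is good)."""
    return [n for n in ssl_server_names(conf)
            if not any(san_matches(s, n) for s in san_dns_names)]

def live_san_dns_names(host, port=443):
    """Fetch the served certificate's SAN dNSNames. IHS ignores SNI, so the result is
    the same whichever name the client sends; feed it to uncovered_names()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```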

You can view information on SAN Certificates here: http://www-01.ibm.com/support/docview.wss?uid=swg21444027

And in case you were wondering, I'm pretty certain the above will NOT work for the Tivoli Enterprise Portal Server (TEPS) because of multiple specifications of the host name and/or IP address that must all match correctly.

Wednesday, August 28, 2013

APM UI - Part 2 - Thresholds and Propagation

As a continuation of my previous post, we'll expand upon our GBS Supermarket Agent Builder data in the APM UI to incorporate thresholds and status propagation.

If you looked closely at the end of part 1, you'll have noticed that the "Resources" icon next to GBS Supermarket contained a grey question mark.


To resolve this with most APM UI widgets, you simply click on Resources, click on Edit at the upper-right, then click the gear icon on the widget you wish to adjust.


Next click on the [Thresholds] tab.


Unfortunately, our Thresholds tab is blank. That's because we never defined thresholds within our custom JSON files.

Let's fix that and import a new version of the GBS Supermarket into APM UI.
