Multiple SSL domains on one Instance of Profound

[rossiemurray]

Hi

I was wondering if anyone knows if we can run two separate SSL domains on the one instance of Profound on our Iseries v7.1.

We are currently running an SSL domain https://domain1.example.com:8084/ and are now looking at securing a new SSL domain https://domain2.example.com:8084/landingpage.html .

We would like to use the same instance of Profound as they will access the same Profound objects mainly but will have a different skin etc. We can get different certificates for both but when I look at the httpd.conf on our Profound instance it only seems to have one SSLAPPNAME application name so not sure how I can point the second DCM application or certificate into the existing httpd.conf file.

Scouring the internet I see that there is something called SNI that would allow this, but our companies browsers and Windows XP OS seems to rule this option out. I just want to see if there are any other options before installing a new instance of Profound that I will then have a management overhead of having to keep in step with the original instance.

Any feedback much appreciated.

Thanks in advance
Ross

[David]

You might have a look at using virtual hosts in the Apache httpd configuration. In a nutshell, virtual hosts allow you to apply different configuration directives based on the host name that is used on the page request, all within a single instance of Apache.

See here for details on virtual host configuration:

http://httpd.apache.org/docs/2.2/vhosts/name-based.html

When using virtual hosts, directives outside of a <VirtualHost> block apply globally. Directives inside the block apply only to the given virtual host. When doing this, you just need to ensure (see IBM documentation) that a directive is valid within the context of a virtual host block. The reference page for each directive will tell you in what contexts it is valid, for example see 'SSLAppName' section on this page (it's valid):

http://pic.dhe.ibm.com/infocenter/iseri ... bm_ssl.htm

Basically, you would put just the 'SSLAppName' into the virtual host blocks that you setup for each name, leaving all else in the global area so that all the Profound UI-related configuration will be applied in the same way for each virtual host.

Some other thoughts...

You are correct that you would need a new certificate for the new host name to avoid a name mismatch warning in the browser. If you plan to do much more of this, you might also consider purchasing a 'wildcard' certificate, which would allow you to use any host name in conjunction with your domain name. Depending on your certificate provider, you'd need to have probably 3 host names before the wildcard certificate would be cost-effective vs. simply purchasing separate certificates for host each name.

Before considering this, though, you'd want to verify that a wildcard certificate will work with IBM Digital Certificate Manager and the IBM HTTP Server. I can't imagine any reason why it shouldn't, but I have never actually seen one used before. I know of them just by seeing them for sale while purchasing single-name certificates.

And again, never have done it, but it seems to me that using a wildcard certificate would eliminate the need for virtual hosts in this situation, assuming that all you needed virtual hosts for was to pick out a different certificate for each host name.

[rossiemurray]

Hi David

Thanks very much for the prompt and detailed response.

I will try this out in the next few days and let you know how I get on.

I am told we don’t intend to do this again in the near future so we shouldn’t need the wildcard certificate for just now. But one I’ll bear in mind for the future.

Thanks
Ross

[Scott Klement]

You can't assign a different certificate based on different domain names in a virtual host because the SSL certificate is negotiated before the hostname is sent over an HTTP connection.

You could, however, have multiple IP addresses or ports in a single Apache config, and each address/port could have it's own SSL certificate. The address and port number are known before SSL is negotiated, so that will work.

But if you have multiple domain names (name-based virtual hosts) on the same address/port, then you can't have separate certificates by domain name.

[rossiemurray]

Hi Scott

Thanks for the clarification and apologies for the delay in responding as I have been out of the office.

I have been handed the current setup where we have two domain names pointing at the same Iseries so having different IP addresses probably isn’t an option at this stage. Looks like I will go with the option of multiple instances of Profound then or a wildcard certificate if DCM and our version of OS/browsers can handle it.

Thanks
Ross