HTTP and HTTPS with same installation

[brett.elston]

Hi,
We current have Profound running for our internal users all on port 80. We would like to allow internet access and thus would prefer SSL on port 443 for external users whilst retaining port 80 for local users.

I did read, in one of the earlier forums, that a potential work around was to install a second instance of Profound with SSL enabled. Having a full blown second installation obviously has implications on our development and we would prefer not to duplicate our efforts as we do use userdata directories etc.

Ultimately I would like to have two HTTP servers, listening on ports 80 and 443 respectively, but both pointing to the same originally installed Profound library and directories.

What I have tried thus far is a partial installation, well the configuration file only, into a second Profound instance in this case called PROFOUNDEX. I have then modified the configuration for SSL and edited the new instance http.conf to point to our original installed instance, PROFOUNDUI, Document root, paths programs, libraries etc.

The problem I have is I cannot edit the new Server root directory to point back at the original instance. We are on V6.1 so cannot even use WRKHTTPCFG.

Is this a workable approach or is there a better way of achieving this?
Thanks

[Scott Klement]

Brett,

You don't need a second HTTP server. A single HTTP server can support both ports, with plain text data on port 80, and SSL data on port 443.

You'll need to use a firewall (or similar) to ensure that port 80 is not available from outside of your internal LAN, of course. But I assume that's no big deal (if you don't have a firewall, you've got bigger problems than this!)

Does that sound good?

[Scott Klement]

If you do want to allow both SSL (port 443) and non-SSL (port 80) on the same HTTP instance, here's what you should shoudl change in your httpd.conf file:

At the top of your config file, there should be a listen directive that tells it which port to listen on. Assuming you're listening to port 80, it should look like this:

Code: Select all

Listen *:80

Change that to look like this:

Code: Select all

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
Listen *:80
Listen *:443
NameVirtualHost *:443

So what I've done here is

1) Loaded the IBM SSL module -- this is an IBM-supplied service program that runs inside the HTTP server to handle SSL.

2) I've kept the Listen *:80 , and added an additional Listen *:443. This lets it accept connections on both port 80 and port 443.

3) I've told it to use Virtual Host directives for connections on port 443.

Next, at the bottom of the httpd.conf file, add this:

Code: Select all

<VirtualHost _default_:443>
   SSLEngine On
   SSLAppName NAC_PUI_HTTPS
</VirtualHost>

This tells the HTTP server that connections on port 443 are to be SSL connections. And that it should use the application configured in the digital certificate manager as "NAC_PUI_HTTPS" to enable SSL.

Save your changes and restart the HTTP server. It now will use SSL on port 443, and regular (non-SSL) connections on port 80, all in a single http server instance.

If you need help setting up the certificates and app name in the digital certificate manager, we described the process here:
http://www.profoundlogic.com/docs/displ ... abling+SSL

Please let me know if that helps.

[brett.elston]

Hi Scott,

Yes thank you this is exactly what we are after. I am using certificates for the first time so please can you confirm that I am on the right track?

1. I have created a certificate request for certificate store *SYSTEM.
2. The common name I have used is the business external portal name e.g. portal.nac.co.za.
3. This request has been forwarded to an external CA for for a trusted certificate.
4. Follow your instructions to copy the certificate to the IFS and import the certificate into *SYSTEM store.

Assuming the above is correct I now need to add our application, NAC_PUI_HTTPS, under manage applications. Is it as simple as adding the application name with all the default values and then updating the config file?

[Paul]

Brett,

Just to let you know that I did the same as you and it works great. Remember to add the application name that you set up when you uncomment the SSL lines. I called mine PROFOUNDUI:

# Uncomment the following to use SSL.
LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
SSLEngine On
SSLAppName PROFOUNDUI

Now the important bit .... When it's up and running make a copy of the httpd.conf file because the next time you install an upgrade it will get overwritten! Then copy/paste your changes from the saved file back into the newly installed httpd.conf.

One alternative thing that you could do ... I have a 2nd HTTP server (a copy of httpd.conf which I called httpd443.conf). This contains all the SSL config changes and keeps the original httpd.conf as a standard installation. This means that I can choose to have either/both HTTP servers running. Also it means that you can play around with the SSL config without affecting your standard installation. Just a thought.

Paul

[Scott Klement]

It sounds like you are on the right track to me. But, if you do encounter problems, please let us know.

[brett.elston]

Paul, thanks for you tip on the config file at upgrade time.

The only difference you will see is that in Scott’s example the SSLengine and SSLAppName are part of a virtual host and only applicable to port 443 traffic.

[brett.elston]

Thank you Scott. It worked perfectly.

Just a few extras for anyone else trying this:-

We used a different Certificate Authority, Go Daddy in this case, and this required that we receive three separate certificates to get things working. These being the Root Certificate, the CA certificate and then finally the application certificate.

Once these were imported the final step, after defining the application in DCM, was to link the application certificate to the application name.

[Scott Klement]

As Paul said, the default action when you install a new version of Profound UI is to install a new httpd.conf file. Whenever you make changes to the httpd.conf file (not only for SSL, there are a bunch of other reasons why you might change it) you need to make sure you don't let it wipe out that change.

Keeping a backup copy of your httpd.conf is a always good idea.

When you install your upgrade, there is an option in the installer where you can tell it not to overwrite your httpd.conf, however.

install_nohttpconf1.png (64.68 KiB) Viewed 91259 times

install_nohttpconf2.png (25.6 KiB) Viewed 91259 times

Whenever you do that, it's very important to pay attention to our change log. Especially any notes that are in red... For example, in version 4.1.0 of Profound UI we made a change that requires the httpd.conf file to be updated. You would've needed to make those changes (which were very simple) manually to the file if you didn't install our new version.

Our changelog is here:
http://www.profoundlogic.com/versions.rpgsp

The notes in red are the ones that expect you to take some action, or at least keep a watchful eye on something.

[brett.elston]

Thanks again for all your assistance.