
WEB | Converting p12 to kdb files using gskcmd



Test Environment

  • Test Version : IBM HTTPServer v9.x

Key file conversion

1. pem to p12

# openssl pkcs12 -export -inkey Wildcard.test.co.kr_pem.key -in Wildcard.cardif.co.kr_pem.pem -out Wildcard.test.co.kr.p12

2. p12 to kdb

  1. Invoke gskcapicmd from the install_root/bin directory

  2. Convert the key file

# ./gskcapicmd -cert -export -target key.kdb -db /sw/img/Wildcard.cardif.co.kr.p12 -fips -target_type cms -type pkcs12

# ./gskcapicmd -cert -import -target ../ssl/key.kdb -target_pw {password} -db /sw/img/Wildcard.cardif.co.kr.p12 -pw {password}

# ./gskcapicmd -cert -setdefault -db ../ssl/key.kdb -pw {password} -label "*.test.co.kr"

SSL | WebSphere TLS Clearing issues


Is TLS v1.2 supported in WebSphere Full Profile 7.0, 8.0 and 8.5? What is the minimum fix pack?

Answer: TLSv1.2 is supported on V7.0.0.23 onwards, on 8.0.0.3 onwards, and on 8.5.0.0.

  • TLS v1.2 is supported in WebSphere with the following JDK versions. 7.0.0.23 ships SDK 6 at the following levels, with TLSv1.2 supported:
    (32-bit) pap3260sr10fp1-20120321_01 (SR10 FP1)
    (64-bit) pap6460sr10fp1-20120321_01 (SR10 FP1)

  • 8.0.0.3 ships the following JDK, with TLSv1.2 supported:
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr1fp1-20120309_01 (SR1 FP1)
    (64-bit) pap6460_26sr1fp1-20120309_01 (SR1 FP1)

  • 8.5 ships the following JDK, with TLSv1.2 supported:
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr2ifix-20120419_02 (SR2+IV19661)
    (64-bit) pap6460_26sr2ifix-20120419_02 (SR2+IV19661)

This change allows TLS 1.1 and 1.2 to be configured at the web server plug-in in 8.0 and later on distributed platforms.

  • TLS 1.1 and 1.2 are not supported on z/OS at this time.
  • Although this APAR is listed in 7.0 fix packs, 7.0 does not support TLS 1.1 and TLS 1.2 because it uses GSKit V7.

WAS

Click Security > SSL configurations and open CellDefaultSSLSettings, NodeDefaultSSLSettings and any other SSL configuration.

1. Select each SSL configuration described above, then click Quality of protection (QoP) settings under Additional Properties.

2. On the **Quality of protection (QoP)** settings panel, select TLSv1.2 from the pull-down list in the box named Protocol.

3. Update ssl.client.props.
This must be done for each **ssl.client.props** file under the following directories:
Node example: WAS_install\profiles\AppSrv01\properties
DMGR example: WAS_install\profiles\Dmgr01\properties

 **com.ibm.ssl.protocol=TLSv1.2**

4. stopNode.sh && stopManager.sh 

5. startManager.sh

6. syncNode.sh dmgrhostname dmgrsoapport -username userid -password password

7. startNode.sh

8. Check the negotiated protocol: openssl s_client -connect webspherehostname:9443 -tls1_2

WEB

Update httpd.conf; inside the VirtualHost section:

SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11

Plugin

Q: Why do I receive a GSK_ERROR_SOCKET_CLOSED (gsk rc = 420) error when WebSphere Application Server and IBM HTTP Server are configured to use TLSv1.2?
A: You need StrictSecurity="true" in plugin-cfg.xml for TLSv1.2 to work. For more details see the following link.

WAS | WebSphere v9.0.5.1 Basic install guide



OS : CentOS 7 3.10.0-957.el7.x86_64

IM imcl install

Tip: the package IDs to pass to imcl are listed under {img_file}/Offerings.

IM install

./imcl install com.ibm.cic.agent -repositories "/sw/img/im/repository.config" -installationDirectory "/sw/IBM/InstallationManager/eclipse" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP

In this guide the existing Installation Manager is used.

# cd /sw/IBM/InstallationManager/eclipse/tools

WebSphere install

./imcl install com.ibm.websphere.BASE.v90_9.0.5001.20190828_0616 -repositories "/sw/img/base" -installationDirectory "/sw/was/AppServer9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -properties cic.selector.nl=ko -sP

Tip: starting with WebSphere 9.0 the Java SDK is a separate package, so install it together with WebSphere.

# install
./imcl install com.ibm.websphere.BASE.v90_9.0.5001.20190828_0616 com.ibm.java.jdk.v8_8.0.5041.20190924_1031 -repositories "/sw/img/base","/sw/img/sdk" -installationDirectory "/sw/was/AppServer9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -properties cic.selector.nl=ko -sP

# fix pack install
./imcl install com.ibm.websphere.BASE.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/was/AppServer9" -repositories "/sw/img/fixwas"  -sP

IBM HTTPServer install

./imcl install "com.ibm.websphere.IHS.v90_9.0.5001.20190828_0616" "com.ibm.java.jdk.v8_8.0.5041.20190924_1031" -repositories "/sw/img/ihs","/sw/img/sdk"  -installationDirectory "/sw/web/IHS9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP -properties user.ihs.httpPort="80"

# fix pack
./imcl install com.ibm.websphere.IHS.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/web/IHS9" -repositories "/sw/img/fixweb" -sP

Plugins install

./imcl install com.ibm.websphere.PLG.v90_9.0.5001.20190828_0616 com.ibm.java.jdk.v8_8.0.5041.20190924_1031 -repositories "/sw/img/plg","/sw/img/sdk"  -installationDirectory "/sw/web/Plugins9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP

# fix pack
./imcl install com.ibm.websphere.PLG.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/web/Plugins9" -repositories "/sw/img/fixweb" -sP

Version info

  1. imcl listInstalledPackages
  2. {install_home}/bin/versionInfo.sh

WAS | How to disable server name header


Test Version

  • Test OS : CentOS 7.2
  • Test WAS : WebSphere v8.5

X-Powered-By disable setting

  • Security vulnerability finding

  • IBM HTTPServer (apache)
    This can be mitigated by adding (httpd.conf):

AddServerHeader Off
ServerTokens Prod
ServerSignature Off
  • WebSphere
    On versions v8.5.0.2 and earlier, two options prevent the server version from being exposed.

  • ServerHeaderValue :
    Use the ServerHeaderValue property to replace the default value of the Server header that is added to all outgoing HTTP responses by server if a Server header does not already exist. The default value for the Server header is WebSphere Application Server v/x.x, where x.x is the version of WebSphere Application Server that is running on your system.

  • RemoveServerHeader :
    Use the RemoveServerHeader property to force the removal of any server header from HTTP responses that the application server sends, thereby hiding the identity of the server program.

Setting reference: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rrun_chain_httpcustom.html

Starting with Version 8.5.0.2, a Server header is no longer automatically added to all outgoing HTTP responses if a Server header does not already exist. If you add this property with a value, that value is included in the Server header that appears in the response. If you specify the value DefaultServerValue, WebSphere Application Server v/x.x is used as the Server header value.

SSL Cipher setting



Test Environment

  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5

Cipher setting

Apply the following settings in the httpd.conf file.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443

NameVirtualHost *:443

<VirtualHost *:443>
    DocumentRoot /app/EAR/SSL
    SSLEnable
    SSLProtocolDisable SSLv2
    SSLProtocolDisable SSLv3
    SSLCipherSpec ALL NONE
    SSLCipherSpec ALL +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    SSLCipherSpec ALL +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA +TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSLCipherSpec ALL +TLS_RSA_WITH_AES_256_CBC_SHA +TLS_RSA_WITH_AES_128_CBC_SHA
</VirtualHost>
KeyFile /SW/web/HTTPServer/key/key.kdb
SSLDisable

Confirm the applied settings with the commands below.

apachectl -t -D DUMP_SSL_CONFIG: show parsed SSL vhost configurations
apachectl -t -D DUMP_SSL_CIPHERS: show all known SSL ciphers

To determine which SSL ciphers are enabled on your server, you can also set LogLevel debug in your httpd.conf.

Set Non-Domain Access Processing



Test Environment

  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5

apache httpd.conf setting

Tip: this can be set on any Apache-class web server.

Requests whose Host header matches no configured domain are forwarded to a virtual host that only handles errors. Apache serves such requests from the first virtual host declared for that address and port, so the dummy virtual host must come first.
The point is not to give the dummy virtual host a ServerName value.

Listen 80
Listen 4958

NameVirtualHost *:80
NameVirtualHost *:4958

<VirtualHost *:80>
    DocumentRoot /app/was/htdocs
    ErrorDocument 403 "해당 방식은 접근이 허용되지 않은 방식입니다."
    ErrorDocument 404 "해당 방식은 접근이 허용되지 않은 방식입니다."
    ErrorDocument 500 "해당 방식은 접근이 허용되지 않은 방식입니다."
</VirtualHost>

<VirtualHost *:4958>
    DocumentRoot /app/was/htdocs
    ErrorDocument 403 "해당 방식은 접근이 허용되지 않은 방식입니다."
    ErrorDocument 404 "해당 방식은 접근이 허용되지 않은 방식입니다."
    ErrorDocument 500 "해당 방식은 접근이 허용되지 않은 방식입니다."
</VirtualHost>

ProxyRequests Off
<VirtualHost *:80>
    ServerName test.apache.com
    ProxyPass / http://172.31.98.155/ Keepalive=on
    ProxyPassReverse / http://172.31.98.155/
    ProxyPreserveHost On
    #LogLevel debug
    ErrorLog /app/was/HTTPServer/logs/test_proxy_error.log
    CustomLog /app/was/HTTPServer/logs/test_proxy_access.log combined
</VirtualHost>

<VirtualHost *:4958>
    ServerName test.httpserver.com
    ProxyPass / http://172.31.98.209/ Keepalive=on
    ProxyPassReverse / http://172.31.98.209/
    ProxyPreserveHost On
    #LogLevel debug
    ErrorLog /app/was/HTTPServer/logs/http_proxy_error.log
    CustomLog /app/was/HTTPServer/logs/http_proxy_access.log combined
</VirtualHost>
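To make the ordering rule concrete, here is an added Python model of Apache's name-based virtual-host selection (example code written for this note, not the page's or Apache's own; the ServerAlias line and the backend addresses in the constructed config are assumptions). It parses a config with the layout above and shows that an unknown Host lands on the first, ServerName-less vhost for the port, and that reordering the sections changes which vhost catches it.

```python
import re

# Constructed httpd.conf excerpt with the layout the page recommends: on each
# listening port a ServerName-less "dummy" vhost comes FIRST, then the real
# proxy vhost. The ServerAlias line and the backend addresses are assumptions.
HTTPD_CONF = """
Listen 80
Listen 4958
NameVirtualHost *:80
NameVirtualHost *:4958

<VirtualHost *:80>
    DocumentRoot /app/was/htdocs
    ErrorDocument 404 "not allowed"
</VirtualHost>

<VirtualHost *:4958>
    DocumentRoot /app/was/htdocs
</VirtualHost>

ProxyRequests Off
<VirtualHost *:80>
    ServerName test.apache.com
    ProxyPass / http://172.31.98.155/ Keepalive=on
    ProxyPassReverse / http://172.31.98.155/
</VirtualHost>

<VirtualHost *:4958>
    ServerName test.httpserver.com
    ServerAlias www.test.httpserver.com
    ProxyPass / http://172.31.98.209/ Keepalive=on
    ProxyPassReverse / http://172.31.98.209/
</VirtualHost>
"""


def parse_vhosts(conf):
    """Return the <VirtualHost *:port> sections, in file order, as dicts."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = re.match(r"<VirtualHost\s+\*:(\d+)>", line, re.IGNORECASE)
        if start:
            current = {"port": int(start.group(1)), "server_name": None,
                       "aliases": [], "proxy": None}
        elif line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
        elif current is not None:
            key, *args = line.split()
            key = key.lower()
            if key == "servername":
                current["server_name"] = args[0].lower()
            elif key == "serveralias":
                current["aliases"] += [a.lower() for a in args]
            elif key == "proxypass":
                current["proxy"] = args[1]
    return vhosts


def select_vhost(vhosts, port, host_header):
    """Apache's name-based selection: among the vhosts on `port`, the one whose
    ServerName or ServerAlias equals the Host header (port suffix stripped,
    case-insensitive) wins; if nothing matches, the FIRST vhost declared for
    that port is used as the default."""
    candidates = [v for v in vhosts if v["port"] == port]
    if not candidates:
        return None
    host = host_header.split(":")[0].strip().lower()
    for v in candidates:
        if host and (host == v["server_name"] or host in v["aliases"]):
            return v
    return candidates[0]


def route(port, host_header, conf=HTTPD_CONF):
    """Return ("proxy", backend) or ("dummy", None) for a request on `port`
    carrying `host_header`; ("no-listener", None) if nothing serves the port."""
    vhost = select_vhost(parse_vhosts(conf), port, host_header)
    if vhost is None:
        return ("no-listener", None)
    return ("proxy", vhost["proxy"]) if vhost["proxy"] else ("dummy", None)
```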

IBM HTTPServer - SSL Ciphers Check

How to check which ciphers are applied when using SSL


Test Environment
  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5.0.0

Methods for checking ciphers for SSL set in web server

Check options:
    [root@testServer11 bin]# ./apachectl -h
    Usage: /SW/web/HTTPServer/bin/httpd [-D name] [-d directory] [-f file]
                                        [-C "directive"] [-c "directive"]
                                        [-k start|restart|graceful|graceful-stop|stop]
                                        [-v] [-V] [-h] [-l] [-L] [-t] [-S]
 
    Options:
      -D name            : define a name for use in <IfDefine name> directives
      -d directory       : specify an alternate initial ServerRoot
      -f file            : specify an alternate ServerConfigFile
      -C "directive"     : process directive before reading config files
      -c "directive"     : process directive after reading config files
      -e level           : show startup errors of level (see LogLevel)
      -E file            : log startup errors to file
      -v                 : show version number
      -V                 : show compile settings
      -h                 : list available command line options (this page)
      -l                 : list compiled in modules
      -L                 : list available configuration directives
      -t -D DUMP_VHOSTS  : show parsed settings (currently only vhost settings)
      -S                 : a synonym for -t -D DUMP_VHOSTS
      -t -D DUMP_MODULES : show all loaded modules
      -M                 : a synonym for -t -D DUMP_MODULES
      -t -D DUMP_SSL_CONFIG: show parsed SSL vhost configurations
      -t -D DUMP_SSL_CIPHERS: show all known SSL ciphers
      -t                 : run syntax check for config files

Ciphers:

    [root@testServer11 bin]# ./apachectl -t -D DUMP_SSL_CIPHERS
    SSL Ciphers:
    .
    .
    .
    SSL default cipher lists:
    SSL protocol SSLV2, FIPS off, defaults =
    SSL protocol SSLV2, FIPS on, defaults =
    SSL protocol SSLV3, FIPS off, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_RC4_128_SHA(35),SSL_RSA_WITH_RC4_128_MD5(34),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
    SSL protocol SSLV3, FIPS on, defaults =
    SSL protocol TLSv10, FIPS off, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_RC4_128_SHA(35),SSL_RSA_WITH_RC4_128_MD5(34),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
    SSL protocol TLSv10, FIPS on, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
    SSL protocol TLSv11, FIPS off, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_RC4_128_SHA(35),SSL_RSA_WITH_RC4_128_MD5(34),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
    SSL protocol TLSv11, FIPS on, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
    SSL protocol TLSv12, FIPS off, defaults = TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_256_CBC_SHA256(3D),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
    SSL protocol TLSv12, FIPS on, defaults = TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_256_CBC_SHA256(3D),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
    Syntax OK
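An added Python parser for the DUMP_SSL_CIPHERS output above (example code written for this note, not IHS tooling); the sample dump is constructed from the lines shown above, one protocol/FIPS pair per line. It lists the default ciphers per protocol and flags RC4/3DES/MD5 suites, legacy protocols with a non-empty default list, and the absence of ECDHE/DHE suites (no forward secrecy), which is what the explicit SSLCipherSpec list in the cipher-setting post corrects.

```python
import re

# Constructed sample of `apachectl -t -D DUMP_SSL_CIPHERS` output, reproducing
# the default-cipher lines shown above with one protocol/FIPS pair per line.
DUMP_SSL_CIPHERS = """\
SSL default cipher lists:
SSL protocol SSLV2, FIPS off, defaults =
SSL protocol SSLV2, FIPS on, defaults =
SSL protocol SSLV3, FIPS off, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_RC4_128_SHA(35),SSL_RSA_WITH_RC4_128_MD5(34),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL protocol SSLV3, FIPS on, defaults =
SSL protocol TLSv10, FIPS off, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_RC4_128_SHA(35),SSL_RSA_WITH_RC4_128_MD5(34),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL protocol TLSv10, FIPS on, defaults = TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
SSL protocol TLSv12, FIPS off, defaults = TLS_RSA_WITH_AES_128_GCM_SHA256(9C),TLS_RSA_WITH_AES_256_GCM_SHA384(9D),TLS_RSA_WITH_AES_128_CBC_SHA256(3C),TLS_RSA_WITH_AES_256_CBC_SHA256(3D),TLS_RSA_WITH_AES_128_CBC_SHA(2F),TLS_RSA_WITH_AES_256_CBC_SHA(35b),SSL_RSA_WITH_3DES_EDE_CBC_SHA(3A)
Syntax OK
"""

LINE_RE = re.compile(r"SSL protocol (\S+), FIPS (on|off), defaults =\s*(.*)")
CIPHER_RE = re.compile(r"([A-Z0-9_]+)\(([0-9A-Fa-f]+)\)")
# Substrings that identify suites a hardening pass should drop.
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "MD5", "NULL", "EXPORT")
LEGACY_PROTOCOLS = ("SSLV2", "SSLV3", "TLSV10", "TLSV11")


def parse_cipher_dump(text):
    """Map (protocol, fips) -> list of (cipher_name, hex_code) from the dump."""
    lists = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            proto, fips, rest = m.groups()
            lists[(proto, fips)] = CIPHER_RE.findall(rest)
    return lists


def weak_ciphers(ciphers):
    """Names from a (name, code) list that carry a weak-algorithm marker."""
    return [name for name, _ in ciphers if any(w in name for w in WEAK_MARKERS)]


def has_forward_secrecy(ciphers):
    """True if at least one ECDHE/DHE suite is present."""
    return any("_ECDHE_" in name or "_DHE_" in name for name, _ in ciphers)


def audit_cipher_dump(text):
    """Return (protocol, fips, finding) tuples describing what the dump reveals.
    Protocols whose default list is empty are skipped: nothing can negotiate them."""
    findings = []
    for (proto, fips), ciphers in sorted(parse_cipher_dump(text).items()):
        if not ciphers:
            continue
        if proto.upper() in LEGACY_PROTOCOLS:
            findings.append((proto, fips, "legacy protocol has a non-empty default cipher list"))
        for name in weak_ciphers(ciphers):
            findings.append((proto, fips, f"weak cipher in defaults: {name}"))
        if not has_forward_secrecy(ciphers):
            findings.append((proto, fips, "no ECDHE/DHE suite: no forward secrecy"))
    return findings
```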

Related reference links:

https://testssl.sh/openssl-iana.mapping.html
https://www.ssllabs.com/


IBM HTTPServer - Blocking HTTP methods

How to block HTTP methods on the web server


  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5

Notes from testing after a request came in to block HTTP methods on IBM HTTPServer for security reasons.

  • Because IHS is Apache-based, the same settings can also be applied to Apache.

Edit httpd.conf

# Restrict every method except GET and POST (Limit/LimitExcept on GET also covers HEAD)
<Directory />
    Options FollowSymLinks
    AllowOverride None
    <LimitExcept GET POST>
        Order allow,deny
        Deny from all
    </LimitExcept>
</Directory>

Usually this goes inside a Directory section, but if Directory sections are not used, a Location section works too.

<Location "/*">
  <LimitExcept GET POST>
  Order allow,deny
  Deny from all
  </LimitExcept>
</Location>

Another option is to use mod_rewrite.

LoadModule rewrite_module modules/mod_rewrite.so
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Everything except GET and POST is answered with a 405
    # (anchored with $ so that only the exact method names match)
    RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
    RewriteRule .* - [R=405,L]
</IfModule>

Method blocking can be tested by creating a file for that method and requesting it, but a simple telnet test is enough.

$ telnet {domain_address} 80
OPTIONS http://{domain_address}/ HTTP/1.0   (e.g. OPTIONS http://google.com/ HTTP/1.0)
(press Enter twice to send the empty line that ends the request)

# When all methods are allowed
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 01:44:40 GMT
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Connection: close
Content-Type: text/html

# When the method is blocked (mod_rewrite rule)
HTTP/1.0 405 Method Not Allowed
Allow: GET, HEAD
# When the method is blocked (LimitExcept)
HTTP/1.1 403 Forbidden
Allow: GET, HEAD

If the above methods cannot be used

Restrict the methods with a security-constraint in web.xml.

# Configure the method restriction in web.xml as follows
<security-constraint>
  <web-resource-collection>
    <web-resource-name>blocked-methods</web-resource-name> <!-- any descriptive name -->
    <url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <!-- An empty auth-constraint denies the listed methods to everyone; without it
       the constraint grants access instead of restricting it. -->
  <auth-constraint/>
</security-constraint>
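An added Python checker for the telnet-style responses above that also covers the Server and X-Powered-By headers from the "disable server name header" post (example code for this note, not a WebSphere or IHS tool; the sample responses are constructed, and the Server and X-Powered-By values in them are assumed). Given the raw response to an OPTIONS probe it reports version disclosure, a probe method that was not rejected, and Allow headers advertising more than GET/HEAD/POST.

```python
import re

# Constructed raw responses in the form the telnet test above produces.
# The Server and X-Powered-By values are sample values, not captured output.
UNHARDENED_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 04 Jul 2018 01:44:40 GMT\r\n"
    "Server: IBM_HTTP_Server/8.5.5.0 (Unix)\r\n"
    "X-Powered-By: Servlet/3.0\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_OPTIONS_RESPONSE = (
    "HTTP/1.0 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers); headers maps
    lower-cased names to the list of values seen, since a header may repeat."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    status, *lines = head.splitlines()
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", status)
    if not m:
        raise ValueError(f"not an HTTP status line: {status!r}")
    headers = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def audit_response(raw, probe_method, allowed=("GET", "HEAD", "POST")):
    """Findings for the response to `probe_method` (e.g. "OPTIONS"). HEAD is in
    the default allow-list because <LimitExcept GET POST> lets HEAD through."""
    code, headers = parse_response(raw)
    findings = []
    for value in headers.get("server", []):
        # ServerTokens Prod leaves only the bare product name; a version number
        # means neither that nor AddServerHeader Off / RemoveServerHeader is in effect.
        if re.search(r"\d", value) or "websphere" in value.lower():
            findings.append(f"Server header discloses product/version: {value}")
    for value in headers.get("x-powered-by", []):
        findings.append(f"X-Powered-By header present: {value}")
    if probe_method.upper() not in allowed and code < 400:
        findings.append(f"{probe_method.upper()} was answered with {code}; expected 403/405")
    for value in headers.get("allow", []):
        advertised = {m.strip().upper() for m in value.split(",") if m.strip()}
        extra = sorted(advertised - set(allowed))
        if extra:
            findings.append("Allow header advertises unexpected methods: " + ", ".join(extra))
    return findings
```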




IBM HTTPServer version info

IHS v8.5, v9.0 apache version Info


PS E:\app\was\HTTPServer\bin> .\apache.exe -V
Server version: IBM_HTTP_Server/8.5.5.0 (Win32)
Apache version: 2.2.8 (with additional fixes)
Server built:   Feb 20 2013 13:50:05
Build level:    IHS90/webIHS1307.02
Server's Module Magic Number: 20051115:21
Server loaded:  APR 1.2.12, APR-Util 1.2.12
Compiled using: APR 1.2.12, APR-Util 1.2.12
Architecture:   32-bit
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/winnt"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/apache"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2005-3352  CVE-2005-3357  CVE-2006-3918  CVE-2006-3747
  CVE-2007-4465  CVE-2007-1862  CVE-2006-5752  CVE-2007-3304
  CVE-2007-1863  CVE-2007-3847  CVE-2008-0005  CVE-2007-5000
  CVE-2007-6388  CVE-2007-6422  CVE-2007-6421  CVE-2006-7225
  CVE-2007-6420  CVE-2008-2364  CVE-2008-2939  CVE-2009-1195
  CVE-2009-1955  CVE-2009-0023  CVE-2009-1956  CVE-2009-1890
  CVE-2009-1891  CVE-2009-2412  CVE-2009-1191  CVE-2009-3094
  CVE-2009-3095  CVE-2009-3555  CVE-2010-0408  CVE-2010-0434
  CVE-2010-1452  CVE-2010-1623  CVE-2009-3560  CVE-2009-3720
  CVE-2011-0419  CVE-2011-1928  CVE-2011-3192  CVE-2011-3348
  CVE-2011-3368  CVE-2011-3639  CVE-2011-4317  CVE-2011-3607
  CVE-2012-0717  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883
  CVE-2012-2190  CVE-2012-2191  CVE-2012-2687  CVE-2012-4558
  CVE-2012-3499  CVE-2012-4557  


PS E:\software\IBM\HTTPServer9\bin> .\apache.exe -V
Server version: IBM_HTTP_Server/9.0.0.0-PI56034 (Win32)
Apache version: 2.4.12 (with additional fixes)
Server built:   Apr 18 2016 20:28:53
Build level:    RIHSX.IHS/webIHS1616.01
Server's Module Magic Number: 20120211:57
Server loaded:  APR 1.5.1, APR-UTIL 1.5.2
Compiled using: APR 1.5.1, APR-UTIL 1.5.2
Architecture:   32-bit
Operating System: Windows
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/apache"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error.log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
  CVE-2009-1191  CVE-2009-1890  CVE-2009-3094  CVE-2009-3095
  CVE-2010-0434  CVE-2010-0425  CVE-2010-0408  CVE-2009-3555
  CVE-2010-1452  CVE-2010-1623  CVE-2011-3368  CVE-2011-3607
  CVE-2011-3192  CVE-2011-3348  CVE-2011-4317  CVE-2012-0021
  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883  CVE-2012-2687
  CVE-2012-3502  CVE-2012-4558  CVE-2012-3499  CVE-2013-2249
  CVE-2013-1896  CVE-2013-4352  CVE-2013-6438  CVE-2014-0098
  CVE-2014-0963  CVE-2014-0231  CVE-2014-0118  CVE-2014-0226
  CVE-2014-3523  CVE-2014-0117  CVE-2013-5704  CVE-2014-8109
  CVE-2014-3581  CVE-2014-3583  CVE-2015-0253  CVE-2015-3185
  CVE-2015-3183  CVE-2015-1829  CVE-2014-8730  CVE-2015-0228
  CVE-2015-4947  CVE-2015-1283  CVE-2015-7420  CVE-2016-0201

IBM HTTPServer rotatelogs log setting



Test Environment

  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5 (apache)

  1. Apache log setting (log rotation)

    Location: /IBM/HTTPServer/conf

    Edit: httpd.conf
# ErrorLog logs/error_log  
ErrorLog "|/IBM/HTTPServer/bin/rotatelogs /IBM/HTTPServer/logs/error_%Y%m%d.log 86400" 

# CustomLog logs/access_log common  
CustomLog "|/IBM/HTTPServer/bin/rotatelogs /IBM/HTTPServer/logs/access_%Y%m%d.log 86400" common  
  • Reference: format strings
    %A full weekday name (localized)
    %a 3-letter weekday name (localized)
    %B full month name (localized)
    %b 3-letter month name (localized)
    %c date and time (localized)
    %d 2-digit day of month
    %H 2-digit hour (24-hour clock)
    %I 2-digit hour (12-hour clock)
    %j 3-digit day of year
    %M 2-digit minute
    %m 2-digit month
    %p am/pm for the 12-hour clock (localized)
    %S 2-digit second
    %U 2-digit week number (week starts on Sunday)
    %W 2-digit week number (week starts on Monday)
    %w 1-digit weekday number (week starts on Sunday)
    %X time (localized)
    %x date (localized)
    %Y 4-digit year
    %y 2-digit year
    %Z time zone name
    %% literal `%'



SSL setting



  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5, WebSphere v8.5

  1. Changes to httpd.conf

    Location: F:\IBM\HTTPServer\conf

    File: \httpd.conf

    Edit: uncomment the SSL configuration section
### SSL Module Start ###
NameVirtualHost 211.1.1.1:80
NameVirtualHost 211.1.1.1:443

LoadModule ibm_ssl_module     modules/mod_ibm_ssl.so
Listen 443

<VirtualHost ad1.test.com:80>
#    ServerAdmin webmaster@dummy-host.example.com
     DocumentRoot "C:/IBM/HTTPServer/htdocs"
     ServerName ad1.test.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

<VirtualHost ad1.test.com:443>
     SSLEnable
     SSLClientAuth none
     DocumentRoot "C:/IBM/HTTPServer/htdocs"
     ServerName ad1.test.com
</VirtualHost>

SSLDisable
Keyfile "C:/IBM/kera.kdb"

# End of example SSL configuration

On IBM HTTPServer, vulnerable protocols are disabled depending on the version.

  2. Issue a certificate with ikeyman
  • If a certificate has already been issued, use it
  3. Add the virtual host in the console
  • Log in to the admin console and register the added port at the following location

    Location: Virtual hosts > default_host > Host aliases

    Content: register port 443 on the existing virtual host
  4. Restart the web server

Check the conf for errors with apachectl -t, then start the server.




WebSphere WEB - WAS dynamic and static content separation


Test Environment

  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5, WebSphere v8.5

What has to be done in WebSphere to separate content

In fact, just setting the URI patterns in the plug-in is enough, without any other configuration.

  1. If Plugin-cfg.xml is customized so that the URI mapping covers every request, the web server naturally forwards all requests to WAS
  • Location: F:\IBM\HTTPServer\Plugins
  • Edit: the relevant part of Plugin-cfg.xml
   <UriGroup Name="default_host_server1_root-PCNode01_Cluster_URIs">
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="*.jsp"/> 
   </UriGroup>

With this setting, only the configured pattern is passed to WAS and everything else is looked up on the web server.

  • Add an Alias to httpd.conf

    (The image files must already be copied to /home/images.)

    Location: F:\IBM\HTTPServer\conf

    Add: Alias /images /home/images
  2. Dynamic & static separation in WebSphere using fileServingEnabled

In WebSphere, the fileServingEnabled option can be set in the application's .ear/WEB-INF/ibm-web-ext.xmi: with fileServingEnabled="true", WAS also serves static files such as *.html; with "false", it serves only dynamic content and the web server handles the rest.

  • After changing fileServingEnabled="true" => "false", every copy of the file for that application must be updated.

Location:

/WebSphere/AppServer/profiles/[Profile_Name]/config/cells/[Cell_Name]/applications/[Application_Name].ear/deployments/[Application_Name]/[Application_Name].war/WEB-INF

/[Application Source Path]/[Application_Name].war/WEB-INF

Edit: ibm-web-ext.xmi

Change: fileServingEnabled="false"

Edit: if the file is ibm-web-ext.xml

Change:

  • Regenerate and propagate the plug-in (if the web server is separate and cannot be reached, put the file in that web server's Plugin-cfg.xml location.)

    e.g. F:\IBM\HTTPServer\Plugins\config\webserver1\Plugin-cfg.xml

    The changed Plugin-cfg.xml file can then be checked.
   <UriGroup Name="default_host_server1_root-PCNode01_Cluster_URIs">
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="*.jsp"/>
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="*.jsv"/>
      <Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="*.jsw"/>
   </UriGroup>
  • Add an Alias to httpd.conf

    (The image files must already be copied to /home/images.)

    Location: F:\IBM\HTTPServer\conf

    Add: Alias /images /home/images

After editing Plugin-cfg.xml with either of these two methods, restart the web server.

  • If WAS is to handle everything, in Plugin-cfg.xml:
<Uri AffinityCookie="JSESSIONID" AffinityURLIdentifier="jsessionid" Name="*"/>



How to merge plug-in files with the pluginMerge tool

install_root/bin/pluginMerge.sh plugin_configuration_file1 plugin_configuration_file2 resulting_plugin_configuration_file

install_root/bin/pluginCfgMerge.sh plugin_configuration_file1 plugin_configuration_file2 resulting_plugin_configuration_file

install_root\bin\pluginMerge.bat plugin_configuration_file1 plugin_configuration_file2 resulting_plugin_configuration_file
install_root\bin\pluginCfgMerge.bat plugin_configuration_file1 plugin_configuration_file2 resulting_plugin_configuration_file

## Procedure

  1. Edit the plug-in file and generate it again.

  2. Put the plug-in files to be merged in one directory.

  3. Rename Plugin-cfg.xml (Plugin-cfg.xml -> Plugin-cfg01.xml)

  4. e.g. ./pluginCfgMerge.sh /apps/wes/IBM/plugin-cfg01.xml /apps/wes/IBM/plugin-cfg02.xml /apps/wes/IBM/plugin-cfg.xml

  5. Replace the Plugin-cfg.xml of the target web server with the generated plug-in file.

*Back up the plug-in file before starting (Linux: # cp Plugin-cfg.xml Plugin-cfg.xml.20121126)
*If the plug-in file is edited by hand, the following must also be done.

Web servers > webserver1 > Plug-in properties

Default values >>
After the plug-in work >>
Plug-in automatic generation and propagation
Automatically generate the plug-in configuration file >> uncheck
Automatically propagate the plug-in configuration file >> uncheck

* If the automatic generation and propagation options are true, manually configured settings are not kept, so set these options to false.

Plug-in key file issue


For IBM HTTP Server Versions 6.0 or 6.1, issue the gsk7capicmd command to determine whether the password used on your system expires on April 26, 2012. This command is located in your [gsk_root]/bin directory.

gsk7capicmd -keydb -expiry -db "C:\temp\plugin-key.kdb" -pw WebAS

The resulting output indicates the expiration date for the password: For example, the following output indicates that the password expires on April 26, 2012 at 11:20:31 AM EDT:

Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time

Issue a gsk7 command, similar to the following command, to change the password that is expiring:

gsk7capicmd -keydb -changepw -pw xxxx -new_pw yyyy -stash -db plugin-key.kdb

If you want the new password to expire after a specific number of days, add -expire to the gsk7capicmd command line and specify the number of days for which the new password should be valid.

Note 1: IMPORTANT: Setting the -expire parameter to 0 means that the password associated with the key database does not expire.

Note 2: GSKit versions prior to 7.0.3.17 do not recognize the -expire parameter. If you are using one of these prior GSKit versions, you must upgrade to the latest GSKit 7.0.4.x version.


Note 3: There is a behavior difference between GSKit 7.0.3.x and 7.0.4.x when using these commands. Leaving the -expire off when using GSKit 7.0.4 results in a password that never expires. Leaving the -expire off when using GSKit versions prior to 7.0.3.17 results in a password expiring in one year. Leaving the -expire off when using GSKit versions equal to and later than 7.0.3.17 results in a password that never expires.

Note 4: GSKit Versions 7.0.3.9 and earlier do not recognize the -new_pw parameter. Instead, you will be prompted for the new password and then asked to confirm the new password.


Frequently asked questions (FAQs):

Q: What happens if I do nothing?
A: You might not notice anything on April 26, 2012, but after the web server is restarted or it loads a new copy of the plugin-cfg.xml due to propagation, the web server plug-in will fail to initialize the HTTPS transports. The plug-in will rely on HTTP (non-ssl) transports to communicate to the WebSphere Application Server, and the plug-in log will contain error messages similar to the following messages:

  • ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment 
    ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security


Q: Can I use the same password?
A: You cannot supply the existing password and tell it to change to that same one. You must specify a new password.

Q: What if I find the password problem within my plug-in from WebSphere Application Server Version 4.0.x?
A: The plug-in from WebSphere Application Server Version 4.0 used GSKit Version 5. You can use the gsk5ikm GUI to change the password or use the gsk5cmd to alter the password. If it's more convenient, you can backup and copy the kdb file to a GSKit 7.0.4 environment and use the tools there to change the password.

Q: How do I correct the password problem if I am running on z/OS?
A: You can use the z/OS gskkyman utility. To use this utility to display the expiration date, issue a command similar to the following command:

gskkyman -dk -k plugin-key.kdb

To fix the expiration date, you must complete the following steps, which include changing the password:

  1. Navigate to the location of the plugin-key.kdb file.
  2. Enter gskkyman.
  3. From the menu provided, choose option "3 - Change database password".
  4. Prompt: "Enter key database name (press ENTER to return to menu):" (Enter plugin-key.kdb).
  5. Prompt: "Enter database password (press ENTER to return to menu):" (Enter WebAS).
  6. Prompt: "Enter new database password (press ENTER to return to menu):" (Enter your new password).
  7. Prompt: "Re-enter database password:" (Re-enter the password).
  8. Prompt: "Enter password expiration in days (press ENTER for no expiration):" (decide if you want this password to expire).

After the password is set, use the following command to stash the new password to a file for the plugin to utilize the updated kdb file.

gskkyman -s -k plugin-key.kdb 


Q: How do I correct the password problem if I am running on IBM i?
A: IBM i provides a utility called Digital Certificate Manager. This tool can be used to change the password, but it does not provide a means to view the expire value.

To view the password expiration value, copy the plugin-key.kdb file to a distributed environment, such as Microsoft Windows, and use either iKeyman or gsk7capicmd utilities previously described in this Flash.

To change the password, complete one of the following actions.

If you are running on IBM i V5R4, complete the following steps:

  1. Start the HTTP Admin server if it is not already running:

    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) 
  2. In the browser, enter the following:

    machine:2001 (enter credentials)
  3. Click Digital Certificate Manager.
  4. Click Select a certificate store.
  5. Select Other system certificate store, and then click Continue.
  6. Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
  7. Click Reset password.
  8. Enter the new password, confirm the new password, and then take the default options.

    - Automatic login
    - Password does not expire
  9. Click Continue.
The operation is successful if you see the message "The password has been reset."

If you are running on IBM i V6R1 or V7R1, complete the following steps:
  1. Start the HTTP Admin server if it is not already running:

    STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) 
  2. In the browser, enter the following:

    machine:2001 (enter credentials)
  3. Expand IBM i management and click Internet Configurations.
  4. Click Digital Certificate Manager.
  5. Click Select a certificate store.
  6. Select Other System Certificate Store, and then click Continue.
  7. Enter the path to the plugin-key.kdb file in the Certificate store path and file name: field.
  8. Click Reset password.
  9. Enter the new password, confirm the new password, and then take the default options:

    - Automatic login
    - Password does not expire
  10. Click Continue.
The operation is successful if you see the message "The password has been reset." 



-------------------- Original note

The WebSphere plug-in key file is said to expire on April 27.
(Not every plug-in kdb file is affected.)

   1. How to check the expiry date
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -expiry -db "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb" -pw WebAS

   2. Change the password and the expiry
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -changepw -db C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb -pw WebAS -new_pw WebAS1 -expire 3650 -stash

   3. Check the changed expiry (with the new password)
C:\IBM\HTTPServer\bin>gsk7capicmd -keydb -expiry -db "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-key.kdb" -pw WebAS1


------------ AIX -------
root [/]#find . -name gsk7capicmd -print
./usr/bin/gsk7capicmd
./usr/opt/ibm/gskta/bin/gsk7capicmd
root [/]#cd /usr/bin

root [/usr/bin]#gsk7capicmd -keydb -expiry -db "/IBM/Plugins/config/webserver1/plugin-key.kdb" -pw WebAS
Validity:  Friday, 27 April 2012 00:20:31 AM KORST

root [/usr/bin]#gsk7capicmd -keydb -changepw -db /IBM/Plugins/config/webserver1/plugin-key.kdb -pw WebAS -new_pw WebAS1 -expire 3650 -stash

root [/usr/bin]#gsk7capicmd -keydb -expiry -db "/IBM/Plugins/config/webserver1/plugin-key.kdb" -pw WebAS1                                  
Validity:  Thursday, 21 April 2022 13:12:40 PM KORST
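An added Python helper that parses the Validity line printed by gsk7capicmd -keydb -expiry (both the English Flash output earlier in this post and the AIX/KORST output here) and turns it into an expiry check, plus a filter for the plug-in log messages the FAQ lists as the symptom; example code for this note, not GSKit's or the plug-in's, and the log excerpt is constructed.

```python
import re
from datetime import datetime

# Validity lines copied from the outputs in this post, and a constructed plug-in
# log excerpt carrying the two error messages the FAQ describes.
EDT_LINE = "Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time"
KORST_OLD_LINE = "Validity:  Friday, 27 April 2012 00:20:31 AM KORST"
KORST_NEW_LINE = "Validity:  Thursday, 21 April 2022 13:12:40 PM KORST"
PLUGIN_LOG = """\
[constructed] PLUGIN: plug-in starting
[constructed] ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
[constructed] ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security
[constructed] PLUGIN: continuing with HTTP transports only
"""

MONTHS = {m: i for i, m in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

VALIDITY_RE = re.compile(
    r"Validity:\s*[A-Za-z]+,\s*(\d{1,2})\s+([A-Za-z]+)\s+(\d{4})\s+"
    r"(\d{1,2}):(\d{2}):(\d{2})\s*(AM|PM)?", re.IGNORECASE)

GSK_FAILURE_MARKERS = (
    "lib_security: initializeSecurity: Failed to initialize GSK environment",
    "ws_transport: transportInitializeSecurity: Failed to initialize security",
)


def parse_validity(output):
    """Parse the Validity line into a naive datetime. GSKit prints 24-hour hours
    with a redundant AM/PM ("00:20:31 AM", "13:12:40 PM"), so the suffix is only
    applied in the genuine 12-hour cases; the trailing zone name is ignored."""
    m = VALIDITY_RE.search(output)
    if not m:
        raise ValueError("no Validity line found")
    day, month, year, hh, mm, ss, ampm = m.groups()
    hour = int(hh)
    if ampm and ampm.upper() == "PM" and hour < 12:
        hour += 12
    elif ampm and ampm.upper() == "AM" and hour == 12:
        hour = 0
    return datetime(int(year), MONTHS[month.lower()], int(day), hour, int(mm), int(ss))


def check_expiry(output, now, warn_days=30):
    """Return (status, days_left): "EXPIRED", "WARN" (within warn_days) or "OK".
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    expiry = parse_validity(output)
    days_left = (expiry - now).days
    if expiry <= now:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "WARN", days_left
    return "OK", days_left


def plugin_log_gsk_failures(log_text):
    """Return the plug-in log lines showing the HTTPS transports failed to
    initialize, the symptom of an expired key-database password."""
    return [line for line in log_text.splitlines()
            if any(marker in line for marker in GSK_FAILURE_MARKERS)]
```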
