
Maximo SSL (HTTPS) Configuration
- December 23, 2016
- Alex
- 24 Responses
- December 23, 2016
- Alex
- 24 Responses
I won’t get into a lengthy discussion about why you should use SSL to secure browser traffic. I’ll simply offer that your Maximo environment, especially if the environment can be accessed over the public internet, should be secured. Here are a few reasons:
- SSL Encrypts Sensitive Information
- SSL Provides Trust and Authentication
- SSL Can Provide Compliance in certain Industries
Step 1: Create a Key Database and Generate a new Certificate Signing Request
Run the IBM Key Management Utility
- Sign on to the server where the IBM HTTP Server is installed as an administrator.
- Run the IBM Key Management Utility program from your Start Menu > IBM HTTP Server V8.5
Create a Key Database
- Create a new Key Database File. This file will hold your private keys and must be kept secure:
- Key database type: CMS
- File Name: maximo.kdb
- Location: C:\IBM\HTTPServer\ (provide an appropriate path for your system)
- Click OK
Secure the Key Database
- You will be prompted for a password to secure your new key database:
- Enter a password
- Confirm the password
- Check the Stash password to a file checkbox
- Click OK
Create a New Certificate Signing Request
- Create a New Certificate Request from the menu options. This request, also known as a Certificate Signing Request (CSR), is what will be sent to the Certificate Authority for verification. With the information provided in the request, the CA will do their homework on you to make sure you are who you say you are, including possibly attempting to contact you or your business by email or phone. It’s important that this information is as accurate as possible:
- Key Label: MAX_SSL_KEY
- Key Size: 2048
- Common Name: www.mycompany.com (this is the host name that you want to secure and must be correct!)
- Organization: My Company Inc
- Locality: Your city
- State/Province: Your state
- Zipcode: Your zip
- Country or region: Your country
- Email Address: admin@mycompany.com
- Enter the file name: C:\IBM\HTTPServer\maximo.arm
- Click OK. We’re going to leave the IBM Key Management Utility open for now. We’ll come back to it later.
Step 2: Purchase an SSL Certificate, Upload the CSR, and Download the Certificate
Purchase an SSL Certificate
- Navigate to the SSL Certificate page on the GoDaddy website and purchase an SSL Certificate (sorry, no step-by-step here!).
Request an SSL certificate
After you purchase an SSL certificate, you need to request it for the website’s domain name (or “common name”) you want to use.Activate your credit
- Log in to your GoDaddy account.
- Click SSL Certificates.
- Next to the SSL certificate credit you want to use, click Set up.
- If you have multiple credits, select the credit you want to use, and then click Set up.
- Refresh the page; you should see a New Certificate. If you don’t, continue to refresh the page until you do.
Request your certificate
- Next to your New Certificate, click Manage.
- Select Provide a CSR, and then enter the CSR from your server. Back on the server where the IBM HTTP Server is installed, open the C:\IBM\HTTPServer\maximo.arm file in your favorite text editor. Copy its contents. This is your Certificate Signing Request (CSR).
- Click Request Certificate.
Verification Process
- GoDaddy will verify your certificate request. How long this takes depends on the type of certificate (typically between 1 and 7 days). Once we have that certificate we can continue with the process. Until then, we wait.
Download the Certificate
- After GoDaddy approves your SSL certificate request, you can download your primary and intermediate certificate from within the SSL application on the GoDaddy website.
- On your SSL certificate home page, click Download.
- Select the Apache server type.
- Click Download ZIP file.
Copy the Certificate to your IBM HTTP Server
- Copy the ZIP file to the C:\IBM\HTTPServer\ folder on the server where the IBM HTTP Server is installed.
- Extract the contents of the ZIP file to the C:\IBM\HTTPServer\ folder.
- Note that there should be two files: one that represents your certificate, and one that represents GoDaddy’s intermediate certificate. You will need both to install the certificate in the next step.
Step 3: Install the Certificate
Run the IBM Key Management Utility
- Sign on to the server where the IBM HTTP Server is installed as an administrator.
- Run the IBM Key Management Utility program from your Start Menu > IBM HTTP Server V8.5
- Open your maximo.kdb key database created earlier, using the password you created earlier to unlock the key database.
Install the Intermediate Certificate
- Change the Key database content drop-down to Signer Certificates.
- Click the Add… button
- Choose the intermediate certificate file that you extracted in the previous step. Please note that the file name is likely to be of the nature gd_bundle_*.crt, and that the CRT file extension is not in the default list in the Key Management Utility file browser. Simply change the file extension drop-down to All Files or paste the exact file name into the window.
- Click OK
- You should see the intermediate GoDaddy certificates listed.
Install the Certificate
- Change the Key database content drop-down to Personal Certificates.
- You should see the MAX_SSL_KEY record that was created earlier when we created our CSR. Highlight that record. Note that the * in front of the MAX_SSL_KEY record indicates it is the default key.
- Press the Receive button.
- Choose the certificate file that you extracted in the previous step. Please note that the file name is likely to be some has sequence with a file extension of .crt, and that the CRT file extension is not in the default list in the Key Management Utility file browser. Simply change the file extension drop-down to All Files or paste the exact file name into the window.
- Click OK
- If all goes well you should see a Validation Successful message in the Key Management Utility! This means that your key database is now validated with a signed certificate from a Certificate Authority (GoDaddy). We’re almost done!
Step 4: Update the HTTP Server, WebSphere, and Maximo
Update the IBM HTTP Server
- Sign on to the server where the IBM HTTP Server is installed as an administrator.
- Edit the C:\IBM\HTTPServer\conf\httpd.conf file. Please note that the directory path may be different based upon your installation (e.g. C:\Program Files\IBM\HTTPServer\).
- Add the following snippet to the file:
# Maximo SSL Config LoadModule ibm_ssl_module modules/mod_ibm_ssl.so Listen 0.0.0.0:443 ## IPv6 support: #Listen [::]:443 <VirtualHost *:443> SSLEnable </VirtualHost> KeyFile "C:/IBM/HTTPServer/maximo.kdb"
- Save the file.
- Restart the IBM HTTP Server V8.5 Windows Service.
Update the WebSphere Virtual Host
- Log into the IBM WebSphere Console as an administrator.
- Navigate to Environment > Virtual Hosts.
- Click on the maximo_host Virtual Host.
- Click on Host Aliases under Additional Properties.
- Click on the New… button.
- Add the host name that you used for the Common Name (e.g. www.mycompany.com) in your certificate request as the Host Name. Specify 443 as the Port.
- Click OK and save the configuration to the Master File.
- Restart your IBM WebSphere Windows Services (Cell Manager and Node Agent).
Update your Maximo System Properties
- At this point, you should be able to access Maximo over SSL (HTTPS). There are just a few System Properties that should be updated in order to have everything buttoned up.
- Log into Maximo as an administrator.
- Navigate to the System Configuration > Platform Configuration > System Properties application.
- Update the following properties, which should just involve changing the existing property value to change the http:// to https://
- mxe.doclink.path01: This is for attached documents.
- mxe.help.protocol: This is for application help. Please note that in 7.6.0.4 the help is now pointing to IBM’s website. In either case, the property value should be changed to https.
- mxe.int.webappurl: This is for Integration Framework web service and HTTP calls.
- mxe.oslc.restwebappurl: This is for OSLC calls through the REST interface.
- mxe.oslc.webappurl: This is for OSLC calls through the standard interface.
24 Comments
Great article, very concise and informative. Do you have any further steps in order to only allow TLS 1.2 as the transport protocolo on SSL?
Thanks Harold. I haven’t had to enforce that limitation yet, but I found an article on IBM’s Developer website that explains how to ensure TLS 1.2 is used. Note that you need to be on WebSphere v8 in order to do this. https://developer.ibm.com/answers/questions/206952/how-do-i-configure-websphere-application-server-ss.html
Your article is quite good. Do you think it is advisable in this situation to configure access such that ssl is the only/mandatory connection available?
Thanks! Automatically routing users over to SSL is certainly advisable. Check out how to use the Apache Re-write module to do this with Maximo and WebSphere here: https://a3jgroup.com/securing-maximo-by-forcing-users-to-ssl-https/
Is there some way to encrypt the mxe.report.birt.viewer?
If you have a BIRT Reporting Only Server (BROS), you can secure that environment in a similar fashion. Then update your mxe.report.birt.viewerurl System Property to use the HTTPS protocol.
Hi Alex,
A Big Thank you for making this concise instructions. Are there any special considerations for Maximo clustered environment in enabling SSL?
You’re welcome! For a clustered environment, the key is securing the load balancer URL and then ensuring that the Virtual Hosts are configured properly. You do not need certificates for each host within the cluster. You simply need to establish trust with the load balancer.
Hi Alex,
Is it possible to use wildcard SSL certificate with Maximo?
Yes, a wildcard certificate can be used with Maximo. Most of the SSL certificate providers will provide a way to specify your list of sub-domains for wildcard certificates. Other than providing the Maximo sub-domain to the provider, the steps should be very similar to what’s been listed in the article.
Hi Alex, Thanks for sharing such a useful article.
Can you please help me with the below problem?
I am getting invalid certificate when running a BIRT report.
Maximo URL: https://maximo.xyz.ca/maximo
This URL is also added to the UICluster Virtual host with port 443
Reports birt viewer URL: https://maxrep.xyz.ca/maximo/report
This URL is added to the BROSCluster Virtual Host with port 443
The BROS application is mapped to the BROS JVM and webserver1.
Thanks!
A certificate is usually only valid for a given domain name. In other words, you will need two certificates – one for maximo.xyz.ca and one for maxrep.xyz.ca. The exception is that some providers offer wildcard certificates, where one certificate can match *.xyz.ca.
In your case you will need two certificates or one wildcard certificate to secure both maximo.xyz.ca and maxrep.xyz.ca. The setup above can be followed for both JVMs. Good luck!
Thanks for responding Alex!
We are using wildcard certificate i.e. *.xyz.ca.
I am able to get around the invalid certificate problem by deploying the BROS EAR to a webserver running on the same VM as BROS JVM. But this approach then allows users to login to maximo using the maxrep.xyz.ca url as well which I dont want to happen.
Any thoughts?
You might be able to use the
Location
directive to filter out the ability to navigate to the /maximo/ui path on the maxrep.xyz.ca domain: https://httpd.apache.org/docs/2.4/mod/core.html#locationHello,
we need to call a secure webservice from Maximo using publish channel. Do I have to import certs in websphere?
thanks
Yes, certs need to be imported into the trust store within WebSphere. Look for an article shortly on this topic!
Perfect thanks!
It took a little longer than expected, but the article about importing certificates into WebSphere’s trust store is now online.
Have you thought about playing with how to setup SSL with Maximo linked to Cloudfare???
trying to follow your above post and figure out where the PEM file and Private Key I get from Cloudfare would come in on setting up the Origin CA server (Maximo).
Just curious,
Miller
This article talks about the IBM HTTP Server. How is this different than generating a certificate for WebSphere itself and under what conditions do you do one vs. the other?
When WebSphere is installed by the IBM Maximo Configuration Utilitiy, it creates a Web Server and an App Server. But Maximo runs fine with just an App Server. Is a Web Server needed to secure Maximo through SSL?
Thank you.
Dear Julio – Thanks for your comment. This was exactly my concern as well. I believe our Linux admin already installed a self-signed cert for WebSphere although Maximo runs on HTTP. Although our situation is slightly different, your situation is very helpful in coordinating with both IBM Maximo support and IBM WebSphere support it seems.
Your article helped me get SSL working when accessing Maximo through the IBM HTTP Server. I was still getting “Not Secure” messages when accessing Maximo directly or accessing the WebSphere Console but IBM Support walked me through how to import the SSL certificates into WebSphere itself.
One issue I found was with the Help application. I found that if mxe.help.protocol is changed to “https” then mxe.help.port needs to be changed from “80” to “443” to avoid errors when opening the IBM Knowledge Center.
Thank you.
Very helpful article that has helped us get our configuration secured as well. I wanted to go ahead and point out that if you prefer to work at a command line that you can use the IBM HTTP Server’s gskcapicmd command line tool to also do all these steps. Reference IBM Support article “Creating IHS keystores and certificate requests on the command line with gskcapicmd” located at https://www.ibm.com/support/pages/node/6253339
—– example instructions for when you need to use a local CA ——
cd /opt/IBM/HTTPServer
bin/gskcapicmd -keydb -create -db conf/maximo.kdb -pw passw0rd -stash
bin/gskcapicmd -certreq -create -db conf/maximo.kdb -stashed -dn “CN=www.mycompany.com, O=My Company Inc, L=New York, ST=NY, C=US” -label MAX_SSL_KEY -size 2048 -sigalg sha512WithRSA -san_dnsname http://www.mycompany.com -file conf/maximo.arm
Request and download certificate from your own local CA
bin/gskcapicmd -cert -add -db conf/maximo.kdb -stashed -file conf/localrootca.cer -label localrootca
bin/gskcapicmd -cert -add -db conf/maximo.kdb -stashed -file conf/localsubca.cer -label localsubca
bin/gskcapicmd -cert -receive -db conf/maximo.kdb -stashed -file conf/downloaded-certificate-from-local-ca.cer -default_cert enable
bin/gskcapicmd -cert -validate -db conf/maximo.kdb -stashed -label MAX_SSL_KEY
Nice! Thanks Courtney.