Maximo SSL (HTTPS) Configuration

I won’t get into a lengthy discussion about why you should use SSL to secure browser traffic. I’ll simply offer that your Maximo environment, especially if the environment can be accessed over the public internet, should be secured. Here are a few reasons:
  • SSL Encrypts Sensitive Information
  • SSL Provides Trust and Authentication
  • SSL Can Provide Compliance in certain Industries
The disadvantages are that it costs money to obtain and verify a certificate from a Certificate Authority, and it takes some time to configure. Hopefully, this blog post will help to reduce the amount of time necessary to configure SSL with Maximo. Please note that you can also create a self-signed certificate which will suffice in forcing the browser traffic to be encrypted. However, users will see that the certificate is not trusted in the browser, and it might lead them to ask questions or not trust the connection. This article will take you through setting up Maximo with SSL through a GoDaddy SSL Certificate, which is currently ranging anywhere from $50.00 to $300.00 annually based on the level of encryption, features, and number of sub-domains you want to secure. We will use the most basic single-domain option for this exercise.

Step 1: Create a Key Database and Generate a new Certificate Signing Request

Run the IBM Key Management Utility

  • Sign on to the server where the IBM HTTP Server is installed as an administrator.
  • Run the IBM Key Management Utility program from your Start Menu > IBM HTTP Server V8.5

Create a Key Database

  • Create a new Key Database File. This file will hold your private keys and must be kept secure:
    • Key database type: CMS
    • File Name: maximo.kdb
    • Location: C:\IBM\HTTPServer\ (provide an appropriate path for your system)
    • Click OK

Secure the Key Database

  • You will be prompted for a password to secure your new key database:
    • Enter a password
    • Confirm the password
    • Check the Stash password to a file checkbox
    • Click OK

Create a New Certificate Signing Request

  • Create a New Certificate Request from the menu options. This request, also known as a Certificate Signing Request (CSR), is what will be sent to the Certificate Authority for verification. With the information provided in the request, the CA will do their homework on you to make sure you are who you say you are, including possibly attempting to contact you or your business by email or phone. It’s important that this information is as accurate as possible:
    • Key Label: MAX_SSL_KEY
    • Key Size: 2048
    • Common Name: www.mycompany.com (this is the host name that you want to secure and must be correct!)
    • Organization: My Company Inc
    • Locality: Your city
    • State/Province: Your state
    • Zipcode: Your zip
    • Country or region: Your country
    • Email Address: admin@mycompany.com
    • Enter the file name: C:\IBM\HTTPServer\maximo.arm
    • Click OK. We’re going to leave the IBM Key Management Utility open for now. We’ll come back to it later.

Step 2: Purchase an SSL Certificate, Upload the CSR, and Download the Certificate

Purchase an SSL Certificate

Request an SSL certificate

After you purchase an SSL certificate, you need to request it for the website’s domain name (or “common name”) you want to use.

Activate your credit

  1. Log in to your GoDaddy account.
  2. Click SSL Certificates.
  3. Next to the SSL certificate credit you want to use, click Set up.
  4. If you have multiple credits, select the credit you want to use, and then click Set up.
  5. Refresh the page; you should see a New Certificate. If you don’t, continue to refresh the page until you do.

Request your certificate

  1. Next to your New Certificate, click Manage.
  2. Select Provide a CSR, and then enter the CSR from your server. Back on the server where the IBM HTTP Server is installed, open the C:\IBM\HTTPServer\maximo.arm file in your favorite text editor. Copy its contents. This is your Certificate Signing Request (CSR).
  3. Click Request Certificate.

Verification Process

  • GoDaddy will verify your certificate request. How long this takes depends on the type of certificate (typically between 1 and 7 days). Once we have that certificate we can continue with the process. Until then, we wait.

Download the Certificate

  • After GoDaddy approves your SSL certificate request, you can download your primary and intermediate certificate from within the SSL application on the GoDaddy website.
  • On your SSL certificate home page, click Download.
  • Select the Apache server type.
  • Click Download ZIP file.

Copy the Certificate to your IBM HTTP Server

  • Copy the ZIP file to the C:\IBM\HTTPServer\ folder on the server where the IBM HTTP Server is installed.
  • Extract the contents of the ZIP file to the C:\IBM\HTTPServer\ folder.
  • Note that there should be two files: one that represents your certificate, and one that represents GoDaddy’s intermediate certificate. You will need both to install the certificate in the next step.

Step 3: Install the Certificate

Run the IBM Key Management Utility

  • Sign on to the server where the IBM HTTP Server is installed as an administrator.
  • Run the IBM Key Management Utility program from your Start Menu > IBM HTTP Server V8.5
  • Open your maximo.kdb key database created earlier, using the password you created earlier to unlock the key database.

Install the Intermediate Certificate

  • Change the Key database content drop-down to Signer Certificates.
  • Click the Add… button
  • Choose the intermediate certificate file that you extracted in the previous step. Please note that the file name is likely to be of the nature gd_bundle_*.crt, and that the CRT file extension is not in the default list in the Key Management Utility file browser. Simply change the file extension drop-down to All Files or paste the exact file name into the window.
  • Click OK
  • You should see the intermediate GoDaddy certificates listed.

Install the Certificate

  • Change the Key database content drop-down to Personal Certificates.
  • You should see the MAX_SSL_KEY record that was created earlier when we created our CSR. Highlight that record. Note that the * in front of the MAX_SSL_KEY record indicates it is the default key.
  • Press the Receive button.
  • Choose the certificate file that you extracted in the previous step. Please note that the file name is likely to be some hash sequence with a file extension of .crt, and that the CRT file extension is not in the default list in the Key Management Utility file browser. Simply change the file extension drop-down to All Files or paste the exact file name into the window.
  • Click OK
  • If all goes well you should see a Validation Successful message in the Key Management Utility! This means that your key database is now validated with a signed certificate from a Certificate Authority (GoDaddy). We’re almost done!

Step 4: Update the HTTP Server, WebSphere, and Maximo

Update the IBM HTTP Server

  • Sign on to the server where the IBM HTTP Server is installed as an administrator.
  • Edit the C:\IBM\HTTPServer\conf\httpd.conf file. Please note that the directory path may be different based upon your installation (e.g. C:\Program Files\IBM\HTTPServer\).
  • Add the following snippet to the file:
    # Maximo SSL Config
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    ## IPv6 support:
    #Listen [::]:443
    <VirtualHost *:443>
    SSLEnable
    </VirtualHost>
    KeyFile "C:/IBM/HTTPServer/maximo.kdb"
    
  • Save the file.
  • Restart the IBM HTTP Server V8.5 Windows Service.
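
The following is an added example, not part of the original article or of IBM's tooling: a small Python lint that checks an httpd.conf for the four SSL directives from the snippet above before you restart the service. The function name check_ihs_ssl and the sample input are constructed for illustration; the stash file location assumes the key database was created with the Stash password to a file option from Step 1.

```python
import re

# Constructed sample: the article's snippet with the SSL Listen line left
# commented out and SSLEnable placed outside the virtual host.
SAMPLE = '''\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
#Listen 0.0.0.0:443
SSLEnable
<VirtualHost *:443>
</VirtualHost>
KeyFile "C:/IBM/HTTPServer/maximo.kdb"
'''

def check_ihs_ssl(conf_text):
    """Lint the article's SSL directives; return (findings, stash_path)."""
    in_443 = False          # currently inside a <VirtualHost ...:443> block?
    module = listen = False
    enable = None           # None: absent, True: inside vhost, False: outside
    keyfile = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue        # blank line or commented-out directive
        low = line.lower()
        if low.startswith("<virtualhost"):
            in_443 = bool(re.search(r":443\s*>", low))
        elif low.startswith("</virtualhost"):
            in_443 = False
        elif low.startswith("loadmodule") and "ibm_ssl_module" in low:
            module = True
        elif re.match(r"listen\s+(\S+:)?443\b", low):
            listen = True
        elif low == "sslenable":
            enable = in_443 or (enable is True)
        elif low.startswith("keyfile"):
            keyfile = line[7:].strip().strip('"') or None
    findings = [msg for bad, msg in [
        (not module, "mod_ibm_ssl is not loaded"),
        (not listen, "no active Listen directive for port 443"),
        (enable is None, "SSLEnable is missing"),
        (enable is False, "SSLEnable is not inside the :443 virtual host"),
        (keyfile is None, "KeyFile is missing"),
    ] if bad]
    # The stashed password lives beside the key database as <name>.sth;
    # the server needs to read it to open the .kdb.
    stash = re.sub(r"\.kdb$", ".sth", keyfile, flags=re.I) if keyfile else None
    return findings, stash
```

Run it against the real file with check_ihs_ssl(open(path).read()) and confirm that the returned stash path exists and is readable only by the account that runs the IBM HTTP Server service.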

Update the WebSphere Virtual Host

  • Log into the IBM WebSphere Console as an administrator.
  • Navigate to Environment > Virtual Hosts.
  • Click on the maximo_host Virtual Host.
  • Click on Host Aliases under Additional Properties.
  • Click on the New… button.
  • Add the host name that you used for the Common Name (e.g. www.mycompany.com) in your certificate request as the Host Name. Specify 443 as the Port.
  • Click OK and save the configuration to the Master File.
  • Restart your IBM WebSphere Windows Services (Cell Manager and Node Agent).

Update your Maximo System Properties

  • At this point, you should be able to access Maximo over SSL (HTTPS). There are just a few System Properties that should be updated in order to have everything buttoned up.
  • Log into Maximo as an administrator.
  • Navigate to the System Configuration > Platform Configuration > System Properties application.
  • Update the following properties. In each case this should only involve changing http:// to https:// in the existing property value:
    • mxe.doclink.path01: This is for attached documents.
    • mxe.help.protocol: This is for application help. Please note that in 7.6.0.4 the help is now pointing to IBM’s website. In either case, the property value should be changed to https.
    • mxe.int.webappurl: This is for Integration Framework web service and HTTP calls.
    • mxe.oslc.restwebappurl: This is for OSLC calls through the REST interface.
    • mxe.oslc.webappurl: This is for OSLC calls through the standard interface.

That’s it! I hope this has been helpful. Please feel free to leave feedback in the comments section below.

24 Comments

  1. Great article, very concise and informative. Do you have any further steps in order to only allow TLS 1.2 as the transport protocol on SSL?

  2. Your article is quite good. Do you think it is advisable in this situation to configure access such that ssl is the only/mandatory connection available?

  3. Is there some way to encrypt the mxe.report.birt.viewer?

    • If you have a BIRT Reporting Only Server (BROS), you can secure that environment in a similar fashion. Then update your mxe.report.birt.viewerurl System Property to use the HTTPS protocol.

  4. Hi Alex,

    A big thank you for making these concise instructions. Are there any special considerations for Maximo clustered environment in enabling SSL?

    • You’re welcome! For a clustered environment, the key is securing the load balancer URL and then ensuring that the Virtual Hosts are configured properly. You do not need certificates for each host within the cluster. You simply need to establish trust with the load balancer.

  5. Hi Alex,
    Is it possible to use wildcard SSL certificate with Maximo?

    • Yes, a wildcard certificate can be used with Maximo. Most of the SSL certificate providers will provide a way to specify your list of sub-domains for wildcard certificates. Other than providing the Maximo sub-domain to the provider, the steps should be very similar to what’s been listed in the article.

  6. Hi Alex, Thanks for sharing such a useful article.

    Can you please help me with the below problem?

    I am getting invalid certificate when running a BIRT report.

    Maximo URL: https://maximo.xyz.ca/maximo
    This URL is also added to the UICluster Virtual host with port 443

    Reports birt viewer URL: https://maxrep.xyz.ca/maximo/report
    This URL is added to the BROSCluster Virtual Host with port 443

    The BROS application is mapped to the BROS JVM and webserver1.

    • Thanks!

      A certificate is usually only valid for a given domain name. In other words, you will need two certificates – one for maximo.xyz.ca and one for maxrep.xyz.ca. The exception is that some providers offer wildcard certificates, where one certificate can match *.xyz.ca.

      In your case you will need two certificates or one wildcard certificate to secure both maximo.xyz.ca and maxrep.xyz.ca. The setup above can be followed for both JVMs. Good luck!

      • Thanks for responding Alex!

        We are using wildcard certificate i.e. *.xyz.ca.

        I am able to get around the invalid certificate problem by deploying the BROS EAR to a webserver running on the same VM as BROS JVM. But this approach then allows users to login to maximo using the maxrep.xyz.ca url as well which I don't want to happen.

        Any thoughts?

  7. Hello,

    we need to call a secure webservice from Maximo using publish channel. Do I have to import certs in websphere?

    thanks

  8. Have you thought about playing with how to set up SSL with Maximo linked to Cloudflare???

    trying to follow your above post and figure out where the PEM file and Private Key I get from Cloudflare would come in on setting up the Origin CA server (Maximo).

    Just curious,
    Miller

  9. This article talks about the IBM HTTP Server. How is this different than generating a certificate for WebSphere itself and under what conditions do you do one vs. the other?

    When WebSphere is installed by the IBM Maximo Configuration Utility, it creates a Web Server and an App Server. But Maximo runs fine with just an App Server. Is a Web Server needed to secure Maximo through SSL?

    Thank you.

    • Dear Julio – Thanks for your comment. This was exactly my concern as well. I believe our Linux admin already installed a self-signed cert for WebSphere although Maximo runs on HTTP. Although our situation is slightly different, your situation is very helpful in coordinating with both IBM Maximo support and IBM WebSphere support it seems.

  10. Your article helped me get SSL working when accessing Maximo through the IBM HTTP Server. I was still getting “Not Secure” messages when accessing Maximo directly or accessing the WebSphere Console but IBM Support walked me through how to import the SSL certificates into WebSphere itself.

    One issue I found was with the Help application. I found that if mxe.help.protocol is changed to “https” then mxe.help.port needs to be changed from “80” to “443” to avoid errors when opening the IBM Knowledge Center.

    Thank you.

  11. Very helpful article that has helped us get our configuration secured as well. I wanted to go ahead and point out that if you prefer to work at a command line that you can use the IBM HTTP Server’s gskcapicmd command line tool to also do all these steps. Reference IBM Support article “Creating IHS keystores and certificate requests on the command line with gskcapicmd” located at https://www.ibm.com/support/pages/node/6253339

    —– example instructions for when you need to use a local CA ——

    cd /opt/IBM/HTTPServer

    bin/gskcapicmd -keydb -create -db conf/maximo.kdb -pw passw0rd -stash

    bin/gskcapicmd -certreq -create -db conf/maximo.kdb -stashed -dn "CN=www.mycompany.com, O=My Company Inc, L=New York, ST=NY, C=US" -label MAX_SSL_KEY -size 2048 -sigalg sha512WithRSA -san_dnsname www.mycompany.com -file conf/maximo.arm

    Request and download certificate from your own local CA

    bin/gskcapicmd -cert -add -db conf/maximo.kdb -stashed -file conf/localrootca.cer -label localrootca

    bin/gskcapicmd -cert -add -db conf/maximo.kdb -stashed -file conf/localsubca.cer -label localsubca

    bin/gskcapicmd -cert -receive -db conf/maximo.kdb -stashed -file conf/downloaded-certificate-from-local-ca.cer -default_cert enable

    bin/gskcapicmd -cert -validate -db conf/maximo.kdb -stashed -label MAX_SSL_KEY

