Maximo Open Forum

 View Only
  • 1.  Maximo SSL (HTTPS) Configuration

    Posted 05-25-2020 16:50

    I won’t get into a lengthy discussion about why you should use SSL to secure browser traffic. I’ll simply offer that your Maximo environment, especially if the environment can be accessed over the public internet, should be secured. Here are a few reasons:

    • SSL Encrypts Sensitive Information
    • SSL Provides Trust and Authentication
    • SSL Can Provide Compliance in certain Industries

    The disadvantages are that it costs money to obtain and verify a certificate from a Certificate Authority, and it takes some time to configure. Hopefully, this blog post will help to reduce the amount of time necessary to configure SSL with Maximo.

    Please note that you can also create a self-signed certificate which will suffice in forcing the browser traffic to be encrypted. However, users will see that the certificate is not trusted in the browser, and it might lead them to ask questions or not trust the connection.

    This article will take you through setting up Maximo with SSL through a GoDaddy SSL Certificate, which is currently ranging anywhere from $50.00 to $300.00 annually based on the level of encryption, features, and number of sub-domains you want to secure. We will use the most basic single-domain option for this exercise.

    STEP 1: CREATE A KEY DATABASE AND GENERATE A NEW CERTIFICATE SIGNING REQUEST

    Run the IBM Key Management Utility

    • Sign on to the server where the IBM HTTP Server is installed as an administrator.
    • Run the IBM Key Management Utility program from your Start Menu > IBM HTTP Server V8.5

    Create a Key Database

    • Create a new Key Database File. This file will hold your private keys and must be kept secure:
      • Key database type: CMS
      • File Name: maximo.kdb
      • Location: C:\IBM\HTTPServer\ (provide an appropriate path for your system)
      • Click OK

    Secure the Key Database

    • You will be prompted for a password to secure your new key database:
      • Enter a password
      • Confirm the password
      • Check the Stash password to a file checkbox
      • Click OK

    Create a New Certificate Signing Request

    • Create a New Certificate Request from the menu options. This request, also known as a Certificate Signing Request (CSR), is what will be sent to the Certificate Authority for verification. With the information provided in the request, the CA will do their homework on you to make sure you are who you say you are, including possibly attempting to contact you or your business by email or phone. It’s important that this information is as accurate as possible:
      • Key Label: MAX_SSL_KEY
      • Key Size: 2048
      • Common Name: www.mycompany.com (this is the host name that you want to secure and must be correct!)
      • Organization: My Company Inc
      • Locality: Your city
      • State/Province: Your state
      • Zipcode: Your zip
      • Country or region: Your country
      • Email Address: admin@mycompany.com
      • Enter the file name: C:\IBM\HTTPServer\maximo.arm
      • Click OK. We’re going to leave the IBM Key Management Utility open for now. We’ll come back to it later.

    STEP 2: PURCHASE AN SSL CERTIFICATE, UPLOAD THE CSR, AND DOWNLOAD THE CERTIFICATE

    Purchase an SSL Certificate

    Request an SSL certificate

    After you purchase an SSL certificate, you need to request it for the website’s domain name (or “common name”) you want to use.

    ACTIVATE YOUR CREDIT

    1. Log in to your GoDaddy account.
    2. Click SSL Certificates.
    3. Next to the SSL certificate credit you want to use, click Set up.
    4. If you have multiple credits, select the credit you want to use, and then click Set up.
    5. Refresh the page; you should see a New Certificate. If you don’t, continue to refresh the page until you do.

    REQUEST YOUR CERTIFICATE

    1. Next to your New Certificate, click Manage.
    2. Select Provide a CSR, and then enter the CSR from your server. Back on the server where the IBM HTTP Server is installed, open the C:\IBM\HTTPServer\maximo.arm file in your favorite text editor. Copy its contents. This is your Certificate Signing Request (CSR).
    3. Click Request Certificate.

    VERIFICATION PROCESS

    • GoDaddy will verify your certificate request. How long this takes depends on the type of certificate (typically between 1 and 7 days). Once we have that certificate we can continue with the process. Until then, we wait.

    Download the Certificate

    • After GoDaddy approves your SSL certificate request, you can download your primary and intermediate certificate from within the SSL application on the GoDaddy website.
    • On your SSL certificate home page, click Download.
    • Select the Apache server type.
    • Click Download ZIP file.

    Copy the Certificate to your IBM HTTP Server

    • Copy the ZIP file to the C:\IBM\HTTPServer\ folder on the server where the IBM HTTP Server is installed.
    • Extract the contents of the ZIP file to the C:\IBM\HTTPServer\ folder.
    • Note that there should be two files: one that represents your certificate, and one that represents GoDaddy’s intermediate certificate. You will need both to install the certificate in the next step.

    STEP 3: INSTALL THE CERTIFICATE

    Run the IBM Key Management Utility

    • Sign on to the server where the IBM HTTP Server is installed as an administrator.
    • Run the IBM Key Management Utility program from your Start Menu > IBM HTTP Server V8.5
    • Open your maximo.kdb key database created earlier, using the password you created earlier to unlock the key database.

    Install the Intermediate Certificate

    • Change the Key database content drop-down to Signer Certificates.
    • Click the Add… button
    • Choose the intermediate certificate file that you extracted in the previous step. Please note that the file name is likely to be of the nature gd_bundle_*.crt, and that the CRT file extension is not in the default list in the Key Management Utility file browser. Simply change the file extension drop-down to All Files or paste the exact file name into the window.
    • Click OK
    • You should see the intermediate GoDaddy certificates listed.

    Install the Certificate

    • Change the Key database content drop-down to Personal Certificates.
    • You should see the MAX_SSL_KEY record that was created earlier when we created our CSR. Highlight that record. Note that the * in front of the MAX_SSL_KEY record indicates it is the default key.
    • Press the Receive button.
    • Choose the certificate file that you extracted in the previous step. Please note that the file name is likely to be some has sequence with a file extension of .crt, and that the CRT file extension is not in the default list in the Key Management Utility file browser. Simply change the file extension drop-down to All Files or paste the exact file name into the window.
    • Click OK
    • If all goes well you should see a Validation Successful message in the Key Management Utility! This means that your key database is now validated with a signed certificate from a Certificate Authority (GoDaddy). We’re almost done!

    STEP 4: UPDATE THE HTTP SERVER, WEBSPHERE, AND MAXIMO

    Update the IBM HTTP Server

    • Sign on to the server where the IBM HTTP Server is installed as an administrator.
    • Edit the C:\IBM\HTTPServer\conf\httpd.conf file. Please note that the directory path may be different based upon your installation (e.g. C:\Program Files\IBM\HTTPServer\).
    • Add the following snippet to the file:
      # Maximo SSL Config
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      Listen 0.0.0.0:443
      ## IPv6 support:
      #Listen [::]:443
      <VirtualHost *:443>
      SSLEnable
      </VirtualHost>
      KeyFile "C:/IBM/HTTPServer/maximo.kdb"
      
    • Save the file.
    • Restart the IBM HTTP Server V8.5 Windows Service.

    Update the WebSphere Virtual Host

    • Log into the IBM WebSphere Console as an administrator.
    • Navigate to Environment > Virtual Hosts.
    • Click on the maximo_host Virtual Host.
    • Click on Host Aliases under Additional Properties.
    • Click on the New… button.
    • Add the host name that you used for the Common Name (e.g. www.mycompany.com) in your certificate request as the Host Name. Specify 443 as the Port.
    • Click OK and save the configuration to the Master File.
    • Restart your IBM WebSphere Windows Services (Cell Manager and Node Agent).

    Update your Maximo System Properties

    • At this point, you should be able to access Maximo over SSL (HTTPS). There are just a few System Properties that should be updated in order to have everything buttoned up.
    • Log into Maximo as an administrator.
    • Navigate to the System Configuration > Platform Configuration > System Properties application.
    • Update the following properties, which should just involve changing the existing property value to change the http:// to https://
      • mxe.doclink.path01: This is for attached documents.
      • mxe.help.protocol: This is for application help. Please note that in 7.6.0.4 the help is now pointing to IBM’s website. In the case where you have 7.6.0.4 or later pointed to IBM’s website, leave the protocol as is (http).
      • mxe.int.webappurl: This is for Integration Framework web service and HTTP calls.
      • mxe.oslc.restwebappurl: This is for OSLC calls through the REST interface.
      • mxe.oslc.webappurl: This is for OSLC calls through the standard interface.

     

    That’s it! I hope this has been helpful. Please feel free to leave feedback in the comments section below.

    See the original post here

    #SSL #WebSphere

    ​​
    #Security

    ------------------------------
    Alex Walter
    A3J Group LLC
    ------------------------------


  • 2.  RE: Maximo SSL (HTTPS) Configuration

    Posted 05-26-2020 02:59
    Hi Alex,

    Thanks for posting this. I recently did this and can now understand how well you have documented it. 

    Regards,
    Biplab

    ------------------------------
    Biplab Choudhury
    Tata Consultancy Services
    ------------------------------



  • 3.  RE: Maximo SSL (HTTPS) Configuration

    Posted 05-26-2020 03:30
    Alex,

    Thanks for sharing. This was well documented.

    I recently implemented this as well, just for proof of concept, on a Maximo Test environment using free SSL issued by "Let's Encrypt Authority X3", which is always free, but will have to be renewed every 6 months. I generated the Certificate using the tool, Certbot, a project of the Electronic Frontier Foundation.

    I'm not a big fan of the IBM Key Manager, but I think it's the only option we have since we're limited to IBM HTTP Server.

    I had no issues implementing this for HTTPS port 443. Any idea how to configure this to work in a situation where there are multiple Maximo Test instances running on a single Server, with each instance utilizing different port numbers?

    ------------------------------
    Kevin Arhagba
    Plains All American
    ------------------------------



  • 4.  RE: Maximo SSL (HTTPS) Configuration

    Posted 05-20-2022 12:44
    Kevin,

    You might find this helpful as it automates requesting and deploying Let's Encrypt certificates for IHS.

    https://github.com/sharptree/letsencrypt-ihs

    Feel free to reach out if you have any questions.

    Jason

    ------------------------------
    Jason VenHuizen
    Sharptree
    ------------------------------



  • 5.  RE: Maximo SSL (HTTPS) Configuration

    Posted 12 hours ago

    Hi Alex,

    thank you for your article,it is very helpful.

    Do you have any reference to enable the SSL for Websphere console as well. We are stuck up in enabling the SSL for the console.



    ------------------------------
    Mahadevan Ramakrishnan
    ------------------------------