Using IHS 8.5.5 with WAS v7

IBM provides support for customers using IBM HTTP Server 8.5.5 and WebSphere WebServer Plug-in 8.5.5 to frontend a supported V7 application server or V7-lead cell. This arrangement is designed to allow advanced TLS support in IBM HTTP Server 8.5.5 to be used in existing V7 topologies.

  • Users entitled to support for WebSphere Application Server 8.5.5 can now use the included IBM HTTP Server with any supported WebSphere Application Server 7.0.

  • Products that bundle WebSphere Application Server 7.0 have the option of bundling a supported IBM HTTP Server 8.5.5.

  • Products that bundle IBM HTTP Server 7.0 can declare support for IBM HTTP Server 8.5.5, and the combination will be supported as long as the user maintains support for both the product and WebSphere Application Server 8.5.5.

Full details of the current policy for having the IHS and Plugin release differ from the WAS release are documented here

Where do I obtain IHS 8.5.5 for use with WAS v7?

If the product you're using doesn't include IHS 8.5.5, there are a few options.

  • If you currently have Service and Support (S&S) for WebSphere Application Server, obtain the WAS 8.5.5 supplements from Passport Advantage. Review the instructions and part numbers for "Supplements" here. Some more detail about downloads and IBM Installation Manager is linked from here

  • Otherwise, contact marketing for the product that included an earlier release of IBM HTTP Server.

You'll need IHS, the WAS WebServer Plug-in, and the Plugin Configuration Tool (PCT). For information on installation and configuration of the 8.5.5 components, see the 8.5.5 documentation.

How do I take advantage of new SSL features of IHS?

Permitting HTTPS frontend connections to use backend HTTP connections

By default, the 8.5.5 Plugin will not route an HTTPS frontend connection to a backend HTTP connection. The WebServer Plugin custom property "UseInsecure" is what permits the plugin to use HTTP to the backend when the client leg is HTTPS.

The custom property is only available in Version 7 deployment managers with PI10757 (7.0.0.33 and later). Without PI10757, the following change is required in plugin-cfg.xml:

  <Config ASDisableNagle="false" ... UseInsecure="true" ...>
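Setting UseInsecure="true" means client traffic that arrived over TLS travels to the application server in cleartext, so it helps to know exactly which backends are affected. The following script is an added example, not IBM code: it reads a plugin-cfg.xml and reports, per server, whether HTTPS requests reach it over HTTPS, over cleartext HTTP, or not at all. It assumes the usual generated layout (ServerCluster, Server and Transport elements with a Protocol attribute); the sample document, hostnames and ports are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real generated file; names, hosts and ports are made up.
SAMPLE = """<Config ASDisableNagle="false" UseInsecure="true">
  <ServerCluster Name="cluster1">
    <Server Name="nodeA_server1">
      <Transport Hostname="was-a.example.test" Port="9080" Protocol="http"/>
    </Server>
    <Server Name="nodeB_server1">
      <Transport Hostname="was-b.example.test" Port="9080" Protocol="http"/>
      <Transport Hostname="was-b.example.test" Port="9443" Protocol="https"/>
    </Server>
  </ServerCluster>
</Config>"""


def audit_plugin_cfg(xml_text):
    """Return (use_insecure, findings) for a plugin-cfg.xml document.

    findings is a list of (cluster, server, status) tuples describing what
    happens to a request that reached IHS over HTTPS.
    """
    root = ET.fromstring(xml_text)
    # A missing attribute is treated as the 8.5.5 default: no HTTPS-to-HTTP routing.
    use_insecure = root.get("UseInsecure", "false").strip().lower() == "true"
    findings = []
    for cluster in root.iter("ServerCluster"):
        for server in cluster.iter("Server"):
            protocols = {t.get("Protocol", "").lower()
                         for t in server.iter("Transport")}
            if "https" in protocols:
                status = "ok: HTTPS transport defined"
            elif use_insecure:
                status = "cleartext: HTTPS requests go to this server over HTTP"
            else:
                status = "blocked: plug-in will not route HTTPS requests here"
            findings.append((cluster.get("Name"), server.get("Name"), status))
    return use_insecure, findings


if __name__ == "__main__":
    flag, rows = audit_plugin_cfg(SAMPLE)
    print("UseInsecure =", flag)
    for cluster, server, status in rows:
        print(f"{cluster}/{server}: {status}")
```

Servers reported as "cleartext" are the ones to move to an HTTPS transport, or to isolate on a trusted network segment, before relying on UseInsecure.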

How do I configure the updated IHS, or migrate my configuration?

Ideally, applying customizations would be a repeatable process of appending configuration snippets to conf/httpd.conf. Some approaches to migrating from one release to the next are documented here

If you decide to start with a verbatim existing configuration file instead of appending or porting your customizations, you'll have to fix up references to absolute paths in at least the ServerRoot, WebSpherePluginConfig, and LoadModule directives as well as Directory and DirectoryMatch sections.

Plugin Issues

Because of the install differences between a 7.0 IHS/Plugin and an 8.5.5 IHS/Plugin, it is recommended that a new Web Server definition is created to support the new 8.5.5 IHS/Plugin. This will ensure that the plugin generation will pick up the proper install root for the PluginInstallRoot property. This value can't be edited via the Admin Console.

PI55092 needs to be installed on the WebSphere 7.0 server. This new APAR provides customers the ability to define custom properties which are necessary for the 8.5.5 plugin-cfg.xml file.

Unsupported Features in this topology

Some features described in the 8.5.5 documentation cannot be used when IHS and the WAS WebServer Plug-in are used separately from the 8.5.5 product.

  • The "Intelligent Management for WebServers" features cannot be used in this topology.

  • WAS WebServer Plug-in custom properties that were introduced after WAS 7.0, such as "UseInsecure", cannot be used in this topology.

What other things should I be prepared for when moving to 8.5.5?

While there are no Apache HTTP Server differences between 7.0 and 8.5.5, you might find some other differences worth preparing for:

  • 8.0 and later use IBM Installation Manager for installation and updates.

  • 8.0 and later adds the requirement to run the Plugin Configuration Tool (PCT) to configure an installed WAS Plugin to an instance of IHS.

  • 8.0 and later will negotiate TLS 1.2 by default, and typically TLS 1.2 clients will not accept certificate chains with md2/md4/md5 and now SHA1 signature algorithms.

  • Review your use of SSLCipherSpec as the defaults and syntax have changed.

  • The WAS Plug-in before 8.5.5.7 does not reliably speak TLS1.2 to WAS if TLS1.2 has been forced in the application server configuration. See here