Using IHS 8.5.5 with WAS v7
IBM provides support for customers using IBM HTTP Server 8.5.5 and WebSphere WebServer Plug-in 8.5.5 to front a supported V7 application server or V7-led cell. This arrangement is designed to allow advanced TLS support in IBM HTTP Server 8.5.5 to be used in existing V7 topologies.
Users entitled to support for WebSphere Application Server 8.5.5 can now use the included IBM HTTP Server with any supported WebSphere Application Server 7.0.
Products that bundle WebSphere Application Server 7.0 have the option of bundling a supported IBM HTTP Server 8.5.5.
Products that bundle IBM HTTP Server 7.0 can declare support for IBM HTTP Server 8.5.5, and the combination will be supported as long as the user maintains support for both the product and WebSphere Application Server 8.5.5.
Full details of the current policy for having the IHS and Plugin release differ from the WAS release are documented here.
Where do I obtain IHS 8.5.5 for use with WAS v7?
If the product you're using doesn't include IHS 8.5.5, there are a few options.
If you currently have Service and Support (S&S) for WebSphere Application Server, obtain the WAS 8.5.5 supplements from Passport Advantage. Review the instructions and part numbers for "Supplements" here. Some more detail about downloads and IBM Installation Manager is linked from here.
Otherwise, contact marketing for the product that included an earlier release of IBM HTTP Server.
You'll need IHS, the WAS WebServer Plug-in, and the Plugin Configuration Tool (PCT). For information on installation and configuration of the 8.5.5 components, see the 8.5.5 documentation.
How do I take advantage of new SSL features of IHS?
IBM HTTP Server 8.0 and later takes advantage of strong TLS ciphers and protocols by default, so no action is required to permit strong SSL connections.
To require particular TLS ciphers or protocols, which may be detrimental to backlevel browser support, see the SSLCipherSpec and SSLProtocolDisable directives in the topics below.
Permitting HTTPS frontend connections to use backend HTTP connections
By default, the 8.5.5 Plugin will not route an HTTPS frontend connection to a backend HTTP connection. The WebServer Plugin custom property "UseInsecure" is what permits the plugin to use HTTP to the backend when the client leg is HTTPS.
The custom property is only available in Version 7 deployment managers with PI10757 (7.0.0.33 and later). Without PI10757, the following change is required in plugin-cfg.xml:
<Config ASDisableNagle="false" ... UseInsecure="true" ...>
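To see which backend servers would receive HTTPS client traffic over cleartext HTTP once UseInsecure is set, the generated plugin-cfg.xml can be audited. The following is an added example, not IBM code: the sample file, host names, ports and the result labels are constructed, and it assumes a server that defines an https Transport is reached over https.

```python
import xml.etree.ElementTree as ET

# Constructed sample: host names, ports and the keyring path are made up.
SAMPLE_PLUGIN_CFG = """\
<Config ASDisableNagle="false" UseInsecure="true">
  <ServerCluster Name="cluster1">
    <Server Name="node1_server1">
      <Transport Hostname="was1.example.test" Port="9080" Protocol="http"/>
      <Transport Hostname="was1.example.test" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/example/plugin-key.kdb"/>
      </Transport>
    </Server>
    <Server Name="node2_server1">
      <Transport Hostname="was2.example.test" Port="9080" Protocol="http"/>
    </Server>
  </ServerCluster>
</Config>
"""

def audit_backend_leg(xml_text):
    """Map each Server to how a request that arrived over HTTPS reaches it."""
    root = ET.fromstring(xml_text)
    use_insecure = root.get("UseInsecure", "false").strip().lower() == "true"
    result = {}
    # Only Server definitions directly under ServerCluster carry Transports;
    # the Server references under PrimaryServers are skipped by this path.
    for server in root.findall("ServerCluster/Server"):
        protocols = {t.get("Protocol", "").lower()
                     for t in server.findall("Transport")}
        if "https" in protocols:
            result[server.get("Name")] = "https"
        elif use_insecure and "http" in protocols:
            # Client leg is encrypted, backend leg is cleartext.
            result[server.get("Name")] = "http-downgrade"
        else:
            # Default 8.5.5 behaviour: no HTTPS-to-HTTP routing.
            result[server.get("Name")] = "not-routed"
    return use_insecure, result

if __name__ == "__main__":
    flag, legs = audit_backend_leg(SAMPLE_PLUGIN_CFG)
    print("UseInsecure:", flag)
    for name, leg in sorted(legs.items()):
        print(f"{name}: {leg}")
```

Servers reported as http-downgrade are the ones to give an HTTPS transport if the backend leg crosses an untrusted network.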
How do I configure the updated IHS, or migrate my configuration?
Ideally, applying customizations would be a repeatable process of appending configuration snippets to conf/httpd.conf. Some approaches to migrating from one release to the next are documented here.
If you decide to start with a verbatim existing configuration file instead of appending or porting your customizations, you'll have to fix up references to absolute paths in at least the ServerRoot, WebSpherePluginConfig, and LoadModule directives as well as Directory and DirectoryMatch sections.
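One way to find and fix those references in a copied httpd.conf, as an added example that is not IBM tooling. All install roots, the web server name and the sample file are constructed, and it reports any directive that references an old root, not only the five named above, since the list is given as a minimum.

```python
import re

# Constructed old -> new install roots; the plug-in has its own root in 8.5.5.
PREFIX_MAP = {
    "/opt/IBM/HTTPServer7/Plugins": "/opt/IBM/WebSphere/Plugins855",
    "/opt/IBM/HTTPServer7": "/opt/IBM/HTTPServer855",
}
# Constructed sample of a configuration file copied verbatim from 7.0.
SAMPLE_CONF = """\
ServerRoot "/opt/IBM/HTTPServer7"
# LoadModule status_module /opt/IBM/HTTPServer7/modules/mod_status.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule was_ap22_module /opt/IBM/HTTPServer7/Plugins/bin/mod_was_ap22_http.so
WebSpherePluginConfig /opt/IBM/HTTPServer7/Plugins/config/webserver1/plugin-cfg.xml
<Directory "/opt/IBM/HTTPServer7/htdocs">
</Directory>
<DirectoryMatch "^/opt/IBM/HTTPServer7/htdocs/.*/private">
</DirectoryMatch>
ErrorLog /opt/IBM/HTTPServer7backup/logs/error_log
"""

def port_paths(conf_text, prefix_map):
    """Return (rewritten_text, findings); findings are (line_no, directive)."""
    # Longest old prefix first so the plug-in root wins over the IHS root,
    # and match only whole path prefixes, not longer sibling directory names.
    olds = sorted(prefix_map, key=len, reverse=True)
    pattern = re.compile(
        "(" + "|".join(map(re.escape, olds)) + r')(?=[/"\s>]|$)')
    out, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        stripped = raw.strip()
        # Comments and blank lines are left untouched.
        if stripped and not stripped.startswith("#") and pattern.search(raw):
            # Directive name: first token, without the "<" of a section opener.
            findings.append((line_no, stripped.split()[0].lstrip("<")))
            raw = pattern.sub(lambda m: prefix_map[m.group(1)], raw)
        out.append(raw)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    new_text, hits = port_paths(SAMPLE_CONF, PREFIX_MAP)
    for line_no, directive in hits:
        print(f"line {line_no}: {directive} referenced an old install root")
    print(new_text, end="")
```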
Plugin Issues
Because of the install differences between a 7.0 IHS/Plugin and an 8.5.5 IHS/Plugin, it is recommended that a new Web Server definition is created to support the new 8.5.5 IHS/Plugin. This will ensure that the plugin generation will pick up the proper install root for the PluginInstallRoot property. This value can't be edited via the Admin Console.
PI55092 needs to be installed on the WebSphere 7.0 server. This new APAR provides customers the ability to define custom properties which are necessary for the 8.5.5 plugin-cfg.xml file.
AutoSecurity (true/false) - See PI39126, PI49538
StrictSecurity (true/false) - See PM74603
certificate_validation_strict_rfc5280 (true/false) - See PI49893
Unsupported Features in this topology
Some features described in the 8.5.5 documentation cannot be used when IHS and the WAS WebServer Plug-in are used separately from the 8.5.5 product.
The "Intelligent Management for WebServers" features cannot be used in this topology.
WAS WebServer Plug-in custom properties that were introduced after WAS 7.0, such as "UseInsecure", cannot be used in this topology.
What other things should I be prepared for when moving to 8.5.5?
While there are no Apache HTTP Server differences between 7.0 and 8.5.5, you might find some other differences worth preparing for:
8.0 and later use IBM Installation Manager for installation and updates.
8.0 and later adds the requirement to run the Plugin Configuration Tool (PCT) to configure an installed WAS Plugin to an instance of IHS.
8.0 and later will negotiate TLS 1.2 by default, and typically TLS 1.2 clients will not accept certificate chains with md2/md4/md5 and now SHA1 signature algorithms.
Review your use of SSLCipherSpec as the defaults and syntax have changed.
The WAS Plug-in before 8.5.5.7 does not reliably speak TLS 1.2 to WAS if TLS 1.2 has been forced in the application server configuration. See here.