Setting Public URI fails with "forbidden"
Accepted answer
2 other answers
Please keep in mind not to choose a machine-dependent name for the server; use a fully qualified domain name that can later be moved to a different machine.
Comments
Thanks for the quick response! Unfortunately, the link supplied didn't answer my question. I have the Public URI configured on port 443, as the article shows. I have the WAS server running on port 9443, also as the article shows. The translation happens properly, when I log in at https://servername/jts/admin I get through. The problem comes into play when I set the IHS server to require certificates. The internal connection to "Applications and Friends" is broken. I'm getting an error message:
You have to set up all the applications using the same public URI root (in your case with 443 as the port). If you have a topology that uses multiple application servers (potentially listening on other ports), you have to set up IHS as a proxy server in front of them, covering the public URI root and forwarding to the other application servers. Usually you install IHS in front of the other WAS servers and set it up to use an LTPA token so that the login on IHS works on the other application servers. See this page: https://jazz.net/wiki/bin/view/Deployment/InstallProxyServers
I am not sure what your problem is, because I am not sure I know the symptoms. So that hint is pretty much what I can do. Hopefully someone else knows the symptoms and can help better.
https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014435366#77777777-0000-0000-0000-000014435494
I believe you explained the problem in too complicated a way. Basically, when you enable SSLClientAuth on IBM HTTP Server, your WebSphere server (acting as a client) cannot connect to the IHS due to the lack of a certificate.
If you need to find more references, search with the keywords "IHS WebSphere SSLClientAuth", and don't include anything related to RTC or CLM, because it's basically an IHS and WAS configuration issue.
Comments
Thank you for restating the problem in a more suitable way. As explained in the link, the client I'm using has a certificate. It looks to me like the RTC server tries to access itself and goes through the IBM HTTP Server to do it. I have server certificates installed in both IHS and WebSphere; where do I need to install a certificate to allow the server to access itself?
You need to make it very clear, not using the term "RTC server", as no one knows whether you are talking about IHS, WAS or something else. Since the public URI uses port 443, which is the IHS HTTPS port in this case, all CLM requests have to go through IHS, regardless of whether the requests are initiated from a browser or from WAS. Applications such as CCM running on WAS do not magically know to use port 9443 (WAS is not necessarily listening on 9443).
I don't really know how to import the certificate in this case, since I have never worked with "client certificates" before. In particular, you need to configure WAS so that it will send out a client certificate when connecting to IHS. Usually it's the other way round: IHS connects to WAS and WAS sends out a server certificate to IHS.
If you don't want to struggle with client certificates, you can check out the document below and configure IHS to not use client certificates on 127.0.0.1, and then map the host in the public URI to 127.0.0.1.
http://www-01.ibm.com/support/docview.wss?uid=swg21503373
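As an added illustration of the loopback approach described in the comment above (example configuration written for this thread, not taken from the linked IBM document or from jazz.net), here is an IHS httpd.conf fragment with two SSL virtual hosts: the public one keeps SSLClientAuth Required, while a second one bound only to 127.0.0.1 still uses TLS but does not demand a client certificate. The public host name clm.example.com, the external address 192.0.2.10 and the key-database paths are assumed values.

```apache
# Added example: IHS httpd.conf fragment for the "no client cert on loopback" setup.
# Assumed values: public host clm.example.com, external IP 192.0.2.10, key database paths.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443

# Public virtual host on the external address: every browser client must present
# a certificate signed by a CA in the key database.
<VirtualHost 192.0.2.10:443>
    ServerName clm.example.com
    SSLEnable
    Keyfile /opt/IBM/HTTPServer/ssl/key.kdb
    SSLStashfile /opt/IBM/HTTPServer/ssl/key.sth
    SSLClientAuth Required
</VirtualHost>

# Loopback virtual host: on the IHS/WAS machine the hosts file maps the public
# host name to 127.0.0.1 ("127.0.0.1 clm.example.com"), so WAS's own requests to
# the public URI land here. Keep it bound to 127.0.0.1, never *:443, so that only
# local processes can reach the path that skips the client-certificate check.
<VirtualHost 127.0.0.1:443>
    ServerName clm.example.com
    SSLEnable
    Keyfile /opt/IBM/HTTPServer/ssl/key.kdb
    SSLStashfile /opt/IBM/HTTPServer/ssl/key.sth
    SSLClientAuth None
</VirtualHost>

# Plain HTTP stays disabled for SSL outside the virtual hosts above.
SSLDisable
```

Because the loopback vhost serves the same certificate from the same key database, the WAS-side trust store needs no additional entries; verify with a browser from another machine that port 443 still prompts for a client certificate.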