It's all about the answers!

Ask a question

SSL Certs with a single server and different public URI's


1
1
Adrian Daniels (6312120) | asked Nov 20 '12, 5:22 p.m.
Hi,

I have installed CLM 4 on a single server using https on port 9443.
For complete flexibility I created a separate public uri for each of the applications (JTS,CCM,RM and QM).
I then added DNS entries so that they could be accessed.
All good so far !

The next stage was to get a signed SSL certificate - now here is the problem - TomCat can only deal with a single certificate and I am not allowed to use one with wildcards. I cannot see anyway for this configuration to work - can any one else - I followed the recommendation of the V4 documentation to go with this topology, but at no point did it mention that you would be snookered by the SSl certificates.

So that got me thinking that I might be able to use a reverse proxy server - but looking at that it will not work because the whole idea of a reverse proxy is to maintain a single public URI and convert it to where ever the server running the distributed apps have been moved to - or am I missing something ?

So if the apps are on a single server each with their own public uri (accessed through DNS aliases) how do I secure them with a single SSL certificate ?

Is the only way to fix this to get each of the applications on to their own server ? So that they can each have their own SSL cert ?

Hopefully someone has some magic to get to the bottom of this !

Cheers
Adrian

2 answers



permanent link
Scott Rich (57136) | answered Nov 21 '12, 5:09 a.m.
JAZZ DEVELOPER
 Hey Adrian, can you say a little more about how you've configured the app server?  It sounds like you've created multiple virtual hosts in Tomcat and then you've created the necessary DNS entries to advertise those hosts.  Right so far?  

Assuming that the hostnames share a domain, why can't you get a wildcard certificate for that domain?  That would be the easiest solution for a set of related hosts.  If it's truly not possible, it seems that you can point the connectors to different certificate files.  Here's an article with some details: http://blog.nicknett.com/2011/09/ip-based-virtual-hosting-for-ssl-with.html

Hope this helps.

Scott

permanent link
Adrian Daniels (6312120) | answered Nov 21 '12, 10:16 a.m.
Hi Scott,

Yes, I have a single Linux box with CLM 4 installed. Each of the applications has a unique public URI. These are all resolved to the same ip address using DNS - the idea is when the full hardware is available the applications will each be moved to their own server.

SSl certificate wildcards are not allowed in the organisation - seen as a security risk apparently.

I think that you are on to something here and that the solution involves having multiple ip addresses on the same box. I could then follow the article that you have linked or possibly introduce a reverse proxy (but I think that would actually be overkill and redundant).

I followed the IBM documentation when selecting the Topology - ie having a single box with a different public URI for each application - I did this because I know that it will be distributed in the future, and this will make it easy. I think that the documentation needs to warn the reader that they may come unstuck with SSL certs if they cannot use wildcards.

I wonder if WAS handles this any better, ie can you have more than one SSl cert on the same app server (multiple public uri's) without having to resort to multiple ip addresses ? I suspect not because the handling of the certificate is done much earlier than the https header.

Looking back - isn't hindsight a wonderful thing - I should of gone with a single public url and planned to include a Reverse Proxy server when the move is made to the fully distributed hardware.

Cheers,
Adrian

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.