Multiple Certificate support in WebSphere Enterprise 8.5.5.3


CONNECT is not yet intended for multi-exchange support

The ability to download, store and process data from multiple healthcare provider directories and the proof of concept to authenticate with multiple certificates on one CONNECT instance have been completed with the release of CONNECT 5.3. However, the messaging and SAML services are still strictly intended for NwHIN exchange. Additional code enhancements are required for complete multi-exchange implementation.

Setting up Apache HTTP Server

Instructions to set up the Apache HTTP Server can be found here. Setup remains the same for configuring multiple exchanges under multiple host names. The Apache HTTP Server serves as a proxy that binds the different virtual hosts to individual ports on WebSphere. In the setup defined here, Apache HTTP is the front-facing server hosting two different domains that both point to the same WAS server.

Setting up WebSphere Enterprise 8.5

Hosting multiple exchanges was achieved by assigning a separate SSL configuration to each port linked to CONNECT. Each port's SSL configuration references its own keystore and truststore, which hold the certificates for the virtual host that Apache HTTP fronts on that port.

Configuring the Ports

Two new ports should be added and configured onto the server for each hostname you wish to use. The port numbers may be any you wish to specify. As an example, we will be using 8080 for HTTP and 8181 for HTTPS on Host 1, and 9090 for HTTP and 9191 for HTTPS on Host 2.


After the ports have been created, we must define transport chains for our newly defined ports. This can be done under "Application Servers > (Your Server) > Container Settings > Web Container Settings > Web Container Transport Chains".

When creating your transport chain, use "WebContainer(templates/chains|webcontainer-chains.xml#Chain_1)" for HTTP and "WebContainer-Secure(templates/chains|webcontainer-chains.xml#Chain_2)" for HTTPS. When asked for a port to use, be sure to use one of the existing ports you defined earlier, and do not create a new port. Repeat this step to create a transport chain for all existing ports you defined earlier (#Chain_1 for HTTP 8080 and #Chain_2 for HTTPS 8181, as an example).

Configuring SSL Inbound Channels

The next step is to configure the HTTPS channel to use the correct certificates. In our setup, we isolated the certificates for the various host names into separate keystores and truststores. You should create a new SSL configuration for each HTTPS port you defined earlier. This can be done under "Security > SSL certificate and key management > SSL Configurations". Once created, configure the SSL configuration to use your desired key and trust stores.


Then enter the Quality of Protection settings and ensure that Client Authentication is set to "Required", that your selected ciphers are correct, and that you have selected your desired JSSE provider.


Binding Transport Chains to SSL Configurations

Lastly, we need to configure our ports' transport chains to use the SSL configurations we just defined. The simplest way to do this is to go back to the transport chains and click the "SSL Inbound Channel" link for each HTTPS port you defined earlier. You may then specify which SSL configuration the port should use. Port 8181, in this example, will use the "NodeDefaultSSLSettings" configuration, which specifies the "gateway" certificate alias for SSL. Port 9191 would use a "wc second ssl" transport chain, which would use a "gateway2" certificate alias for SSL.

Example Overview

  • Port: 8181
    • Transport Chain: WCInboundDefaultSecure
      • SSL Inbound Channel: SSL_1
        • SSL Configuration: NodeDefaultSSLSettings
          • Trust Store: cacerts
          • Key Store: gateway
          • Server Certificate Alias: gateway
          • Client Certificate Alias: gateway
  • Port: 9191
    • Transport Chain: wc_second_secure
      • SSL Inbound Channel: SSL_2
        • SSL Configuration: WCSSLSecondSettings
          • Trust Store: cacerts2
          • Key Store: gateway2
          • Server Certificate Alias: gateway2
          • Client Certificate Alias: gateway2
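As an added example (not part of the CONNECT project or IBM's documentation), the wsadmin Jython script below automates the "Configuring SSL Inbound Channels" and "Binding Transport Chains to SSL Configurations" steps using the values from the Example Overview. It assumes the keystores and truststores already exist in WAS, that the CELL_NAME, NODE_NAME and server1 placeholders are replaced with your own, and that the SSLInboundChannel attribute the console edits when you pick an SSL configuration is sslConfigAlias.

```python
# Added example, not CONNECT's or IBM's code: wsadmin Jython script that creates the
# second SSL configuration from the Example Overview and binds each SSL inbound channel
# to its SSL configuration. Placeholder cell/node/server names; Jython 2.1 compatible.
# Run inside wsadmin:  wsadmin.sh -lang jython -f multi_ssl.py
try:
    AdminConfig, AdminTask          # only defined when running inside wsadmin
    IN_WSADMIN = 1
except NameError:
    IN_WSADMIN = 0                  # lets the helpers be imported and tested elsewhere
SCOPE = "(cell):CELL_NAME:(node):NODE_NAME"      # placeholder scope string
SERVER_PATH = "/Node:NODE_NAME/Server:server1/"  # placeholder containment path

# Per-port profiles from the Example Overview: channel name -> SSL config and stores.
SSL_PROFILES = [
    {"channel": "SSL_1", "ssl": "NodeDefaultSSLSettings",
     "keystore": "gateway", "truststore": "cacerts", "alias": "gateway"},
    {"channel": "SSL_2", "ssl": "WCSSLSecondSettings",
     "keystore": "gateway2", "truststore": "cacerts2", "alias": "gateway2"},
]

def ssl_config_args(profile, scope=SCOPE):
    """Build the createSSLConfig argument string for one profile. Client authentication
    is forced on (the console's 'Required' setting), so a peer without a certificate
    trusted by this port's truststore is refused during the TLS handshake."""
    d = {"scope": scope}
    d.update(profile)
    return ("[-alias %(ssl)s -scopeName %(scope)s -type JSSE "
            "-keyStoreName %(keystore)s -keyStoreScopeName %(scope)s "
            "-trustStoreName %(truststore)s -trustStoreScopeName %(scope)s "
            "-serverKeyAlias %(alias)s -clientKeyAlias %(alias)s "
            "-clientAuthentication true -securityLevel HIGH -jsseProvider IBMJSSE2]" % d)

def find_channel(server_id, name):
    """Return the config id of the SSLInboundChannel called `name` (e.g. SSL_2)."""
    for cid in AdminConfig.list("SSLInboundChannel", server_id).splitlines():
        if AdminConfig.showAttribute(cid, "name") == name:
            return cid
    return None

def apply_profiles(server_id):
    for p in SSL_PROFILES:
        if p["ssl"] != "NodeDefaultSSLSettings":   # the node default already exists
            AdminTask.createSSLConfig(ssl_config_args(p))
        cid = find_channel(server_id, p["channel"])
        if cid is None:
            raise RuntimeError("no SSL inbound channel named " + p["channel"])
        # sslConfigAlias is what the console's "SSL Inbound Channel" page sets (assumed)
        AdminConfig.modify(cid, [["sslConfigAlias", p["ssl"]]])
    AdminConfig.save()

if IN_WSADMIN:
    apply_profiles(AdminConfig.getid(SERVER_PATH))
```

After running it, re-check each port's Quality of Protection page in the console to confirm Client Authentication still shows "Required" and the expected certificate alias.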