Post on 08-Apr-2018
8/6/2019 Configuring Iplanet for Ssl
Configuring iPlanet 6.0 Web Server
For SSL and non-SSL Redirect
Introduction
This document describes the process for configuring an iPlanet web server for the following situation:
- Require that clients have SSL client certificates
- If a certificate is not valid or not available, redirect the client to a non-SSL portion of the server for further processing
This method uses virtual servers to allow the creation of both an SSL and non-SSL portion of the web server.
Configuration Process
The following sections describe the process to create two virtual servers, one enabled with SSL and one without.
A note on my configuration: In my configuration, my server started as SSL and I was trying to add a non-SSL virtual server to it. Your configuration will vary appropriately depending on which you want to do, but your end result should be having two listen sockets and two virtual servers, one with security on and on port 443, and the other with security off and on port 80.
Obtain and Install a Certificate
In order to allow SSL connections, the web server must have a private key and digital certificate. To obtain a certificate, you should open the management console for the server, select the Security tab, and choose Request a Certificate from the left side menu. This process will create your certificate request. Once your request is completed, you will need to send it to a certificate authority so the certificate can be generated. The response should contain your server's certificate, which you install using the management console. Select the Security tab and choose Install Certificate, being sure to select the radio button labeling that the certificate is for This Server.

Create Listen Sockets
In the management console for the server, choose the Preferences tab and choose Add Listen Socket. You will see a screen similar to the following (except blank). You should fill in the values similar to what is shown to add your second listen socket. See the notes below the picture.
Add Virtual Server Class and Virtual Server
In the management console, select the Virtual Server Class tab. You will see a screen similar to the following:
You will add a virtual server class by clicking Add Class on the left, and filling in the form similar to the following:
Once that is completed, your Manage Classes view will look something like this:
Click the name of the new class to begin to add the virtual server. You will see the following:
Click the Add Virtual Server link to add a virtual server under your virtual server class. You will see the following:
Configure a name for the server, and choose your new listen socket as appropriate. (If your second server is the SSL server, you would reverse the choice for the connections shown.)
Now that your virtual server is created, there is just one more step. You must bind the listen socket to the virtual server.

Binding Listen Socket to Virtual Server
To bind the new listen socket to the new virtual server, you should go back to the Preferences tab in the management console. You should then choose Edit Listen Sockets. You will be presented with your two listen sockets as shown below:
Depending on which listen socket you've added (in my case it's the non-secure port 80 socket), click the corresponding Groups button next to the new listen socket. You will see a screen similar to the following:
Next to the Edit option, you should select the name of the virtual server that will be the default for that listen socket (just by highlighting it) and then click the OK button. This will bind the new listen socket to that virtual server.

Setting up Redirection
This can be done in any number of ways; the method I chose was quite simplistic. First choose the Virtual Server Class tab. Click on the name of your SSL server class (not the server, the class!). You will see a screen similar to the following:
Click the Content Mgmt tab and choose the Error Responses link on the left. You will see a page similar to the following:
I caused all the errors to load a file that contained an HTML redirection. The HTML file redirected to my non-secure interface. The contents of that file are as follows:
Redirecting now
Please stand by for redirection...
See section 0 below for another example that works better with the Internet Explorer browser.

Internet Explorer Friendly Error Messages
Unfortunately, the default installation of Internet Explorer causes the redirection to not occur. The reason for this is the HTTP status code that is returned with the error page. Internet Explorer (by default) is configured to return friendly error messages, so instead of getting the page with a redirection you might see something similar to the following:
The easy solution to prevent this from happening and to actually follow your redirection is to configure as follows: Tools > Internet Options > Advanced Tab > Uncheck Show Friendly Error Messages.
Unfortunately since this is a default setting, this may not be easy to do.
We have found through research that Internet Explorer clients will only return a friendly error message if the returned error page is smaller than some threshold size, which is specified in a registry setting. Information about that registry setting and threshold size can be found here:
http://support.microsoft.com/kb/218155/EN-US/
Most error thresholds are either 256 or 512 bytes. So, when you create your redirection page, ensure that it is longer than 512 bytes. If the page downloaded is greater than the threshold specified in the registry, the Internet Explorer browser will render the redirection page rather than showing the friendly error message. This will allow the redirection to occur properly.
The following page has a sample HTML file which performs a redirection and is greater than 512 bytes.
Redirecting now
Please stand by for redirection...
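
An added example, not the author's original file: one way to generate a redirection page that stays above the 512-byte threshold described above, padded with an HTML comment and checked by size in bytes. The function names, the meta-refresh markup and the target URL used in testing (http://www.example.com/nocert/) are assumptions.

```python
import html

# Largest friendly-error threshold the text mentions, in bytes.
IE_THRESHOLD = 512


def build_redirect_page(target_url, min_bytes=IE_THRESHOLD + 1, delay=0):
    """Return an HTML redirect page, as bytes, at least min_bytes long."""
    # Escape the URL so it cannot break out of the attribute values.
    safe_url = html.escape(target_url, quote=True)
    head = (
        "<html>\n<head>\n"
        "<title>Redirecting now</title>\n"
        f'<meta http-equiv="refresh" content="{delay}; url={safe_url}">\n'
        "</head>\n<body>\n"
        "<p>Please stand by for redirection...</p>\n"
        f'<p>If nothing happens, <a href="{safe_url}">continue here</a>.</p>\n'
    )
    tail = "</body>\n</html>\n"
    open_c, close_c = "<!-- padding ", " -->\n"
    # Measure the encoded bytes, since that is what the browser receives.
    body = (head + tail).encode("ascii", "xmlcharrefreplace")
    shortfall = min_bytes - len(body)
    if shortfall > 0:
        # Pad with an HTML comment so the rendered page is unchanged.
        fill = max(shortfall - len(open_c) - len(close_c), 0)
        pad = open_c + "." * fill + close_c
        body = (head + pad + tail).encode("ascii", "xmlcharrefreplace")
    return body


def shows_friendly_error(body, threshold=IE_THRESHOLD):
    """True if the body is small enough that IE may replace it.

    A body exactly at the threshold is treated as too small; this is a
    conservative assumption, since the text only says "greater than".
    """
    return len(body) <= threshold
```

Save the returned bytes as the error response file configured for the SSL virtual server class, and re-run the size check whenever the page is edited.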