SSL Issue:
After you enable SSL, be sure to turn off the weaker cipher suites. Otherwise, you will fail your next SSL audit.
SSL Solution:
Update the mod_ssl settings (the SSL module in Apache / IHS) in the httpd.conf file:
## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
## FIPS approved SSLv3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
## FIPS approved SSLv3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
Note: SSL Ciphers are a moving target. This list will be obsolete fairly quickly.
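Because the list ages, it helps to re-check the enabled SSLCipherSpec lines before each audit. The script below is an added example, not part of the original notes: the WEAK_PATTERN list and the sample input are assumptions, and it only handles the plain "SSLCipherSpec <long name>" form shown above.

```shell
#!/bin/sh
# Added example (not from the original notes): flag active SSLCipherSpec
# directives whose cipher name contains a primitive audits commonly reject.
# Assumption: WEAK_PATTERN is an illustrative list; match it to your audit policy.
WEAK_PATTERN='RC4|MD5|_DES_|3DES|NULL|EXPORT|RC2'

# weak_cipher_specs [FILE...]
# Reads the given config files (or stdin) and prints "line:cipher" for each
# uncommented "SSLCipherSpec <long name>" directive matching WEAK_PATTERN.
weak_cipher_specs() {
    awk -v weak="$WEAK_PATTERN" '
        $1 ~ /^#/ { next }                      # commented-out directive
        tolower($1) == "sslcipherspec" && NF >= 2 {
            if (toupper($NF) ~ weak) print FNR ":" $NF
        }
    ' "$@"
}

# Constructed sample input: the directives from these notes plus one
# commented-out line, to show that disabled entries are ignored.
sample_conf() {
    cat <<'EOF'
## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
## FIPS approved SSLv3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
# SSLCipherSpec SSL_RSA_WITH_DES_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
EOF
}

sample_conf | weak_cipher_specs
```

To check a real server, run weak_cipher_specs /opt/ibm/HTTPServer/conf/httpd.conf. On the sample it reports the two RC4 entries on lines 2 and 3, since RC4 is prohibited in TLS by RFC 7465.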
Linux 32-bit IHS Setup on 64-bit Linux As Reverse Proxy Notes:
Objective:
Use IHS as the front-end HTTP server for Domino, since ciphers are updated more regularly for Apache and IBM IHS.
______________________
1. Download IBM Installation Manager (IIM) and IBM HTTP Server (IHS) from the IBM web site.
(Not the Passport MS Windows version)
2. Install Linux Libraries.
# yum install compat-libstdc++-33.i686 (32bit version on 64bit)
# yum install compat-libstdc++-33 (msg already installed)
# yum install compat-db (msg already installed)
# yum install libXft (msg already installed)
# yum install libXtst (msg already installed)
# yum install libXmu (msg already installed)
3. Install IBM Installation Manager.
- Untar the installation files
# tar xvf /root/tmp/filename.tar
IIM and IHS File Rights Issue:
- Unzipped okay. However, the executable flag was not kept. Had to update the ./install and .sh files to allow execution (chmod +x). Also had to do the same to the ire/bin folder's executable files. (Otherwise you get an error type=13 dialog.)
After that you can run the ./install file and IHS installs okay.
- Update responsefile.txt to customize your installation info
# vi responsefile.txt
- Run installation:
./install -options "responsefile.txt" -silent
- The admsetup post-install program fails setting up the IHS admin user and group. Create manually:
useradd ihsadmin
passwd ihsadmin
- Update admin.conf
# vi /opt/ibm/HTTPServer/conf/admin.conf
- - Replace the @@AdminName@@ and group name variables with the ihsadmin id created above. Save.
- Update httpd.conf
# vi /opt/ibm/HTTPServer/conf/httpd.conf
- - Update the ServerName variable to the server and port. Save.
- - Added Include statement at bottom of httpd.conf to include domino.conf.
- - Created domino.conf to load in proxy modules.
- Copied IHS start-up script to server /etc/init.d location.
- Ran chmod on it:
# chmod +x ihs
- Set ihs to start automatically:
# chkconfig --add ihs
- Updated iptables for Domino (1352) and ports 80 and 443
# iptables -A INPUT -p tcp -m tcp --dport 1352 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# iptables-save > /etc/sysconfig/iptables
# service iptables restart
- Set up Domino to listen on port 80 9288 (since this is the port for the auto-MS Windows setup)
(IBM Domino Administrator Client --> Server document --> Ports --> HTTP and HTTPS)
Sample IHS Script:
ihs