Securing Maximo with SSL/HTTPS

By default, the Maximo installation configures unencrypted HTTP communication. This basic configuration may represent a security exposure, especially when the server is reachable from the public internet.

This article describes all the steps needed to enable HTTPS (SSL) communication for Maximo.
It comprises the following main steps.

  1. Creation of a self-signed certificate
  2. IBM HTTP Server configuration
  3. WebSphere configuration
  4. Adjust DocLinks settings

Create a self-signed certificate

Run the IBM Key Management utility – Start > Programs > IBM HTTP Server > Start Key Management Utility.
Click the Create a new key database file button.

Leave the default values and click OK. Take note of the key.kdb file path.

Enter a password and select the Stash password to a file option. Click OK.

Click the New Self-Signed… button.

Enter MX_SSL_KEY as the Key Label and leave the other fields at their defaults. Click OK to create the self-signed certificate.

Select Key Database File > Stash Password and close the IBM Key Management utility.

Web server configuration

Back up the C:\Program Files\IBM\HTTPServer\conf\httpd.conf file and open it with a text editor.

If you want to disable plain HTTP, remove or comment out the following line.

Listen 0.0.0.0:80

To enable HTTPS on the default port 443, paste the following lines.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
 SSLEnable
</VirtualHost>
KeyFile "C:\IBM\HTTPServer\key.kdb"

Verify that the KeyFile path matches the key.kdb file you generated earlier.

Restart IBM HTTP Server using the following sequence.

  1. Stop Admin Server
  2. Stop HTTP Server
  3. Start Admin Server
  4. Start HTTP Server
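
Before restarting, it is worth checking that the edit actually produced the configuration the steps above describe: port 80 gone (or consciously kept), port 443 listening, mod_ibm_ssl loaded, SSLEnable inside the 443 virtual host, and a KeyFile pointing at a .kdb database. The script below is an added example, not part of the article or of IBM's tooling; it parses only the handful of directives used here, and the two sample configurations in it are constructed, not real server files.

```python
# Added example (not from the article or IBM): a small audit of the
# httpd.conf directives the HTTPS steps change, so the edit can be
# checked before the server is restarted. It understands only the
# directives used in this setup (Listen, LoadModule, KeyFile,
# <VirtualHost>, SSLEnable); the sample configs below are constructed.
import re
from dataclasses import dataclass, field


@dataclass
class HttpdConf:
    listen_ports: list = field(default_factory=list)   # ports from Listen
    modules: set = field(default_factory=set)          # names from LoadModule
    keyfile: str = ""                                  # global KeyFile path
    vhosts: dict = field(default_factory=dict)         # "*:443" -> [directives]


def parse_httpd_conf(text):
    """Parse the subset of httpd.conf syntax used in the HTTPS setup."""
    conf = HttpdConf()
    current_vhost = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or commented out
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current_vhost = opened.group(1).strip()
            conf.vhosts.setdefault(current_vhost, [])
            continue
        if re.match(r"</VirtualHost>", line, re.IGNORECASE):
            current_vhost = None
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        argument = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if current_vhost is not None:
            conf.vhosts[current_vhost].append(directive)
        elif directive == "listen":                  # "Listen 443" or "Listen 0.0.0.0:443"
            conf.listen_ports.append(int(argument.rsplit(":", 1)[-1]))
        elif directive == "loadmodule":              # "LoadModule ibm_ssl_module modules/..."
            conf.modules.add(argument.split()[0])
        elif directive == "keyfile":
            conf.keyfile = argument
    return conf


def audit_httpd_conf(text):
    """Return a list of findings; an empty list means the HTTPS setup is in place."""
    conf = parse_httpd_conf(text)
    findings = []
    if 80 in conf.listen_ports:
        findings.append("plain HTTP is still enabled on port 80")
    if 443 not in conf.listen_ports:
        findings.append("no Listen directive for port 443")
    if "ibm_ssl_module" not in conf.modules:
        findings.append("mod_ibm_ssl is not loaded (LoadModule ibm_ssl_module ...)")
    ssl_hosts = [h for h in conf.vhosts if h.endswith(":443")]
    if not ssl_hosts:
        findings.append("no <VirtualHost *:443> block")
    for host in ssl_hosts:
        if "sslenable" not in conf.vhosts[host]:
            findings.append(f"SSLEnable is missing inside <VirtualHost {host}>")
    if not conf.keyfile:
        findings.append("KeyFile is not set; the server has no key database to serve a certificate from")
    elif not conf.keyfile.lower().endswith(".kdb"):
        findings.append(f"KeyFile {conf.keyfile!r} does not point at a .kdb key database")
    return findings


# Constructed samples: the article's snippet with port 80 commented out,
# and a half-finished edit that still listens on 80 and has no SSLEnable.
HARDENED_CONF = r"""
# Listen 0.0.0.0:80
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
 SSLEnable
</VirtualHost>
KeyFile "C:\IBM\HTTPServer\key.kdb"
"""

WEAK_CONF = r"""
Listen 0.0.0.0:80
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, audit_httpd_conf(conf) or ["OK"])
```

Run it against a copy of the real httpd.conf (read the file and pass its text to audit_httpd_conf) before the restart sequence; a finding about port 80 is only a problem if you intended to disable plain HTTP.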

WebSphere configuration

Log in to the WebSphere ISC console and navigate to Environment > Virtual Hosts > maximo_host > Host Aliases.
Verify that port 443 is present. Add it if missing. You may also wish to remove port 80 and other unused ports.

Navigate to Servers > Server Types > Web servers. Select webserver1 and click Generate Plug-in. Select webserver1 again and click Propagate Plug-in.
Still in the ISC console, restart MXServer under Servers > Server Types > WebSphere application servers.

Verify the connection by logging in at https://[MXHOST]/maximo, where [MXHOST] is the host name of the HTTP server. Your server is now running over SSL.

Adjust DocLinks settings

The last step is to change the URL that Maximo generates to display attachments.
Log in as maxadmin and modify the mxe.doclink.path01 system property, replacing http:// with https://.
Do a Live Refresh of this property and test by downloading an attachment.
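
When several DocLinks properties exist, the rewrite is easy to do inconsistently, and a URL that points at an application-server HTTP port does not become secure just because its scheme changes. The script below is an added example, not part of the article or of Maximo; it assumes the mxe.doclink.pathNN value format "<local folder>=<URL>" (e.g. C:\doclinks=http://mxhost/doclinks), which is an assumption about the property format, and the sample property values in it are constructed.

```python
# Added example (not from the article or from Maximo itself). It assumes the
# mxe.doclink.pathNN value format "<local folder>=<URL>", e.g.
# "C:\doclinks=http://mxhost/doclinks", and rewrites the URL part to https://
# while refusing to rewrite URLs that would not actually be served over TLS.
from urllib.parse import urlsplit, urlunsplit


def rewrite_doclink_mapping(value, https_host=None):
    """Return the mapping with its URL switched to https://.

    https_host, if given, replaces the host name so the URL matches the
    name on the server certificate (otherwise browsers warn on download).
    Raises ValueError for values that should be fixed by hand instead.
    """
    if "=" not in value:
        raise ValueError(f"not a '<folder>=<URL>' mapping: {value!r}")
    local_folder, url = value.split("=", 1)
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL in mapping: {url!r}")
    # A URL aimed at an application-server HTTP port (9080 etc.) does not
    # become secure by changing the scheme; it must go through the HTTPS
    # web server on 443, so flag it rather than guess.
    if parts.port not in (None, 80, 443):
        raise ValueError(f"{url!r} targets port {parts.port}; point it at the HTTPS web server")
    host = https_host or parts.hostname      # note: urlsplit lowercases the host
    new_url = urlunsplit(("https", host, parts.path, parts.query, parts.fragment))
    return f"{local_folder}={new_url}"


def https_migration_plan(properties, https_host=None):
    """Map property name -> new value for every DocLinks mapping still on http://."""
    plan = {}
    for name, value in properties.items():
        if name.startswith("mxe.doclink.path") and "=" in value:
            url = value.split("=", 1)[1].strip().lower()
            if url.startswith("http://"):
                plan[name] = rewrite_doclink_mapping(value, https_host)
    return plan


# Constructed sample property values, not taken from a real system.
SAMPLE_PROPERTIES = {
    "mxe.doclink.path01": r"C:\doclinks=http://mxhost/doclinks",
    "mxe.doclink.path02": r"C:\doclinks\diagrams=https://mxhost/doclinks/diagrams",
}

if __name__ == "__main__":
    for name, new_value in https_migration_plan(SAMPLE_PROPERTIES).items():
        print(f"{name}: {SAMPLE_PROPERTIES[name]} -> {new_value}")
```

Export the current values from System Properties, run them through https_migration_plan, and apply only the entries it returns; anything it rejects with ValueError needs a look at which server the URL really reaches.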

References

Enabling SSL in IBM SmartCloud Control Desk
Guide to properly setting up SSL within the IBM HTTP Server
Enable HTTPS in WebSphere for Maximo, SCCD, TSRM, and Tririga

19 thoughts on “Securing Maximo with SSL/HTTPS”

  1. Hello Bruno!
    I think there is some mistake in next part:
    *****
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443

    SSLEnable

    KeyFile "C:\IBM\HTTPServer\key.kdb"
    SSLDisable
    ****
    Because there is no need for "SSLDisable". The original article on the IBM site doesn't have this line.
    Isn't it?

  2. This is extracted from the 'TPAE SECURITY WHITEPAPER' I'm going to publish soon.

    Maximo has a useful feature that allows attaching documents to several kinds of objects through the web interface. These files are typically stored on a shared filesystem that is accessible from the web servers and application servers that comprise the system. Those servers are typically shielded from the outside world by a firewall that blocks any access to the NFS/SAMBA protocols used to access those filesystems. However, there are two important tips to prevent access to the attached files through the web server.
    Disable HTTP directory listing – http://www.ibm.com/support/docview.wss?uid=swg21296739
    This technique is simpler and just prevents listing all the attached files stored on the server by simply typing the hostname of the server in the web browser (e.g. http://mxhost). When HTTP directory listing is disabled, an attacker can retrieve attachments only if he knows the exact file name (e.g. http://mxhost/attachments/myfile.doc).

    Secure attachment links – http://www.ibm.com/support/docview.wss?uid=swg21628427
    The second technique generates a very complex URL for each file so that it is practically impossible to find it. The only drawback of this technique is that it adds a little additional workload on the application servers and may be a little hard to debug in case of problems. The decision to apply it or not depends on the kind of attachments that will be stored and the required security level.

  3. So I'm having a little issue with this. First, we have a legitimate CA certificate we'd like to use instead of a self-signed one. Secondly, why are we editing the conf for "webserver1" and not "MXServer"? Currently we have "webserver1" running on port 80 and "MXServer" running on all its ports (9080, 9443, etc). Ideally I'd like to have Maximo run on port 443 so that users can simply put in the url without a port number (since 443 is default) and even more ideally, have port 80 (http non-ssl requests) redirect to port 443 as ssl request. Is this possible in WebSphere 8.5 and Maximo 7.6?

  4. Hi Bruno,

    If we have a customer Maximo installation where intranet users use Maximo with http and users coming from outside (from the Internet) use https, is there

    (1) any kind of mechanism to prevent any user from accessing any document from the attachment folder even if the user knows the URL exactly, so as to force the user to be authenticated before seeing the document
    (2) so that it also works if both protocols (http/https) are used simultaneously

    Paavo

  5. Hi Madhav,
    Configuring the Maximo application on HTTP/HTTPS can be done, but not attachments and reports. Since these two URLs are defined in SystemProperties, you need to keep them as either an HTTP or an HTTPS URL.

    Also, if you have any other views on this, let me know.
    Thanks.

  6. Hi Bruno,
    After applying the changes as suggested above, if I try to log in to the application by accessing the URL https://[HOSTNAME]/maximo, I get an error
    The requested URL /maximo was not found on this server
    and in the HTTPServer error log it shows File does not exist: //HOSTNAME/doclinks/maximo.
    Any recommendations, please?

  7. Hi Bruno,
    First I'd like to thank you for the instructions. I've successfully done this issue for my testing system (internal IP address; I can access my testing system via https by internal IP now). Now I'd like to make it public (access my testing system via the internet by a domain name). I have a domain name, which points to a public and static IP address and then redirects to my internal IP address. I cannot get access to my system via the internet and the domain name or public IP address by https (I can still access it by http). Please instruct me how to do that. Thanks a lot.

  9. Can you speak to what needs to be changed for SSL with the MIF and things like Web Services? Do we need to change things like the mxe.int.webappurl to be an https URL, and away from port 9080?

  10. Once I have Maximo working with my SSL just fine, I cannot find any guides on how to activate it for the WAS Console so that it uses the SSL cert and properly uses SSL, not showing the invalid indicator.

    Any chance you can explain what is needed to make the WebSphere also use the SSL?

    Thanks,
    Miller

  11. Hi Bruno,

    I have followed the instructions, thanks for that, but I am unable to start the web server because of the error:

    Invalid command ‘SSLEnable’, perhaps misspelled or defined by a module not included in the server configuration

    Thanks and Regards,
    Amina Waqar
