WebSphere Application Server and OpenSSL
Got a call today from a Business Partner asking some really tough security-related questions on WebSphere Application Server Express, but sometimes, what seems most obvious is not. That particular question seemed simple enough:
Can WAS Express 5.1.x use the OpenSSL libraries instead of the IBM provided ones?
Humm, welll, I think so… lemme check… huh… no. Not according to this page, it’s not.
IBM HTTP Server supports Secure Sockets Layer (SSL) Version 2 and Version 3 and Transport Layer Security (TLS) Version 1. IBM HTTP Server is based on the Apache Web server, but for SSL configuration it requires the IBM-supplied SSL modules, rather than the OpenSSL modules. This document describes configuration of IBM HTTP Server, although it is possible to use another supported Web server.
But as always, finding why is always the toughest part, even when you’re on the inside. And finding why is what I was unable to accomplish – hey, we work with short turn-around times to provide answers back to our requesters. BUT, what’s important is that last sentence in the paragraph above… possible to use another Web server.
You see, IBM prides itself on testing every product we say we support. And testing is not something we take lightly. In this case, a decision was most likely made to only certify IBM HTTP Server for use with our own SSL libraries.
But, you can very well install another web server from the supported list for your WAS edition/version and use OpenSSL libraries as desired.