How do I create and use Apache virtual host when using a CA SSO Agent?
Article ID: 11366

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Generally, a virtual server is defined as a logical entity that you configure on a physical server. This logical entity acts as an independent server. Virtual servers let you host multiple websites on one physical server. For example, using virtual servers, one can set up a server to host both _host.example.com and _host.example.org.



What is the use or benefit of a virtual host, and how is it used with CA SSO?

Environment

CA SSO Apache Agent on supported Unix or Windows OS

Resolution

Virtual hosts can be "IP-based", meaning that you have a different IP address for every website (or the same IP but different port numbers), or "Name-based", meaning that you have multiple names running on each IP address. The fact that they are running on the same physical server is not apparent to the end user. Using an Apache virtual host, you can run several websites on the same Apache instance, using the same Apache binary, which saves physical and maintenance resources. For example, you can run both _host2.example.com and _host2.example.org on a single physical server that has one Apache web server running on it. This can be easier to manage with Apache and CA SSO (e.g. only a single agent to upgrade), and so takes fewer resources.

With a name-based virtual host, when the Apache web server receives a request, it looks for the hostname in the HTTP header and serves a different website depending on that hostname. This is very easy to set up, as you need only one IP address on the physical server; you then update DNS so that multiple website names point to the same IP address. For all practical purposes, you'll be using only the name-based virtual host configuration.

In the following example, the server can have only one NIC, which is configured with the IP address 10.0.0.1. The DNS entries for both the example.com and example.org websites point to 10.0.0.1. When Apache receives a request, it looks for the hostname entry in the HTTP header and serves the corresponding website.

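1.) Create the virtual host in httpd.conf

# NameVirtualHost is required on Apache 2.2; Apache 2.4 treats it as deprecated and it has no effect.
NameVirtualHost 10.0.0.1
# Name-based virtual host for example.org on the shared IP address
<VirtualHost 10.0.0.1>
    DocumentRoot /www/docs/example.org
    ServerName example.org
</VirtualHost>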

2.) After this is done, use the Administrative UI to add an agent identity ("agentname") to the ACO for the virtual server to be protected by CA SSO. The name of that ACO, "Apache2ACO", is set in the AgentConfigObject parameter of WebAgent.conf.

agentname="apache2,10.0.0.1"

In your ACO (Agent Configuration Object) on the Policy Server, you can have "apache" defined for the "defaultagentname" (_host2.example.com).

3.) In the Administrative UI, create a new Agent for the new agent identity "apache2". The IP addresses and Agent Name must be identical to what is specified in the ACO "Apache2ACO" and in httpd.conf.

4.) Each additional virtual server that needs to be protected by CA SSO requires a new realm and an associated policy, which should be created.

5.) Each agent identity should have a unique ServerPath parameter defined in the WebAgent.conf. (The ServerPath creates a unique identifier for the caching, logging, and health-monitoring resources that the agents use.)

6.) Stop and start the web server for the changes to take effect.
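
The check below is an added example, not code from CA or from this article: it reads the VirtualHost blocks from an httpd.conf and reports which agent identity each one resolves to, so that a virtual host with no agentname entry (and therefore a realm and policy it was not meant to share) stands out. The sample data is constructed (the second virtual host is hypothetical), and it is an assumption here that a virtual host without a matching agentname entry is handled under defaultagentname.

```python
import re

# Constructed sample input: the article's virtual host plus a hypothetical second one.
HTTPD_CONF = """\
NameVirtualHost 10.0.0.1
<VirtualHost 10.0.0.1>
    DocumentRoot /www/docs/example.org
    ServerName example.org
</VirtualHost>
<VirtualHost 10.0.0.2:8080>
    ServerName intranet.example.org
</VirtualHost>
"""
ACO_AGENTNAMES = ["apache2,10.0.0.1"]  # agentname values as entered in the ACO
DEFAULT_AGENT = "apache"               # defaultagentname value from the ACO

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)[^>]*>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)


def parse_vhosts(conf):
    """Return [(address, ServerName)] for every <VirtualHost> block."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        addr = m.group(1).split(":")[0]  # drop an optional :port (IPv4/hostname only)
        sn = SERVERNAME_RE.search(m.group(2))
        vhosts.append((addr, sn.group(1) if sn else "(no ServerName)"))
    return vhosts


def agent_map(entries):
    """Map address -> agent identity from 'name,address' agentname values."""
    pairs = (e.partition(",") for e in entries)
    return {addr.strip(): name.strip() for name, _, addr in pairs}


def audit(conf, agentnames, default_agent):
    """Return [(ServerName, address, agent identity, explicitly_mapped)]."""
    mapping = agent_map(agentnames)
    report = []
    for addr, server_name in parse_vhosts(conf):
        agent = mapping.get(addr)
        report.append((server_name, addr, agent or default_agent, agent is not None))
    return report


if __name__ == "__main__":
    for name, addr, agent, mapped in audit(HTTPD_CONF, ACO_AGENTNAMES, DEFAULT_AGENT):
        note = "" if mapped else "  <- no agentname entry, uses defaultagentname"
        print(f"{name:<24} {addr:<10} {agent}{note}")
```

Each agent identity it reports should correspond to an Agent object, realm and policy created in steps 3 and 4.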

Debugging

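When trying to debug your virtual host configuration, you may find the -S command line switch useful, along with the Web Agent log and Web Agent trace. The -S switch prints the virtual host settings as Apache parsed them from the configuration files.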

Unix example

apachectl -S

Windows example

httpd.exe -S

Additional Information

For more details, please refer to Apache.org and docops.ca.com CA SSO documentation for the version you’re using.