Note that the documentation for 8.0 and older contains a required section on setting up the Tomcat connector that currently appears to be missing from the 8.1/8.2 documentation; the required information is therefore presented in the article below:
The following IS required even in CA UIM v8.2
Install Apache HTTP Server version 2.2
Set up the Tomcat Connector (THIS IS REQUIRED)
Set up the Tomcat Connector to allow communication between the Apache web proxy server and the web application service probe (wasp) in UMP.
Follow these steps:
Create the workers.properties file and save it in:
# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=10.10.10.10
worker.worker1.port=8009
On the Apache server, download the version of mod_jk.so that matches your version of Apache and save it to:
Important! Ensure that you have a JkMount directive appropriate for your configuration.
Add the Tomcat Connector configuration to the Apache configuration file, httpd.conf:
For example:
# Load mod_jk module
# Update this path to match your modules location
LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile conf/workers.properties
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile logs/mod_jk.shm
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel debug
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Send everything for context / to worker named worker1 (ajp13)
JkMount / worker1
The Tomcat Connector is now set up for communication.
Define the Proxy Configuration between the Apache and UMP machines
Configure proxy communication between the Apache proxy web server and UMP server so that external browsers can access UMP via the DMZ.
Follow these steps:
Edit the Apache configuration file, httpd.conf, as follows:
Locate: #ServerName www.example.com; uncomment and change it to:
ServerName <Apache_server_name>.<domain>.com:80
Add the following lines to the end of the httpd.conf file:
ProxyRequests On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://<ump_server_name_orIP>:8009/
ProxyPass /c/portal ajp://<ump_server_name_orIP>:8009/c/portal
ProxyPass /web/guest ajp://<ump_server_name_orIP>:8009/web/guest
ProxyRequests Off
For example:
ProxyRequests On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://<ump_hostname>:8009/
ProxyPass /c/portal ajp://<ump_hostname>:8009/c/portal
ProxyPass /web/guest ajp://<ump_hostname>:8009/web/guest
ProxyRequests Off
For more detail on how that setting works, see the following:
After making that change, you will need to restart Apache.
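Before restarting, the proxy block added to httpd.conf can be checked with a short script. This is an added example, not part of the original article or the vendor documentation: it reports which ProxyRequests value Apache ends up with (a later occurrence of the directive replaces an earlier one) and which AJP back ends the inside firewall must allow. The host name ump.example.internal and the function audit_proxy_conf are constructed for illustration, and the script assumes all directives sit at the main server level.

```python
import re

# Constructed sample: the proxy block from this article with a placeholder UMP host.
SAMPLE_CONF = """\
ProxyRequests On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://ump.example.internal:8009/
ProxyPass /c/portal ajp://ump.example.internal:8009/c/portal
ProxyPass /web/guest ajp://ump.example.internal:8009/web/guest
ProxyRequests Off
"""

def audit_proxy_conf(text):
    """Return (effective ProxyRequests, sorted AJP back ends, findings)."""
    settings = []                  # every ProxyRequests value, in file order
    backends = set()               # (host, port) pairs the inside firewall must allow
    in_proxy_all = allow_all = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # skip blank lines and comment lines
        low = line.lower()
        if m := re.fullmatch(r'proxyrequests\s+(on|off)', low):
            settings.append(m.group(1))
        elif re.fullmatch(r'<proxy\s+"?\*"?\s*>', low):
            in_proxy_all = True
        elif low == "</proxy>":
            in_proxy_all = False
        elif in_proxy_all and re.fullmatch(r'allow\s+from\s+all', low):
            allow_all = True
        elif m := re.match(r'proxypass\s+\S+\s+ajp://([^:/\s]+)(?::(\d+))?', low):
            backends.add((m.group(1), int(m.group(2) or 8009)))  # 8009 is the AJP default
    effective = settings[-1] if settings else "off"   # Apache's default is Off
    findings = []
    if effective == "on" and allow_all:
        findings.append("open forward proxy: ProxyRequests On with <Proxy *> Allow from all")
    elif "on" in settings and allow_all:
        findings.append("ProxyRequests On is overridden only by a later Off; "
                        "remove the On line so a lost Off cannot open the proxy")
    return effective, sorted(backends), findings

if __name__ == "__main__":
    print(audit_proxy_conf(SAMPLE_CONF))
```

On the block as the article gives it, the effective value is Off, so Apache acts only as a reverse proxy for the ProxyPass paths; the script still flags the leading On line because the configuration stays safe only while the closing Off line is present.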
To restart Apache on Windows:
Open a command prompt.
Change to the Apache bin directory, e.g., C:\Apache\bin
Run the command
httpd -k restart
to restart the Apache service.
UNIX/LINUX
apachectl stop
apachectl start
On the inside firewall, make sure you open Port 8009
On the outside firewall, make sure you open: Port 80 OR Port 443 if you are using SSL.
Note: (Optional) To allow internet access to a hub in the DMZ, you must assign a public IP address.
Restart the Apache server.
(Optional) If you want to enable only https access and disable standard http, you must do the following:
In httpd.conf, comment out the following line:
#Listen 80
In the ServerName entry, specify port 443 instead of port 80.
Important! If you enable https access and do not disable http access, both http and https access are possible.
To test whether the Apache web server proxies you to the UMP login page, access the URL of the Apache HTTP proxy server in your web browser.
(Optional) Create a Self-Signed Certificate
You must have a security certificate to configure a secure connection between the proxy web server and web browsers. A certificate from a certificate authority assures site visitors that any transferred data is more secure. If you do not transfer sensitive data and you are less concerned about security, create a self-signed certificate.
Note: Visitors see a warning that a trusted certificate authority did not issue the certificate but they can proceed to the website.
Follow these steps:
Open a command prompt on the web server.
Change directories:
C:\Program Files\Apache\conf
Generate a private key:
Configure SSL support on the Apache server to establish an encrypted link between the web proxy server and external browsers.
Follow these steps:
In the Apache configuration file, httpd.conf, uncomment the following lines:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
In the Apache configuration file conf/extra/httpd-ssl.conf, edit the following parameters:
Listen port
Identifies the port number that is opened on the inside firewall for SSL as required.
Note: You can use the netstat command to make sure that no other applications are using the port that you specify. If you use port 443 on an Internet Information Services (IIS) web server, this may be an issue.
VirtualHost
Identifies the port number that is opened on the inside firewall for SSL. (Default value is 443.)
ServerName
Defines the name for the Apache server, including port number (for example: 10.10.10.10:443).
ServerAdmin
Defines the email address for the administrator.
SSLCertificateFile
Identifies the path to the PEM encoded certificate.
SSLCertificateKeyFile
Identifies the path to the private key if it is not already combined with the certificate.
In the Apache configuration file conf/extra/httpd-ssl.conf, accept the defaults or specify the desired path for the following parameters: