How to setup access to UMP in the DMZ using Apache HTTP Server as a proxy

Article Id: 33967
Status: Published
Updated On: 24-09-2018 06:39
Legacy Id: TEC000005135
Products:
CA Unified Infrastructure Management On-Premise (Nimsoft / UIM) , NIMSOFT PROBES
Issue/Introduction:

How to setup access to UMP in the DMZ using Apache HTTP Server as a proxy

 

Environment:

Release:
Component: CAUIM

Resolution:

Apache HTTP Server versions greater than 2.2 are NOT officially supported.

ONLY Apache HTTP Server version 2.2 is supported.

Apache HTTP Server Version 2.2 Documentation
http://httpd.apache.org/docs/2.2/

To download Apache HTTP Server version 2.2x go to:
http://httpd.apache.org/download.cgi

Note that in that 8.0 and older documentation there is a required section on setting up the Tomcat connector that currently appears to be missing from the 8.1/8.2 documentation hence the information required is presented in the Article below:

The following IS required even in CA UIM v8.2

Install Apache HTTP Server version 2.2

Set up the Tomcat Connector (THIS IS REQUIRED)
Set up the Tomcat Connector to allow communication between the Apache web proxy server and the web application service probe (wasp) in UMP.

Follow these steps:

Create the workers.properties file and save it in:

 C:\Program Files (x86)\Apache Software Foundation\Apache\conf

Specify the UMP portal server.

 For example:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=10.10.10.10
worker.worker1.port=8009

On the Apache server, download the version of mod_jk.so that it matches your version of Apache and save it to:

 C:\Program Files (x86)\Apache Software Foundation\Apache\modules

Important! Ensure that you have a JkMount directive appropriate for your configuration.

Add the Tomcat Connector configuration to the Apache configuration file, httpd.conf:

 For example:

# Load mod_jk module
# Update this path to match your modules location
LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile conf/workers.properties
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile logs/mod_jk.shm
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel debug
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Send everything for context / to worker named worker1 (ajp13)
JkMount / worker1

The Tomcat Connector is now set up for communication.


Define the Proxy Configuration between the Apache and UMP machines

Configure proxy communication between the Apache proxy web server and UMP server so that external browsers can access UMP via the DMZ.

Follow these steps:

Edit the Apache configuration file, httpd.conf, as follows:

Uncomment the following lines:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Locate: #ServerName www.example.com; uncomment and change it to:

ServerName <Apache_server_name>.<domain>.com:80
Add the following lines to the end of the httpd.conf file:
ProxyRequests On
<Proxy *>
 Order deny,allow
 Allow from all
</Proxy>
 ProxyPass / ajp://<ump_server_name_orIP>:8009/
 ProxyPass /c/portal ajp://<ump_server_name_orIP>:8009/c/portal
ProxyPass /web/guest ajp://<ump_server_name_orIP>:8009/web/guest
ProxyRequests Off

For example:
ProxyRequests On
<Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
ProxyPass / ajp://<ump_hostname>:8009/
ProxyPass /c/portal ajp://<ump_hostname>:8009/c/portal
ProxyPass /web/guest ajp://<ump_hostname>:8009/web/guest
ProxyRequests Off

For more detail on how that setting works, see the following:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

After making that change, you will need to restart apache.

To restart Apache on Windows:

Open a command prompt
Cd to the Apache bin directory
e.g., C:\Apache\bin

Run the command

httpd -k restart

to restart the Apache service.

UNIX/LINUX

apachectl stop
apachectl start

On the inside firewall, make sure you open Port 8009

On the outside firewall, make sure you open: Port 80 OR Port 443 if you are using SSL.

Note: (Optional) - To allow internet access to a hub in the DMZ, you must assign a public IP address. Restart the Apache server.

(Optional) if you want to enable only https access and disable standard http, you must do the following:

In the http.conf, comment out the following line #Listen 80


In the ServerName entry, specify port 443 instead of port 80.

Important! If you enable https access and do not disable http access, both http and https access are possible.

To test whether the Apache web server proxies you to the UMP login page, access the URL of the Apache HTTP proxy server in your web browser.

(Optional) Create a Self-Signed Certificate

You must have a security certificate to configure a secure connection between the proxy web server and web browsers. A certificate from a certificate authority ensures site visitors that any transferred data is more secure. If you do not transfer sensitive data and you are less concerned about security, create a self-signed certificate.

Note: Visitors see a warning that a trusted certificate authority did not issue the certificate but they can proceed to the website.

Follow these steps:

Open a command prompt on the web server.
Change directories:

C:\Program Files\Apache\conf
Generate a private key:

..\bin\openssl genrsa -des3 -out server.key 1024

Generate a CSR (Certificate Signing Request):

..\bin\openssl req -config ..\conf\openssl.cnf -new -key server.key -out server.csr

Remove the passphrase from the key:

copy server.key server.key.org
..\bin\openssl rsa -in server.key.org -out server.key

Generate a self-signed certificate:

 ..\bin\openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Edit httpd-ssl.conf to update paths to:

SSLCertificateFile and SSLCertificateKeyFile

You created a self-signed certificate.


Configure SSL Support on the Apache Server

Configure SSL support on the Apache server to establish an encrypted link between the web proxy server and external browsers.

Follow these steps:

In the Apache configuration file, httpd.conf, uncomment the following lines:

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

In the Apache configuration file conf/extra/httpd-ssl.conf, edit the following parameters:

Listen port

Identifies the port number that is opened on the inside firewall for SSL as required.

Note: You can use the netstat command to make sure that no other applications are using the port that you specify. If you use port 443 on an Internet Information Services (IIS) web server, this may be an issue.

VirtualHost

Identifies the port number that is opened on the inside firewall for SSL.
(Default value is 443.)

ServerName
Defines the name for the Apache server, including port number (for
 example: 10.10.10.10:443).

ServerAdmin
Defines the email address for the administrator.

SSLCertificateFile
Identifies the path to the PEM encoded certificate.

SSLCertificateKeyFile
Identifies the path to the private key if it is not already combined with the certificate.

In the Apache configuration file conf/extra/httpd-ssl.conf, accept the defaults or specify the desired path for the following parameters:

DocumentRoot
SSLSessionCache
ErrorLog
TransferLog
CustomLog

Restart the Apache web server.

You have now configured SSL support on the Apache server.


Troubleshooting Tips:
  • Request ports to be open and confirm via telnet that UMP AJP port 8009 is configured to receive traffic, and port 80 as well (443 for SSL).
  • Running netstat -an on the ump machine should show that it is LISTENING on both 80 and 8009?
  • You should be able to see the traffic from the browser request to UMP->proxy server-> to UMP machine by watching the logs on the firewall.?
  • Important logs:
  • wasp.log
  • portal.log
  • error.log
  • access.log
  • Issue: When you configure SSL using 64bit Apache on a Windows installation, Apache fails to start.
  • Solution: Modify the SSLSessionCache path ?Program Files (x86)? portion:?SSLSessionCache "shmcb:C:/PROGRA\~2/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"