OneClick customization is affected when the Apache ModSecurity firewall is enabled

Article ID: 7193

Updated On:

Products

CA Spectrum

Issue/Introduction

After the ModSecurity firewall application is enabled, the CA Spectrum OneClick Console R10.1(++) view is missing customizations (branding, custom logos and images), while the default functionality and view appear to be fine.

Cause

When the ModSecurity Web Application Firewall is enabled for a CA Spectrum R10.1 (or higher) OneClick server (see the default setup procedure in the CA Spectrum R10.1++ documentation), the OC-Console customizations that load "Branding" or custom logos or images are not available in the OC-Console view.

 

The background is that the default Apache ModSecurity firewall rule set is limited: it grants access only to the default Spectrum installation data, and all data not accessible via this path is stripped. Because the common advice is to add all CA Spectrum OC-Server customizations under $SPECROOT/custom rather than placing the customization files in the default Spectrum data/file directories, these files (logos, images, ...) are not loaded.

To resolve this, the Apache ModSecurity application firewall setup (Apache web service setup) needs to be modified with specific "ProxyPass" and "ProxyPassReverse" configuration entries in "httpd.conf" (or, when "https/ssl" is enabled, in ./extra/httpd-ssl.conf).

Environment

CA Spectrum OneClick web server R10.1(++) on all platforms / OS when the ModSecurity Web Application Firewall is enabled.

Resolution

CA Spectrum R10.3 and higher support OneClick Console view and configuration customizations out of the box when the Apache ModSecurity application firewall is enabled. The attached document covers a sample workaround for reconfiguring the Apache web service on CA Spectrum R10.1* and R10.2.*.

Modsecurity_R10.1.1_OC_customization.pdf

Additional Information

This is a CA Spectrum "Apache" web service configuration item. The Apache web service is an additional web server in front of the CA Spectrum default OC web server (OneClick Tomcat server).

Attachments

1558533966607TEC1230131.zip