How to enable SSL support

Enabling HTTPS (SSL) support for Apache

GroundWork Monitor supports the use of SSL for encrypting web browser connections to Apache, although this feature is not enabled by default. If you would like to enable this feature, you must first create or import an SSL Certificate for Apache to use, and then enable the SSL support in the appropriate Apache configuration file(s). The binaries and libraries necessary to enable SSL support are included in the GroundWork Monitor distribution. The steps below outline how to enable SSL for the Apache Web Server.

For more information, please refer to the Apache site at: http://httpd.apache.org/docs/2.2/ssl/

Configuration Steps

To enable SSL support in GroundWork Monitor:

  1. If you have an existing SSL certificate and key file for your web server that you wish to reuse, you must edit the /usr/local/groundwork/apache2/conf/extra/httpd-ssl.conf file to reference those files. The files must also have permissions that will allow them to be read by the Apache server on startup. A common situation in which you would use existing files would be if they were obtained from an external certificate authority.
  2. It is important that the person who generates the certificate correctly specifies the hostname. It must match the hostname where the certificate will be used exactly. In particular, the choice of fully qualified name or unqualified (short) name has to be consistent with all the ways that SSL will be invoked, not only for Apache content but also JOSSO requests. A mismatch here will create odd rejections.
  3. A further area of concern is chained certificates. If the issuing authority provides such a chain certificate, make sure that details such as the issuing authority match the server certificate.
  4. If you wish to create new self-signed certificate and key files, log in to the system as the root user and use the commands below from a terminal session. This ensures that appropriate default file names, certificate settings, and correct file permissions are used.
    cd /usr/local/groundwork/apache2/conf
    openssl genrsa -out server.key 2048
    openssl req -new -x509 -key server.key -out server.crt -days 1095 -set_serial `date +%s`
    The back-quotes surrounding the date-command invocation (`date +%s`) are used to capture its output and substitute it into the command line.
    • This command will create a certificate good for 3 years from the date of manufacture; (-days 1095). You might wish to specify a longer period, such as 10 years; (-days 3653), to move the expiration date even further into the future.
    • The -set_serial option specifies a hopefully-unique serial number for this certificate, in contrast to the fixed default of 0. Using a different value for this option each time you create a certificate helps to avoid problems with some browsers. The integer timestamp produced by the date command shown above in this context provides sufficient uniqueness for ordinary use.
    • Answer the questions asked by the last command shown above. When prompted for the Common Name, you have two basic choices. If you will have some users who may access the system from outside your domain, answer with the fully qualified hostname of your web server. If all access will occur only from inside your domain, you may answer instead with the unqualified hostname of your web server.
      You are about to be asked to enter information that will be incorporated into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank. For some fields there will be a default value.
      If you enter '.', the field will be left blank.
      Country Name (2 letter code) [GB]:
      State or Province Name (full name) [Berkshire]:
      Locality Name (eg, city) [Newbury]:
      Organization Name (eg, company) [My Company Ltd]:
      Organizational Unit Name (eg, section) []:
      Common Name (eg, your name or your server's hostname) []:
      Email Address []:
  5. Edit the file:
    /usr/local/groundwork/apache2/conf/httpd.conf
    • Remove the # symbol from the lines below, and replace my-server with the name of the actual server Apache is running on:
      #LoadModule rewrite_module modules/mod_rewrite.so
      #Include conf/extra/httpd-ssl.conf
      #RewriteEngine On
      #RewriteCond %{SERVER_PORT} !^443$
      #RewriteRule ^/(.*)$ https://my-server/$1 [NE]

      Apache ProxyPass directives need to be set to the new connector on port 8443:

      ProxyPass /foundation-webapp http://localhost:8443/foundation-webapp
      ProxyPass /reportserver http://localhost:8443/reportserver
      ProxyPass /birtviewer http://localhost:8443/birtviewer
      ProxyPass /monarch/ http://localhost:8443/monarch/ timeout=5400
      ProxyPass /monarch-export/ http://localhost:8443/monarch-export/
      ProxyPass /josso/ http://localhost:8443/josso/
      ProxyPass /nagios-app/ http://localhost:8443/nagios-app/

      ProxyPassMatch ^/nms-(.*)$ http://localhost:8443/nms-$1
      ProxyPassMatch ^/(portal/auth/portal/groundwork-monitor/(?:admin|config|auto-disc).*)$ http://localhost:8443/$1 timeout=600
      ProxyPassMatch ^/portal(.*)$ http://localhost:8443/portal$1
      ProxyPassMatch ^/nagvis/(.*)$ http://localhost:8443/nagvis/$1

      ProxyPass /nagvis_share/ http://localhost:8443/nagvis_share/
      ProxyPass /gwos-vema-vmware http://localhost:8443/gwos-vema-vmware/
      For configurations combining SSL and dual JVM: The procedure for setting up dual JVM specifies port 8181 for foundation-webapp/services in httpd.conf, console.properties, and status-viewer.properties. This SSL configuration procedure normally specifies it be set to 8443 in the ProxyPass portion of the httpd.conf file. For combined SSL and dual JVM machines use port 8181 on the foundation-webapp/services line in httpd.conf, matching the settings in console.properties and status-viewer.properties.
    • Save the changes you've just made to:
      /usr/local/groundwork/apache2/conf/httpd.conf
  6. For the network discovery application NeDi you will need to:
    • Edit the file:
      /usr/local/groundwork/apache2/conf/groundwork/nedi_httpd.conf

      change: 

      ProxyPass /nedi/ http://localhost:8080/nedi/

      to:

      ProxyPass /nedi/ http://localhost:8443/nedi/
    • Save the changes you've just made to:
      /usr/local/groundwork/apache2/conf/groundwork/nedi_httpd.conf
  7. The certificate name is identified in the file conf/extra/httpd-ssl.conf. If you did not create it with the default name, if you are using a differently named certificate provided by an authority, or if you are using a chain of authority, you may have to make changes as follows. If you just created your own self-signed certificate with the default names, skip this step:
    • Edit:
      /usr/local/groundwork/apache2/conf/extra/httpd-ssl.conf
    • Change these lines to reference your actual certificate and key file names in place of server.crt and server.key, and your chain certificate in place of server-ca.crt.
      Remember, these are conditional steps and are not necessarily needed. Also keep in mind that the certificates must be in the proper format; it may be necessary to validate them with the openssl tool and potentially to separate component certificates in order to import them correctly.
      SSLCertificateFile "/usr/local/groundwork/apache2/conf/server.crt"
      SSLCertificateKeyFile "/usr/local/groundwork/apache2/conf/server.key"
      SSLCertificateChainFile "/usr/local/groundwork/apache2/conf/server-ca.crt"
      
  8. Edit:
    /usr/local/groundwork/config/status-viewer.properties

    and change:

    secure.access.enabled=true
  9. Edit:
    /usr/local/groundwork/config/report-viewer.properties

    and change:

    secure.access.enabled=true
  10. Edit:
    /usr/local/groundwork/config/resources/josso-agent-config.xml

    and change the protocol for gatewayLoginUrl and gatewayLogoutUrl from http:// to https://

  11. Edit the file:
    /usr/local/groundwork/foundation/container/webapps/jboss/jboss-web.deployer/server.xml

    Modify the Connector settings for port 8080 (line 27) by removing the redirectPort="8443" attribute. The connector setting should look as follows:

    <Connector acceptCount="100" address="${jboss.bind.address}"
         connectionTimeout="20000" disableUploadTimeout="true"
         emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="8192"
         maxThreads="250" port="8080" protocol="HTTP/1.1" />

    The HTTPS connector needs to be enabled so that HTTPS requests are processed by a dedicated connector. Uncomment the connector (line 37) and add the scheme, proxyName and proxyPort attributes to its settings. Make sure to set the proxyName of the 8443 connector to the CN of the certificate issued for this host. The HTTPS connector should look like the following after the edits:

    <Connector acceptCount="100" address="${jboss.bind.address}"
         connectionTimeout="20000" disableUploadTimeout="true"
         emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="8192"
         maxThreads="250" port="8443" protocol="HTTP/1.1"
         scheme="https" proxyName="cn.of.cert.for.this.host" proxyPort="443" />
  12. Import the Certificate to the java keystore:
    Assuming you used the default certificate name, server.crt in step 2, you should import this certificate with the following commands:
    source /usr/local/groundwork/scripts/setenv.sh
    keytool -import -file /usr/local/groundwork/apache2/conf/server.crt -alias myserver -keystore /usr/local/groundwork/java/jre/lib/security/cacerts
    • Use your GroundWork Monitor host name in place of myserver.
    • The keytool will ask for the java keystore password. By default, this is: changeit
    • It will also ask if the cert should be trusted. You should answer yes.
  13. If you are using a chain certificate, import that to the java keystore as well:
    In the following commands, replace chain.pem with the actual name of your chain certificate file and "myserver_chain" with a unique alias:
    source /usr/local/groundwork/scripts/setenv.sh
    keytool -import -file /usr/local/groundwork/apache2/conf/chain.pem -alias myserver_chain -keystore /usr/local/groundwork/java/jre/lib/security/cacerts
  14. Stop and start gwservices and apache:
    /usr/local/groundwork/ctlscript.sh stop gwservices
    /usr/local/groundwork/ctlscript.sh stop apache
    /usr/local/groundwork/ctlscript.sh start gwservices
    /usr/local/groundwork/ctlscript.sh start apache

    You may now bring up the site in a browser using https, for example: https://myserver
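Added example (not from the GroundWork documentation): a POSIX shell script that runs the step 4 certificate commands non-interactively and then checks the points that steps 2, 3 and 7 warn about: the private key's permissions, the Common Name matching the hostname exactly, and the server certificate verifying against its chain certificate. It assumes only the openssl CLI on PATH; the directory, hostname and the O= value are parameters or placeholders, not GroundWork defaults.

```shell
#!/bin/sh
# Added example: generate a self-signed server certificate the way step 4
# does (with -subj instead of interactive prompts) and verify the properties
# the procedure depends on. Assumes the openssl CLI is available.
set -e

# make_selfsigned_cert DIR HOSTNAME DAYS
# Creates DIR/server.key and DIR/server.crt; serial is the epoch timestamp,
# as in the page's `-set_serial $(date +%s)`.
make_selfsigned_cert() {
    dir=$1; host=$2; days=$3
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -set_serial "$(date +%s)" \
        -subj "/O=Example Org/CN=$host" 2>/dev/null   # O= is a placeholder
    chmod 600 "$dir/server.key"   # private key readable only by its owner
}

# cert_cn FILE -> prints the CN from the certificate subject
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_cert_cn FILE HOSTNAME -> exit 0 only if the CN equals HOSTNAME exactly
# (step 2: qualified vs. unqualified name must match how SSL is invoked)
check_cert_cn() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# check_chain CHAINFILE CERTFILE -> exit 0 only if CERTFILE's issuer chain
# resolves to CHAINFILE (step 3: issuing authority must match the server cert)
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

For a certificate from an external authority, run check_cert_cn against the name users will actually type and check_chain against the file you intend to use as SSLCertificateChainFile before restarting Apache.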
