How to setup access to UMP in the DMZ using Apache HTTP Server as a proxy

Document ID : KB000033967
Last Modified Date : 14/02/2018

Apache HTTP Server versions greater than 2.2 are NOT officially supported.

ONLY Apache HTTP Server version 2.2 is supported.

Apache HTTP Server Version 2.2 Documentation:
http://httpd.apache.org/docs/2.2/

To download Apache HTTP Server version 2.2.x go to:
http://httpd.apache.org/download.cgi

Note that the CA UIM 8.0 and older documentation contains a required section on setting up the Tomcat Connector that currently appears to be missing from the 8.1/8.2 documentation, so the required information is presented in this article.

The following IS required even in CA UIM v8.2:
?
Install Apache HTTP Server version 2.2

Set up the Tomcat Connector (THIS IS REQUIRED)

Set up the Tomcat Connector to allow communication between the Apache web proxy server and the web application service probe (wasp) in UMP.

Follow these steps:

1. Create the workers.properties file and save it in:

       C:\Program Files (x86)\Apache Software Foundation\Apache\conf

2. Specify the UMP portal server in workers.properties. For example:

       # Define 1 real worker using ajp13
       worker.list=worker1
       # Set properties for worker1 (ajp13)
       worker.worker1.type=ajp13
       worker.worker1.host=10.10.10.10
       worker.worker1.port=8009

3. On the Apache server, download the version of mod_jk.so that matches your version of Apache and save it to:

       C:\Program Files (x86)\Apache Software Foundation\Apache\modules

   Important! Ensure that you have a JkMount directive appropriate for your configuration.

4. Add the Tomcat Connector configuration to the Apache configuration file, httpd.conf. For example:

       # Load mod_jk module
       # Update this path to match your modules location
       LoadModule jk_module modules/mod_jk.so
       # Where to find workers.properties
       # Update this path to match your conf directory location (put workers.properties next to httpd.conf)
       JkWorkersFile conf/workers.properties
       # Where to put jk shared memory
       # Update this path to match your local state directory or logs directory
       JkShmFile logs/mod_jk.shm
       # Where to put jk logs
       # Update this path to match your logs directory location (put mod_jk.log next to access_log)
       JkLogFile logs/mod_jk.log
       # Set the jk log level [debug/error/info]
       JkLogLevel debug
       # Select the timestamp log format
       JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
       # Send everything for context / to worker named worker1 (ajp13)
       JkMount / worker1

The Tomcat Connector is now set up for communication.

Define the Proxy Configuration between the Apache and UMP machines

Configure proxy communication between the Apache proxy web server and the UMP server so that external browsers can access UMP via the DMZ.

Follow these steps:

Edit the Apache configuration file, httpd.conf, as follows:

1. Uncomment the following lines:

       LoadModule proxy_module modules/mod_proxy.so
       LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

2. Locate the line "#ServerName www.example.com", uncomment it and change it to:

       ServerName <Apache_server_name>.<domain>.com:80

3. Add the following lines to the end of the httpd.conf file:

       ProxyRequests On
       <Proxy *>
       Order deny,allow
       Allow from all
       </Proxy>
       ProxyPass / ajp://<ump_server_name_orIP>:8009/
       ProxyPass /c/portal ajp://<ump_server_name_orIP>:8009/c/portal
       ProxyPass /web/guest ajp://<ump_server_name_orIP>:8009/web/guest
       ProxyRequests Off

   For example:

       ProxyRequests On
       <Proxy *>
       Order deny,allow
       Allow from all
       </Proxy>
       ProxyPass / ajp://<ump_hostname>:8009/
       ProxyPass /c/portal ajp://<ump_hostname>:8009/c/portal
       ProxyPass /web/guest ajp://<ump_hostname>:8009/web/guest
       ProxyRequests Off

For more detail on how these settings work, see the following:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

After making that change, you will need to restart Apache.

To restart Apache on Windows:

1. Open a command prompt.
2. Cd to the Apache bin directory, e.g., C:\Apache\bin
3. Run the command

       httpd -k restart

   to restart the Apache service.

To restart Apache on UNIX/Linux:

    apachectl stop
    apachectl start

On the inside firewall, make sure you open port 8009.

On the outside firewall, make sure you open port 80, or port 443 if you are using SSL.

Note: (Optional) To allow internet access to a hub in the DMZ, you must assign a public IP address. Restart the Apache server.

(Optional) If you want to enable only https access and disable standard http, you must do the following:

In httpd.conf, comment out the Listen 80 line so that it reads #Listen 80.

In the ServerName entry, specify port 443 instead of port 80.

Important! If you enable https access and do not disable http access, both http and https access are possible.

To test whether the Apache web server proxies you to the UMP login page, access the URL of the Apache HTTP proxy server in your web browser.
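The proxy block and the https-only option above both hinge on a few httpd.conf directives: Apache applies the last ProxyRequests directive it reads, so the trailing ProxyRequests Off is what keeps the <Proxy *> Allow from all block from turning the DMZ host into an open forward proxy, and every ProxyPass target must reach the wasp AJP port. The checker below is an added example written for this article, not CA's or Apache's own tooling; it reads an httpd.conf fragment and reports those conditions, using the article's proxy block with the placeholder replaced by an assumed internal address as its sample input.

```python
import re
# Constructed sample: the httpd.conf block from this article with the
# <ump_hostname> placeholder replaced by an assumed internal address.
PAGE_CONFIG = """\
ProxyRequests On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://10.10.10.10:8009/
ProxyPass /c/portal ajp://10.10.10.10:8009/c/portal
ProxyPass /web/guest ajp://10.10.10.10:8009/web/guest
ProxyRequests Off
"""

def parse_proxy_config(text):
    """Return (effective ProxyRequests value, ProxyPass pairs, Listen ports)."""
    proxy_requests = "off"  # Apache 2.2 default when the directive is absent
    passes, listens = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "proxyrequests" and len(parts) > 1:
            proxy_requests = parts[1].lower()  # the last occurrence wins
        elif key == "proxypass" and len(parts) >= 3:
            passes.append((parts[1], parts[2]))
        elif key == "listen" and len(parts) > 1:
            listens.append(int(parts[1].rsplit(":", 1)[-1]))  # "80" or "[::]:443"
    return proxy_requests, passes, listens

def lint_proxy_config(text, https_only=False):
    """Report settings that would weaken the DMZ reverse proxy described above."""
    proxy_requests, passes, listens = parse_proxy_config(text)
    findings = []
    permissive = re.search(r"<Proxy \*>.*?Allow from all.*?</Proxy>", text, re.S | re.I)
    if proxy_requests == "on" and permissive:
        findings.append("open forward proxy: ProxyRequests On with <Proxy *> Allow from all")
    for path, target in passes:
        m = re.match(r"ajp://([^/:]+):(\d+)/", target)
        if not m:
            findings.append("ProxyPass %s does not forward over AJP: %s" % (path, target))
        elif m.group(2) != "8009":
            findings.append("ProxyPass %s uses port %s; wasp AJP listens on 8009" % (path, m.group(2)))
    if https_only and 80 in listens:
        findings.append("Listen 80 is still active; comment it out for https-only access")
    return findings
```

Run lint_proxy_config on the full httpd.conf (with https_only=True once Listen 80 has been commented out) before restarting Apache; an empty list means none of the conditions above were found.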

(Optional) Create a Self-Signed Certificate

You must have a security certificate to configure a secure connection between the proxy web server and web browsers. A certificate from a certificate authority assures site visitors that any transferred data is more secure. If you do not transfer sensitive data and you are less concerned about security, create a self-signed certificate.

Note: Visitors see a warning that a trusted certificate authority did not issue the certificate, but they can proceed to the website.

Follow these steps:

1. Open a command prompt on the web server.
2. Change directory to:

       C:\Program Files\Apache\conf

3. Generate a private key:

       ..\bin\openssl genrsa -des3 -out server.key 1024

4. Generate a CSR (Certificate Signing Request):

       ..\bin\openssl req -config ..\conf\openssl.cnf -new -key server.key -out server.csr

5. Remove the passphrase from the key:

       copy server.key server.key.org
       ..\bin\openssl rsa -in server.key.org -out server.key

6. Generate a self-signed certificate:

       ..\bin\openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

7. Edit httpd-ssl.conf to update the paths in SSLCertificateFile and SSLCertificateKeyFile.

You have created a self-signed certificate.

Configure SSL Support on the Apache Server

Configure SSL support on the Apache server to establish an encrypted link between the web proxy server and external browsers.

Follow these steps:

1. In the Apache configuration file, httpd.conf, uncomment the following lines:

       LoadModule ssl_module modules/mod_ssl.so
       Include conf/extra/httpd-ssl.conf

2. In the Apache configuration file conf/extra/httpd-ssl.conf, edit the following parameters:

   Listen port
       Identifies the port number that is opened on the inside firewall for SSL, as required.
       Note: You can use the netstat command to make sure that no other applications are using the port that you specify. If you use port 443 on an Internet Information Services (IIS) web server, this may be an issue.

   VirtualHost
       Identifies the port number that is opened on the inside firewall for SSL. (Default value is 443.)

   ServerName
       Defines the name for the Apache server, including port number (for example: 10.10.10.10:443).

   ServerAdmin
       Defines the email address for the administrator.

   SSLCertificateFile
       Identifies the path to the PEM encoded certificate.

   SSLCertificateKeyFile
       Identifies the path to the private key if it is not already combined with the certificate.

3. In the Apache configuration file conf/extra/httpd-ssl.conf, accept the defaults or specify the desired path for the following parameters:

       DocumentRoot
       SSLSessionCache
       ErrorLog
       TransferLog
       CustomLog

4. Restart the Apache web server.

You have now configured SSL support on the Apache server.

Troubleshooting Tips:

  • Request the ports to be opened and confirm via telnet that the UMP AJP port 8009 is configured to receive traffic, and port 80 as well (443 for SSL).
  • Running netstat -an on the UMP machine should show that it is LISTENING on both 80 and 8009.
  • You should be able to follow a browser request along the path browser -> proxy server -> UMP machine by watching the logs on the firewall.
  • Important logs:
      • wasp.log
      • portal.log
      • error.log
      • access.log
  • Issue: When you configure SSL using 64-bit Apache on a Windows installation, Apache fails to start.
  • Solution: Modify the "Program Files (x86)" portion of the SSLSessionCache path as follows:

        SSLSessionCache "shmcb:C:/PROGRA~2/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"