OneClick customization is affected when the Apache ModSecurity firewall is enabled

Document ID : KB000007193
Last Modified Date : 14/02/2018
Issue:

After the ModSecurity firewall application is enabled, the CA Spectrum OneClick-Console R10.1(++) view is missing customizations (branding, custom logos and images), while default functionality and the default view appear to be fine.

Environment:
CA Spectrum OneClick-Web-Server R10.1(++) on all platforms / OS with the ModSecurity Web Application firewall enabled.
Cause:

When the ModSecurity Web Application firewall is enabled for a CA Spectrum R10.1 (or higher) OneClick-Server (see the default setup procedure in the CA Spectrum R10.1++ documentation), the OC-Console customizations that load "Branding" or custom logos or images are not available in the OC-Console view.

The background is that the default setup of the Apache ModSecurity firewall rules is limited: it grants access to the default Spectrum installation data, and all data not accessible via this path is stripped. Because the common advice is to add all CA Spectrum OC-Server customization under $SPECROOT/custom rather than placing the "customization files" in the default Spectrum data/file directories, those files (logos, images, ...) are not loaded.

To resolve this, the Apache ModSecurity application firewall setup (Apache WebService setup) needs to be modified with specific "ProxyPass" and "ProxyPassReverse" configuration entries in "httpd.conf" (or, when "https/ssl" is enabled, in ./extra/httpd-ssl.conf).
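
One way to check whether a front-end Apache config file already carries both entries for a given URL prefix, as an added example that is not taken from the CA document or its attachment. The prefix `/custom-placeholder/`, the backend URL and the sample file contents are constructed placeholders, not values from a Spectrum installation:

```shell
#!/bin/sh
# Added example. Prefix, backend URL and file contents are constructed placeholders.

# proxy_pair_status FILE PREFIX -> ok | missing-reverse | missing-pass | missing-both
proxy_pair_status() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                # commented-out entries do not count
        {
            d = tolower($1)                # Apache directive names are case-insensitive
            if (d == "proxypass"        && $2 == want) pass = 1
            if (d == "proxypassreverse" && $2 == want) rev  = 1
        }
        END {
            if (pass && rev) print "ok"
            else if (pass)   print "missing-reverse"
            else if (rev)    print "missing-pass"
            else             print "missing-both"
        }
    ' "$1"
}

# write_sample_configs DIR: constructed sample files, not from a real installation
write_sample_configs() {
    cat > "$1/httpd.conf" <<'EOF'
ProxyPass        /default-app/ http://backend.example:8080/default-app/
ProxyPassReverse /default-app/ http://backend.example:8080/default-app/
#ProxyPass       /custom-placeholder/ http://backend.example:8080/custom-placeholder/
EOF
    cat > "$1/httpd-ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    ProxyPass        /default-app/ http://backend.example:8080/default-app/
    ProxyPassReverse /default-app/ http://backend.example:8080/default-app/
    proxypass        /custom-placeholder/ http://backend.example:8080/custom-placeholder/
</VirtualHost>
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in httpd.conf httpd-ssl.conf; do
    printf '%s: %s\n' "$f" "$(proxy_pair_status "$tmp/$f" /custom-placeholder/)"
done
rm -rf "$tmp"
```

The check only matches the two-argument form of the directives; a `ProxyPass` written inside a `<Location>` block, which omits the path argument, is not covered.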

Resolution:

CA Spectrum R10.3 and higher provide out-of-the-box functionality to enable OneClick-Console view and configuration customizations when the Apache ModSecurity application firewall is enabled. The attached document covers a sample workaround for reconfiguring the Apache webservice on CA Spectrum R10.1* and R10.2.*.

Modsecurity_R10.1.1_OC_customization.pdf

Additional Information:

This is a CA Spectrum "Apache" webservice configuration item. The Apache webservice is an additional web server in front of the CA Spectrum default OC web server (OneClick Tomcat server).

File Attachments:
TEC1230131.zip