
Configure a reverse proxy - Apache

This section contains the procedures describing how to configure a reverse proxy using an Apache web server.

This section includes:

  • Configure Apache to work as a reverse proxy
  • Configure Apache reverse proxy to work with TLS
  • Configure the secure reverse proxy to require client authentication - optional
  • Configure BBC port 383 connection on reverse proxy
  • Reference - support for OMi application users
  • Reference - support for OMi data collectors

Configure Apache to work as a reverse proxy

  1. Configure Apache to work as a reverse proxy.

    Apache must be manually configured to function as a reverse proxy.

    For example:

    1. Open the Apache httpd.conf file in the following directory:

      <OMi_Home>/newconfig/WebServer/conf/httpd.conf

    2. Make sure the following modules are enabled:

      LoadModule proxy_module modules/mod_proxy.so
      LoadModule proxy_http_module modules/mod_proxy_http.so
    3. Add the following lines:

      ProxyRequests off

      <Proxy *>
          Order deny,allow
          Deny from all
          Allow from all
      </Proxy>
      ProxyTimeout 300

  2. Add support for application users and data collectors as seen in the following example. For more details, see Reference - support for OMi application users and Reference - support for OMi data collectors.

    In the following, the placeholder DATA refers to the Virtual Host for Data Collectors and USERS refers to the Virtual Host for Application Users.

    Data Collectors:

    ProxyPass         /topaz/topaz_api   http://DATA/topaz/topaz_api
    ProxyPassReverse  /topaz/topaz_api   http://DATA/topaz/topaz_api
    ProxyPass         /mam-collectors    http://DATA/mam-collectors
    ProxyPassReverse  /mam-collectors    http://DATA/mam-collectors

    Application Users:

    ProxyPass         /mercuryam          http://USERS/mercuryam
    ProxyPassReverse  /mercuryam          http://USERS/mercuryam
    ProxyPass         /hpbsm              http://USERS/hpbsm
    ProxyPassReverse  /hpbsm              http://USERS/hpbsm
    ProxyPass         /topaz              http://USERS/topaz
    ProxyPassReverse  /topaz              http://USERS/topaz
    ProxyPass         /webinfra           http://USERS/webinfra
    ProxyPassReverse  /webinfra           http://USERS/webinfra
    ProxyPass         /filters            http://USERS/filters
    ProxyPassReverse  /filters            http://USERS/filters
    ProxyPass         /TopazSettings      http://USERS/TopazSettings
    ProxyPassReverse  /TopazSettings      http://USERS/TopazSettings
    ProxyPass         /mam                http://USERS/mam
    ProxyPassReverse  /mam                http://USERS/mam
    ProxyPass         /mam_images         http://USERS/mam_images
    ProxyPassReverse  /mam_images         http://USERS/mam_images
    ProxyPass         /mcrs               http://USERS/mcrs
    ProxyPassReverse  /mcrs               http://USERS/mcrs
    ProxyPass         /odb                http://USERS/odb
    ProxyPassReverse  /odb                http://USERS/odb
    ProxyPass         /uim                http://USERS/uim
    ProxyPassReverse  /uim                http://USERS/uim
    ProxyPass         /ucmdb-api          http://USERS/ucmdb-api
    ProxyPassReverse  /ucmdb-api          http://USERS/ucmdb-api
    ProxyPass         /ucmdb-ui           http://USERS/ucmdb-ui connectiontimeout=1000 timeout=1000
    ProxyPassReverse  /ucmdb-ui           http://USERS/ucmdb-ui
    ProxyPass         /opr-admin-server/messagebroker/amfsecure          http://USERS/opr-admin-server/messagebroker/amf
    ProxyPassReverse  /opr-admin-server/messagebroker/amfsecure          http://USERS/opr-admin-server/messagebroker/amf
    ProxyPass         /opr-admin-server/messagebroker/amfpollingsecure   http://USERS/opr-admin-server/messagebroker/amfpolling
    ProxyPassReverse  /opr-admin-server/messagebroker/amfpollingsecure   http://USERS/opr-admin-server/messagebroker/amfpolling
    ProxyPass         /opr-console/messagebroker/amfsecure               http://USERS/opr-console/messagebroker/amf
    ProxyPassReverse  /opr-console/messagebroker/amfsecure               http://USERS/opr-console/messagebroker/amf
    ProxyPass         /opr-admin-server   http://USERS/opr-admin-server
    ProxyPassReverse  /opr-admin-server   http://USERS/opr-admin-server
    ProxyPass         /opr-console        http://USERS/opr-console
    ProxyPassReverse  /opr-console        http://USERS/opr-console
    ProxyPass         /opr-gateway        http://USERS/opr-gateway
    ProxyPassReverse  /opr-gateway        http://USERS/opr-gateway
    ProxyPass         /opr-web            http://USERS/opr-web
    ProxyPassReverse  /opr-web            http://USERS/opr-web
    ProxyPass         /opr-config-server  http://USERS/opr-config-server
    ProxyPassReverse  /opr-config-server  http://USERS/opr-config-server
    ProxyPass         /OVPM               http://USERS/OVPM
    ProxyPassReverse  /OVPM               http://USERS/OVPM
    ProxyPass         /topaz/sitescope    http://USERS/topaz/sitescope
    ProxyPassReverse  /topaz/sitescope    http://USERS/topaz/sitescope
    ProxyPass         /cm                 http://USERS/cm
    ProxyPassReverse  /cm                 http://USERS/cm
    ProxyPass         /bsm                http://USERS/bsm
    ProxyPassReverse  /bsm                http://USERS/bsm
    ProxyPass         /omi                http://USERS/omi
    ProxyPassReverse  /omi                http://USERS/omi


    Note: If you are using IDM-SSO, you may need to add the following lines (replace siteminderagent in the syntax below with the name of your IDM-SSO vendor):

    ProxyPass         /siteminderagent    http://USERS/siteminderagent
    ProxyPassReverse  /siteminderagent    http://USERS/siteminderagent

  3. Verify reverse proxy points to OMi:

    • Restart Apache.

    • Go to http://<RP>/omi and verify that you see the OMi login page. At this point, if you enter your credentials you will see an empty page, because OMi is not yet configured to work with a reverse proxy.

Configure Apache reverse proxy to work with TLS

If not already done automatically by your Apache installation, you may need to manually configure Apache to work with TLS as described below.

  1. Convert the root CA certificate obtained earlier to base 64 format.

    Example for Windows:

    openssl x509 -in c:\ca_64.cer -out c:\ca.pem

  2. Split certificate and private key.

    If the server certificate is in PFX format, split the certificate to generate both the certificate and private key in PEM format:

    Example for Windows:

    openssl pkcs12 -in C:\<server_certificate>.pfx -clcerts -nokeys -out C:\mycert.pem
    Enter Import Password: <your_password>
    MAC verified OK
    openssl pkcs12 -in C:\<server_certificate>.pfx -nocerts -nodes -out C:\mykey.pem
    Enter Import Password: <your_password>
    MAC verified OK
  3. Configure Apache to use the certificates.

    For example:

    1. Open the Apache httpd.conf file. OMi places the file in the following directory:

      <OMi_Home>/newconfig/WebServer/conf/httpd.conf

    2. Uncomment these lines (remove #):

      LoadModule ssl_module modules/mod_ssl.so
      Include conf/extra/httpd-ssl.conf
    3. Open the Apache httpd-ssl.conf file. OMi places the file in the following directory:

      <OMi_Home>/newconfig/WebServer/conf/extra/httpd-ssl.conf

      • Update SSLCertificateFile with the path to <mycert.pem>.

      • Update SSLCertificateKeyFile with the path to <mykey.pem>.

      • Insert the following lines in the virtual host section of httpd-ssl.conf, setting SSLProxyCACertificateFile to the path of the certificate authority (CA) certificate in PEM format. The # General setup for the virtual host comment is already present in the file and marks where the lines belong:

        <VirtualHost <Reverse Proxy FQDN>:443>
        ProxyRequests Off
        SSLProxyEngine On
        SSLProxyCACertificateFile "<path to the PEM file of the CA that issued the proxy certificate, for example c:\ca.pem>"
        SSLProxyVerify require
        # General setup for the virtual host
  4. Close port 80.

    Open the Apache httpd.conf file and comment out the Listen 80 line by adding # as a prefix, so that Apache no longer accepts plain HTTP connections.

  5. Verify that Apache runs using TLS:

    1. Restart Apache.

    2. Go to https://<Reverse Proxy FQDN>.

      Do not use localhost; use the full server name that matches the name on the certificate. You should see the message "It works!"

    3. Go to http://<Reverse Proxy FQDN>.

      It should not work.

Configure the secure reverse proxy to require client authentication - optional

Configuring a secure reverse proxy to require client authentication involves the following manual procedures:

  1. Make the following changes in the following file:

    <OMi_Home>/newconfig/WebServer/conf/extra/httpd-ssl.conf

    1. Uncomment (remove the #) the following lines:

      SSLVerifyClient require
      SSLVerifyDepth 10
    2. Search for SSLCACertificateFile, uncomment it, and update the path to the client CA root certificate for the authority that issued your client certificate.

      SSLCACertificateFile "C:\CA.pem"

    3. Locate the following line:

      #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

      Add the following line right below it:

      SSLOptions +ExportCertData

    4. Add the following line before </VirtualHost>:

      RequestHeader set CLIENT_CERT_HEADER "%{SSL_CLIENT_CERT}s"

  2. Edit the <OMi_Home>/newconfig/WebServer/conf/httpd.conf file:

    Uncomment (remove the #) from the following lines:

    LoadModule headers_module modules/mod_headers.so
    LoadModule rewrite_module modules/mod_rewrite.so
  3. Restart Apache.

    Go to https://<Reverse Proxy FQDN>/omi

    Verify that you see a prompt for a client certificate.

Configure BBC port 383 connection on reverse proxy

For the OM server, Operations Agents, and other integrations to be able to forward events to the OMi server in the reverse proxy environment, port 383 used by the BBC protocol must be configured on the reverse proxy.

The following general steps use Apache as an example:

  1. Make sure you have established the trust relationship between all the OM servers and the OMi servers as described in the Integrate section.

    If you add an additional trust relationship to OMi after performing the following procedure, you must issue the certificate for the ReverseProxy node and run this procedure again.

  2. Use the utility below to issue a certificate for the ReverseProxy node. This can be done from the OMi data processing server, but not from the OMi gateway server.

    Example:

    ovcm -issue -file <certificate_file> -name <FQDN of Reverse Proxy> [-pass <passphrase>]

  3. Use openssl to convert the certificate for use by the Apache reverse proxy. Each command below produces the file referenced by the Apache directive named above it:

    SSLCertificateFile:
    openssl pkcs12 -in <certificate_file> -out oprcl.crt

    SSLCertificateKeyFile:
    openssl rsa -in oprcl.crt -out oprcl.pem

    SSLProxyMachineCertificateFile:
    openssl pkcs12 -in <certificate_file> -out oprcl.p12 -nodes -clcerts

    SSLCACertificateFile:
    ovcert -exporttrusted -file trusts.cer

  4. Copy the files to the following directories:

    SSLCertificateFile:
    <Apache_Install_Dir>/Apache2.4/conf/oprcl.crt

    SSLCertificateKeyFile:
    <Apache_Install_Dir>/Apache2.4/conf/oprcl.pem

    SSLProxyMachineCertificateFile:
    <Apache_Install_Dir>/Apache2.4/conf/oprcl.p12

    SSLCACertificateFile:
    <Apache_Install_Dir>/Apache2.4/conf/trusts.cer

  5. Modify the <OMi_Home>/newconfig/WebServer/conf/extra/httpd-ssl.conf file:

    1. Add the following line before the line Listen 443:

      Listen 383

    2. Add a virtual host section for port 383 before the SSL Virtual Host Context section.

      Example (the SSLCipherSuite value shown keeps LOW, EXP and eNULL ciphers enabled because + only reorders them; check it against your TLS policy before using it):

      <VirtualHost <FQDN of Reverse Proxy>:383>
          ServerName <value of "friendlyName" in oprcl.crt>
          ServerAlias <hostname of RP>
          ServerAdmin <admin email>
          DocumentRoot "<Apache_Install_Dir>/Apache2.4/htdocs"
          ErrorLog "<Apache_Install_Dir>/Apache2.4/logs/<FQDN of Reverse Proxy>-error.log"
          TransferLog "<Apache_Install_Dir>/Apache2.4/logs/<FQDN of Reverse Proxy>-access.log"
          ProxyRequests Off
          SSLProxyEngine on
          SSLEngine on
          SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
          SSLCertificateFile "<Apache_Install_Dir>/Apache2.4/conf/oprcl.crt"
          SSLCertificateKeyFile "<Apache_Install_Dir>/Apache2.4/conf/oprcl.pem"
          SSLProxyMachineCertificateFile "<Apache_Install_Dir>/Apache2.4/conf/oprcl.p12"
          SSLCACertificateFile "<Apache_Install_Dir>/Apache2.4/conf/trusts.cer"
          SSLVerifyClient require
          SSLVerifyDepth 5
          <Proxy *>
              Order deny,allow
              Allow from <DomainName, e.g. .devlab.ad>
          </Proxy>
          ProxyPass / "https://<FQDN of OMi Gateway>:383/"
          ProxyPassReverse / "https://<FQDN of OMi Gateway>:383/"
      </VirtualHost>


Reference - support for OMi application users

The following table can be used as a reference for application users to connect via the reverse proxy.

Requests for ... on the Reverse Proxy Server    Proxy Request to be Served by:

/bsm/*
    http://[Virtual Host for Application Users]/bsm/*
    https://[Virtual Host for Application Users]/bsm/*

/hpbsm/*
    http://[Virtual Host for Application Users]/hpbsm/*
    https://[Virtual Host for Application Users]/hpbsm/*

/filters/*
    http://[Virtual Host for Application Users]/filters/*
    https://[Virtual Host for Application Users]/filters/*

/mam/*
    http://[Virtual Host for Application Users]/mam/*
    https://[Virtual Host for Application Users]/mam/*

/mam_images/*
    http://[Virtual Host for Application Users]/mam_images/*
    https://[Virtual Host for Application Users]/mam_images/*

/mcrs/*
    http://[Virtual Host for Application Users]/mcrs/*
    https://[Virtual Host for Application Users]/mcrs/*

/mercuryam/*
    http://[Virtual Host for Application Users]/mercuryam/*
    https://[Virtual Host for Application Users]/mercuryam/*

/odb/*
    http://[Virtual Host for Application Users]/odb/*
    https://[Virtual Host for Application Users]/odb/*

/omi/*
    http://[Virtual Host for Application Users]/omi/*
    https://[Virtual Host for Application Users]/omi/*

/opr-admin-server/messagebroker/amfpolling/*
    http://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amfpolling/*
    https://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amfpollingsecure/*

    Note: Append the word secure to each resource URL when using https.

/opr-admin-server/messagebroker/amf/*
    http://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amf/*
    https://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amfsecure/*

    Note: Append the word secure to each resource URL when using https.

/opr-console/messagebroker/amf/*
    http://[Virtual Host for Application Users]/opr-console/messagebroker/amf/*
    https://[Virtual Host for Application Users]/opr-console/messagebroker/amfsecure/*

    Note: Append the word secure to each resource URL when using https.

/opr-admin-server/*
    http://[Virtual Host for Application Users]/opr-admin-server/*
    https://[Virtual Host for Application Users]/opr-admin-server/*

/opr-config-server/*
    http://[Virtual Host for Application Users]/opr-config-server/*
    https://[Virtual Host for Application Users]/opr-config-server/*

/opr-console/*
    http://[Virtual Host for Application Users]/opr-console/*
    https://[Virtual Host for Application Users]/opr-console/*

/opr-gateway/*
    http://[Virtual Host for Application Users]/opr-gateway/*
    https://[Virtual Host for Application Users]/opr-gateway/*

/opr-web/*
    http://[Virtual Host for Application Users]/opr-web/*
    https://[Virtual Host for Application Users]/opr-web/*

/OVPM/*
    http://[Virtual Host for Application Users]/OVPM/*
    https://[Virtual Host for Application Users]/OVPM/*

/topaz/*
    http://[Virtual Host for Application Users]/topaz/*
    https://[Virtual Host for Application Users]/topaz/*

/TopazSettings/*
    http://[Virtual Host for Application Users]/TopazSettings/*
    https://[Virtual Host for Application Users]/TopazSettings/*

/ucmdb-api/*
    http://[Virtual Host for Application Users]/ucmdb-api/*
    https://[Virtual Host for Application Users]/ucmdb-api/*

/ucmdb-ui/*
    http://[Virtual Host for Application Users]/ucmdb-ui/*
    https://[Virtual Host for Application Users]/ucmdb-ui/*

    Note: If you are using a reverse proxy and you have an integration with UCMDB, make sure your reverse proxy timeout setting is at least 1000 seconds. For example, in your reverse proxy httpd.conf file, modify the line that starts with ProxyPass as follows:

    ProxyPass /ucmdb-ui http://<my OMi GW server>/ucmdb-ui connectiontimeout=1000 timeout=1000

/uim/*
    http://[Virtual Host for Application Users]/uim/*
    https://[Virtual Host for Application Users]/uim/*

/webinfra/*
    http://[Virtual Host for Application Users]/webinfra/*
    https://[Virtual Host for Application Users]/webinfra/*

Reference - support for OMi data collectors

The following table can be used as a reference for data collectors to connect via the reverse proxy.

Requests for ... on the Reverse Proxy Server    Proxy Request to be Served by:

/topaz/topaz_api/*
    http://[Virtual Host for Data Collectors]/topaz/topaz_api/*
    https://[Virtual Host for Data Collectors]/topaz/topaz_api/*

/topaz/sitescope/*
    http://[Virtual Host for Data Collectors]/topaz/sitescope/*
    https://[Virtual Host for Data Collectors]/topaz/sitescope/*

/cm/*
    http://[Virtual Host for Data Collectors]/cm/*
    https://[Virtual Host for Data Collectors]/cm/*

/mam-collectors/*
    http://[Virtual Host for Data Collectors]/mam-collectors/*
    https://[Virtual Host for Data Collectors]/mam-collectors/*

/axis2/*
    http://[Virtual Host for Data Collectors]/axis2/*
    https://[Virtual Host for Data Collectors]/axis2/*

    Note: Required if the SOAP adapter is used with the embedded Run-time Service Model (RTSM) for replication into secure OMi via the reverse proxy.

Note:

  • Make sure your reverse proxy supports priority handling logic, which lets a more specific expression be handled before a more generic one where required. For example, the /topaz/topaz_api/* expression must be handled before the /topaz/* expression, otherwise requests for the data collector API would be routed to the application users virtual host.
  • For some reverse proxies, a reverse pass is also required. The reverse pass rewrites the HTTP or HTTPS headers returned from the server into relative headers. For an example of a reverse pass, see Configure Apache to work as a reverse proxy.
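The ordering note above and the ProxyPass list in Configure Apache to work as a reverse proxy both rely on mod_proxy using the first ProxyPass whose prefix matches a request. As an added example that is not part of the original page, the following Python script checks a ProxyPass section for a more specific path listed after a generic one that already covers it, a ProxyPass with no matching ProxyPassReverse, and a /ucmdb-ui timeout below the 1000 seconds the reference table requires; the configuration it reads is constructed for the example, with DATA and USERS as the page's placeholders.

```python
"""Constructed example: lint ProxyPass ordering and pairing in an OMi reverse-proxy httpd.conf."""
from collections import namedtuple

Rule = namedtuple("Rule", "directive path target params")

# Constructed sample (not from the page): /topaz/sitescope is listed after /topaz, which covers it.
SAMPLE_CONF = """\
ProxyPass        /topaz/topaz_api  http://DATA/topaz/topaz_api
ProxyPassReverse /topaz/topaz_api  http://DATA/topaz/topaz_api
ProxyPass        /topaz            http://USERS/topaz
ProxyPassReverse /topaz            http://USERS/topaz
ProxyPass        /topaz/sitescope  http://DATA/topaz/sitescope
ProxyPassReverse /topaz/sitescope  http://DATA/topaz/sitescope
ProxyPass        /mam              http://USERS/mam
ProxyPassReverse /mam              http://USERS/mam
ProxyPass        /mam_images       http://USERS/mam_images
ProxyPass        /ucmdb-ui         http://USERS/ucmdb-ui connectiontimeout=1000 timeout=300
ProxyPassReverse /ucmdb-ui         http://USERS/ucmdb-ui
"""

def parse_rules(conf):
    """Return ProxyPass/ProxyPassReverse directives in file order (the order is what matters)."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("ProxyPass", "ProxyPassReverse"):
            params = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
            rules.append(Rule(parts[0], parts[1], parts[2], params))
    return rules

def covers(generic, specific):
    """True if a ProxyPass for `generic` also matches requests for `specific`.
    mod_proxy compares whole path segments, so /mam does not cover /mam_images."""
    return specific == generic or specific.startswith(generic.rstrip("/") + "/")

def find_problems(rules):
    """Return (kind, path, conflicting_path) tuples for ordering, pairing and timeout defects."""
    problems = []
    passes = [r for r in rules if r.directive == "ProxyPass"]
    reverse_paths = {r.path for r in rules if r.directive == "ProxyPassReverse"}
    for i, later in enumerate(passes):
        for earlier in passes[:i]:
            if covers(earlier.path, later.path):
                # `later` is never reached; work out where `earlier` sends those requests instead.
                effective = earlier.target.rstrip("/") + later.path[len(earlier.path.rstrip("/")):]
                kind = "redundant" if effective == later.target else "shadowed"
                problems.append((kind, later.path, earlier.path))
                break
        if later.path not in reverse_paths:
            problems.append(("no-reverse", later.path, None))
        if later.path == "/ucmdb-ui" and int(later.params.get("timeout", 0)) < 1000:
            problems.append(("ucmdb-timeout", later.path, None))
    return problems

if __name__ == "__main__":
    for problem in find_problems(parse_rules(SAMPLE_CONF)):
        print(problem)
```

A "shadowed" result means the later rule would have sent requests to a different backend than the rule that actually wins; "redundant" means the two agree and the later line is merely dead.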