Task 8: Deploy and configure the web server

In this task, you will deploy and configure the web server for Service Manager Collaboration.

Apache

Task A: Deploy the Apache HTTP server

In this task, you will deploy and configure the Apache HTTP server for Service Manager Collaboration.

Note The deployment instructions in this document are for a sample OpenSSL Apache server. If you have in-depth web server knowledge, you can also customize your web server according to your own business rules.

Follow these steps:

  1. Download Apache with OpenSSL (for example, httpd-2.4.xx-x64.zip for Apache 2.4) from here.

    You can also download a pre-configured Apache 2.4 from Micro Focus Marketplace.

    Extract the zip file to C:\. This unzip process creates a new C:\Apache24 directory.

  2. Navigate to the C:\Apache24\conf folder.

  3. Make a copy of the httpd.conf file and save it as httpd_OOB.conf.

  4. Open the httpd.conf file with a text editor.

  5. Locate httpd-vhosts.conf, and then uncomment Include conf/extra/httpd-vhosts.conf.

  6. Save and close the httpd.conf file.
  7. Navigate to the C:\Apache24\conf\extra directory.

  8. Make a copy of the httpd-vhosts.conf file and save it as httpd-vhosts_OOB.conf.

  9. Navigate to the C:\Apache24\bin folder.

  10. Double-click httpd.exe to start the Apache server.

    The httpd.exe window opens. Click the minimize button to minimize this window.

  11. In your web browser, type http://localhost and press Enter. The following page is displayed, indicating Apache has started successfully.

  12. Close the browser.

  13. Close the Apache httpd.exe window.

    Note The steps below will install Apache as a Windows service.

  14. Navigate to the C:\Apache24\bin folder. Open a DOS command prompt and change the directory to C:\Apache24\bin.

    cd C:\Apache24\bin
  15. Run the httpd -k install command to install the Windows service.

    Note If you see an error here, navigate to the logs directory and check the error.log file. Depending on the error, you may need to repeat the steps above. To verify whether the error still exists, type httpd -k start to start Apache from the command line.

  16. Go to Windows Services, and start the newly installed Apache2.4 service.

Open Apache SSL connection

Follow these steps:

  1. Navigate to the C:\Apache24\conf\extra directory.

  2. Make a copy of the httpd-ahssl.conf file and save it as httpd-ahssl_OOB.conf.

  3. Open httpd-ahssl.conf with a text editor.
  4. Locate the SSL Protocols section.

  5. Change SSLProtocol all to SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 so that only TLS v1.0, TLS v1.1, and TLSv1.2 are enabled on the Apache server.

    #   SSL Protocols:
    #   List the protocols that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

    Tip For more information about Apache SSL configuration, click here.

  6. Save and close the httpd-ahssl.conf file.
  7. Restart the Apache server.

  8. In your web browser, type https://localhost and press Enter. The following page is displayed, indicating SSL is enabled successfully.

    Note If the following screen is displayed, click I Understand the Risks and proceed.

Task B: Connect Apache to Tomcat

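In this task, you will set up Apache to connect to Tomcat through the AJP port. As a result, Secure Sockets Layer (SSL) is open by default through Apache, so you can perform this task instead of enabling full SSL on the Service Manager environment. Note that AJP itself is not encrypted, so the hop between Apache and Tomcat carries requests in clear text.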

Follow these steps:

  1. Navigate to the C:\Program Files\Apache Software Foundation\Tomcat 8.0_SMWeb\conf directory.

  2. Open the server.xml file with a text editor.
  3. Make sure that the AJP 1.3 Connector port is set to 8009.

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    Note If you need to change it to another port, make a note of that port number as you will need it later in this task.

  4. Save and close the server.xml file.

Steps for Apache 2.4

Note If you are using the pre-configured Apache downloaded from Micro Focus Marketplace, skip steps 1 to 15 and start with step 16.

  1. Navigate to the C:\Apache24\conf directory.
  2. Open the httpd.conf file with a text editor.

    The next few steps describe how to uncomment a number of LoadModule lines in the httpd.conf file.

  3. Locate lbmethod.

    #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
    #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
    #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
    #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
    #LoadModule ldap_module modules/mod_ldap.so
  4. Uncomment two lines as shown below:

    #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
    LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
    LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
    #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
    #LoadModule ldap_module modules/mod_ldap.so
  5. Locate the following section by searching for proxy_module.

    #LoadModule proxy_module modules/mod_proxy.so
    #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    #LoadModule proxy_connect_module modules/mod_proxy_connect.so
    #LoadModule proxy_express_module modules/mod_proxy_express.so
    #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
    #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    #LoadModule proxy_html_module modules/mod_proxy_html.so
    #LoadModule proxy_http_module modules/mod_proxy_http.so
    #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
  6. Uncomment 8 lines as shown in the following:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_express_module modules/mod_proxy_express.so
    #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_html_module modules/mod_proxy_html.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
  7. Locate the following section by searching for slotmem_shm.

    LoadModule setenvif_module modules/mod_setenvif.so
    #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
    #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
  8. Uncomment the following line:

    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
  9. Locate the following section by searching for xml2enc_module.

    #LoadModule version_module modules/mod_version.so
    #LoadModule vhost_alias_module modules/mod_vhost_alias.so
    #LoadModule watchdog_module modules/mod_watchdog.so
    #LoadModule xml2enc_module modules/mod_xml2enc.so
    <IfModule unixd_module>
  10. Uncomment the following line:

    LoadModule xml2enc_module modules/mod_xml2enc.so
  11. Locate the following section. You may need to search for mod_proxy_html twice.

    # Configure mod_proxy_html to understand HTML4/XHTML1
    <IfModule proxy_html_module>
    Include conf/extra/httpd-proxy-html.conf
    </IfModule>
  12. If the Include line does not contain Include conf/extra/httpd-proxy-html.conf, change the Include line to Include conf/extra/httpd-proxy-html.conf.

  13. Browse to the end of the file, and then add the Include conf/httpd-proxy_ajp_loadbalanced.conf line (the last line below):

    <IfModule http2_module>
    	ProtocolsHonorOrder On
    	Protocols h2 h2c http/1.1
    </IfModule>
    Include conf/httpd-proxy_ajp_loadbalanced.conf
  14. Comment out the http2_module block by inserting # in front of each of its lines:

    #<IfModule http2_module>
    	#ProtocolsHonorOrder On
    	#Protocols h2 h2c http/1.1
    #</IfModule>
    Include conf/httpd-proxy_ajp_loadbalanced.conf
  15. Save and close the httpd.conf file.
  16. Navigate to the C:\Apache24\conf directory, and then create a new file called httpd-proxy_ajp_loadbalanced.conf with the following content:

    <Proxy balancer://smcluster>
    BalancerMember ajp://localhost:8009 route=161652175430301
    Require all granted
    </Proxy>
    <Location /webtier-9.61>
    Options FollowSymLinks
    Require all granted
    ProxyPass balancer://smcluster/webtier-9.61 stickysession=JSESSIONID|jsessionid nofailover=On
    </Location>
    <Location /chatui>
    Options FollowSymLinks
    Require all granted
    ProxyPass balancer://smcluster/chatui stickysession=JSESSIONID|jsessionid nofailover=On
    </Location>
    

    Caution

    • You must paste ProxyPass balancer://smcluster/webtier-9.61 stickysession=JSESSIONID|jsessionid nofailover=On in one line.
    • You must paste ProxyPass balancer://smcluster/chatui stickysession=JSESSIONID|jsessionid nofailover=On in one line.

  17. The script in the previous step assumes that the web tier directory is webtier-9.61 and the chat UI directory is chatui (see the lines below). If your web tier or chat UI uses another name, update the httpd-proxy_ajp_loadbalanced.conf file with the actual name of your web tier or chat UI.

    <Location /webtier-9.61>
    balancer://smcluster/webtier-9.61
    <Location /chatui>
    balancer://smcluster/chatui
  18. In step 3 in this task, you configured the AJP 1.3 Connector port in the server.xml file. If this port is 8009, continue with the next step; if the connector listens on another port, update the following line in the httpd-proxy_ajp_loadbalanced.conf file with that port number.

    If Apache is deployed on the same computer in the all-in-one example described in this document, use ajp://localhost:8009. Otherwise, you need to update this value to the correct IP of Tomcat.

    BalancerMember ajp://localhost:8009 route=161652175430301
  19. Access the web tier through Apache by using Apache’s FQDN. In this all-in-one example, access https://training.sm-demo.com/webtier-9.61/index.do, and then log on to Service Manager as a system administrator. The system displays the administrator's To Do Queue.

    If you are directed to a Logout Successful page, there may be some issues with the LW-SSO setup. Check all your files from the previous tasks and then try again.

  20. Log out from Service Manager.

Open SSL connection to Webtier

  1. Open the web.xml file with a text editor.
  2. Locate the secureLogin parameter and set it to true.

  3. Save and close the web.xml file.

  4. Go to Windows Services and restart the Service Manager 9.61 Server service.

  5. Access https://training.sm-demo.com/webtier-9.61/index.do, and then log on to Service Manager as a system administrator. The system displays the administrator's To Do Queue.

    If you are directed to a Logout Successful page, there may be some issues with the LW-SSO setup. Check all your files from the previous tasks and then try again.

    Note From now on, you must use HTTPS and the fully qualified domain name (FQDN) in the web tier URL when logging on to the Service Manager web client.

  6. Log out from Service Manager.

Task C: Enable reverse proxy in Apache

In this task, you will enable the reverse proxy in Apache to protect sensitive information of Openfire (the IP address, ports, and so on).

Important You must use the same Apache server that connects to Tomcat in the previous task.

Open Apache 2.4 SSL reverse proxy connection

Follow these steps:

  1. Navigate to the C:\Apache24\conf\extra directory.

  2. Open the httpd-ahssl.conf file with a text editor.
  3. Locate the following section by searching for "ServerName localhost".

    <VirtualHost _default_:443>
    SSLEngine on
    ServerName localhost:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
    DocumentRoot "${SRVROOT}/htdocs"
    # DocumentRoot access handled globally in httpd.conf
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
    </Directory>
    </virtualhost>
    
  4. Insert the SSLProxy and ProxyPass/ProxyPassReverse lines into this section as shown below (insert 5 lines below the "SSLEngine on" line and 6 lines between </Directory> and </virtualhost>).

    <VirtualHost _default_:443>
    SSLEngine on
    SSLProxyEngine On
    SSLProxyVerify none 
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ServerName localhost:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
    DocumentRoot "${SRVROOT}/htdocs"
    # DocumentRoot access handled globally in httpd.conf
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
    </Directory>
    ProxyPass /of-http-bind https://training.sm-demo.com:7443/http-bind
    ProxyPassReverse /of-http-bind https://training.sm-demo.com:7443/http-bind
    ProxyPass /of-plugins https://training.sm-demo.com:9091/plugins
    ProxyPassReverse /of-plugins https://training.sm-demo.com:9091/plugins
    ProxyPass /chatservice https://training.sm-demo.com:8448
    ProxyPassReverse /chatservice https://training.sm-demo.com:8448
    </virtualhost>

    Note

    • /of-http-bind is the path of the Openfire HTTP binding (also known as BOSH) reverse configuration, whereas /of-plugins is the identifier of the Openfire plugin directory. These two parameters have been used in Task 6.
    • /chatservice is the path of chat service reverse configuration. This parameter has been used in Task 6.

    • You need to change training.sm-demo.com to your own host name. In addition, 9091 is the secure admin console port for the chat server. If you changed this port from the default value during the chat server installation, you need to update the port number here.

  5. Locate the following section by searching for "ServerName serverone.tld".

    <VirtualHost *:443>
    SSLEngine on
    ServerName serverone.tld:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/serverone.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/serverone.key"
    DocumentRoot "${SRVROOT}/htdocs"
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
    </Directory>
    </virtualhost>
  6. Insert the SSLProxy and ProxyPass/ProxyPassReverse lines into this section as shown below (insert 5 lines below the "SSLEngine on" line and 6 lines between </Directory> and </virtualhost>).

    <VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine On
    SSLProxyVerify none 
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ServerName serverone.tld:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/serverone.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/serverone.key"
    DocumentRoot "${SRVROOT}/htdocs"
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
    </Directory>
    ProxyPass /of-http-bind https://training.sm-demo.com:7443/http-bind
    ProxyPassReverse /of-http-bind https://training.sm-demo.com:7443/http-bind
    ProxyPass /of-plugins https://training.sm-demo.com:9091/plugins
    ProxyPassReverse /of-plugins https://training.sm-demo.com:9091/plugins
    ProxyPass /chatservice https://training.sm-demo.com:8448
    ProxyPassReverse /chatservice https://training.sm-demo.com:8448
    </virtualhost>
    
  7. Locate the following section by searching for "ServerName servertwo.tld".

    <VirtualHost *:443>
    SSLEngine on
    ServerName servertwo.tld:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/servertwo.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/servertwo.key"
    DocumentRoot "${SRVROOT}/htdocs"
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
    </Directory>
    </virtualhost>
    
  8. Insert the SSLProxy and ProxyPass/ProxyPassReverse lines into this section as shown below (insert 5 lines below the "SSLEngine on" line and 6 lines between </Directory> and </virtualhost>).

    <VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine On
    SSLProxyVerify none 
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ServerName servertwo.tld:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/servertwo.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/servertwo.key"
    DocumentRoot "${SRVROOT}/htdocs"
    CustomLog "${SRVROOT}/logs/ssl_request.log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    <Directory "${SRVROOT}/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
    Require all granted
    </Directory>
    ProxyPass /of-http-bind https://training.sm-demo.com:7443/http-bind
    ProxyPassReverse /of-http-bind https://training.sm-demo.com:7443/http-bind
    ProxyPass /of-plugins https://training.sm-demo.com:9091/plugins
    ProxyPassReverse /of-plugins https://training.sm-demo.com:9091/plugins
    ProxyPass /chatservice https://training.sm-demo.com:8448
    ProxyPassReverse /chatservice https://training.sm-demo.com:8448
    </virtualhost>
    
  9. Save and close the httpd-ahssl.conf file.
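
The SSL Protocols step in Task A leaves TLS 1.0 and 1.1 negotiable, and the SSLProxy lines inserted in Task C switch off every check on the certificates presented by Openfire and the chat service. The following is an added example, not part of the vendor procedure, that shows those settings beside a stricter variant for the default virtual host; the backend-ca.crt path and the verify depth are assumptions, and it assumes that all clients and backends support TLS 1.2 and that the backend certificates are issued for training.sm-demo.com.

```apache
# Added example for C:\Apache24\conf\extra\httpd-ahssl.conf (not vendor-supplied).

# --- Browser-facing TLS (SSL Protocols section) ---
# As configured in Task A, TLS 1.0 and 1.1 remain negotiable:
#SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
# Stricter: TLS 1.2 only (assumes every client supports it).
SSLProtocol -all +TLSv1.2

<VirtualHost _default_:443>
SSLEngine on
ServerName localhost:443
SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
DocumentRoot "${SRVROOT}/htdocs"
# %{SSL_PROTOCOL}x records the protocol each client negotiated, so this log
# shows whether any client still depends on TLS 1.0 or 1.1 before tightening.
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# --- Proxy-to-backend TLS (Apache -> Openfire / chat service) ---
SSLProxyEngine On
# As configured in Task C, any certificate is accepted from the backend:
#SSLProxyVerify none
#SSLProxyCheckPeerCN off
#SSLProxyCheckPeerName off
#SSLProxyCheckPeerExpire off
# Stricter: the backend must present an unexpired certificate that chains
# to the CA below and matches the host name used in ProxyPass.
SSLProxyVerify require
# Assumed chain length: one intermediate CA between the root and the server certificate.
SSLProxyVerifyDepth 2
# Assumed placeholder path: PEM file holding the CA that issued the backend certificates.
SSLProxyCACertificateFile "${SRVROOT}/conf/ssl/backend-ca.crt"
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLProxyProtocol -all +TLSv1.2

ProxyPass /of-http-bind https://training.sm-demo.com:7443/http-bind
ProxyPassReverse /of-http-bind https://training.sm-demo.com:7443/http-bind
ProxyPass /of-plugins https://training.sm-demo.com:9091/plugins
ProxyPassReverse /of-plugins https://training.sm-demo.com:9091/plugins
ProxyPass /chatservice https://training.sm-demo.com:8448
ProxyPassReverse /chatservice https://training.sm-demo.com:8448
</VirtualHost>
```

Run httpd -t from C:\Apache24\bin to check the syntax before restarting the Apache2.4 service.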

IIS

Important You must resolve the certificates’ trust between the chat server, the chat service, Tomcat and IIS.

Follow these steps:

  1. Download and install Application Request Routing as an extension for IIS.

  2. Download and install URL Rewrite as an extension for IIS.

  3. After you have successfully installed these two modules, open Internet Information Services (IIS) Manager from Control Panel > All Control Panel Items > Administrative Tools.

  4. Go to the website node, and then open Application Request Routing Cache in feature view:

  5. Open ARR, and then click Server Proxy Settings.

  6. On the Proxy Settings page, select the Enable proxy check box and set other fields by following your company policies:

    Save your changes.

  7. Click the URL Rewrite… button on the right panel, and then add three new rules for Collaboration as follows:

  8. Save your changes.

F5

Follow these steps:

  1. Create a pool named training-sm-demo-com-7443 for port 7443 of the chat server.
  2. Create a pool named training-sm-demo-com-9091 for port 9091 of the chat server.
  3. Create a pool named training-sm-demo-com-8448 for port 8448 of the chat server.
  4. Create a pool named training-sm-demo-com-8443 for port 8443 of Tomcat.
  5. Configure iRules as follows:

    when HTTP_REQUEST {
      # Route each Collaboration path on training.sm-demo.com to its pool.
      if { [HTTP::host] contains "training.sm-demo.com" and [HTTP::uri] starts_with "/of-http-bind" } {
        # Openfire HTTP binding (BOSH): /of-http-bind/... -> /http-bind/...
        set uri [string map {"/of-http-bind/" "/http-bind/"} [HTTP::uri]]
        HTTP::uri $uri
        pool training-sm-demo-com-7443
        return
      } elseif { [HTTP::host] contains "training.sm-demo.com" and [HTTP::uri] starts_with "/of-plugins" } {
        # Openfire plugin directory: /of-plugins/... -> /plugins/...
        set uri [string map {"/of-plugins/" "/plugins/"} [HTTP::uri]]
        HTTP::uri $uri
        pool training-sm-demo-com-9091
        return
      } elseif { [HTTP::host] contains "training.sm-demo.com" and [HTTP::uri] starts_with "/chatservice" } {
        # Chat service: strip the /chatservice prefix
        set uri [string map {"/chatservice/" "/"} [HTTP::uri]]
        HTTP::uri $uri
        pool training-sm-demo-com-8448
        return
      } elseif { [HTTP::host] contains "training.sm-demo.com" and [HTTP::uri] starts_with "/chatui" } {
        # Chat UI: passed to Tomcat with the URI unchanged
        pool training-sm-demo-com-8443
        return
      } elseif { [HTTP::host] contains "training.sm-demo.com" and [HTTP::uri] starts_with "/webtier-9.51" } {
        # Web tier: passed to Tomcat with the URI unchanged
        pool training-sm-demo-com-8443
        return
      }
    }
    
  6. Save your changes.