Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Search for | Example | Results |
---|---|---|
A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Search for | Operator | Example |
---|---|---|
Two or more words in the same topic |
|
|
Either word in a topic |
|
|
Topics that do not contain a specific word or phrase |
|
|
Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
A combination of search types | ( ) parentheses |
|
- Using a Reverse Proxy
- Reverse Proxy Overview
- Security Aspects of Using a Reverse Proxy Server
- Configure a Reverse Proxy
- Distributed Denial of Service Attack Protection
- Connect the Data Flow Probe by Reverse Proxy or Load Balancer Using Mutual Authentication
- Connect the Data Flow Probe by Reverse Proxy and Self-signed Certificate
- Configure CAC Support on UCMDB by Reverse Proxy
Configure CAC Support on UCMDB by Reverse Proxy
This section describes how to configure Common Access Card (CAC) support on UCMDB using a reverse proxy.
-
Open the JMX console by launching the Web browser and entering the Server address, as follows: https://localhost:8443/jmx-console.
You may have to log in with a user name and password.
-
Under UCMDB, click UCMDB:service=Ports Management Services to open the Operations page.
-
(optional) Click ComponentsConfigurations. Do the following:
- Set HTTPSetPort to 8080 and click Invoke.
- Click Back to MBean.
-
Click mapComponentToConnectors. Do the following:
-
In the mapComponentToConnectors service, set componentName to ucmdb-ui.
-
Set only isHTTP to true, and click Invoke.
- Click Back to MBean.
-
In the mapComponentToConnectors service, set componentName to root.
- Set only isHTTP to true, and click Invoke.
-
-
-
Under UCMDB, click UCMDB:service=Security Services to open the Operations page.
- Set loginWithCAC to true, and click Invoke.
- Click Back to MBean.
-
Set withReverseProxy to true, and click Invoke.
This setting tells the UCMDB server to extract from the UCMDB_SSL_CLIENT_CERT header the user name to be used in UCMDB and the certificate to be used for authentication.
- Click Back to MBean.
-
(optional) Set onlyCACCerts to true, and click Invoke.
Set this operation to true to accept only certificates that come from a physical CAC device.
-
(optional) Click usernameField to specify the field from the certificate that will be used by UCMDB to extract a username, and click Invoke.
Note If you do not specify a field, the default of PRINCIPAL_NAME_FROM_SAN_FIELD is used.
- Restart the UCMDB Server.
(Optional) Configure LocationMatch in Apache Reverse Proxy httpd-ssl.conf for CAC Setup
When using Apache as a reverse proxy while accessing the UCMDB server with CAC enabled, sometimes you might encounter cascading pin request popups.
To skip the appler.jsp pin prompt, you may add the LocationMatch setting as follows to the httpd-ssl.conf file:
<LocationMatch "^/ucmdb-ui/login_page.jsp">
SSLVerifyClient require
SSLVerifyDepth 10
</LocationMatch>
This section describes a sample configuration file for Apache 2.4.4.
Note This example presumes that the Apache server was installed in c:\Apache24; if it is installed in a different folder, you must change the example in all cases to specify the correct location.
The port for mutual authentication used in this example is 443. In the c:\Apache24\conf\ folder, copy the following:
- the certificate used by the apache server (server.crt)
- the private key of the Apache server (server.key)
- the trusted CAs of the Apache server (ssl.crt)
- the certification revocation list (ssl.crt).
Note These four files must all be in PEM format.
Replace the content of c:\Apache24\conf\httpd.conf with the following (change the [APACHE_MACHINE_FQD] accordingly):
ServerRoot "c:/Apache24" Listen 80 LoadModule access_compat_module modules/mod_access_compat.so LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule allowmethods_module modules/mod_allowmethods.so LoadModule asis_module modules/mod_asis.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule cgi_module modules/mod_cgi.so LoadModule dir_module modules/mod_dir.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule include_module modules/mod_include.so LoadModule isapi_module modules/mod_isapi.so LoadModule log_config_module modules/mod_log_config.so LoadModule mime_module modules/mod_mime.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_html_module modules/mod_proxy_html.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule xml2enc_module modules/mod_xml2enc.so <IfModule unixd_module> User daemon Group daemon </IfModule> ServerAdmin admin@example.com ServerName [APACHE_MACHINE_FQD]:80 <Directory /> AllowOverride none Require all denied </Directory> DocumentRoot "c:/Apache24/htdocs" <Directory "c:/Apache24/htdocs"> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory> <IfModule dir_module> DirectoryIndex index.html </IfModule> <Files ".ht*"> Require all denied </Files> ErrorLog "logs/error.log" LogLevel warn <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common <IfModule logio_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio </IfModule> CustomLog "logs/access.log" common </IfModule> <IfModule alias_module> ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/" </IfModule> <IfModule cgid_module> </IfModule> <Directory "c:/Apache24/cgi-bin"> AllowOverride None Options None Require all granted </Directory> <IfModule mime_module> TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz </IfModule> <IfModule proxy_html_module> Include conf/extra/proxy-html.conf </IfModule> Include conf/extra/httpd-ssl.conf <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule>
Also, replace the content of c:\Apache24\conf\extra\httpd-ssl.conf with the following (change the [APACHE_MACHINE_FQD]
, [UCMDB_SERVER_NAME]
, and [UCMDB_CM_SERVER_NAME]
accordingly):
Listen 443 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:c:/Apache24/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 <VirtualHost _default_:443> DocumentRoot "c:/Apache24/htdocs" ServerName [APACHE_MACHINE_FQD]:443 ServerAdmin admin@example.com ErrorLog "c:/Apache24/logs/error.log" TransferLog "c:/Apache24/logs/access.log" SSLEngine on SSLCertificateFile "c:/Apache24/conf/server.crt" SSLCertificateKeyFile "c:/Apache24/conf/server.key" SSLCACertificateFile "c:/Apache24/conf/ssl.crt" SSLCARevocationFile "c:/Apache24/conf/ssl.crl" SSLCARevocationCheck leaf SSLVerifyClient require SSLVerifyDepth 10 SSLOptions +ExportCertData <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "c:/Apache24/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog "c:/Apache24/logs/ssl_request.log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" RequestHeader set UCMDB_SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e ProxyRequests off <Proxy *> Order deny,allow Deny from all Allow from all </Proxy> ProxyPass / http://[UCMDB_SERVER_NAME]:8080/ ProxyPassReverse / http://[UCMDB_SERVER_NAME]:8080/ ProxyPass /mam http://[UCMDB_SERVER_NAME]:8080/mam ProxyPassReverse /mam http://[UCMDB_SERVER_NAME]:8080/mam ProxyPass /mam_images http://[UCMDB_SERVER_NAME]:8080/mam_images ProxyPassReverse /mam_images http://[UCMDB_SERVER_NAME]:8080/mam_images ProxyPass /mam-collectors http://[UCMDB_SERVER_NAME]:8080/mam-collectors ProxyPassReverse /mam-collectors http://[UCMDB_SERVER_NAME]:8080/mam-collectors ProxyPass /ucmdb http://[UCMDB_SERVER_NAME]:8080/ucmdb ProxyPassReverse /ucmdb http://[UCMDB_SERVER_NAME]:8080/ucmdb ProxyPass /site http://[UCMDB_SERVER_NAME]:8080/site ProxyPassReverse /site http://[UCMDB_SERVER_NAME]:8080/site ProxyPass /ucmdb-ui http://[UCMDB_SERVER_NAME]:8080/ucmdb-ui ProxyPassReverse /ucmdb-ui http://[UCMDB_SERVER_NAME]:8080/ucmdb-ui ProxyPass /status http://[UCMDB_SERVER_NAME]:8080/status ProxyPassReverse /status http://[UCMDB_SERVER_NAME]:8080/status ProxyPass /jmx-console http://[UCMDB_SERVER_NAME]:8443/jmx-console ProxyPassReverse /jmx-console http://[UCMDB_SERVER_NAME]:8443/jmx-console ProxyPass /axis2 http://[UCMDB_SERVER_NAME]:8080/axis2 ProxyPassReverse /axis2 http://[UCMDB_SERVER_NAME]:8080/axis2 ProxyPass /icons http://[UCMDB_SERVER_NAME]:8080/icons ProxyPassReverse /icons http://[UCMDB_SERVER_NAME]:8080/icons ProxyPass /ucmdb-api http://[UCMDB_SERVER_NAME]:8080/ucmdb-api ProxyPassReverse /ucmdb-api http://[UCMDB_SERVER_NAME]:8080/ucmdb-api ProxyPass /ucmdb-docs http://[UCMDB_SERVER_NAME]:8080/ucmdb-docs ProxyPassReverse /ucmdb-docs http://[UCMDB_SERVER_NAME]:8080/ucmdb-docs ProxyPass /ucmdb-api/8.0 http://[UCMDB_SERVER_NAME]:8080/ucmdb-api/8.0 ProxyPassReverse /ucmdb-api/8.0 http://[UCMDB_SERVER_NAME]:8080/ucmdb-api/8.0 ProxyPass /cm http://[UCMDB_SERVER_NAME]:8080/cm ProxyPassReverse /cm http://[UCMDB_SERVER_NAME]:8080/cm ProxyPass /cnc http://[UCMDB_CM_SERVER_NAME]/cnc ProxyPassReverse /cnc http://[UCMDB_CM_SERVER_NAME]/cnc ProxyPass /docs http://[UCMDB_CM_SERVER_NAME]/docs ProxyPassReverse /docs http://[UCMDB_CM_SERVER_NAME]/docs ProxyPass /ucmdb-browser http://[UCMDB_CM_SERVER_NAME]/ucmdb-browser ProxyPassReverse /ucmdb-browser http://[UCMDB_CM_SERVER_NAME]/ucmdb-browser </VirtualHost> <LocationMatch "^/ucmdb-ui/login_page.jsp">
SSLVerifyClient require
SSLVerifyDepth 10
</LocationMatch>
Now you can access the UCMDB server through revers proxy by going to https://[APACHE_MACHINE_FQD].
Note You must have a valid certificate imported in Internet Explorer. A valid certificate is one that was signed by a CA of the Apache trusted CAs (it must be present in the ssl.crt file).
We welcome your comments!
To open the configured email client on this computer, open an email window.
Otherwise, copy the information below to a web mail client, and send this email to cms-doc@microfocus.com.
Help Topic ID:
Product:
Topic Title:
Feedback: