
Connect the Data Flow Probe by Reverse Proxy and Self-signed Certificate

This section describes how to connect the Data Flow Probe to the UCMDB Server through an Apache reverse proxy, using self-signed certificates for mutual authentication on both hops.

Step 1. Prepare the certificates

Step 2. Import the certificates to UCMDB and Probe's truststore

Step 3. Configure the Apache proxy server

Step 4. Configure the UCMDB Server and the Data Flow Probe

Note The commands in this section assume the following installation paths:

  • UCMDB Server: C:\UCMDB\UCMDBServer
  • Data Flow Probe: C:\UCMDB\DataFlowProbe
  • Apache: C:\Apache24\

You may need to update the commands according to your actual environment.

Step 1. Prepare the certificates

  1. Create the ssl folder under C:\Apache24\conf\.

  2. Generate the server certificates. To do this, execute the following commands under the C:\Apache24\bin folder and follow the prompted instructions to provide necessary information:

    openssl genrsa -out ..\conf\ssl\server-key.pem 2048
    openssl req -new -out ..\conf\ssl\server-req.csr -key ..\conf\ssl\server-key.pem
    openssl x509 -req -in ..\conf\ssl\server-req.csr -out ..\conf\ssl\server-cert.pem -signkey ..\conf\ssl\server-key.pem -days 1095
    openssl pkcs12 -export -clcerts -in ..\conf\ssl\server-cert.pem -inkey ..\conf\ssl\server-key.pem -out ..\conf\ssl\server.p12

    Note In the last command, use the default password: changeit.

  3. Generate the client certificates and then export the public cert and private key into one file. To do this, execute the following commands under the C:\Apache24\bin folder and follow the prompted instructions to provide necessary information:

    openssl genrsa -out ..\conf\ssl\client-key.pem 2048
    openssl req -new -out ..\conf\ssl\client-req.csr -key ..\conf\ssl\client-key.pem
    openssl x509 -req -in ..\conf\ssl\client-req.csr -out ..\conf\ssl\client-cert.pem -signkey ..\conf\ssl\client-key.pem -days 1095
    openssl pkcs12 -export -clcerts -in ..\conf\ssl\client-cert.pem -inkey ..\conf\ssl\client-key.pem -out ..\conf\ssl\client.p12

    Note In the last command, use the default password: changeit.

  4. Export the UCMDB server public certificate files as PEM format. To do this, follow these steps:

    1. Execute the following commands on the UCMDB Server, and then enter the keystore password.

      cd C:\UCMDB\UCMDBServer\bin\jre\bin\
      keytool.exe -export -alias hpcert -keystore C:\ucmdb\ucmdbserver\conf\security\server.keystore -file C:\UCMDB\UCMDBServer\conf\security\server.cert
    2. Copy this server.cert certificate to the Apache server under the C:\Apache24\conf\ssl folder, and then convert it to the PEM format by executing the following commands:

      cd C:\Apache24\bin
      openssl x509 -out ../conf/ssl/ucmdb-cert.pem -outform pem -text -in ../conf/ssl/server.cert -inform der
  5. Export the Data Flow Probe public certificate files as PEM format. To do this, follow these steps:

    1. Execute the following commands on the Data Flow Probe, and then enter the keystore password (the default keystore password is logomania).

      cd C:\UCMDB\DataFlowProbe\bin\jre\bin\
      keytool.exe -export -alias hpprobe -keystore C:\UCMDB\DataFlowProbe\conf\security\HPProbeKeyStore.jks -file C:\UCMDB\DataFlowProbe\conf\security\hprobe.cert
    2. Copy this hprobe.cert certificate to the Apache server under the C:\Apache24\conf\ssl folder, and then convert it to the PEM format by executing the following commands:

      cd C:\Apache24\bin
      openssl x509 -out ..\conf\ssl\hprobe-cert.pem -outform pem -text -in ..\conf\ssl\hprobe.cert -inform der

Step 2. Import the certificates to UCMDB and Probe's truststore

  1. Import the certificate to the Data Flow Probe's truststore. To do this, follow these steps:

    1. Copy the server-cert.pem certificate to the C:\UCMDB\DataFlowProbe\conf\security\ folder of the Data Flow Probe.
    2. Execute the following command on the Data Flow Probe:

      cd C:\UCMDB\DataFlowProbe\bin\jre\bin\
      keytool.exe -import -v -keystore C:\UCMDB\DataFlowProbe\conf\security\HPProbeTrustStore.jks -file C:\UCMDB\DataFlowProbe\conf\security\server-cert.pem -alias proxycert

      When you are prompted, enter the keystore password (the default keystore password is logomania) and type yes to trust the certificate.

  2. Import the certificate to the UCMDB Server's truststore. To do this, follow these steps:

    1. Copy the client-cert.pem certificate to the C:\UCMDB\UCMDBServer\conf\security\ folder of the UCMDB Server.
    2. Execute the following command on the UCMDB Server:

      cd C:\UCMDB\UCMDBServer\bin\jre\bin\
      keytool.exe -import -v -keystore C:\UCMDB\UCMDBServer\conf\security\server.truststore -file C:\UCMDB\UCMDBServer\conf\security\client-cert.pem -alias proxyclient

      When you are prompted, enter the keystore password and type yes to trust the certificate.

Step 3. Configure the Apache proxy server

  1. Modify the C:\Apache24\conf\httpd.conf file and uncomment the lines for the following modules (by removing the "#" character at the beginning of each line): mod_ssl.so, mod_access_compat.so, mod_proxy.so, mod_xml2enc.so.

  2. In the C:\Apache24\conf\httpd.conf file, uncomment the line for httpd-ssl.conf in the <IfModule ssl_module> section.

  3. Locate the following configurations in the C:\Apache24\conf\extra\httpd-ssl.conf file and update the configurations as follows:

    SSLCertificateFile "${SRVROOT}/conf/ssl/server-cert.pem"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server-key.pem"
    SSLCACertificateFile "${SRVROOT}/conf/ssl/hprobe-cert.pem"
    SSLVerifyClient require
    SSLVerifyDepth 10
    
  4. Add the following configurations in the C:\Apache24\conf\extra\httpd-ssl.conf file:

    # SSL CONFIGURATION - CLIENT SIDE
    # Enable the SSL client on this virtual host (the traffic to the backends can be encrypted)
    SSLProxyEngine on
    # Apache client CA certificate (certificate of the issuer of your client certificate)
    #SSLProxyMachineCertificateChainFile "${SRVROOT}/conf/ssl/ca-cert.pem"
    # Apache client private key + client certificate (concatenated in a single file)
    SSLProxyMachineCertificateFile "${SRVROOT}/conf/ssl/client.p12"
    # Backends' CA certificates (list of certificates of the issuers of your backends' certificates)
    SSLProxyCACertificateFile "${SRVROOT}/conf/ssl/ucmdb-cert.pem"
    # It is mandatory for Apache to authenticate the backends' certificate
    SSLProxyVerify require
    #SSLProxyVerify none
    SSLProxyVerifyDepth 10
    # By default the CN of ucmdb-cert.pem differs from the UCMDB server's IP/FQDN, so the peer name checks must be turned off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    
    # END OF SSL CONFIGURATION - CLIENT SIDE
    
  5. Add the following inside the <VirtualHost> section of the C:\Apache24\conf\extra\httpd-ssl.conf file:

    <Proxy *>
    Order deny,allow
    Deny from all
    Allow from all
    </Proxy>
    ProxyPass / https://<UCMDB_Server_IP_Address>:8444/
    ProxyPassReverse / https://<UCMDB_Server_IP_Address>:8444/
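As an added check that is not part of the original guide, the following Python script audits the mutual-TLS directives from steps 3 and 4 of this section: it treats commented-out lines (such as #SSLProxyVerify none) as inert, fails on a weakened value, and warns that turning off the peer name checks leaves the backend's identity resting solely on the pinned ucmdb-cert.pem. The sample configuration is a constructed copy of the settings above.

```python
# Constructed sample: the mutual-TLS settings this section adds to httpd-ssl.conf.
PAGE_CONFIG = """
SSLCertificateFile "${SRVROOT}/conf/ssl/server-cert.pem"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server-key.pem"
SSLCACertificateFile "${SRVROOT}/conf/ssl/hprobe-cert.pem"
SSLVerifyClient require
SSLVerifyDepth 10
SSLProxyEngine on
SSLProxyMachineCertificateFile "${SRVROOT}/conf/ssl/client.p12"
SSLProxyCACertificateFile "${SRVROOT}/conf/ssl/ucmdb-cert.pem"
SSLProxyVerify require
#SSLProxyVerify none
SSLProxyVerifyDepth 10
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
"""

def parse_directives(text):
    """Return {directive_lower: value} for active lines; a later duplicate wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented directives such as '#SSLProxyVerify none' are inert
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip().strip('"')
    return found

# Directives whose value must match exactly for client auth on both hops.
REQUIRED = {
    "sslverifyclient": "require",  # the probe must present its certificate
    "sslproxyengine": "on",        # Apache speaks TLS to the UCMDB backend
    "sslproxyverify": "require",   # Apache must verify the UCMDB certificate
}
# Directives that must point at the PEM files prepared in Step 1.
MUST_BE_SET = ["sslcacertificatefile", "sslproxymachinecertificatefile",
               "sslproxycacertificatefile"]

def audit(text):
    """Return a list of 'FAIL ...' and 'WARN ...' findings for a config fragment."""
    d = parse_directives(text)
    findings = []
    for name, want in REQUIRED.items():
        got = d.get(name)
        if got is None or got.lower() != want:
            findings.append(f"FAIL {name} should be '{want}', found {got!r}")
    for name in MUST_BE_SET:
        if not d.get(name):
            findings.append(f"FAIL {name} is not set")
    # The guide turns these off because the UCMDB cert CN does not match the host;
    # that is acceptable only because SSLProxyCACertificateFile pins the exact self-signed cert.
    for name in ("sslproxycheckpeercn", "sslproxycheckpeername"):
        if d.get(name, "").lower() == "off":
            findings.append(f"WARN {name} off: backend identity relies solely on the pinned ucmdb-cert.pem")
    return findings
```

Run audit() against the live httpd-ssl.conf contents after editing; any FAIL line means one hop of the mutual authentication is not enforced.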

Step 4. Configure the UCMDB Server and Data Flow Probe

  1. Change the probe configuration file DataFlowProbe.properties as follows, so that the probe connects to the virtual host configured in Apache instead of directly to the UCMDB Server:

    # Can be either HTTP or HTTPS
    appilog.agent.probe.protocol = HTTPS
    
    # Name of the Server machine to which this probe reports
    # This must be set to the proxy server's IP/FQDN
    serverName = <Apache_IP_Address>
    
    # Ports used for HTTP/s traffic
    # Change the port to the proxy server's listening port, as configured in httpd-ssl.conf
    serverPort = 8080
    serverPortHttps = 443
    
  2. Change the UCMDB configuration via JMX. To do this, follow these steps:

    1. Access the UCMDB JMX console: In your Web browser, enter the following URL: https://localhost:8443/jmx-console. You may have to log in with a user name and password.

    2. Select the service: Ports Management Services.

    3. Invoke the PortsDetails method, and note the port number for HTTPS with client authentication. (Default: 8444) Ensure that the value in the Is Enabled column is True.

    4. Return to Ports Management Services.

    5. To map the Data Flow Probe connector to mutual authentication mode, invoke the mapComponentToConnectors method with the following parameters:

      • componentName: mam-collectors

      • isHTTPSWithClientAuth: true

      • All other flags: false

      The following message is displayed:

      Operation succeeded. Component mam-collectors is now mapped to: HTTPS_CLIENT_AUTH ports.

      Note: If you want to use multiple authentication methods, make sure you check the ports used by each of them and set them to true (when mapping both cm and mam-collectors).
    6. Return to Ports Management Services.

    7. To map the Confidential Manager connector to mutual authentication mode, invoke the mapComponentToConnectors method with the following parameters:

      • componentName: cm

      • isHTTPSWithClientAuth: true

      • All other flags: false

      The following message is displayed:

      Operation succeeded. Component cm is now mapped to: HTTPS_CLIENT_AUTH ports.

      Note: If you want to use multiple authentication methods, make sure you check the ports used by each of them and set them to true (when mapping both cm and mam-collectors).
  3. (Optional) Disable other ports. For example, 8080.
  4. Restart the UCMDB Server, Data Flow Probe, and Apache proxy server.

Tip You can enable the debug log by editing the C:\Apache24\conf\httpd.conf file as follows:

<IfModule ssl_module>
Include conf/extra/httpd-ssl.conf
#Include conf/extra/httpd-ahssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

ErrorLog logs/ssl_engine.log
LogLevel debug

</IfModule>

If any error occurs during configuration, you can check the ssl_engine.log file.