Use > Hardening > Using a Reverse Proxy > Configure CAC Support on UCMDB by Reverse Proxy

Configure CAC Support on UCMDB by Reverse Proxy

This section describes how to configure Common Access Card (CAC) support on UCMDB using a reverse proxy.

How to configure CAC support on UCMDB using a reverse proxy

  1. Open the JMX console by launching the Web browser and entering the Server address, as follows: https://localhost:8443/jmx-console.

    You may have to log in with a user name and password.

  2. Under UCMDB, click UCMDB:service=Ports Management Services to open the Operations page.

    • (optional) Click ComponentsConfigurations. Do the following:

      • Set HTTPSetPort to 8080 and click Invoke.
      • Click Back to MBean.
    • Click mapComponentToConnectors. Do the following:

      • In the mapComponentToConnectors service, set componentName to ucmdb-ui.

      • Set only isHTTP to true, and click Invoke.

      • Click Back to MBean.
      • In the mapComponentToConnectors service, set componentName to root.

      • Set only isHTTP to true, and click Invoke.
  3. Under UCMDB, click UCMDB:service=Security Services to open the Operations page.

    • Set loginWithCAC to true, and click Invoke.
    • Click Back to MBean.
    • Set withReverseProxy to true, and click Invoke.

      This setting tells the UCMDB server to extract from the UCMDB_SSL_CLIENT_CERT header the user name to be used in UCMDB and the certificate to be used for authentication.

    • Click Back to MBean.
    • (optional) Set onlyCACCerts to true, and click Invoke.

      Set this operation to true to accept only certificates that come from a physical CAC device.

    • (optional) Click usernameField to specify the field from the certificate that will be used by UCMDB to extract a username, and click Invoke.

      Note If you do not specify a field, the default of PRINCIPAL_NAME_FROM_SAN_FIELD is used.

  4. Restart the UCMDB Server.

(Optional) Configure LocationMatch in Apache Reverse Proxy httpd-ssl.conf for CAC Setup

When using Apache as a reverse proxy while accessing the UCMDB server with CAC enabled, sometimes you might encounter cascading pin request popups.

To skip the appler.jsp pin prompt, you may add the LocationMatch setting as follows to the httpd-ssl.conf file:

<LocationMatch "^/ucmdb-ui/login_page.jsp">
SSLVerifyClient require
SSLVerifyDepth 10
</LocationMatch>

Example: Apache 2.4.4 Configuration

This section describes a sample configuration file for Apache 2.4.4.

Note This example presumes that the Apache server was installed in c:\Apache24; if it is installed in a different folder, you must change the example in all cases to specify the correct location.

The port for mutual authentication used in this example is 443. In the c:\Apache24\conf\ folder, copy the following:

  • the certificate used by the apache server (server.crt)
  • the private key of the Apache server (server.key)
  • the trusted CAs of the Apache server (ssl.crt)
  • the certification revocation list (ssl.crt).

Note These four files must all be in PEM format.

Replace the content of c:\Apache24\conf\httpd.conf with the following (change the [APACHE_MACHINE_FQD] accordingly):

ServerRoot "c:/Apache24"
Listen 80
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule xml2enc_module modules/mod_xml2enc.so
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>
ServerAdmin admin@example.com
ServerName [APACHE_MACHINE_FQD]:80
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "c:/Apache24/htdocs"
<Directory "c:/Apache24/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error.log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access.log" common
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "c:/Apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Also, replace the content of c:\Apache24\conf\extra\httpd-ssl.conf with the following (change the [APACHE_MACHINE_FQD] , [UCMDB_SERVER_NAME], and [UCMDB_CM_SERVER_NAME] accordingly):

Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:c:/Apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost _default_:443>
DocumentRoot "c:/Apache24/htdocs"
ServerName [APACHE_MACHINE_FQD]:443
ServerAdmin admin@example.com
ErrorLog "c:/Apache24/logs/error.log"
TransferLog "c:/Apache24/logs/access.log"
SSLEngine on
SSLCertificateFile "c:/Apache24/conf/server.crt"
SSLCertificateKeyFile "c:/Apache24/conf/server.key"
SSLCACertificateFile "c:/Apache24/conf/ssl.crt"
SSLCARevocationFile "c:/Apache24/conf/ssl.crl"
SSLCARevocationCheck leaf
SSLVerifyClient require
SSLVerifyDepth  10
SSLOptions +ExportCertData
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/Apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "c:/Apache24/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
RequestHeader set UCMDB_SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e
ProxyRequests off
<Proxy *>
     Order deny,allow
     Deny from all
     Allow from all
</Proxy>
ProxyPass / http://[UCMDB_SERVER_NAME]:8080/
ProxyPassReverse / http://[UCMDB_SERVER_NAME]:8080/
ProxyPass /mam http://[UCMDB_SERVER_NAME]:8080/mam
ProxyPassReverse /mam http://[UCMDB_SERVER_NAME]:8080/mam
ProxyPass /mam_images http://[UCMDB_SERVER_NAME]:8080/mam_images
ProxyPassReverse /mam_images http://[UCMDB_SERVER_NAME]:8080/mam_images
ProxyPass /mam-collectors http://[UCMDB_SERVER_NAME]:8080/mam-collectors
ProxyPassReverse /mam-collectors http://[UCMDB_SERVER_NAME]:8080/mam-collectors
ProxyPass /ucmdb http://[UCMDB_SERVER_NAME]:8080/ucmdb
ProxyPassReverse /ucmdb http://[UCMDB_SERVER_NAME]:8080/ucmdb
ProxyPass /site http://[UCMDB_SERVER_NAME]:8080/site
ProxyPassReverse /site http://[UCMDB_SERVER_NAME]:8080/site
ProxyPass /ucmdb-ui http://[UCMDB_SERVER_NAME]:8080/ucmdb-ui
ProxyPassReverse /ucmdb-ui http://[UCMDB_SERVER_NAME]:8080/ucmdb-ui
ProxyPass /status http://[UCMDB_SERVER_NAME]:8080/status
ProxyPassReverse /status http://[UCMDB_SERVER_NAME]:8080/status
ProxyPass /jmx-console http://[UCMDB_SERVER_NAME]:8443/jmx-console
ProxyPassReverse /jmx-console http://[UCMDB_SERVER_NAME]:8443/jmx-console
ProxyPass /axis2 http://[UCMDB_SERVER_NAME]:8080/axis2
ProxyPassReverse /axis2 http://[UCMDB_SERVER_NAME]:8080/axis2
ProxyPass /icons http://[UCMDB_SERVER_NAME]:8080/icons
ProxyPassReverse /icons http://[UCMDB_SERVER_NAME]:8080/icons
ProxyPass /ucmdb-api http://[UCMDB_SERVER_NAME]:8080/ucmdb-api
ProxyPassReverse /ucmdb-api http://[UCMDB_SERVER_NAME]:8080/ucmdb-api
ProxyPass /ucmdb-docs http://[UCMDB_SERVER_NAME]:8080/ucmdb-docs
ProxyPassReverse /ucmdb-docs http://[UCMDB_SERVER_NAME]:8080/ucmdb-docs
ProxyPass /ucmdb-api/8.0 http://[UCMDB_SERVER_NAME]:8080/ucmdb-api/8.0
ProxyPassReverse /ucmdb-api/8.0 http://[UCMDB_SERVER_NAME]:8080/ucmdb-api/8.0
ProxyPass /cm http://[UCMDB_SERVER_NAME]:8080/cm
ProxyPassReverse /cm http://[UCMDB_SERVER_NAME]:8080/cm
ProxyPass /cnc http://[UCMDB_CM_SERVER_NAME]/cnc
ProxyPassReverse /cnc http://[UCMDB_CM_SERVER_NAME]/cnc
ProxyPass /docs http://[UCMDB_CM_SERVER_NAME]/docs
ProxyPassReverse /docs http://[UCMDB_CM_SERVER_NAME]/docs
ProxyPass /ucmdb-browser http://[UCMDB_CM_SERVER_NAME]/ucmdb-browser
ProxyPassReverse /ucmdb-browser http://[UCMDB_CM_SERVER_NAME]/ucmdb-browser
</VirtualHost>
<LocationMatch "^/ucmdb-ui/login_page.jsp">
SSLVerifyClient require
SSLVerifyDepth 10
</LocationMatch>

Now you can access the UCMDB server through revers proxy by going to https://[APACHE_MACHINE_FQD].

Note You must have a valid certificate imported in Internet Explorer. A valid certificate is one that was signed by a CA of the Apache trusted CAs (it must be present in the ssl.crt file).