Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

Transcription

1 Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server Technical Note Dated: 23 June 2015 Page 1 of 8

2 Overview This document describes how by installing an Apache HTTP Server and OpenSSL you can expose Informatica Secure Agent s Process Server SOAP, JSON and REST services. This is achieved by configuring an Apache HTTP server through which to access the Process Server that otherwise are exclusively used for internal purposes. Secure Agent Configuration The first step requires the configuration of the Secure Agent s InfaAgent.Port which is randomly selected from a range at installation time. This port, once configured is exposed in the infaagent.ini file (usually located at {agent-install-directory}/main/infaagent.ini), and specified as e.g. InfaAgent.Port= Software Requirements This document will show how to configure Apache HTTP Server version 2.4 using self-signed client certificate authentication to access services running on a secure agent's process server. Software needed: ICS Org o must be licensed for use with the ICRT service o must have a secure agent correctly configured ICS Secure Agent o must have the process-engine package installed o must have a process deployed to the agent process-engine Apache HTTP Server 2.4 installed Use the one from or the latter one you may have to install the VC11 redistributable) openssl ( jdk 1.6 or newer (java.oracle.com) Page 2 of 8

3 Generating Keys/Certificates Pre-requisite: Before you run any openssl command type the following. 1. set OPENSSL_CONF=[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg 2. Identify your agent name by logging into your IC Org In order to support HTTPS Apache requires cryptographic material and X.509 server certificates. Apache expects its crypto keys and certs in PEM format. The following is a cookbook how to create crypto material. There are a number of other options to do so. This information is offered as an example. You need to use your agent s host name, rather than the one provided in the sample as ctw informatica.com. Generate a Key and Self-Signed Cert with OpenSSL openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw informatica.com.key -out ctw informatica.com.crt Generate a pkcs12 version Key Store openssl pkcs12 -export -in ctw informatica.com.crt -inkey ctw informatica.com.key > keystore.p12 Convert the pkcs12 keystore to jks keystore keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12 Log Output of the Above Set of Commands C:\ssl>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw informatica.com.key -out ctw informatica.com.crt Loading 'screen' into random state - done Generating a 2048 bit RSA private key writing new private key to 'ctw informatica.com.key' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Page 3 of 8

4 Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CT Locality Name (eg, city) []:Shelton Organization Name (eg, company) [Internet Widgits Pty Ltd]:Informatica Corp Organizational Unit Name (eg, section) []:Cloud Services Common Name (e.g. server FQDN or YOUR name) []:ctw informatica.com Address C:\ssl>ls -al total 109 drwxrwxrwx 1 user group 0 Jun 3 23:55. drwxrwxrwx 1 user group 0 Jan rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw informatica.com.crt -rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw informatica.com.key C:\ssl>openssl pkcs12 -export -in ctw informatica.com.crt -inkey ctw informatica.com.key > keystore.p12 Loading 'screen' into random state - done Enter Export Password: Verifying - Enter Export Password: C:\ssl>ls -al total 112 drwxrwxrwx 1 user group 0 Jun 4 00:08. drwxrwxrwx 1 user group 0 Jan rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw informatica.com.crt -rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw informatica.com.key -rw-rw-rw- 1 user group 2677 Jun 4 00:08 keystore.p12 C:\ssl>keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12 Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled C:\ssl>ls -al total 115 drwxrwxrwx 1 user group 0 Jun 4 00:10. drwxrwxrwx 1 user group 0 Jan rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw informatica.com.crt -rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw informatica.com.key -rw-rw-rw- 1 user group 2423 Jun 4 00:10 keystore.jks -rw-rw-rw- 1 user group 2677 Jun 4 00:08 keystore.p12 Page 4 of 8

5 Install/Configure Apache HTTP Server To install Apache HTTP Server follow the instructions provided by the installation application or Apache documentation. Make sure that the Apache server is up and running by launching the console in the default port that they are installed. Make a copy of the httpd conf file, somewhere outside the actual apache directory so you have a copy of it before performing the changes listed below. Edit conf/httpd.conf and uncomment the following modules Once Apache HTTP Server is installed, change directory to its installation location e.g. C:\Program Files (x86)\apache Software Foundation\Apache2.4 Edit conf/httpd.conf, and uncomment the following. LoadModule deflate_module modules/mod_deflate.so LoadModule filter_module modules/mod_filter.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule ssl_module modules/mod_ssl.so LoadModule substitute_module modules/mod_substitute.so Page 5 of 8

6 Edit conf/httpd.conf and comment the following modules LoadModule env_module modules/mod_env.so Add Virtual Hosts Append the following to the end of the httpd.conf. Specify the necessary path or information as highlighted below. Listen 443 <VirtualHost *:443> ServerName <Provide your agent server name> # activate HTTPS on the reverse proxy SSLEngine On SSLCertificateFile <provide the path to your agent server certificate> SSLCertificateKeyFile <provide the path to your agent server key> # activate the client certificate authentication SSLCACertificateFile <provide the path to your agent client certificate> SSLVerifyDepth 10 <Location /agent/process-engine> SSLVerifyClient require ProxyPass the agent secure port>/process-engine ProxyPassReverse the agent secure port>/process-engine </Location> </VirtualHost> <VirtualHost *:80> ServerName <Provide your agent server name> SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE # Fix the service endpoints Substitute "s your agent server name>/agent/ i" # As a temporary workaround, makes catalog listings this is a tempora Substitute "s../../../loc/catalog/project_-c-_/../catalog/project_-c-_/ i" RewriteEngine On RewriteRule ^/agent/process-engine/services/(.*)$ the agent secure port>/process-engine/services/$1?wsdl [P] ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ the agent secure port>/process-engine/catalog/$1 ProxyPassReverse /agent/process-engine the agent secure port>/process-engine </VirtualHost> Page 6 of 8

7 Example of a sample virtual host with the changes listed above: Listen 443 <VirtualHost *:443> ServerName ctw informatica.com # activate HTTPS on the reverse proxy SSLEngine On SSLCertificateFile C:\ssl\bin\ctw informatica.com.crt SSLCertificateKeyFile C:\ssl\bin\ctw informatica.com.key # activate the client certificate authentication SSLCACertificateFile C:\ssl\bin\ctw informatica.com.crt SSLVerifyDepth 10 <Location /agent/process-engine> SSLVerifyClient require ProxyPass ProxyPassReverse </Location> </VirtualHost> <VirtualHost *:80> ServerName ctw informatica.com SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE # Fix the service endpoints Substitute "s i" # As a temporary workaround, makes catalog listings this is a tempora Substitute "s../../../loc/catalog/project_-c-_/../catalog/project_-c-_/ i" RewriteEngine On RewriteRule ^/agent/process-engine/services/(.*)$ [P] ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ ProxyPassReverse /agent/process-engine </VirtualHost> Page 7 of 8

8 Verify the configuration 1. Restart the apache server and make sure that it is in the Running status as seen in the task tray. If it is not in the running status, then that may be an indication that there something incorrect with the httpd.conf file. Double check the changes as listed above. 2. Create a simple SOAP orchestration project using the Informatica Process Developer and deploy the service to the agent. Alternatively, you can create a Process Designer s JSON service and find a client that support cert-based authentication to verify your configuration. 3. If exposing a SOAP endpoint, install SOAP UI (Source: 4. In SOAPUI, File > preferences > SSL settings i) Provide the path to the.jks that you created above. ii) Provide the password. iii) Enable the Client Authentication check box. Then, click on OK. 5. Create a new SOAPUI project and provide the URL: agent server name>/agent/process-engine/services/service Name?wsdl Example: This would create the required bindings/operation 6. Send a request to the operation and that should receive a response as expected. Worldwide Headquarters, 2100 Seaport Blvd, Redwood City, CA 94063, USA Phone: Fax: Toll-free in the US: informatica.com linkedin.com/company/informatica twitter.com/informaticacorp 2014 Informatica Corporation. All rights reserved. Informatica and Put potential to work are trademarks or registered trademarks of Informatica Corporation in the United States and in jurisdictions throughout the world. All other company and product names may be trade names or trademarks. Page 8 of 8