Installing Apache as an HTTP Proxy to the local port of the Secure Agent's Process Server




Technical Note. Dated: 23 June 2015

Overview

This document describes how to expose the SOAP, JSON and REST services of the Informatica Secure Agent's Process Server by installing an Apache HTTP Server and OpenSSL. The Process Server's services are otherwise used exclusively for internal purposes; Apache is configured as the HTTP server through which they are accessed.

Secure Agent Configuration

The first step is to configure the Secure Agent's InfaAgent.Port, which is randomly selected from a range at installation time. Once configured, this port is exposed in the infaagent.ini file (usually located at {agent-install-directory}/main/infaagent.ini) and is specified as, for example, InfaAgent.Port=18152.

Software Requirements

This document shows how to configure Apache HTTP Server version 2.4, using self-signed client certificate authentication, to access services running on a Secure Agent's Process Server.

Software needed:

- ICS Org
  - must be licensed for use with the ICRT service
  - must have a secure agent correctly configured
- ICS Secure Agent
  - must have the process-engine package installed
  - must have a process deployed to the agent process-engine
- Apache HTTP Server 2.4 installed. Use the one from http://www.wampserver.com/en/ or https://www.apachelounge.com/download/ (for the latter you may have to install the VC11 redistributable)
- openssl (http://slproweb.com/download/win32openssl_light-1_0_1h.exe)
- jdk 1.6 or newer (java.oracle.com)

Generating Keys/Certificates

Pre-requisite: Before you run any openssl command, do the following.

1. Type:

    set OPENSSL_CONF=[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg

2. Identify your agent name by logging into your IC Org.

To support HTTPS, Apache requires cryptographic material and X.509 server certificates. Apache expects its crypto keys and certs in PEM format. The following is a cookbook for creating the crypto material. There are a number of other ways to do so; this information is offered as an example. Use your agent's host name rather than the one used in the sample, ctw181361.informatica.com.

Generate a Key and Self-Signed Cert with OpenSSL

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw181361.informatica.com.key -out ctw181361.informatica.com.crt

Generate a pkcs12 version Key Store

    openssl pkcs12 -export -in ctw181361.informatica.com.crt -inkey ctw181361.informatica.com.key > keystore.p12

Convert the pkcs12 keystore to jks keystore

    keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12

Log Output of the Above Set of Commands

    C:\ssl>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw181361.informatica.com.key -out ctw181361.informatica.com.crt
    Loading 'screen' into random state - done
    Generating a 2048 bit RSA private key
    ...+++
    ...+++
    writing new private key to 'ctw181361.informatica.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CT
    Locality Name (eg, city) []:Shelton
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Informatica Corp
    Organizational Unit Name (eg, section) []:Cloud Services
    Common Name (e.g. server FQDN or YOUR name) []:ctw181361.informatica.com
    Email Address []:xxxx@informatica.com

    C:\ssl>ls -al
    total 109
    drwxrwxrwx 1 user group    0 Jun 3 23:55 .
    drwxrwxrwx 1 user group    0 Jan 1 1980 ..
    -rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw181361.informatica.com.crt
    -rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw181361.informatica.com.key

    C:\ssl>openssl pkcs12 -export -in ctw181361.informatica.com.crt -inkey ctw181361.informatica.com.key > keystore.p12
    Loading 'screen' into random state - done
    Enter Export Password:
    Verifying - Enter Export Password:

    C:\ssl>ls -al
    total 112
    drwxrwxrwx 1 user group    0 Jun 4 00:08 .
    drwxrwxrwx 1 user group    0 Jan 1 1980 ..
    -rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw181361.informatica.com.crt
    -rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw181361.informatica.com.key
    -rw-rw-rw- 1 user group 2677 Jun 4 00:08 keystore.p12

    C:\ssl>keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias 1 successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

    C:\ssl>ls -al
    total 115
    drwxrwxrwx 1 user group    0 Jun 4 00:10 .
    drwxrwxrwx 1 user group    0 Jan 1 1980 ..
    -rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw181361.informatica.com.crt
    -rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw181361.informatica.com.key
    -rw-rw-rw- 1 user group 2423 Jun 4 00:10 keystore.jks
    -rw-rw-rw- 1 user group 2677 Jun 4 00:08 keystore.p12

Install/Configure Apache HTTP Server

To install Apache HTTP Server, follow the instructions provided by the installation application or the Apache documentation. Make sure that the Apache server is up and running by launching the console on the default port on which it is installed.

Make a copy of the httpd.conf file somewhere outside the actual Apache directory, so that you have a copy of it from before the changes listed below.

Edit conf/httpd.conf and uncomment the following modules

Once Apache HTTP Server is installed, change directory to its installation location, e.g. C:\Program Files (x86)\apache Software Foundation\Apache2.4

Edit conf/httpd.conf and uncomment the following:

    LoadModule deflate_module modules/mod_deflate.so
    LoadModule filter_module modules/mod_filter.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule substitute_module modules/mod_substitute.so

Edit conf/httpd.conf and comment out the following modules

    LoadModule env_module modules/mod_env.so

Add Virtual Hosts

Append the following to the end of httpd.conf. Specify the necessary paths and other information in the placeholders shown in angle brackets below.

    Listen 443
    <VirtualHost *:443>
        ServerName <Provide your agent server name>
        # activate HTTPS on the reverse proxy
        SSLEngine On
        SSLCertificateFile <provide the path to your agent server certificate>
        SSLCertificateKeyFile <provide the path to your agent server key>
        # activate the client certificate authentication
        SSLCACertificateFile <provide the path to your agent client certificate>
        SSLVerifyDepth 10
        <Location /agent/process-engine>
            SSLVerifyClient require
            ProxyPass http://localhost:<provide the agent secure port>/process-engine
            ProxyPassReverse http://localhost:<provide the agent secure port>/process-engine
        </Location>
    </VirtualHost>

    <VirtualHost *:80>
        ServerName <Provide your agent server name>
        SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE
        # Fix the service endpoints
        Substitute "s http://localhost:([0-9]+)/ https://<provide your agent server name>/agent/ i"
        # As a temporary workaround, makes catalog listings this is a tempora
        Substitute "s ../../../loc/catalog/project_-c-_/ ../catalog/project_-c-_/ i"
        RewriteEngine On
        RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:<provide the agent secure port>/process-engine/services/$1?wsdl [P]
        ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:<provide the agent secure port>/process-engine/catalog/$1
        ProxyPassReverse /agent/process-engine http://localhost:<provide the agent secure port>/process-engine
    </VirtualHost>

Example of a sample virtual host with the changes listed above:

    Listen 443
    <VirtualHost *:443>
        ServerName ctw181361.informatica.com
        # activate HTTPS on the reverse proxy
        SSLEngine On
        SSLCertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
        SSLCertificateKeyFile C:\ssl\bin\ctw181361.informatica.com.key
        # activate the client certificate authentication
        SSLCACertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
        SSLVerifyDepth 10
        <Location /agent/process-engine>
            SSLVerifyClient require
            ProxyPass http://localhost:20186/process-engine
            ProxyPassReverse http://localhost:20186/process-engine
        </Location>
    </VirtualHost>

    <VirtualHost *:80>
        ServerName ctw181361.informatica.com
        SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE
        # Fix the service endpoints
        Substitute "s http://localhost:([0-9]+)/ https://ctw181361.informatica.com/agent/ i"
        # As a temporary workaround, makes catalog listings this is a tempora
        Substitute "s ../../../loc/catalog/project_-c-_/ ../catalog/project_-c-_/ i"
        RewriteEngine On
        RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:20186/process-engine/services/$1?wsdl [P]
        ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:20186/process-engine/catalog/$1
        ProxyPassReverse /agent/process-engine http://localhost:20186/process-engine
    </VirtualHost>
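An added example, not part of the original technical note: a small Python audit run over a constructed reduction of the sample virtual hosts above. It flags what a reviewer would check in this configuration: the port 80 virtual host proxies to the Process Server without TLS or client-certificate authentication, and SSLCACertificateFile is the server's own certificate, so the client keystore built earlier holds the server's private key. The function names, and the simplification of treating <Location> directives as belonging to the enclosing virtual host, are assumptions of this sketch.

```python
import re

# Constructed sample: the page's example virtual hosts, reduced to the
# directives this audit reads.
SAMPLE_CONF = r"""
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
SSLCACertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
<Location /agent/process-engine>
SSLVerifyClient require
ProxyPass http://localhost:20186/process-engine
</Location>
</VirtualHost>
<VirtualHost *:80>
RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:20186/process-engine/services/$1?wsdl [P]
ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:20186/process-engine/catalog/$1
</VirtualHost>
"""

# Directives that forward a request to the backend (ProxyPassReverse does not).
PROXY = re.compile(r"^(ProxyPass|ProxyPassMatch)\b|^RewriteRule\b.*\[[^\]]*\bP\b", re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost>: address, directives, proxying lines."""
    vhosts, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = {"addr": m.group(1), "d": {}, "proxied": []}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(cur)
            cur = None
        elif cur is not None and not line.startswith("<"):
            name, _, value = line.partition(" ")
            cur["d"][name.lower()] = value.strip()
            if PROXY.search(line):
                cur["proxied"].append(line)
    return vhosts

def audit(conf):
    """Return (vhost address, finding) pairs for the checks described above."""
    findings = []
    for vh in parse_vhosts(conf):
        d = vh["d"]
        if vh["proxied"] and d.get("sslengine", "off").lower() != "on":
            findings.append((vh["addr"], "proxies to the backend without TLS"))
        if vh["proxied"] and d.get("sslverifyclient", "").lower() != "require":
            findings.append((vh["addr"], "proxied without SSLVerifyClient require"))
        ca = d.get("sslcacertificatefile", "").lower()
        if ca and ca == d.get("sslcertificatefile", "").lower():
            findings.append((vh["addr"], "client CA file is the server certificate"))
    return findings
```

Calling audit(SAMPLE_CONF) returns one finding for the *:443 virtual host and two for *:80.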

Verify the configuration

1. Restart the Apache server and make sure that it is in the Running status as seen in the task tray. If it is not in the Running status, that may be an indication that there is something incorrect in the httpd.conf file. Double check the changes listed above.
2. Create a simple SOAP orchestration project using the Informatica Process Developer and deploy the service to the agent. Alternatively, you can create a Process Designer JSON service and find a client that supports cert-based authentication to verify your configuration.
3. If exposing a SOAP endpoint, install SOAP UI (Source: http://www.soapui.org/).
4. In SOAPUI, go to File > Preferences > SSL Settings.
   i) Provide the path to the .jks that you created above.
   ii) Provide the password.
   iii) Enable the Client Authentication check box.
   Then click OK.
5. Create a new SOAPUI project and provide the URL: https://<your agent server name>/agent/process-engine/services/<service name>?wsdl
   Example: https://ctw181361.informatica.com/agent/process-engine/services/helloworld?wsdl
   This creates the required bindings/operation.
6. Send a request to the operation; it should receive the expected response.