roehmdo1 Absent Member.

New SSPR install on dedicated server

Not sure if this is the correct forum to ask this question but:

Just installed SSPR on a dedicated server SLES11 SP4.. Everything seems to be working just fine.. We currently access the server as follows:
http://servername.company.net:8080/sspr... this works however we would like to modify 2 things with it...
1) make it secure
2) access it simply by entering https://servername.company.net

Apache is installed on this server and it has our certificate installed so we can access the server via https:
We would like to have apache redirect to the tomcat page without having to mess with another set of certificates on the tomcat.

I have read somewhere that if you access the server thru apache (secured) you don't need to secure tomcat also ??
Does anyone have an idea of what config changes I need to do to the apache to have it default to a redirect to the sspr page automatically on access and have that page secure ??

As I said this is the only thing that will run on this server therefore no other functions need to be considered
Thanks in advance for any assistance
0 Likes
6 Replies
Knowledge Partner

Re: New SSPR install on dedicated server

On 1/12/2017 11:06 PM, roehmdo wrote:
>
> Not sure if this is the correct forum to ask this question but:
>
> Just installed SSPR on a dedicated server SLES11 SP4.. Everything seems
> to be working just fine.. We currently access the server as follows:
> http://servername.company.net:8080/sspr... this works however we would
> like to modify 2 things with it...
> 1) make it secure
> 2) access it simply by entering https://servername.company.net
>
> Apache is installed on this server and it has our certificate installed
> so we can access the server via https:
> We would like to have apache redirect to the tomcat page without having
> to mess with another set of certificates on the tomcat.
>
> I have read somewhere that if you access the server thru apache
> (secured) you don't need to secure tomcat also ??


"Not secure Tomcat" is not quite the correct way of phrasing it. You mean
install a private key in Tomcat.

In which case, you can have Apache proxy the access to Tomcat.

Your client's browser talks to Apache over SSL. Then Apache talks to
Tomcat and forwards the traffic as needed.

What we typically do is install the cert in Tomcat, use iptables via an
init script to redirect traffic from 443 to 8443 so that Tomcat can
still run without root permissions at a port greater than 1024, but the
simple redirect script with little surface area for compromise runs as
root to access port 443.

Or you could use NAM to redirect the traffic via the NAM Proxy.

Lots of options here.

> Does anyone have an idea of what config changes I need to do to the
> apache to have it default to a redirect to the sspr page automatically
> on access and have that page secure ??
>
> As I said this is the only thing that will run on this server therefore
> no other functions need to be considered
> Thanks in advance for any assistance
>
>


0 Likes
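
The Apache-in-front-of-Tomcat option from the reply above, as an added example that is not part of the original thread and not a NetIQ-supplied configuration. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded and that Tomcat serves SSPR at http://127.0.0.1:8080/sspr on the same host; the certificate paths are placeholders.

```apache
# Added example. Host name and /sspr path are taken from the question;
# certificate paths are placeholders for wherever the existing cert lives.

# Plain HTTP: send every request to the HTTPS site.
<VirtualHost *:80>
    ServerName servername.company.net
    Redirect permanent / https://servername.company.net/
</VirtualHost>

<VirtualHost *:443>
    ServerName servername.company.net

    # TLS terminates at Apache, using the certificate already installed there.
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the browser's Host header through to Tomcat.
    ProxyPreserveHost On

    # A request for the bare host name lands on the SSPR application.
    RedirectMatch ^/$ https://servername.company.net/sspr/

    # The hop from Apache to Tomcat is plain HTTP over loopback,
    # so Tomcat needs no private key of its own.
    ProxyPass        /sspr http://127.0.0.1:8080/sspr
    ProxyPassReverse /sspr http://127.0.0.1:8080/sspr

    # Tell the application that the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With this layout the cleartext connector on port 8080 is still reachable from the network unless it is restricted, for example by setting `address="127.0.0.1"` on the Tomcat HTTP Connector or by blocking the port at the host firewall.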
Knowledge Partner

Re: New SSPR install on dedicated server

Geoffrey Carman wrote:

> What we typically do is install the cert in Tomcat, use iptables via an init
> script to redirect traffic from 443 to 8443 so that Tomcat can still run
> without root permissions at a port greater than 1024, but the simple redirect
> script with little surface area for compromise runs as root to access port
> 443.


Mind sharing? Where's the CS url...?

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Knowledge Partner

Re: New SSPR install on dedicated server

On 1/13/2017 1:51 AM, Lothar Haeger wrote:
> Geoffrey Carman wrote:
>
>> What we typically do is install the cert in Tomcat, use iptables via an init
>> script to redirect traffic from 443 to 8443 so that Tomcat can still run
>> without root permissions at a port greater than 1024, but the simple redirect
>> script with little surface area for compromise runs as root to access port
>> 443.

>
> Mind sharing? Where's the CS url...?


This one is Eric's to release, I can ask him to write it up.

0 Likes
roehmdo1 Absent Member.

Re: New SSPR install on dedicated server

OK - this apache/tomcat config with iptables etc. is out of my knowledge base... any way you could send me sample config files (dummy out the server names if you want) so I can compare/edit mine ?? (roehmdo(at)mtwp.net)
0 Likes
EVCIS Contributor.

Re: New SSPR install on dedicated server


I'll write it this weekend.

roehmdo did you still need the config? I just saw this post.


--
EVCIS

0 Likes
roehmdo1 Absent Member.

Re: New SSPR install on dedicated server

Sure, if you have it... almost ready to give up on SLES and go to Windows
0 Likes