Abbreviated notes of the steps to enable ModSecurity for OneClick when HTTPS is enabled.
Make copies of each of the files before updating their contents.
Update the Apache configuration file
Make the following changes to the $SPECROOT/apache/conf/httpd.conf file.
Uncomment the line to include the httpd-ssl configuration.
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
#
Uncomment the line to enable the mod_ssl security plugin
LoadModule ssl_module modules/mod_ssl.so
Update the references to $SPECROOT to the Apache absolute path and set the OneClick FQDN.
ServerRoot "/app/ca/Spectrum/apache"
ServerName YOUR-SERVERS-FQDN-NAME-HERE:8443
DocumentRoot "/app/ca/Spectrum/apache/htdocs"
<Directory "/app/ca/Spectrum/apache/htdocs">
ScriptAlias /cgi-bin/ "/app/ca/Spectrum/apache/cgi-bin/"
<Directory "/app/ca/Spectrum/apache/cgi-bin">
Comment out the following lines to disable the HTTP virtual host (SSL support will be enabled later in the process).
#Listen 8080
#<VirtualHost *:8080>
#    ProxyPreserveHost On
#    ProxyPass /spectrum http://localhost:9090/spectrum
#    ProxyPassReverse /spectrum http://localhost:9090/spectrum
#</VirtualHost>
Update the Apache SSL configuration
Edit $SPECROOT/apache/conf/extra/httpd-ssl.conf
Update the listen port from 443 to the Tomcat port that is currently in use.
(The Apache server will be replacing the Tomcat server that was listening on that port.)
Listen 8443
Add the following section using the proper port (e.g. 8443) so that Apache listens on the former OneClick Tomcat port.
<VirtualHost *:8443>
ProxyPreserveHost On
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /spectrum/ https://localhost:6443/spectrum/
ProxyPassReverse /spectrum/ https://localhost:6443/spectrum/
</VirtualHost>
Note: Using localhost as the proxy address prevents users from circumventing the Apache front end.
If CAPC integration is enabled, this section would be added to httpd-ssl.conf to enable SSL communication for integrations:
ProxyPass /axis2 https://localhost:6443/axis2
ProxyPassReverse /axis2 https://localhost:6443/axis2
Update ServerName - this name should match the name for which the SSL certificates were issued.
ServerName YOUR-SERVERS-FQDN-NAME-HERE:8443
Update the references to $SPECROOT to the apache absolute path.
DocumentRoot "/apps/ca/Spectrum/apache/htdocs"
ErrorLog "/apps/ca/Spectrum/apache/logs/error_log"
TransferLog "/apps/ca/Spectrum/apache/logs/access_log"
SSLCertificateFile "/apps/ca/Spectrum/apache/conf/server.crt"
SSLCertificateKeyFile "/apps/ca/Spectrum/apache/conf/server.key"
<Directory "/apps/ca/Spectrum/apache/cgi-bin">
CustomLog "/apps/ca/Spectrum/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Update the Apache keystore with SSL certificates
Export existing Tomcat SSL certs and create files for use with Apache.
keytool -importkeystore -srcalias tomcatssl -srckeystore /app/ca/Spectrum/custom/keystore/cacerts -srcstorepass XXXXXX -destkeystore tomcatkey.p12 -deststoretype pkcs12
openssl pkcs12 -in tomcatkey.p12 -clcerts -nokeys -out server.crt
openssl pkcs12 -in tomcatkey.p12 -nocerts -out server.key
Note: When prompted to enter a PEM pass phrase, do not enter anything. If something is entered, it will have to be entered every time the Apache server is started.
Update the Tomcat configuration
Make the following changes to the existing Tomcat configuration file to match the Apache configuration changes made.
Change port="8443" in the tomcat/conf/server.xml file to an unused port, e.g. port="6443", and add the loopback address as the address entry.
Note: Using 127.0.0.1 as the bind address prevents users from circumventing the Apache front end.
<Connector
address="127.0.0.1" port="6443" enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
keystoreFile="/apps/CA/Spectrum/custom/keystore/cacerts"
keystorePass="XXXXXXX">
</Connector>
Update the WebSwing launcher configuration to point to localhost
The next change that must be made is to update the WebSwing launch arguments:
Update the port to reflect the new Tomcat port set in the server.xml file, e.g. 6443
Stop and start the Tomcat, WebTomcat and Apache services
/app/ca/Spectrum/tomcat/bin/stopTomcat.sh
/app/ca/Spectrum/webtomcat/bin/stopWebTomcat.sh
/app/ca/Spectrum/webtomcat/bin/startWebTomcat.sh
/app/ca/Spectrum/tomcat/bin/startTomcat.sh
/app/ca/Spectrum/apache/bin/httpd -d /app/ca/Spectrum/apache -k start
The command to stop the Apache server:
/app/ca/Spectrum/apache/bin/httpd -d /app/ca/Spectrum/apache -k stop
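As an added example written for this thread (not code from the post above, from the Spectrum product or from Broadcom's documentation), the following Python script cross-checks the two configurations the notes describe for the point they stress twice: Apache must listen on the old OneClick port and proxy to Tomcat over loopback, and the Tomcat Connector must bind 127.0.0.1 so that nobody can open port 6443 directly and skip ModSecurity. The config snippets embedded in it are constructed samples modelled on the directives shown above (one correct layout and one where the address attribute was forgotten); the function names and the old_tomcat_port parameter are my own.

```python
import re

# Constructed sample of the relevant httpd-ssl.conf lines after the change
# (written for this example, not copied from a real installation).
APACHE_SSL_CONF = """\
Listen 8443
<VirtualHost *:8443>
    ProxyPreserveHost On
    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    ProxyPass /spectrum/ https://localhost:6443/spectrum/
    ProxyPassReverse /spectrum/ https://localhost:6443/spectrum/
</VirtualHost>
"""

# Constructed sample Tomcat Connector bound to loopback (the intended layout).
TOMCAT_SERVER_XML = """\
<Connector
    address="127.0.0.1"port="6443" scheme="https" secure="true" SSLEnabled="true"
    sslEnabledProtocols="TLSv1.2"
    keystoreFile="/app/ca/Spectrum/custom/keystore/cacerts" keystorePass="XXXXXXX">
</Connector>
"""

# Constructed sample where the address attribute was forgotten: Tomcat binds
# every interface, so a client can reach port 6443 directly and skip ModSecurity.
BYPASSABLE_SERVER_XML = """\
<Connector port="6443" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/app/ca/Spectrum/custom/keystore/cacerts" keystorePass="XXXXXXX"/>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_listen_ports(conf):
    """Ports of active (uncommented) Listen directives: 'Listen 8443' or 'Listen 10.0.0.5:8443'."""
    return [int(p) for p in re.findall(r"^\s*Listen\s+(?:\S*:)?(\d+)", conf, re.M)]


def parse_proxy_targets(conf):
    """(path, scheme, host, port) for each active ProxyPass directive; ProxyPassReverse is ignored."""
    pat = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(https?)://(\[[^\]]+\]|[^/:\s]+)(?::(\d+))?", re.M)
    targets = []
    for path, scheme, host, port in pat.findall(conf):
        targets.append((path, scheme, host, int(port) if port else (443 if scheme == "https" else 80)))
    return targets


def parse_tls_connectors(server_xml):
    """Attribute dicts of every <Connector> with SSLEnabled="true" (attributes may lack separating spaces)."""
    connectors = []
    for m in re.finditer(r"<Connector\b(.*?)/?>", server_xml, re.S):
        attrs = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1)))
        if attrs.get("SSLEnabled", "").lower() == "true":
            connectors.append(attrs)
    return connectors


def check_front_end(apache_conf, server_xml, old_tomcat_port=8443):
    """Return (errors, warnings); no errors means Apache fronts Tomcat and Tomcat is reachable only via loopback."""
    errors, warnings = [], []
    targets = parse_proxy_targets(apache_conf)
    connectors = parse_tls_connectors(server_xml)
    connector_ports = {int(c["port"]) for c in connectors if c.get("port", "").isdigit()}

    if old_tomcat_port not in parse_listen_ports(apache_conf):
        errors.append(f"Apache has no Listen on {old_tomcat_port}; the old OneClick URL will stop working")
    if not targets:
        errors.append("no ProxyPass directive; nothing is forwarded to Tomcat")
    for path, scheme, host, port in targets:
        if host not in LOOPBACK:
            errors.append(f"ProxyPass {path} targets {host}; the back end must be addressed via loopback")
        if scheme != "https":
            errors.append(f"ProxyPass {path} forwards in clear text ({scheme})")
        if port not in connector_ports:
            errors.append(f"ProxyPass {path} points at port {port} but no TLS Connector listens there")
    for c in connectors:
        addr = c.get("address")
        if addr not in LOOPBACK:
            errors.append(f"Tomcat Connector on port {c.get('port')} binds {addr or 'all interfaces'}; "
                          "ModSecurity can be bypassed")
        if c.get("port") == str(old_tomcat_port):
            errors.append(f"Tomcat still listens on {old_tomcat_port}, which conflicts with the Apache Listen")
    if re.search(r"^\s*SSLProxyVerify\s+none", apache_conf, re.M):
        warnings.append("SSLProxyVerify none: Apache does not validate Tomcat's certificate; "
                        "tolerable only because the hop stays on loopback")
    return errors, warnings


if __name__ == "__main__":
    for label, xml in (("loopback", TOMCAT_SERVER_XML), ("bypassable", BYPASSABLE_SERVER_XML)):
        errs, warns = check_front_end(APACHE_SSL_CONF, xml)
        print(label, "errors:", errs, "warnings:", warns)
```

Run it against real files with check_front_end(open(ssl_conf).read(), open(server_xml).read()). SSLProxyVerify none is reported as a warning rather than an error: with the back end on loopback the unverified hop never leaves the host, but it turns into a real weakness if the ProxyPass target is ever changed to a remote address. To confirm the exported server.crt and server.key belong together before starting Apache, compare the output of openssl x509 -noout -pubkey -in server.crt with that of openssl pkey -pubout -in server.key; the two PEM blocks must be identical.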
Original Message:
Sent: 03-19-2021 04:49 PM
From: Donald Laberge
Subject: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat
PS: The documentation dealing with ModSecurity has been extensively updated!
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-3/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/enable-modsecurity-web-application-firewall.html
Original Message:
Sent: 02-15-2021 11:28 AM
From: Donald Laberge
Subject: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat
The actual documentation needs to be *corrected* to be correct!
Looking through the Documentation it states:
" To enable ModSecurity in SSL mode, the Apache server is first configured to run in SSL mode. The following configuration tasks are performed to execute Apache in SSL mode:
Editing the "$SPECROOT\apache\conf\extra\httpd-ssl.conf" file to configure the virtual host configuration (setting the Apache SSL port, proxypass and proxypassreverse directives) to map the OneClick url with the Apache SSL port."
The "proxypass and proxypassreverse directives" do not exist in the httpd-ssl.conf file as stated, which does little to bolster my confidence in the rest of the *documented* steps.
There are however references to those Directives in these files :
./conf/extra/proxy-html.conf:# ProxyPassReverse /
./conf/httpd.conf: ProxyPassReverse /spectrum http://localhost:8080/spectrum
So are we supposed to add those entries to the SSL file? (Maybe - probably ...)
Original Message:
Sent: 02-12-2021 12:53 PM
From: Donald Laberge
Subject: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat
The link needs to be corrected.
Original Message:
Sent: 06-28-2016 01:11 AM
From: Widjaja Sangtoki
Subject: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat
Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat
Document ID: TEC1911552
- Components: OneClick / Apache HTTP Server
ISSUE: Starting from Spectrum 10.1 onward, we can enable the ModSecurity Web Application Firewall in Spectrum to prevent malicious remote clients from accessing the OneClick Server (Tomcat). Some of you may have configured Tomcat in SSL before we had this feature. In this case, if you want to utilize the ModSecurity feature for improved security, that naturally means that you want to configure ModSecurity in SSL mode, reusing the existing digital certificate on the OneClick Server. This article explains how you can migrate the digital certificate for Tomcat to be reusable for the Apache HTTP server where ModSecurity is implemented.
Knowledge Document Link:
http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1911552.aspx