DX NetOps

Expand all | Collapse all

Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat

  • 1.  Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat

    Broadcom Employee
    Posted 06-28-2016 01:11 AM

    Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat

    Document ID:  TEC1911552

    ShowHide Technical Document Details

    • Products
      • CA Spectrum
    • Releases
      • CA Spectrum:Release:10.1
    • Components
      • OneClick / Apache HTTP Server

    ISSUE: Starting from Spectrum 10.1 onward we can enable ModSecurity Web Application Firewall in Spectrum to prevent malicious remote clients from accessing OneClick Server (Tomcat). Some of you may have configured Tomcat in SSL before we have this feature. In this case, if you want to utilize this ModSecurity feature for improved security, that naturally means that you want to configure ModSecurity in SSL mode reusing existing digital certificate on the OneClick Server. This article explains how you can migrate digital certificate for Tomcat to be reusable for Apache HTTP server where ModSecurity is implemented.

     

    Knowledge Document Link:

     

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1911552.aspx



  • 2.  RE: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat

    Posted 02-12-2021 12:53 PM
    The Link needs to be corrected -



  • 3.  RE: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat

    Posted 02-15-2021 11:29 AM
    Edited by Donald Laberge 02-15-2021 12:00 PM
    the Actual Documentation need to be *Corrected* to be correct !
    Looking through the Documentation it states:
    " To enable ModSecurity in SSL mode, the Apache server is first configured to run in SSL mode. The following configuration tasks are performed to execute Apache in SSL mode:

    Editing the "$SPECROOT\apache\conf\extra\httpd-ssl.conf" file to configure the virtual host configuration (setting the Apache SSL port, proxypass and proxypassreverse directives) to map the OneClick url with the Apache SSL port."

    The " proxypass and proxypassreverse directives" Do Not exist in the httpd-ssl.conf file as stated, which does Little to bolster my confidence in the rest of the *Documented* steps

    There are however references to those Directives in these files :
    ./conf/extra/proxy-html.conf:# ProxyPassReverse /
    ./conf/httpd.conf: ProxyPassReverse /spectrum http://localhost:8080/spectrum

    So are we supposed to Add those Entries to the SSL file ? ( Maybe - Probably ...)



  • 4.  RE: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat

    Posted 03-19-2021 04:50 PM
    PS: The documentation dealing with the Mod Security was been extensively updated !

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-3/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/enable-modsecurity-web-application-firewall.html


  • 5.  RE: Spec KB: How to enable ModSecurity in SSL mode reusing existing digital certificate used for Spectrum Tomcat

    Broadcom Employee
    Posted 05-11-2021 01:30 PM
    Abreviated Notes of the steps to Enable ModSecurity for One Click with HTTPS is enabled.
    Make copies of each of the files before updating their contents.

    Update the apache configuration file
    Make the following changes to the $SPECROOT/apache/conf/httpd.conf file
    UnComment the line to include the httpd.ssl configuration
    # Secure (SSL/TLS) connections
    Include conf/extra/httpd-ssl.conf
    #
    Uncomment the line to enable the mod_ssl security plugin
    LoadModule ssl_module modules/mod_ssl.so
    Update the references to $SPECROOT to the apache absolute path and the One Click FQDN
    ServerRoot "/app/ca/Spectrum/apache"
    ServerName YOUR-SERVERS-FQDN-NAME-HERE:8443
    DocumentRoot "/app/ca/Spectrum/apache/htdocs"
    <Directory "/app/ca/Spectrum/apache/htdocs">
    ScriptAlias /cgi-bin/ "/apps/CA/Spectrum/apache/cgi-bin/"
    <Directory "/app/ca/Spectrum/apache/cgi-bin">
    Comment the following lines to disable the httpd Virtual host (SSL support will be enabled later in the process )
    #Listen 8080
    #<VirtualHost *:8080>
    # ProxyPreserveHost On
    # ProxyPass /spectrum http://localhost:9090/spectrum
    # ProxyPassReverse /spectrum http://localhost:9090/spectrum
    #</VirtualHost>

    Update the Apache ssl configuration

    Edit ${SPECROOT|/apache/conf/extra/httpd-ssl.conf
    Update the listen port from 443 to the Tomcat port that is currently in use.
    ( The Apache server will be replacing the Tomcat server that was listening on that port.)
    Listen 8443
    Add the following section using the proper port - eg: 8443 to have the Apache listening on the former One Click Tomcat port.
    <VirtualHost *:8443>
    ProxyPreserveHost On
    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass /spectrum/ https://localhost:6443/spectrum/
    ProxyPassReverse /spectrum/ https://localhost:6443/spectrum/
    </VirtualHost>
    Note: Using Local Host as the proxy address prevents user from circumventing the Apache front end.

    If CAPC integration is enabled this section would be added to httpd-ssl.conf to enable SSL communication for integrations
    ProxyPass /axis2 https://localhost:6443/axis2
    ProxyPassReverse /axis2 https://localhost:6443/axis2

    Update Server Name - this name should match the name for which the SSL certificates were issued.

    ServerName OUR-SERVERS-FQDN-NAME-HERE:8443

    Update the references to $SPECROOT to the apache absolute path.

    DocumentRoot "/apps/ca/Spectrum/apache/htdocs"
    ErrorLog "/apps/ca/Spectrum/apache/logs/error_log"
    TransferLog "/apps/ca/Spectrum/apache/logs/access_log"
    SSLCertificateFile "/apps/ca/Spectrum/apache/conf/server.crt"
    SSLCertificateKeyFile "/apps/ca/Spectrum/apache/conf/server.key"
    <Directory "/apps/ca/Spectrum/apache/cgi-bin">
    CustomLog "/apps/ca/Spectrum/apache/logs/ssl_request_log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    Update the Apache keystore with SSL certificates

    Export existing Tomcat SSL certs and create files for use with Apache.
    keytool -importkeystore -srcalias tomcatssl -srckeystore /app/ca/Spectrum/custom/keystore/cacerts -srcstorepass XXXXXX -destkeystore tomcatkey.p12 -deststoretype pkcs12

    openssl pkcs12 -in tomcatkey.p12 -clcerts -nokeys -out server.crt

    openssl pkcs12 -in tomcatkey.p12 -nocerts -out server.key
    Note: When prompted to enter PEM pass phrase: do not enter anything. If something is entered it will be required to be entered when the Apache server is started.

    Update the Tomcat Configuration

    Make the following changes to the Existing Tomcat configuration file to match the Apache configuration changes made.

    Change the port="8443" in the tomcat/conf/server.xml file to an unused port eg: port="6443"
    and add the Loop back as the address entry
    Note: Using 127.0.0.1 as the bind address prevents user from circumventing the Apache front end.
    <Connector
    address="127.0.0.1"
    port="6443"
    enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
    acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
    keystoreFile="/apps/CA/Spectrum/custom/keystore/cacerts"
    keystorePass="XXXXXXX">
    </Connector>

    Update the WebSwing Launcher configuration to point to Local host

    The next change that must be made is to update the WebSwing Launch arguments:

    Update the Port reflect the new Tomcat port set in the Server.xml file : eg: 6443

    Stop and Start the tomcat and WebTomcat services and Apache services
    /app/ca/Spectrum/tomcat/bin/stopTomcat.sh
    /app/ca/Spectrum/webtomcat/bin/stopWebTomcat.sh
    /app/ca/Spectrum/webtomcat/bin/startWebTomcat.sh
    /app/ca/Spectrum/tomcat/bin/startTomcat.sh
    /app/ca/Spectrum/apache/bin/httpd -d /apps/CA/Spectrum/apache -k start


    The command to stop the apache server-
    /app/ca/Spectrum/apache/bin/httpd -d /apps/CA/Spectrum/apache -k stop