The following will guide the buildout of an OpenAM server which utilizes an Apache Reverse Proxy, OWF (Ozone Widget Framework), and 2-way SSL authentication. The backend OWF and OpenAM server names will not be displayed in the URL after configuration (this is expected in a reverse proxy environment). This environment was built on CentOS 6.x 64-bit. This guide will go into detail where needed, but basic understanding of the Apache web server is expected.
The following list contains the packages that were utilized to build the environment.
- OpenAM openam_10.1.0.zip
- OWF OWF-bundle-7-GA.zip
- CentOS 6.x x86_64
- Other packages as needed to satisfy dependencies
Red Hat Enterprise Linux 6.x
Standard build, including exceptions in the firewall, SELinux, etc. for the Apache services. DNS and/or hosts files must be complete and functional for this configuration to operate correctly.
Proxying Web Server
NOTE: Additional supporting dependencies must be installed to accommodate the full functionality of the proxy and associated packages.
The OpenAM Server
OpenAM must be configured to accept user certificates from the proxy.
The OWF Server
It is assumed the OWF server already allows OpenAM to manage certificate-based authentication for its services.
**Note: To ensure functionality, all of the backend servers must trust each other's certificates and the end user's client certificate.
- ProxyHTMLDocType "<!DOCTYPE html>" XML
- Header Edits:
- It will likely be necessary to implement rewrites to the "Location" response header. A browser console, such as Firebug within Firefox, will assist in correctly configuring the rewrites: the "Net" portion of the console with the "All" tab selected will display each "GET", and none of them should contain internal addresses, including in the "Location" field.
- ##The following two examples will (first) rewrite the response from pointing to the internal OpenAM server and the internal OWF server to the external addresses and (second) rewrite the response where the external OpenAM address is already specified, but the OWF address still needs to be rewritten to the external OWF address.
- ##These are examples, but should provide a good starting point for the rewrites. The "(.*)" just directs the rewrite to store that portion of the string, in this case "?goto=https", and insert it back into the rewrite via the "$1" back reference.
Inside The Virtual Host Container
- <VirtualHost _default_:8443> (this is changed from the default of 443)
- SetOutputFilter INFLATE
- ##Do not keep the originator's address
- ProxyPreserveHost Off
- ##Make sure cookies can be translated between the two domains (it may be necessary to prefix a leading dot to the domain names, i.e. .domain.internal)
- ProxyPassReverseCookieDomain domain.internal domain.external
- ##This is used to set up server-to-server SSL from the proxy to OWF/OpenAM
- ##This file is a concatenation of the server certificate and key (Just cat the server's key and certificate into one file!!)
- SSLProxyMachineCertificateFile /etc/pki/tls/private/sslproxymach.crt
- ##Proxy’s CA file -- this is sent to ask for client certs
- SSLProxyCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
- ##Proxy OWF to backend
- <Location /owf>
- ##Proxy OpenAM to backend
- <Location /openam>
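The fragments above assembled into one complete proxy virtual host, as an added example that is not part of the original guide. The hostnames (proxy.domain.external, owf.domain.internal, openam.domain.internal), the certificate paths other than those already named above, and the header name X-Client-Cert are assumptions; the header name must match whatever is later entered in the OpenAM PKI module.

```apache
Listen 8443
<VirtualHost _default_:8443>
    ServerName proxy.domain.external

    # Front side: terminate TLS and require the user's client certificate
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/proxy.crt
    SSLCertificateKeyFile /etc/pki/tls/private/proxy.key
    # CA(s) the client certificate must chain to; advertised to the browser
    SSLCACertificateFile  /etc/pki/tls/certs/ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth  3
    # Make the PEM client certificate available to mod_headers
    SSLOptions +ExportCertData

    # Back side: the proxy authenticates to OWF/OpenAM with its machine cert
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/pki/tls/private/sslproxymach.crt
    # CA bundle used to verify the backend server certificates
    SSLProxyCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    SSLProxyVerify require

    ProxyRequests Off
    ProxyPreserveHost Off
    ProxyPassReverseCookieDomain domain.internal domain.external

    # Forward the verified client cert in the header OpenAM's PKI module reads
    # (assumed name X-Client-Cert); OpenAM trusts it only from the proxy IP
    RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"

    # Rewrite internal hostnames in redirects, including a goto= parameter
    Header edit Location ^https://openam\.domain\.internal:8443/ https://proxy.domain.external:8443/
    Header edit Location ^https://owf\.domain\.internal:8443/ https://proxy.domain.external:8443/
    Header edit Location (.*goto=https)://owf\.domain\.internal:8443 $1://proxy.domain.external:8443
    # Rewrite internal hostnames inside the HTML bodies as well
    SetOutputFilter INFLATE;proxy-html
    ProxyHTMLEnable On
    ProxyHTMLURLMap https://openam.domain.internal:8443/ https://proxy.domain.external:8443/
    ProxyHTMLURLMap https://owf.domain.internal:8443/ https://proxy.domain.external:8443/

    <Location /owf>
        ProxyPass        https://owf.domain.internal:8443/owf
        ProxyPassReverse https://owf.domain.internal:8443/owf
    </Location>
    <Location /openam>
        ProxyPass        https://openam.domain.internal:8443/openam
        ProxyPassReverse https://openam.domain.internal:8443/openam
    </Location>
</VirtualHost>
```

After reloading httpd, repeat the Firebug "Net" check described above: no "Location" value or page link should still name domain.internal.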
Changes To httpd.conf (typically found at /etc/httpd/conf/httpd.conf)
- LoadModule deflate_module modules/mod_deflate.so
- LoadModule headers_module modules/mod_headers.so
- LoadModule substitute_module modules/mod_substitute.so
- LoadModule rewrite_module modules/mod_rewrite.so
- LoadModule proxy_module modules/mod_proxy.so
- LoadModule proxy_http_module modules/mod_proxy_http.so
- LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
- LoadModule proxy_connect_module modules/mod_proxy_connect.so
- LoadModule ssl_module modules/mod_ssl.so
- LoadModule proxy_html_module modules/mod_proxy_html.so
Changes To proxy_html.conf (typically found at /etc/httpd/conf.d/proxy_html.conf)
Add the following to proxy_html.conf
- ProxyHTMLLinks td style
- ProxyHTMLLinks tr style
- ProxyHTMLLinks table background
This configuration assumes an already working and configured PKI instance protecting the OWF server.
Within the OpenAM console, go to “Access Control > <REALM> > Authentication > <PKIAuthModule>.”
- Under “Trusted Remote Hosts > Current Values”, add the following (the server IP shown is an example):
- ***NOTE: It must be an IP address, not a hostname
- ie:10.10.10.10 (IP address of
- Under “HTTP Header Name for Client Certificate:”, add the following (the actual header name is arbitrary, but it must be the same header created by Apache in the ssl.conf configuration file; the name was used for convention’s sake):
The Ozone Widget Framework configuration should not need to change, since it is assumed to be protected via OpenAM.
**Other Applications Of This Configuration
This configuration has also been used in other builds which utilized a standard Tomcat6 server which required certificate-based authentication.