For CA Nimsoft Monitor
This article describes how a system administrator sets up access to UMP through a DMZ using an Apache proxy web server and Tomcat Connector.
Why use a DMZ?
A “demilitarized zone” is an area between nations in which military operations are not permitted. When you use a DMZ to access UMP, it limits your network’s vulnerability to attack because external users have direct access only to the proxy web server in the DMZ and not your internal network.
Before you set up the DMZ:
- Install NMS
- Install UMP
- Download and install Apache and the Tomcat Connector on the server in the DMZ
- Designate a public IP address for the Apache web server (if you want to access UMP from the Internet)
Overview of setting up the DMZ:
- Set up the Tomcat Connector
- Define proxy configuration between the Apache and UMP servers
- Configure SSL support on the Apache server
First, set up the Tomcat Connector.
Here’s how:
- In C:\Program Files (x86)\Apache Software Foundation\Apache\conf, create the workers.properties file, in which you specify the UMP server name or IP. For example:
# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=10.10.10.10
worker.worker1.port=8009
- On the Apache server, download the version of mod_jk.so that matches your version of Apache and save it to C:\Program Files (x86)\Apache Software Foundation\Apache\modules.
- Add the Tomcat Connector configuration to the Apache configuration file, httpd.conf. For example:
# Load mod_jk module
# Update this path to match your modules location
LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile conf/workers.properties
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile logs/mod_jk.shm
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel debug
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Send everything for context / to worker named worker1 (ajp13)
JkMount / worker1
Note: Ensure you have a JkMount directive appropriate for your configuration.
Second, define proxy configuration between the Apache and UMP servers.
Here’s how:
- Edit the Apache configuration file, httpd.conf, as follows:
- Uncomment the following lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
- Locate: #ServerName www.example.com; uncomment and change it to:
ServerName <Apache_server_name>.<domain>.com:80
- Add the following lines to the end of the httpd.conf file:
# Apache 2.2 access syntax; Apache 2.4 uses "Require all granted" instead of Order/Allow
ProxyRequests On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://<ump_server_name_orIP>:8009/
ProxyPass /c/portal ajp://<ump_server_name_orIP>:8009/c/portal
ProxyPass /web/guest ajp://<ump_server_name_orIP>:8009/web/guest
# ProxyPass (reverse proxying) works with ProxyRequests Off; the last ProxyRequests
# directive in scope wins, so this leaves forward proxying disabled and the
# <Proxy *> Allow from all block does not turn the DMZ server into an open proxy
ProxyRequests Off
- On the inside firewall, open:
- Port 8009
- On the outside firewall, open:
- Port 80
- OR Port 443 (or an alternative port) if you are using SSL
Note: You must assign a public IP address to a hub in the DMZ if you want to access it from the Internet.
- Restart the Apache server.
- To test whether the Apache web server proxies you to the UMP login page, access the URL of the proxy server in your web browser.
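Before restarting Apache, it is worth checking that the proxy directives you added resolve the way Apache evaluates them. The following Python script is an added example, not code from the article or from CA: it parses the proxy section of httpd.conf, applies the rule that the last ProxyRequests directive in scope wins, and flags the open-forward-proxy combination of ProxyRequests On together with Allow from all inside <Proxy *>. The sample configuration, the hostname apache01.example.com and the filled-in UMP address are constructed.

```python
import re

# Constructed sample based on the article's proxy snippet, with the
# placeholders filled in (hypothetical hostname, the article's example UMP IP).
SAMPLE_HTTPD_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ServerName apache01.example.com:80
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass / ajp://10.10.10.10:8009/
ProxyPass /c/portal ajp://10.10.10.10:8009/c/portal
ProxyPass /web/guest ajp://10.10.10.10:8009/web/guest
ProxyRequests Off
"""

def audit_proxy_config(text):
    # Returns the effective ProxyRequests value, the ProxyPass map and findings.
    modules, proxy_pass, findings = set(), [], []
    proxy_requests = "off"          # Apache default when the directive is absent
    in_proxy = allow_all = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</?proxy\b", line, re.I):      # <Proxy *> ... </Proxy> block
            in_proxy = not line.startswith("</")
            continue
        name, _, args = line.partition(" ")
        name, args = name.lower(), args.strip()
        if name == "loadmodule":
            modules.add(args.split()[0])
        elif name == "proxyrequests":
            proxy_requests = args.lower()            # last directive in scope wins
        elif name == "proxypass":
            proxy_pass.append(tuple(args.split()[:2]))
        elif in_proxy and name == "allow" and args.lower() == "from all":
            allow_all = True
    if proxy_requests == "on" and allow_all:
        findings.append("open forward proxy: ProxyRequests On with Allow from all")
    for mod in ("proxy_module", "proxy_ajp_module"):
        if mod not in modules:
            findings.append("missing LoadModule " + mod)
    for path, target in proxy_pass:
        if not re.match(r"ajp://[^/:]+:\d+", target):   # must reach UMP's AJP port
            findings.append("ProxyPass %s does not target ajp://host:port" % path)
    return {"proxy_requests": proxy_requests, "proxy_pass": proxy_pass, "findings": findings}
```

Run it against your real httpd.conf by passing the file contents to audit_proxy_config; an empty findings list and proxy_requests equal to "off" is the expected result for the article's configuration.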
Third, configure SSL support on the Apache server.
Here’s how:
- In the Apache configuration file, httpd.conf, uncomment the following:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
- In the Apache configuration file conf/extra/httpd-ssl.conf, edit the following:
- Listen port: port number opened on the inside firewall for SSL as required
Note: You can use the netstat command to make sure no other applications are using the port you specify, particularly if you use port 443 on an Internet Information Services (IIS) web server.
- <VirtualHost>: port number opened on the inside firewall for SSL
Note: Default value is 443.
- ServerName: name for the Apache server, including port number (for example: 10.10.10.10:443)
- ServerAdmin: email address
- SSLCertificateFile: path to the PEM encoded certificate
- SSLCertificateKeyFile: path to the private key if it is not already combined with the certificate
Note: If you do not have a certificate, follow the instructions in step 3 to generate a self-signed certificate.
- For these parameters, accept the default or specify the desired path:
- DocumentRoot
- SSLSessionCache
- ErrorLog
- TransferLog
- CustomLog
- If you need to generate a self-signed certificate, open a command prompt on the web server and execute the following:
- Change directories:
C:\Program Files\Apache\conf
- Generate a private key
..\bin\openssl genrsa -des3 -out server.key 1024
- Generate a CSR (Certificate Signing Request):
..\bin\openssl req -config ..\conf\openssl.cnf -new -key server.key -out server.csr
- Remove the passphrase from the key:
copy server.key server.key.org
..\bin\openssl rsa -in server.key.org -out server.key
- Generate a self-signed certificate:
..\bin\openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- If you created a certificate, edit httpd-ssl.conf to update paths to SSLCertificateFile and SSLCertificateKeyFile.
- Restart the Apache web server.
For more information on configuring UMP, see the UMP Guide on docs.nimsoft.com.
We hope you find the CA Cookbooks on Flipboard interesting and useful. If so, tell us about it!