Apache Archive

How to configure SSL Between Weblogic and Apache

SSL between Apache and Weblogic

1) Set WLS Environment

C:\Oracle\Middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

2) Go to the lib directory and convert the WLS root certificate to .pem format

C:\Oracle\Middleware\wlserver_10.3\server\lib>java utils.der2pem CertGenCA.der

C:\Oracle\Middleware\wlserver_10.3\server\lib>dir CertGen*
Volume in drive C is Windows8_OS
Volume Serial Number is 8C04-A406

Directory of C:\Oracle\Middleware\wlserver_10.3\server\lib

01/03/2015 09:29 PM 540 CertGenCA.der
01/19/2015 07:47 PM 786 CertGenCA.pem
01/03/2015 09:29 PM 388 CertGenCAKey.der

3) Go to D:\Apache2.2\conf\httpd.conf and add the following entries:

LoadModule weblogic_module modules/mod_wl128_22.so

<Location /console>
   SetHandler weblogic-handler
   SecureProxy ON
   TrustedCAFile C:/Oracle/Middleware/wlserver_10.3/server/lib/CertGenCA.pem
   RequireSSLHostMatch false
   WebLogicHost localhost
   WebLogicPort 7002
   WLLogFile D:/temp/wlproxy.log
   WLTempDir D:/temp
   Debug ALL
</Location>

Note: The Admin/Managed Server should be up and running on the IP and port mentioned in the Location directive.

If there are any issues you can check the proxy logs. If you are still not able to resolve the issues please feel free to post here.

Configure Apache Webserver to authenticate from LDAP Server

1. Connect to the LDAP Server from an LDAP Browser

(Screenshot: LDAP browser)

(Screenshot: LDAP browser connected)

2. Uncomment these two modules in httpd.conf

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

3. Add the following Location directive

<Location />
   AuthType Basic
   Require valid-user
   AuthName "Enter Your ldap Username/Password"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthLDAPURL ldap://localhost:444
   AuthLDAPBindDN "uid=faisal,ou=People,dc=bea,dc=com"
   AuthLDAPBindPassword faisal
   ErrorDocument 401 "Please use your ldap username and password to login."
</Location>

4. Restart the Apache web server

5. Log in to the server with LDAP Credentials

(Screenshot: login prompt)

(Screenshot: login success)

How and Why we need to SECURE our Web Server

Introduction: Over the years, the internet and internet-based applications have revolutionized our lives. They have created many new global business opportunities for enterprises conducting online business. However, the security risks associated with conducting e-business have made security a major factor in online success or failure.

Every high-profile hacking attack has shown that web security remains a serious issue for any business that runs its operations online. Web servers are among the most targeted public faces of an organization, because of the sensitive data they usually host. Hence, securing the web server is as important as securing the website or web application itself. A secure web application on an insecure web server, or vice versa, still puts the business at huge risk. Therefore, it is important to have a secured web server.

 

What is a Web Server? A web server can be defined as an HTTP server that redirects client requests to the appropriate application servers. Following is the pictorial representation of the purpose of a web server:

Security Implementation in Apache Web Server: Below is the schematic representation of communication with a secured web server.

Security inside the web server is implemented in two steps:

1) Installation of an SSL certificate

2) Following the security guidelines

Installation of the certificate: The installation of SSL certificates on Apache servers involves the following stages:

1. Create a Certificate Signing Request (CSR)
2. Apply online
3. Installing your Certificate
4. Displaying your Secure Site Seal

 

1. For a web server, generate a CSR and a private key with the following command (without -keyout, the key is written to privkey.pem):

openssl req -config openssl.cnf -new -out my-server.csr

2. Remove the pass phrase from the private key, because it contains the entropy information used to create the key and could be used for cryptographic attacks against your private key:

openssl rsa -in privkey.pem -out my-server.key

3. Use the command below to generate a self-signed certificate (later replace this with the certificate from the Certifying Authority):

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

 

4. Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.

5. Open the httpd.conf file and add the following line:

LoadModule ssl_module modules/mod_ssl.so

6. Add the following to the end of httpd.conf (the VirtualHost needs an address argument; _default_:443 is the usual choice for an SSL host):

SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
<VirtualHost _default_:443>
   SSLEngine On
   SSLCertificateFile conf/ssl/my-server.cert
   SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>

 

Restart the Apache server and access the applications with the SSL mode.
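The steps above combined into one script, as an added example (not the original post's commands): it generates the key without a pass phrase, self-signs the CSR, locks down the key file, checks that key and certificate belong together, and also shows the DER-to-PEM conversion that `java utils.der2pem` performs in the WebLogic plug-in post at the top of this page. The output directory under $TMPDIR and the subject www.example.com are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: the key, CSR and self-signed
# certificate steps above as one script, plus the DER-to-PEM conversion that
# `java utils.der2pem` performs in the WebLogic post at the top of the page.
# The output directory and the subject (www.example.com) are assumptions.
set -u

# make_server_cert DIR CN: key + CSR, then a 365-day self-signed certificate.
make_server_cert() {
    ssl_dir=$1; cn=$2
    mkdir -p "$ssl_dir"
    # -nodes writes the key without a pass phrase, so Apache can start
    # unattended and the separate `openssl rsa` step is not needed.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$ssl_dir/my-server.key" -out "$ssl_dir/my-server.csr"
    # Self-sign the CSR; replace my-server.cert with the CA-issued one later.
    openssl x509 -req -in "$ssl_dir/my-server.csr" -signkey "$ssl_dir/my-server.key" \
        -days 365 -out "$ssl_dir/my-server.cert"
    # Only the user that starts Apache (root) may read the private key.
    chmod 600 "$ssl_dir/my-server.key"
}

# cert_subject DIR: subject line of the certificate, e.g. "subject=CN = www.example.com".
cert_subject() { openssl x509 -in "$1/my-server.cert" -noout -subject; }

# key_matches_cert DIR: succeeds only if key and certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/my-server.key" -pubout)
    c=$(openssl x509 -in "$1/my-server.cert" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# der_to_pem IN.der OUT.pem: what `java utils.der2pem` does for a certificate.
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

SSL_DIR="${TMPDIR:-/tmp}/apache-ssl-example.$$"
trap 'rm -rf "$SSL_DIR"' EXIT

make_server_cert "$SSL_DIR" www.example.com 2>/dev/null
cert_subject "$SSL_DIR"
key_matches_cert "$SSL_DIR" && echo "private key matches certificate"

# Round trip: PEM -> DER -> PEM must give back the identical certificate file.
openssl x509 -in "$SSL_DIR/my-server.cert" -outform DER -out "$SSL_DIR/my-server.der"
der_to_pem "$SSL_DIR/my-server.der" "$SSL_DIR/roundtrip.pem"
cmp -s "$SSL_DIR/my-server.cert" "$SSL_DIR/roundtrip.pem" && echo "DER/PEM round trip OK"
ls -l "$SSL_DIR"
```

For a real server, point SSL_DIR at Apache/conf/ssl and submit my-server.csr to the CA instead of self-signing; the key file permissions and the key/certificate match check apply unchanged to the CA-issued certificate.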

 

Following are some tips and guidelines; implementing them will make our Apache servers more secure:

1) Update the Apache server with the latest security patches and fix packs (a stable version of Apache).

2) Hide the Apache version number and other sensitive information by setting the following inside httpd.conf:

   ServerSignature Off
   ServerTokens Prod

Note: ServerSignature Off tells Apache not to display the server version on error pages or other pages it generates. ServerTokens Prod tells Apache to return only "Apache" in the Server header, which is sent on every response.

3) Often the Apache installation runs as an anonymous user or as root; make sure that Apache runs under its own user account and group. You can check this in httpd.conf:

   User apache
   Group apache

 

4) Make sure that Apache doesn't use or access any files outside its web root directory (the location where all of Apache's files are kept):

   <Directory />
      Order Deny,Allow
      Deny from all
      Options None
      AllowOverride None
   </Directory>
   <Directory /web>
      Order Allow,Deny
      Allow from all
   </Directory>

 

5) In typical operation, Apache is started by the root user. Set the right permissions on the ServerRoot directories as follows:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

 

6) **Server Side Includes (SSI) present an administrator with several potential security risks, such as increased load on the server. Hence, turn off server side includes with the Options directive inside a Directory section in httpd.conf: set Options to either None or -Includes.

 

7) Allowing users to execute ***CGI scripts in any directory should only be considered if:

- You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.

- You consider security at your site to be so feeble in other areas as to make one more potential hole irrelevant.

- You have no users, and nobody ever visits your server.

 

8) Watch the logs. To stay up to date with what is actually going on against your server you have to check the log files. They give you some understanding of what attacks are thrown against the server and let you check whether the necessary level of security is present. Restrict the installation directory, logs included, so that other users cannot read it:

   chown -R root:root /usr/local/apache
   chmod -R o-rwx /usr/local/apache

Note: /usr/local/apache is the Apache installation directory.

9) Lower the timeout and restrict the request body size as follows:

   Timeout 45
   LimitRequestBody 1048576

10) Restrict access to resources by IP address:

   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1
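An added example (not from the original post) that checks an httpd.conf against the list above: a POSIX shell audit that reports ServerTokens/ServerSignature disclosure, Server Side Includes still enabled, and three lab-only settings that also appear on this page (the WebLogic plug-in's Debug ALL and RequireSSLHostMatch false from the first post, and ProxyRequests On, which the reverse-proxy section further down calls the open-proxy switch). The two configuration files it reads are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original post: audit an httpd.conf for the
# hardening points listed above (ServerTokens, ServerSignature, Server Side
# Includes) together with three directives shown elsewhere on this page that
# are fine in a lab but not in production: the WebLogic plug-in's Debug ALL and
# RequireSSLHostMatch false, and ProxyRequests On (an open proxy).
# POSIX sh with sed and grep only; the sample configs below are constructed.

# active_lines FILE: directives only; leading whitespace, comments and blank lines removed.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# audit_httpd_conf FILE: prints one finding per line, nothing when clean; always returns 0.
audit_httpd_conf() {
    lines=$(active_lines "$1")

    # Version disclosure: ServerTokens must be exactly Prod and ServerSignature Off.
    printf '%s\n' "$lines" | grep -qiE '^ServerTokens[[:space:]]+Prod[[:space:]]*$' \
        || echo "ServerTokens is not Prod: version details sent in every Server header"
    printf '%s\n' "$lines" | grep -qiE '^ServerSignature[[:space:]]+Off[[:space:]]*$' \
        || echo "ServerSignature is not Off: version shown on generated error pages"

    # Server Side Includes: Includes (or IncludesNOEXEC) enabled by an Options line,
    # i.e. preceded by whitespace or '+'. A leading '-' removes the option and is fine.
    printf '%s\n' "$lines" | grep -iE '^Options[[:space:]]+(.*[[:space:]])?[+]?Includes' \
        | sed 's/^/SSI enabled: /'

    # ProxyRequests On turns the server into a forward (open) proxy for anyone who can reach it.
    printf '%s\n' "$lines" | grep -iE '^ProxyRequests[[:space:]]+On' \
        | sed 's/^/Open proxy: /'

    # WebLogic plug-in: Debug ALL writes every request and response header to WLLogFile;
    # RequireSSLHostMatch false skips the check that the back-end certificate subject
    # matches WebLogicHost.
    printf '%s\n' "$lines" | grep -iE '^Debug[[:space:]]+ALL' \
        | sed 's/^/Plug-in debug left on: /'
    printf '%s\n' "$lines" | grep -iE '^RequireSSLHostMatch[[:space:]]+false' \
        | sed 's/^/Back-end certificate host check disabled: /'
    return 0
}

# count_findings FILE: number of findings as a bare integer.
count_findings() { audit_httpd_conf "$1" | wc -l | tr -d ' '; }

WEAK_CONF="${TMPDIR:-/tmp}/httpd-weak.$$"
CLEAN_CONF="${TMPDIR:-/tmp}/httpd-clean.$$"
trap 'rm -f "$WEAK_CONF" "$CLEAN_CONF"' EXIT

# Constructed sample: the settings this page warns about, plus one commented-out
# and one correctly negated directive that must not be reported.
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
ServerSignature On
# ServerSignature Off
<Directory "/web">
    Options Indexes +Includes FollowSymLinks
</Directory>
<Directory "/web/static">
    Options -Includes
</Directory>
ProxyRequests On
<Location /console>
    SetHandler weblogic-handler
    SecureProxy ON
    RequireSSLHostMatch false
    Debug ALL
</Location>
EOF

# Constructed sample: the same server hardened as the list above recommends.
cat > "$CLEAN_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/web">
    Options None
</Directory>
ProxyRequests off
<Location /console>
    SetHandler weblogic-handler
    SecureProxy ON
    RequireSSLHostMatch true
    Debug OFF
</Location>
EOF

echo "weak config: $(count_findings "$WEAK_CONF") finding(s)"
audit_httpd_conf "$WEAK_CONF"
echo "hardened config: $(count_findings "$CLEAN_CONF") finding(s)"
```

The checks are deliberately literal: a directive that is commented out does not count, and `Options -Includes` is recognised as the negation the list recommends. Run `audit_httpd_conf /path/to/httpd.conf` on a real file and expect no output.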

 

Note: **A Server Side Include page is typically an HTML page with embedded command(s) that are executed by the web server.

***A CGI program is any program designed to accept and return data that conforms to the CGI specification. The program can be written in any programming language, including C, Perl, Java, or Visual Basic. CGI programs are the most common way for web servers to interact dynamically with users.

 


Apache Administration FAQ’s

How to disable case sensitivity in Apache?

Apache is case sensitive. When your application was hosted on a case-insensitive web server (like IIS) and is moved to a case-sensitive web server (like Apache), you may get problems with URLs not being found (HTTP 404 errors). Apache provides a module which helps to make URLs case-insensitive.

Open httpd.conf (your Apache configuration file) and find the line below:

LoadModule speling_module modules/mod_speling.so

If the above module is available with your Apache, turn on the CheckSpelling directive:

CheckSpelling On

How to monitor Apache server status?

There is a built-in module, mod_status, available in Apache which helps to get the server status from a web browser.

To monitor the Apache web server:

Open httpd.conf (located at <Apache Install Dir>/conf/httpd.conf):

vi httpd.conf

Set the Location directive as below. It will allow access only from 192.13.24.57:

<Location /server-status>
   SetHandler server-status
   Order Deny,Allow
   Deny from all
   Allow from 192.13.24.57
</Location>

Set ExtendedStatus to on:

ExtendedStatus on

Save httpd.conf and restart the web server.

Now you can monitor your Apache web server at http://servername/server-status from a browser on 192.13.24.57.

How to know whether a library is built on 32-bit or 64-bit?

Type the command below at the shell:

file /usr/local/apache2.2.11/lib/libapr-1.so.0.3.3

The output of the above command is:

/usr/local/apache2.2.11/lib/libapr-1.so.0.3.3: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not stripped

The output shows that the libapr-1.so.0.3.3 file is built for 32-bit machines.
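An added example (not from the original FAQ) that reads the same answer straight out of the ELF header that `file` interprets, which is useful on a minimal system where `file` is not installed. The header files it checks are constructed in a temporary directory; they are not real libraries.

```sh
#!/bin/sh
# Added example, not code from the original FAQ: decide 32-bit vs 64-bit by
# reading the ELF identification bytes that `file` interprets. Bytes 0-3 are the
# magic 7f 45 4c 46 ("\177ELF"); byte 4, e_ident[EI_CLASS], is 1 for ELFCLASS32
# and 2 for ELFCLASS64. POSIX sh and od only; the sample files are constructed.

# elf_class FILE: prints "32-bit" or "64-bit"; fails for anything that is not ELF.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not an ELF file"
        return 1
    fi
    case $(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n') in
        1) echo "32-bit" ;;
        2) echo "64-bit" ;;
        *) echo "unknown ELF class"; return 1 ;;
    esac
}

ELF_DIR="${TMPDIR:-/tmp}/elf-class-example.$$"
mkdir -p "$ELF_DIR"
trap 'rm -rf "$ELF_DIR"' EXIT

# Constructed 16-byte e_ident headers (magic, class, data=1 little-endian,
# version=1, padding); not real libraries, just enough for the check above.
printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\000' > "$ELF_DIR/lib32.so"
printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\000' > "$ELF_DIR/lib64.so"
printf 'MZ\220\000' > "$ELF_DIR/notelf.dll"   # PE/DOS files start with "MZ", not ELF

for f in "$ELF_DIR"/lib32.so "$ELF_DIR"/lib64.so "$ELF_DIR"/notelf.dll; do
    printf '%s: %s\n' "$f" "$(elf_class "$f")"
done
# The same check on the shell you are running (Mach-O on macOS reports "not an ELF file").
[ -f /bin/sh ] && printf '/bin/sh: %s\n' "$(elf_class /bin/sh)"
```

Point `elf_class` at a real library such as the libapr-1 file from the FAQ to get the same 32-bit/64-bit verdict `file` prints; a mismatch between a 64-bit httpd and a 32-bit module is a common cause of "wrong ELF class" load failures.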

Working with Reverse proxy servers


The term "proxy server" is mostly known among middleware techies as "a server which forwards the request".

But, for several reasons, this one-line definition covers a server that is used in almost every environment, in multiple forms: forward proxy server, reverse proxy server and open proxy server.

The purpose of this document is to cover what a proxy server is, the different kinds of proxy server, and the configuration of a reverse proxy server.

Defining Proxy Server: A proxy server is an intermediary server between your web browser (client), which requests some information or data, and your server (web server or application server), which processes the request.

Following is the schematic representation of a proxy server:

Types of Proxy Server: There are three different types of proxy server. They are as follows:

1)      Forward Proxy Server

2)      Open Proxy Server

3)      Reverse Proxy Server

Forward Proxy Server: A forward proxy server forwards requests from intranet clients (web browsers) to servers on the Internet. These proxy servers are present in the same network as the client. Schematically, we can represent a forward proxy server as follows:

Open Proxy Server: An open proxy is a proxy server which is accessible to any Internet user. Any proxy server that doesn't restrict its client base to its own set of clients and allows any other client to connect to it is known as an "open proxy". An anonymous open proxy allows users to conceal their IP address while browsing the web or using other Internet services. There are numerous open proxy servers on the Internet. Any flavour of proxy server becomes an open proxy simply by enabling "ProxyRequests On" in the configuration file.

Following is the pictorial view of an open proxy server:

Reverse Proxy Server: A proxy server which takes requests from external clients (web browsers) on the Internet and forwards them to servers in an internal network is called a reverse proxy server. Generally, reverse proxy servers are present in the same network as our application and web servers.

Schematically, we can represent a reverse proxy server as follows:

Having looked at the different types of proxy server, let's look more closely at reverse proxy servers, especially their advantages and configuration.

Advantages of using Reverse Proxy Servers:

The various advantages of using the proxy servers are as follows:

1)      Filtering

2)      Caching

3)      Bypassing filters and censorship

4)      Logging and eavesdropping

5)      Gateways to private networks

6)      Accessing services anonymously

Comparing these advantages with the other flavours of proxy server, everyone would want to use reverse proxy servers. So, let's see how to configure a reverse proxy server.

Most present-day proxy servers can act as reverse proxy servers with the addition of a small module. Since discussing the configuration of every reverse proxy server with WebLogic Server is not possible here, this document restricts its scope to Apache HTTP Server.

Configuration of Apache Reverse Proxy Server with WebLogic Server:

To begin the configuration of the Apache reverse proxy server, let's consider a public site http://weblogic-wonders.com (or an application you deployed on a cluster) which has a public IP and DNS entry and can be accessed across the globe.

Let's assume that the application server on which this site is hosted is our WebLogic application server, with the two instances weblogic_Instance1.com and weblogic_Instance2.com.

Following are the steps for configuring the Apache proxy server with WebLogic servers:

1) After installing WebLogic Server and creating a domain, copy the mod_wl_20.so file from the WebLogic Server installation to the Apache modules folder.

2) Download libxml2 (the version should not be older than 2.6) from http://xmlsoft.org and install it.

3) Copy the library to /usr/lib/libxml2.so, with its headers in /usr/include/libxml2/libxml/.

4) Download mod_proxy_html and mod_xml2enc from http://apache.webthing.com/.

5) Add the following configuration to the httpd.conf of our Apache server:

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module    modules/mod_xml2enc.so

ProxyRequests off

ProxyPass /app1/ http://weblogic_Instance1.com/
ProxyPass /app2/ http://weblogic_Instance2.com/

ProxyHTMLURLMap http://weblogic_Instance1.com /app1
ProxyHTMLURLMap http://weblogic_Instance2.com /app2

<Location /app1/>
   ProxyPassReverse /
   ProxyHTMLEnable On
   ProxyHTMLURLMap / /app1/
   RequestHeader unset Accept-Encoding
</Location>

<Location /app2/>
   ProxyPassReverse /
   ProxyHTMLEnable On
   ProxyHTMLURLMap / /app2/
   RequestHeader unset Accept-Encoding
</Location>

6) Now restart the Apache server and the WebLogic application server instances.


Working with Proxy Plug-in Issues

Before we can deal with proxy plug-in issues we need to understand what these proxy plug-ins are, how they differ from web servers, where they are present, and so on. Let's discuss each of these in detail.

Introduction to Proxy Plug-in: Proxy plug-ins are mainly used to redirect requests to the application server based on the configuration specified in the plug-in config file.

The advantages of using a proxy plug-in are as follows:

1) Redirection of requests

2) Load balancing of requests

3) Serving static content (using the proxy cache)

Please find below the pictorial representation of a dynamic application server architecture containing the proxy plug-in:

fig (a): proxy plug-in inside the dynamic application server architecture

Following is the list of proxy plug-ins supported by Oracle/BEA:

1) IIS plug-in

2) Apache plug-in

3) Netscape/SunOne plug-in

As we can observe from the figure above, the proxy plug-in always lives inside the web server. (There are different reasons for this.)

 

 

 

Working with Proxy Plug-in related issues:

Following are most of the common problems seen while working with the proxy plug-ins:

1) Uneven load balancing of HTTP requests

2) Frequent or unexpected session failover

3) Unexpected HTTP status codes in responses, like 400, 404, 500, 503, etc., for which diagnosis on the WebLogic server side gives no clue.

*Note: for most of these issues, updating your existing plug-in will resolve the problem.

Enable the following debug flags inside the proxy server plug-in config file to get more information about the issue:

1) Set Debug="ALL": enabling this debug flag traces the following information:

a) Headers sent to and from the client.

b) Headers sent to and from WLS.

c) Information and error messages.

2) Set DebugConfigInfo="ON": enabling this flag makes the plug-in log the following information:

a) Returns the config information and runtime statistics to the browser.

b) Responds to requests that contain the string _WebLogicBridgeConfig.

c) Append the string _WebLogicBridgeConfigPath at the end of the URL.

Following is an example of how to use _WebLogicBridgeConfig: http://hostname:portNo/contextPath/servletPath/pathInfo_WebLogicBridgeConfig

Requesting the above URL returns output containing complete information about the proxy plug-in, such as the number of requests handled, max response time, min response time, timeout, etc.

Note: Enabling any of the above parameters requires a server restart.

After enabling the above debug flags, the output is by default written to the following file, depending on the OS:

1) UNIX (and related OS): /tmp/wlproxy.log

2) Windows (and related OS): C:\TEMP\wlproxy.log

Depending on the web server we are using, the proxy plug-in config file is one of these:

1) Apache HTTP Server: httpd.conf

2) iPlanet/SunOne: obj.conf

3) Microsoft IIS: iisProxy.Ini