Question
· Jun 6, 2017

Running the Management Portal pages over HTTPS

Hi,

I'm unable to locate a set of instructions that would allow me to encrypt the traffic to/from the Caché Management Portal (that is, run it over HTTPS).

I am referring to the Management Portal as hosted by the private Apache web server instance installed with Caché. (I know how to do this for regular web sites hosted on, for example, IIS.)


I would imagine the steps would involve (a) enabling SSL on that Apache instance and (b) deploying certificates into the Apache web server.

Does anyone have a step-by-step guide on how this is accomplished?

Thanks in advance,

Steve


Unfortunately, InterSystems doesn't support SSL/TLS on the private server.

You'll need to set up a standalone Apache server (assuming Linux/Unix), install mod_ssl, install the CSP gateway for Apache, create and install certificates, configure CSP.ini, enable TLS on the SuperServer port, and a few other things. Not for the faint of heart.

That's only half of the battle, though.

If you want to secure Studio and the ODBC drivers, you'll also need to request a special version of ServerManager.exe from the WRC that supports some additional configuration options. Enabling TLS for Studio can cause some oddities for users that rely on the ability to access the class documentation from within Studio (although that may have been fixed; it was an issue in 2015.1).

I configured all of this for a customer in 2015 and wrote up detailed documentation. Since it was done under contract, though, it's not mine to distribute.

Greetings,

I dealt with the problem of securing the Portal on our Linux server a while ago, so I am pasting my notes on the necessary steps below. Hopefully they will be of some use.

httpd for SSL-enabled Caché Management Portal

Download necessary tarballs:

wget http://mirror.dkm.cz/apache//httpd/httpd-2.4.25.tar.gz
wget http://apache.miloslavbrada.cz//apr/apr-util-1.5.4.tar.bz2
wget http://mirror.hosting90.cz/apache//apr/apr-1.5.2.tar.gz

Extract

tar xvvf ./httpd-2.4.25.tar.gz
tar xvvf ./apr-util-1.5.4.tar.bz2
tar xvvf ./apr-1.5.2.tar.gz

Copy the Apache Portable Runtime sources into the Apache srclib directory

cp -r ./apr-1.5.2 ./httpd-2.4.25/srclib/apr
cp -r ./apr-util-1.5.4 ./httpd-2.4.25/srclib/apr-util

Configure

cd httpd-2.4.25
./configure --prefix=/cachesys/httpd --enable-ssl --enable-so --with-included-apr \
--enable-mods-static="log_config mime alias unixd authz_core rewrite ssl" --without-gdbm \
--without-ndbm --without-berkeley-db --with-expat=builtin --with-mpm=worker --disable-shared

Compile

make

Kill the original httpd

kill `cat /cachesys/httpd/logs/httpd.pid`

Back up the old httpd

sudo mv /cachesys/httpd /cachesys/httpd.old

Install the new httpd

sudo make install

Change /cachesys/httpd/conf/httpd.conf to look like this:

ServerRoot "/cachesys/httpd"
DocumentRoot "/cachesys/csp"

CSPModulePath /cachesys/csp/bin/

LoadModule csp_module_sa /cachesys/csp/bin/CSPa24.so

User cacheusr
Group cacheusr

<Location />
    CSP On
    SetHandler csp-handler-sa
</Location>

ServerName localhost
PidFile logs/httpd.pid
TraceEnable off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 120

UseCanonicalName Off

<VirtualHost *:57772>
        Redirect "/" "https://your.server.name:57782/"
</VirtualHost>

<VirtualHost *:57782>
        SSLEngine On
        SSLCertificateFile  "/path/to/your/public.key"
        SSLCertificateKeyFile "/path/to/your/private.key"
        <Directory />
            Options MultiViews FollowSymLinks
            AllowOverride None
            Require all granted
            <FilesMatch "\.(log|ini|pid|exe|so)$">
                Require all denied
            </FilesMatch>
        </Directory>
        <Location "/csp/bin/Systems/">
            SetHandler csp-handler-sa
        </Location>
        <Location "/csp/bin/RunTime/">
            SetHandler csp-handler-sa
        </Location>
        AddHandler csp-handler-sa csp cls cxw zen
</VirtualHost>

TypesConfig conf/mime.types
HostnameLookups Off

ErrorLog logs/error.log
LogLevel error
LogFormat "%h %l %u %t \"%r\" %>s %b" common
#CustomLog logs/access.log common

StartServers          1
MinSpareThreads       5
MaxSpareThreads      15
ThreadLimit          25
ThreadsPerChild       5
MaxClients           25
MaxRequestsPerChild 200

ServerTokens Prod

Listen 57772
Listen 57782

Finally, launch the new httpd

/cachesys/httpd/bin/httpd -d /cachesys/httpd -c "Listen 57772"

That's it.

IMO, SSL really should be on by default in 2017.

Jiri
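As an added example (not part of Jiri's notes or any InterSystems code), a small Python linter that checks an httpd.conf like the one above for the settings that decide the portal's TLS exposure: a VirtualHost with SSLEngine On exists, the plaintext port redirects to https, the log/ini/pid/so FilesMatch deny is present in the TLS vhost, and TraceEnable is off. Run against the constructed excerpt of the configuration above, it also reports that SSLProtocol and SSLCipherSuite are left at Apache's defaults, which still allow TLS 1.0/1.1 on 2.4.

```python
import re

# Constructed excerpt of the httpd.conf from the post above (not a live file).
SAMPLE_CONF = r"""
TraceEnable off
<VirtualHost *:57772>
        Redirect "/" "https://your.server.name:57782/"
</VirtualHost>
<VirtualHost *:57782>
        SSLEngine On
        SSLCertificateFile  "/path/to/your/public.key"
        SSLCertificateKeyFile "/path/to/your/private.key"
        <FilesMatch "\.(log|ini|pid|exe|so)$">
            Require all denied
        </FilesMatch>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", re.S)

def vhosts(conf):
    """Map each <VirtualHost> port to the text of its block."""
    return {int(port): body for port, body in VHOST_RE.findall(conf)}

def has(text, directive, value=None):
    # True if some line sets `directive` (optionally to `value`); Apache is case-insensitive
    pat = r"^\s*" + directive + (r"\s+" + re.escape(value) if value else r"\b")
    return re.search(pat, text, re.M | re.I) is not None

def lint(conf):
    """Return a list of findings for the portal TLS setup; an empty list means it passed."""
    findings = []
    hosts = vhosts(conf)
    tls_ports = [p for p, body in hosts.items() if has(body, "SSLEngine", "On")]
    if not tls_ports:
        findings.append("no VirtualHost enables TLS (SSLEngine On)")
    for port, body in hosts.items():
        if port in tls_ports:
            # Apache 2.4 defaults to 'SSLProtocol all -SSLv3', so TLS 1.0/1.1 stay enabled
            if not has(body, "SSLProtocol"):
                findings.append(f"port {port}: SSLProtocol not set (TLS 1.0/1.1 allowed)")
            if not has(body, "SSLCipherSuite"):
                findings.append(f"port {port}: SSLCipherSuite not set (default ciphers)")
            # the post denies .log/.ini/.pid/.exe/.so so CSP.ini and logs are never served
            if not re.search(r"<FilesMatch[^>]*>\s*Require all denied", body, re.I):
                findings.append(f"port {port}: no FilesMatch deny for log/ini/pid/so files")
        elif not re.search(r'^\s*Redirect\s+\S+\s+"?https://', body, re.M | re.I):
            findings.append(f"port {port}: plaintext vhost does not redirect to https")
    if not has(conf, "TraceEnable", "off"):
        findings.append("TraceEnable off missing (TRACE method enabled)")
    return findings
```

Point `lint` at the real file contents (`open("/cachesys/httpd/conf/httpd.conf").read()`) to check the installed configuration rather than the excerpt.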

Steve, when I worked with the WRC to configure this (back in 2015), I got significant pushback on attempting to use the "private" server. I'm not sure what will happen with an in-place upgrade, either.

That may have changed since then. Regardless, installing the CSP gateway on an external, standalone web server is a solution supported by ISC, so please take that into consideration as you plan your implementation of SSL.