Configuring SSL - Deprecated
Configuring All SFX Instances
- Log on as an instance user.
- Configure the virtual host for the HTTP server by editing the following file:
/exlibris/sfx_ver/sfx4_1/<instance>/config/httpd.conf
- Load the SSL module by removing the comment sign (#) from the following lines:
#<IfModule mod_ssl.c>
#Include /exlibris/sfx_ver/sfx4_1/<instance>/config/ssl.config
#</IfModule>
- Before this section, add the following line:
LoadModule ssl_module /exlibris/sfx_ver/sfx4_1/app/apache/modules/mod_ssl.so
- HTTPS and HTTP should have different log files. To create different log files, create a virtual host configuration. Locate the following text:
Include /exlibris/sfx_ver/sfx4_1/<instance>/config/local_httpd.conf
Add the following lines before it:
<VirtualHost _default_:INSTANCE_PORT_NUMBER>
#ServerAdmin webmaster@dummy-host.example.com
#DocumentRoot /www/docs/dummy-host.example.com
ServerName _default_:INSTANCE_PORT_NUMBER
ErrorLog /exlibris/sfx_ver/sfx4_1/<instance>/logs/apache/error_log
CustomLog /exlibris/sfx_ver/sfx4_1/<instance>/logs/apache/access_log common
</VirtualHost>
- Verify that there are no additional VirtualHost sections in the file.
Configuring the Virtual Host for HTTPS
- A site certificate can be obtained through a UW/IST Certificate Authority. This is recommended for a production environment.
- You can generate your own certificate for testing purposes.
- Create a subdirectory for the certificate and key:
cd /exlibris/sfx_ver/sfx4_1/<instance>/config
mkdir keys
cd keys
- Create an RSA private key:
openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
- Remove the pass-phrase from the key:
openssl rsa -in server.key -out server.pem
- Generate the CSR:
openssl req -new -key server.key -out server.csr
- Enter the server host name in the Common Name field.
- Generate a self-signed certificate:
openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt -set_serial XX
- Replace the XX in the command with any random two-digit number. This is the certificate serial number and it should be unique among your instances.
- For security reasons (not obligatory), the owner of the directory keys and the files located inside should be the root user:
su -
cd /exlibris/sfx_ver/sfx4_1/<instance>/config/keys
chown root:root *
chmod 775 *
cd ..
chown root:root keys
- HTTP and HTTPS cannot share the same port.
- Each instance should have its own certificate and key.
- Copy the sample file listed in the config directory of your instance:
sx
cp config/ssl.config.sample config/ssl.config
cn
- Edit the ssl.config file by replacing the following placeholders with their actual values:
- INSTANCE_SSL_PORT_NUMBER – Replace this placeholder with the desired port number for SSL communication for the instance. (Note the default port number for SSL is 443, which can be used only by the root user.)
- SERVER_HOST_NAME – Replace this placeholder with the server host name. The value is the same for all instances.
- INSTANCE – Replace this placeholder with the instance name.
Configuring the Reverse Proxy Server
- Create the configuration file reverse_proxy_ssl.config
- Generate an SSL certificate and key
- Log on as the sfxglb41 user and type the following:
cn
cp reverse_proxy_httpd.config__ reverse_proxy_httpd_ssl.config__
- All the instances use the same reverse proxy configuration file.
- Use a text editor to edit reverse_proxy_httpd_ssl.config_.
- Before the following line:
ProxyPass /sfxadmin/sfxglb41 http://localhost:3101/sfxadmin/sfxglb41
add:
SSLProxyEngine on
- For instances that work with SSL, there is a section of 13 lines, each containing the name of the instance. Change each line as follows:
- Replace http with https.
- Change the port to the SSL port of the instance.
The following is an example of the text before the changes:
ProxyPassReverse /sfxadmin/sfxlcl41 http://localhost:80/sfxadmin/sfxlcl41
The following is an example of the line after the changes – http has been changed to https, and port 80 has been changed to 90:
ProxyPassReverse /sfxadmin/sfxlcl41 https://localhost:90/sfxadmin/sfxlcl41
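The edits described above, scripted as a filter (an added example, not part of the SFX distribution): it inserts SSLProxyEngine on before the sfxglb41 ProxyPass line, switches one instance's lines to https on its SSL port, and counts lines for that instance that still point at plain http. The function names are hypothetical and the four sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of SFX. Function names are assumptions and the
# sample lines are constructed; the real file has 13 lines per instance.

# Applies the edits described above to a config read from stdin.
rewrite_instance_to_ssl() {  # $1 = instance name, $2 = instance SSL port
    awk -v inst="$1" -v port="$2" '
        /^[ \t]*SSLProxyEngine[ \t]/ { have_engine = 1 }
        # "SSLProxyEngine on" goes before the sfxglb41 ProxyPass line, once.
        !have_engine && /^[ \t]*ProxyPass[ \t]+\/sfxadmin\/sfxglb41[ \t]/ {
            print "SSLProxyEngine on"
            have_engine = 1
        }
        # Touch only uncommented lines naming the instance as a full path segment.
        $0 ~ ("/" inst "([/ \t]|$)") && !/^[ \t]*#/ {
            sub(/http:\/\/localhost:[0-9]+/, "https://localhost:" port)
        }
        { print }
    '
}

# Counts lines for the instance that still proxy to the backend over http.
cleartext_backends() {  # $1 = instance name; config on stdin
    awk -v inst="$1" '
        $0 ~ ("/" inst "([/ \t]|$)") && !/^[ \t]*#/ && /http:\/\/localhost:/ { n++ }
        END { print n + 0 }
    '
}

# Constructed sample using the instance names and ports quoted on this page.
sample_config() {
    cat <<'EOF'
ProxyPass /sfxadmin/sfxglb41 http://localhost:3101/sfxadmin/sfxglb41
ProxyPassReverse /sfxadmin/sfxglb41 http://localhost:3101/sfxadmin/sfxglb41
ProxyPass /sfxadmin/sfxlcl41 http://localhost:80/sfxadmin/sfxlcl41
ProxyPassReverse /sfxadmin/sfxlcl41 http://localhost:80/sfxadmin/sfxlcl41
EOF
}

sample_config | rewrite_instance_to_ssl sfxlcl41 90
echo "sfxlcl41 lines still on http: $(sample_config | rewrite_instance_to_ssl sfxlcl41 90 | cleartext_backends sfxlcl41)"
```

Run the filter on a copy of the file and compare the result with the original before replacing it; a non-zero count from cleartext_backends means some lines for that instance were missed.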
- Log on as the sfxglb41 user.
- Create a subdirectory for the certificate and key:
cd /exlibris/sfx_ver/sfx4_1/app/apache/conf
mkdir keys
cd keys
- Create an RSA private key:
openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
- Remove the pass-phrase from the key:
openssl rsa -in server.key -out server.pem
- Generate the CSR.
openssl req -new -key server.key -out server.csr
- Generate a self-signed certificate.
openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt -set_serial XX
- Replace the XX in the command with any random serial number made of two digits. This is the certificate serial number and it should be unique among your instances.
- For security reasons (not obligatory), the owner of the directory keys and the files located inside should be the root user:
su -
cd /exlibris/sfx_ver/sfx4_1/app/apache/conf/keys
chown root:root *
chmod 775 *
cd ..
chown root:root keys
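A check to run after either certificate procedure (the instance pair under config/keys and the proxy pair under app/apache/conf/keys), added here as an example that is not part of the SFX distribution: it confirms that server.crt belongs to server.pem, reports the key size, and tests the remaining validity. The function names and the default thresholds (2048 bits, 14 days) are assumptions of this example; a key created with the 1024 shown in the genrsa step is reported as below the threshold.

```shell
#!/bin/sh
# Added example, not part of SFX: checks a key/certificate pair such as
# server.pem + server.crt. Function names and thresholds are assumptions.

# Succeeds when the certificate carries the public key of the given private key.
# Use the pass-phrase-free server.pem so that openssl does not prompt.
pair_matches() {  # $1 = unencrypted key, $2 = certificate
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Prints the key size in bits recorded in the certificate.
cert_key_bits() {  # $1 = certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeeds when the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Runs all three checks, prints one line per finding, returns 1 on any failure.
check_pair() {  # $1 = key, $2 = certificate, $3 = minimum bits, $4 = minimum days left
    rc=0
    pair_matches "$1" "$2" || { echo "FAIL: $2 does not belong to $1"; rc=1; }
    bits=$(cert_key_bits "$2")
    [ "${bits:-0}" -ge "$3" ] || { echo "FAIL: ${bits:-unknown}-bit key, want >= $3"; rc=1; }
    valid_for_days "$2" "$4" || { echo "FAIL: $2 expires within $4 days"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $2 matches $1, $bits bits, valid for >= $4 days"
    return "$rc"
}

# Usage: sh check_pair.sh server.pem server.crt [min_bits] [min_days]
if [ "$#" -ge 2 ]; then
    check_pair "$1" "$2" "${3:-2048}" "${4:-14}"
fi
```

Because the certificates above are issued with -days 60, running this check on a schedule gives early notice before the instance or the proxy starts serving an expired certificate.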
- Configure the virtual host for HTTP by adding the following lines at the end of /exlibris/sfx_ver/sfx4_1/proxy/conf/httpd.conf:
<VirtualHost _default_:PROXY_HTTP_PORT>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /www/docs/dummy-host.example.com
ServerName _default_:PROXY_HTTP_PORT
ErrorLog /exlibris/sfx_ver/sfx4_1/proxy/logs/error_log
CustomLog /exlibris/sfx_ver/sfx4_1/proxy/logs/access_log common
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
Include /exlibris/sfx_ver/sfx4_1/sfxglb41/config/reverse_proxy_httpd.config__
</VirtualHost>
In the previous example, PROXY_HTTP_PORT is the port number for accessing the HTTP proxy server (for example, 3020).
- Add SSL support by adding the following lines at the end of /exlibris/sfx_ver/sfx4_1/proxy/conf/httpd.conf:
<IfModule mod_ssl.c>
Include /exlibris/sfx_ver/sfx4_1/app/apache/conf/ssl.config
</IfModule>
- Configure SSL Enabled Virtual Hosts.
- Copy the sample file located in the config directory of the sfxglb41 instance:
cp /exlibris/sfx_ver/sfx4_1/sfxglb41/config/proxy_ssl.config.sample /exlibris/sfx_ver/sfx4_1/app/apache/conf/ssl.config
- Edit the new file content by replacing the following placeholders with their proper values:
- PROXY_HTTPS_PORT – Replace this placeholder with the desired port value (for example, 3050).
- SERVER_HOST_NAME – Replace this placeholder with the server host name. This value is the same for all instances.