Installing Apache as an HTTP Proxy to the local port of the Secure Agent's Process Server
Technical Note
Overview
This document describes how, by installing Apache HTTP Server and OpenSSL, you can expose the SOAP, JSON and REST services of the Informatica Secure Agent's Process Server. The Process Server listens only on a local port and is otherwise used exclusively for internal purposes; an Apache HTTP Server configured as a reverse proxy, with client certificate authentication, provides controlled access to it from outside the host.
Secure Agent Configuration
The first step is to identify the Secure Agent's InfaAgent.Port. It is selected at random from a range at installation time and recorded in the infaagent.ini file (usually located at {agent-install-directory}/main/infaagent.ini) as, for example, InfaAgent.Port=18152. This is the localhost port that the Apache virtual hosts below proxy to, so note its value before editing httpd.conf.
Software Requirements
This document will show how to configure Apache HTTP Server version 2.4 using self-signed client
certificate authentication to access services running on a secure agent's process server.
Software needed:
ICS Org
o must be licensed for use with the ICRT service
o must have a secure agent correctly configured
ICS Secure Agent
o must have the process-engine package installed
o must have a process deployed to the agent process-engine
Apache HTTP Server 2.4 installed
o use the one from http://www.wampserver.com/en/ or https://www.apachelounge.com/download/ (for the latter you may have to install the VC11 redistributable)
OpenSSL (http://slproweb.com/download/Win32OpenSSL_Light-1_0_1h.exe; the 1.0.1 series is end of life, so prefer a current build from the same site; the commands below are unchanged)
keytool (ships with a Java JDK/JRE; used below to convert the PKCS#12 file to a .jks keystore for SoapUI)
Generating Keys/Certificates
Pre-requisite:
Before you run any openssl command:
1. set OPENSSL_CONF=[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg
2. Identify your agent name by logging into your IC Org
To serve HTTPS, Apache needs a private key and an X.509 server certificate, and it expects both in PEM format. The following is a cookbook for creating that material; there are a number of other ways to do it, and this is offered only as an example. Use your agent's host name in place of the sample name "ctw181361.informatica.com" (the Common Name you enter must match the name clients will connect to). Note that -nodes writes the private key unencrypted, so restrict the key file's permissions to the account Apache runs as.
Generate a Key and Self-Signed Cert with OpenSSL
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw181361.informatica.com.key -out ctw181361.informatica.com.crt
Generate a pkcs12 version Key Store
openssl pkcs12 -export -in ctw181361.informatica.com.crt -inkey ctw181361.informatica.com.key > keystore.p12
Convert the pkcs12 keystore to jks keystore
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12
Log Output of the Above Set of Commands
C:\ssl>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw181361.informatica.com.key -out ctw181361.informatica.com.crt
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
....+++
...+++
writing new private key to 'ctw181361.informatica.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CT
Locality Name (eg, city) []:Shelton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Informatica Corp
Organizational Unit Name (eg, section) []:Cloud Services
Common Name (e.g. server FQDN or YOUR name) []:ctw181361.informatica.com
Email Address []:[email protected]

C:\ssl>ls -al
total 109
drwxrwxrwx 1 user group    0 Jun  3 23:55 .
drwxrwxrwx 1 user group    0 Jan  1  1980 ..
-rw-rw-rw- 1 user group 1513 Jun  3 23:55 ctw181361.informatica.com.crt
-rw-rw-rw- 1 user group 1704 Jun  3 23:55 ctw181361.informatica.com.key

C:\ssl>openssl pkcs12 -export -in ctw181361.informatica.com.crt -inkey ctw181361.informatica.com.key > keystore.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

C:\ssl>ls -al
total 112
drwxrwxrwx 1 user group    0 Jun  4 00:08 .
drwxrwxrwx 1 user group    0 Jan  1  1980 ..
-rw-rw-rw- 1 user group 1513 Jun  3 23:55 ctw181361.informatica.com.crt
-rw-rw-rw- 1 user group 1704 Jun  3 23:55 ctw181361.informatica.com.key
-rw-rw-rw- 1 user group 2677 Jun  4 00:08 keystore.p12

C:\ssl>keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

C:\ssl>ls -al
total 115
drwxrwxrwx 1 user group    0 Jun  4 00:10 .
drwxrwxrwx 1 user group    0 Jan  1  1980 ..
-rw-rw-rw- 1 user group 1513 Jun  3 23:55 ctw181361.informatica.com.crt
-rw-rw-rw- 1 user group 1704 Jun  3 23:55 ctw181361.informatica.com.key
-rw-rw-rw- 1 user group 2423 Jun  4 00:10 keystore.jks
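The cookbook above uses one self-signed certificate as server certificate, trust anchor and client identity at the same time, which is convenient for a test but means the "client" is whoever holds the server's private key. The following script is an added example, not part of the Informatica note: it builds the separation a practitioner would want, a private CA, a server certificate for the agent host, and a distinct client certificate issued by that CA, plus the PKCS#12 bundle SoapUI loads. It is a POSIX shell script (Git Bash, WSL or a Linux host with openssl) rather than a cmd.exe session; the host name, the subject names, the export password and the output directory are assumptions for illustration, and the PEM files it writes are what Apache on Windows consumes.

```shell
#!/bin/sh
# Added example (not from the Informatica note): a small private PKI for the
# Apache reverse proxy. Everything is written under the directory given to
# make_pki:
#   ca.crt / ca.key          private CA        -> SSLCACertificateFile
#   server.crt / server.key  agent host cert   -> SSLCertificateFile / SSLCertificateKeyFile
#   client.crt / client.key  test client, issued by the CA, separate from the server key
#   client.p12               PKCS#12 for SoapUI's SSL Settings (convertible to .jks with keytool)
# Host name, subject names and the export password are assumptions.
set -eu

AGENT_HOST="${AGENT_HOST:-ctw181361.informatica.com}"   # assumed agent host name
P12_PASS="${P12_PASS:-changeit}"                         # assumed export password

make_pki() (
    mkdir -p "$1" && cd "$1"

    # 1. Private CA. Explicit extensions so the CA is valid on every OpenSSL
    #    version: mod_ssl accepts only client certificates chaining to ca.crt.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Process Server Proxy CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -extfile ca.ext -out ca.crt 2>/dev/null

    # 2. Server certificate for the agent host, with a SAN: modern clients
    #    match the SAN and ignore the Common Name.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$AGENT_HOST" > server.ext
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$AGENT_HOST" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile server.ext -out server.crt 2>/dev/null

    # 3. Client identity with its own key, restricted to clientAuth, so it can
    #    be rotated or revoked without touching the server certificate.
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=soapui-tester" \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile client.ext -out client.crt 2>/dev/null

    # 4. PKCS#12 bundle for SoapUI, carrying the CA certificate as the chain.
    openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
        -name soapui-tester -passout "pass:$P12_PASS" -out client.p12

    # -nodes wrote the keys unencrypted: keep them readable by the owner only.
    chmod 600 ca.key server.key client.key client.p12
)

# The same checks mod_ssl performs at handshake time: each leaf must chain to
# ca.crt, and each must be usable for its intended purpose.
verify_pki() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/server.crt" >/dev/null &&
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null
}

# Usage: make_pki /c/ssl && verify_pki /c/ssl
```

With this layout, SSLCACertificateFile in the virtual host points at ca.crt and SSLVerifyDepth can drop to 1 (CA to leaf is one hop); SoapUI loads client.p12 (or a .jks made from it with the keytool command above). A quick check from a shell that has curl: curl --cacert ca.crt --cert-type P12 --cert client.p12:changeit https://ctw181361.informatica.com/agent/process-engine/services/HelloWorld?wsdl should return the WSDL, and the same request without --cert must fail the TLS handshake.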
Install/Configure Apache HTTP Server
To install Apache HTTP Server, follow the instructions provided by the installer or the Apache documentation.
Make sure the Apache server is up and running by opening http://localhost/ (or the port the installer chose) in a browser.
Make a copy of conf/httpd.conf somewhere outside the Apache directory so you can restore it if the changes listed below go wrong.
Once Apache HTTP Server is installed, change directory to its installation location, e.g. C:\Program Files (x86)\Apache Software Foundation\Apache2.4.
Edit conf/httpd.conf and uncomment the following modules:
LoadModule deflate_module modules/mod_deflate.so
LoadModule filter_module modules/mod_filter.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
The Substitute directives in the virtual hosts below also need mod_substitute, so uncomment it as well (without it Apache fails to start with "Invalid command 'Substitute'"):
LoadModule substitute_module modules/mod_substitute.so
Edit conf/httpd.conf and comment out the following module:
LoadModule env_module modules/mod_env.so
Add Virtual Hosts
Append the following to the end of httpd.conf, replacing each <...> placeholder with your own value (agent host name, certificate and key paths, and the InfaAgent.Port identified above).

Listen 443
<VirtualHost *:443>
    ServerName <your agent host name>
    # activate HTTPS on the reverse proxy
    SSLEngine On
    SSLCertificateFile <path to your server certificate>
    SSLCertificateKeyFile <path to your server private key>
    # activate client certificate authentication: clients must present a certificate
    # that chains to this file (in this note it is the same self-signed certificate)
    SSLCACertificateFile <path to the certificate client certificates must chain to>
    SSLVerifyDepth 10
    <Location /agent/process-engine>
        SSLVerifyClient require
        ProxyPass http://localhost:<InfaAgent.Port>/process-engine
        ProxyPassReverse http://localhost:<InfaAgent.Port>/process-engine
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName <your agent host name>
    SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE
    # Fix the service endpoints advertised in the WSDL so they point at the HTTPS proxy
    Substitute "s|http://localhost:([0-9]+)/|https://<your agent host name>/agent/|i"
    # Temporary workaround for catalog listings
    Substitute "s|../../../loc/catalog/project_-c-_/|../catalog/project_-c-_/|i"
    RewriteEngine On
    RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:<InfaAgent.Port>/process-engine/services/$1?wsdl [P]
    ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:<InfaAgent.Port>/process-engine/catalog/$1
    ProxyPassReverse /agent/process-engine http://localhost:<InfaAgent.Port>/process-engine
</VirtualHost>

Be clear about what each virtual host exposes. Only the /agent/process-engine location on port 443 requires a client certificate. The port 80 virtual host exists so that SoapUI can fetch the WSDL and catalog, but it serves them over plain HTTP to anyone who can reach the host, and its RewriteRule with the [P] flag proxies requests on the services path to the Process Server as well. If the proxy host is reachable from outside a trusted network, restrict the port 80 host (for example with Require ip) or remove it once the WSDL has been retrieved. Because SSLCACertificateFile here is the server's own self-signed certificate, the only client Apache will accept is one presenting that same certificate and key, i.e. the keystore.jks built above; for anything beyond a test, issue client certificates from a separate private CA and point SSLCACertificateFile at the CA certificate instead.
Example of a sample virtual host with the changes listed above (the certificate and key paths must point at the files created in the Generating Keys/Certificates step):

Listen 443
<VirtualHost *:443>
    ServerName ctw181361.informatica.com
    # activate HTTPS on the reverse proxy
    SSLEngine On
    SSLCertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
    SSLCertificateKeyFile C:\ssl\bin\ctw181361.informatica.com.key
    # activate the client certificate authentication
    SSLCACertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
    SSLVerifyDepth 10
    <Location /agent/process-engine>
        SSLVerifyClient require
        ProxyPass http://localhost:20186/process-engine
        ProxyPassReverse http://localhost:20186/process-engine
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName ctw181361.informatica.com
    SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE
    # Fix the service endpoints
    Substitute "s|http://localhost:([0-9]+)/|https://ctw181361.informatica.com/agent/|i"
    # Temporary workaround for catalog listings
    Substitute "s|../../../loc/catalog/project_-c-_/|../catalog/project_-c-_/|i"
    RewriteEngine On
    RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:20186/process-engine/services/$1?wsdl [P]
    ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:20186/process-engine/catalog/$1
    ProxyPassReverse /agent/process-engine http://localhost:20186/process-engine
</VirtualHost>
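The sample above is the working minimum. What follows is an added example, not configuration from the Informatica note: the same two virtual hosts with the settings a production deployment would tighten. It assumes a private CA (C:/ssl/ca.crt) that issued a separate client certificate with Common Name soapui-tester, a server certificate and key at C:/ssl/server.crt and C:/ssl/server.key, InfaAgent.Port 18152, and a developer network of 10.0.0.0/8; all of these are illustrative values to replace with your own.

```apache
Listen 443
<VirtualHost *:443>
    ServerName ctw181361.informatica.com

    SSLEngine on
    # Refuse SSLv3, TLS 1.0/1.1 and non-AEAD suites regardless of what the
    # distribution's httpd.conf would otherwise allow.
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on

    SSLCertificateFile    "C:/ssl/server.crt"
    SSLCertificateKeyFile "C:/ssl/server.key"

    # Trust anchor for client certificates: the private CA, not the server's own
    # certificate, so the client identity is a separate key that can be rotated.
    SSLCACertificateFile  "C:/ssl/ca.crt"
    # CA -> leaf is one hop; anything deeper is rejected.
    SSLVerifyDepth 1

    # Deny everything by default; only the proxied path below is opened up.
    <Location />
        Require all denied
    </Location>

    <Location /agent/process-engine>
        SSLVerifyClient require
        # Authorise one client identity rather than every certificate the CA ever issued.
        Require expr %{SSL_CLIENT_S_DN_CN} == "soapui-tester"
        ProxyPass        http://localhost:18152/process-engine
        ProxyPassReverse http://localhost:18152/process-engine
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName ctw181361.informatica.com
    SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE
    Substitute "s|http://localhost:([0-9]+)/|https://ctw181361.informatica.com/agent/|i"
    Substitute "s|../../../loc/catalog/project_-c-_/|../catalog/project_-c-_/|i"

    # This host serves WSDLs and the catalog in clear text with no client
    # certificate, so limit it to the developer network and to GET; the
    # original RewriteRule [P] would otherwise proxy POSTs to the services too.
    <Location />
        Require all denied
    </Location>
    <Location /agent/process-engine/services>
        Require ip 10.0.0.0/8
        <LimitExcept GET>
            Require all denied
        </LimitExcept>
    </Location>
    <Location /agent/process-engine/catalog>
        Require ip 10.0.0.0/8
    </Location>

    RewriteEngine On
    RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:18152/process-engine/services/$1?wsdl [P]
    ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:18152/process-engine/catalog/$1
    ProxyPassReverse /agent/process-engine http://localhost:18152/process-engine
</VirtualHost>
```

Two points about the design: Require directives in a later, more specific Location replace those of an earlier one, which is why the catch-all deny comes first and each opened path restates its own Require; and SSLVerifyClient inside a Location means Apache renegotiates to ask for the client certificate only on that path, exactly as in the original sample, so the rest of the port 443 host stays denied without ever prompting for a certificate.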
Verify the configuration
1. Restart the Apache server and make sure it shows the Running status in the Apache Monitor task-tray icon. If it does not, the httpd.conf changes are the most likely cause: run bin\httpd.exe -t from the Apache directory to have it report the offending line, then double check the changes listed above.
2. Create a simple SOAP orchestration project using Informatica Process Developer and deploy the service to the agent. Alternatively, create a Process Designer JSON service and use any HTTP client that supports certificate-based client authentication to verify your configuration.
3. If exposing a SOAP endpoint, install SoapUI (http://www.soapui.org/).
4. In SoapUI, open File > Preferences > SSL Settings:
i) provide the path to the .jks you created above;
ii) provide its password;
iii) enable the Client Authentication check box, then click OK.
5. Create a new SoapUI project and provide the URL https://<your agent host name>/agent/process-engine/services/<Service Name>?wsdl, for example https://ctw181361.informatica.com/agent/process-engine/services/HelloWorld?wsdl. This creates the bindings and operations from the WSDL.
6. Send a request to the operation; it should receive the expected response. To confirm that the client certificate is actually being enforced, clear the keystore from SSL Settings and repeat the request: Apache must now refuse the TLS handshake instead of returning the response.
Worldwide Headquarters, 2100 Seaport Blvd, Redwood City, CA 94063, USA. Phone: 650.385.5000, Fax: 650.385.5500, Toll-free in the US: 1.800.653.3871. informatica.com, linkedin.com/company/informatica, twitter.com/InformaticaCorp
© 2014 Informatica Corporation. All rights reserved. Informatica® and Put potential to work™ are trademarks or registered trademarks of Informatica Corporation in the United States and in jurisdictions throughout the world. All other company and product names may be trade names or trademarks.