
Installing Apache as an HTTP Proxy to the local port of the Secure Agent's Process Server

Technical Note


Overview

This document describes how, by installing an Apache HTTP Server and OpenSSL, you can expose the Informatica Secure Agent's Process Server SOAP, JSON and REST services. This is achieved by configuring an Apache HTTP server as a reverse proxy through which to access the Process Server, which is otherwise used only internally.

Secure Agent Configuration

The first step is to identify the Secure Agent's InfaAgent.Port, which is randomly selected from a range at installation time. Once configured, this port is recorded in the infaagent.ini file (usually located at {agent-install-directory}/main/infaagent.ini) as a line such as InfaAgent.Port=18152.

Software Requirements

This document shows how to configure Apache HTTP Server version 2.4 with self-signed client certificate authentication to access services running on a Secure Agent's process server.

Software needed:

ICS Org
 o must be licensed for use with the ICRT service
 o must have a secure agent correctly configured

ICS Secure Agent
 o must have the process-engine package installed
 o must have a process deployed to the agent process-engine

Apache HTTP Server 2.4 installed. Use the one from http://www.wampserver.com/en/ or https://www.apachelounge.com/download/ (for the latter you may have to install the VC11 redistributable).

openssl (http://slproweb.com/download/Win32OpenSSL_Light-1_0_1h.exe)


Generating Keys/Certificates

Pre-requisites:

Before you run any openssl command, do the following.

1. set OPENSSL_CONF=[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg

2. Identify your agent name by logging into your ICS Org.

In order to support HTTPS, Apache requires cryptographic material and X.509 server certificates. Apache expects its keys and certificates in PEM format. The following is a cookbook for creating that material; there are a number of other ways to do so, and this information is offered as an example. You need to use your agent's host name rather than the one used in the sample, "ctw181361.informatica.com".

Generate a Key and Self-Signed Certificate with OpenSSL

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw181361.informatica.com.key -out ctw181361.informatica.com.crt

Generate a PKCS#12 Keystore

openssl pkcs12 -export -in ctw181361.informatica.com.crt -inkey ctw181361.informatica.com.key > keystore.p12

Convert the PKCS#12 Keystore to a JKS Keystore

keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12

Log Output of the Above Set of Commands

C:\ssl>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ctw181361.informatica.com.key -out ctw181361.informatica.com.crt
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
....+++
...+++
writing new private key to 'ctw181361.informatica.com.key'
---
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CT
Locality Name (eg, city) []:Shelton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Informatica Corp
Organizational Unit Name (eg, section) []:Cloud Services
Common Name (e.g. server FQDN or YOUR name) []:ctw181361.informatica.com
Email Address []:xxxx@informatica.com

C:\ssl>ls -al
total 109
drwxrwxrwx 1 user group    0 Jun 3 23:55 .
drwxrwxrwx 1 user group    0 Jan 1  1980 ..
-rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw181361.informatica.com.crt
-rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw181361.informatica.com.key

C:\ssl>openssl pkcs12 -export -in ctw181361.informatica.com.crt -inkey ctw181361.informatica.com.key > keystore.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

C:\ssl>ls -al
total 112
drwxrwxrwx 1 user group    0 Jun 4 00:08 .
drwxrwxrwx 1 user group    0 Jan 1  1980 ..
-rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw181361.informatica.com.crt
-rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw181361.informatica.com.key
-rw-rw-rw- 1 user group 2677 Jun 4 00:08 keystore.p12

C:\ssl>keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

C:\ssl>ls -al
total 115
drwxrwxrwx 1 user group    0 Jun 4 00:10 .
drwxrwxrwx 1 user group    0 Jan 1  1980 ..
-rw-rw-rw- 1 user group 1513 Jun 3 23:55 ctw181361.informatica.com.crt
-rw-rw-rw- 1 user group 1704 Jun 3 23:55 ctw181361.informatica.com.key
-rw-rw-rw- 1 user group 2423 Jun 4 00:10 keystore.jks


Install/Configure Apache HTTP Server

To install Apache HTTP Server, follow the instructions provided by the installation application or the Apache documentation.

Make sure that the Apache server is up and running by browsing to the default port on which it was installed.

Make a copy of the httpd.conf file somewhere outside the actual Apache directory, so you have a copy of it before performing the changes listed below.

Once Apache HTTP Server is installed, change directory to its installation location, e.g. C:\Program Files (x86)\Apache Software Foundation\Apache2.4

Edit conf/httpd.conf and uncomment the following modules:

LoadModule deflate_module modules/mod_deflate.so
LoadModule filter_module modules/mod_filter.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so

The Substitute directives used in the virtual hosts below are provided by mod_substitute, so if the line LoadModule substitute_module modules/mod_substitute.so is commented out in your httpd.conf, uncomment it as well; otherwise Apache refuses to start with an "Invalid command 'Substitute'" error.


Edit conf/httpd.conf and comment out the following module:

LoadModule env_module modules/mod_env.so

Add Virtual Hosts

Append the following to the end of httpd.conf. Replace each placeholder in angle brackets with the path or value for your installation.

Listen 443
<VirtualHost *:443>
    ServerName <Provide your agent server name>

    # activate HTTPS on the reverse proxy
    SSLEngine On
    SSLCertificateFile <provide the path to your agent server certificate>
    SSLCertificateKeyFile <provide the path to your agent server key>

    # activate the client certificate authentication
    SSLCACertificateFile <provide the path to your agent client certificate>
    SSLVerifyDepth 10

    <Location /agent/process-engine>
        SSLVerifyClient require
        ProxyPass http://localhost:<provide the agent secure port>/process-engine
        ProxyPassReverse http://localhost:<provide the agent secure port>/process-engine
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName <Provide your agent server name>
    SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE

    # Fix the service endpoints
    Substitute "s|http://localhost:([0-9]+)/|https://<provide your agent server name>/agent/|i"

    # As a temporary workaround, makes catalog listings – this is a tempora
    Substitute "s|../../../loc/catalog/project_-c-_/|../catalog/project_-c-_/|i"

    RewriteEngine On
    RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:<provide the agent secure port>/process-engine/services/$1?wsdl [P]
    ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:<provide the agent secure port>/process-engine/catalog/$1
    ProxyPassReverse /agent/process-engine http://localhost:<provide the agent secure port>/process-engine
</VirtualHost>


Example of a sample virtual host with the changes listed above:

Listen 443
<VirtualHost *:443>
    ServerName ctw181361.informatica.com

    # activate HTTPS on the reverse proxy
    SSLEngine On
    SSLCertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
    SSLCertificateKeyFile C:\ssl\bin\ctw181361.informatica.com.key

    # activate the client certificate authentication
    SSLCACertificateFile C:\ssl\bin\ctw181361.informatica.com.crt
    SSLVerifyDepth 10

    <Location /agent/process-engine>
        SSLVerifyClient require
        ProxyPass http://localhost:20186/process-engine
        ProxyPassReverse http://localhost:20186/process-engine
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName ctw181361.informatica.com
    SetOutputFilter INFLATE;SUBSTITUTE;DEFLATE

    # Fix the service endpoints
    Substitute "s|http://localhost:([0-9]+)/|https://ctw181361.informatica.com/agent/|i"

    # As a temporary workaround, makes catalog listings – this is a tempora
    Substitute "s|../../../loc/catalog/project_-c-_/|../catalog/project_-c-_/|i"

    RewriteEngine On
    RewriteRule ^/agent/process-engine/services/(.*)$ http://localhost:20186/process-engine/services/$1?wsdl [P]
    ProxyPassMatch ^/agent/process-engine/catalog/(.*)$ http://localhost:20186/process-engine/catalog/$1
    ProxyPassReverse /agent/process-engine http://localhost:20186/process-engine
</VirtualHost>
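As an added example (not part of the original note), the following Python helper ties the Secure Agent Configuration and Add Virtual Hosts sections together: it reads InfaAgent.Port from infaagent.ini text, renders the :443 virtual host with the placeholders filled in, checks that the proxied Location still requires a client certificate, and shows what the note's Substitute rule does to a WSDL endpoint address. The infaagent.ini sample, the C:\ssl\bin paths and the function names are assumptions; only the InfaAgent.Port key and the directives come from the note.

```python
import re

# Constructed sample of infaagent.ini; only the InfaAgent.Port key is from the note.
SAMPLE_INFAAGENT_INI = "InfaAgent.Port=20186\nInfaAgent.Other=value\n"

# The :443 vhost from the note with {host}/{port}/{crt}/{key} placeholders.
VHOST_TEMPLATE = """Listen 443
<VirtualHost *:443>
    ServerName {host}
    SSLEngine On
    SSLCertificateFile {crt}
    SSLCertificateKeyFile {key}
    SSLCACertificateFile {crt}
    SSLVerifyDepth 10
    <Location /agent/process-engine>
        SSLVerifyClient require
        ProxyPass http://localhost:{port}/process-engine
        ProxyPassReverse http://localhost:{port}/process-engine
    </Location>
</VirtualHost>
"""

def read_agent_port(ini_text):
    """Return InfaAgent.Port from infaagent.ini contents; raise if missing or invalid."""
    m = re.search(r"^\s*InfaAgent\.Port\s*=\s*(\d+)\s*$", ini_text, re.M)
    if not m:
        raise ValueError("InfaAgent.Port not found in infaagent.ini")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("InfaAgent.Port out of range: %d" % port)
    return port

def render_vhost(host, port, crt, key):
    """Fill the placeholders of the :443 vhost template."""
    return VHOST_TEMPLATE.format(host=host, port=port, crt=crt, key=key)

def client_cert_required(conf):
    """True only if the proxied /agent/process-engine Location demands a client certificate."""
    loc = re.search(r"<Location /agent/process-engine>(.*?)</Location>", conf, re.S)
    if not loc:
        return False
    return re.search(r"^\s*SSLVerifyClient\s+require\s*$", loc.group(1), re.M) is not None

def rewrite_endpoints(body, host):
    """Apply the note's Substitute rule to a response body, as mod_substitute does server-side."""
    return re.sub(r"http://localhost:([0-9]+)/", "https://%s/agent/" % host, body, flags=re.I)
```

The check is deliberately limited to the :443 virtual host; the :80 virtual host in the note proxies the same paths without any SSLVerifyClient directive.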


Verify the configuration

1. Restart the Apache server and make sure that it is in the Running status as seen in the task tray. If it is not, that may be an indication that something is incorrect in the httpd.conf file. Double-check the changes listed above.

2. Create a simple SOAP orchestration project using the Informatica Process Developer and deploy the service to the agent. Alternatively, you can create a Process Designer JSON service and find a client that supports certificate-based authentication to verify your configuration.

3. If exposing a SOAP endpoint, install SoapUI (source: http://www.soapui.org/).

4. In SoapUI, go to File > Preferences > SSL Settings:
 i) Provide the path to the .jks that you created above.
 ii) Provide the password.
 iii) Enable the Client Authentication check box. Then click OK.

5. Create a new SoapUI project and provide the URL:
https://<Your agent server name>/agent/process-engine/services/<Service Name>?wsdl
Example: https://ctw181361.informatica.com/agent/process-engine/services/HelloWorld?wsdl
This creates the required bindings/operations.

6. Send a request to the operation; it should receive the expected response.

Worldwide Headquarters, 2100 Seaport Blvd, Redwood City, CA 94063, USA. Phone: 650.385.5000 Fax: 650.385.5500 Toll-free in the US: 1.800.653.3871 informatica.com linkedin.com/company/informatica twitter.com/InformaticaCorp
© 2014 Informatica Corporation. All rights reserved. Informatica® and Put potential to work™ are trademarks or registered trademarks of Informatica Corporation in the United States and in jurisdictions throughout the world. All other company and product names may be trade names or trademarks.
