r-Proxy installation

The OpenIAM Reverse Proxy (rProxy) is an Apache Web Server Plugin and requires the OpenIAM core platform to operate. The rProxy enhances security in the OpenIAM platform as well as enables SSO to web applications which do not support modern SSO standards such as SAML, oAuth 2 or OIDC.

While the RPM file provides the option to install the rProxy, the instructions below describe how to indepently install the OpenIAM rProxy. If you installed the rProxy as part of the primary RPM installation process, then you can skip this section

Note: If you are new to OpenIAM and are using the RPM installer, please use the default installer before attempting this more advanced configuration.

Install the rProxy module

First, install the Apache Web Server and mod_ssl:

sudo yum install httpd
sudo yum install mod_ssl

Install OpenIAM apache reverse proxy module:

sudo yum install mod_openiam-4.2.0-1.el7.x86_64.rpm

Configure the rProxy

Create configuration file for mod_openiam in /etc/httpd/conf.d

For example, if you don't use HTTPS, you can use this config: /usr/share/doc/mod_openiam-4.2.0.5/mod_openiam.conf:

####################################################
# OpenIAM apache configurations
#

# Loading OpenIAM apache module
LoadModule openiam_module         modules/mod_openiam.so

# Turn Off Proxy Requests. Only Reverse Proxying will be allowed

ProxyRequests off


<ifModule ssl_module>
    # Enable SSL Proxying just in case it will be used for reverse-proxying
    SSLProxyEngine on
</ifModule>


# OpenIAM ESB path

OPENIAM_ESBPath       http://localhost:9080

#LogLevel debug
LogLevel warn

<VirtualHost *:80>

#ServerName vm.openiamdemo.com:80

# Debug options. Turned off by default.
#OPENIAM_Verbose on
#OPENIAM_DebugPatterns on
#OPENIAM_DebugCookies on
#OPENIAM_DebugESB on
#OPENIAM_DebugCertAuth on
#OPENIAM_DumpRequests on
#OPENIAM_DumpRequestsBody  on
#OPENIAM_DumpResponses     on
#OPENIAM_AllowDumpHeaders  on
#OPENIAM_DumpNoAuth        off

ErrorLog logs/mod_openiam_error_log
TransferLog logs/mod_openiam_access_log


#OPENIAM_UseCurl on
#OPENIAM_RandomIV on

KeepAlive on

<Location />
    AuthType openiam
    AuthName "OpenIAM"
    Require valid-openiam-federation
    Require openiam-configure

    OPENIAM_DefaultUrl /selfservice/

    OPENIAM_CSPEnabled on
    OPENIAM_CORSAllowAll on
</Location>

# Begin Websockets support

<Location /idp/openiam-socket/>
    AuthType none
    AuthName "none"
    Require all granted

    ProxyPass ws://localhost:8080/idp/openiam-socket/
    ProxyPassReverse ws://localhost:8080/idp/openiam-socket/
    ProxyPreserveHost on
</Location>


<Location /idp/openiam-socket/info>
    AuthType openiam
    AuthName "OpenIAM"
    Require valid-openiam-federation

    OPENIAM_CSPEnabled on
    OPENIAM_CORSAllowAll off
</Location>

# End Websockets support

<Location /static>
    AuthType none
    AuthName "none"

    OPENIAM_CSPEnabled on
    OPENIAM_CORSAllowAll off
</Location>

<Location /server-status>
    SetHandler server-status
    AuthType none
    AuthName "none"
    Require local
</Location>

SetEnvIf Request_URI "^/server-status$" dontlog

#OPENIAM_Substitute "s|Original|Replacement|niq"

RewriteEngine On
RewriteRule ^/webconsole$      /webconsole/      [NC,R=302,L]
RewriteRule ^/selfservice$     /selfservice/     [NC,R=302,L]
RewriteRule ^/selfservice-ext$ /selfservice-ext/ [NC,R=302,L]


ErrorDocument 401 /openiam-ui-static/401
ErrorDocument 404 /openiam-ui-static/404

#Configure Host

OPENIAM_ConfigureHost /webconsole/setup
OPENIAM_ConfigureUrls /webconsole/setup/contentprovider
OPENIAM_ConfigureUrls /webconsole/challengeResponse

OPENIAM_FixRedirectForLang  off

OPENIAM_ConfigureBackend http://localhost:8080

OPENIAM_DefaultUrl /selfservice/

############ COMPRESSION CONFIG OPTIONS

<ifModule mod_deflate.c>

    #SetOutputFilter DEFLATE

    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml application/xhtml+xml application/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/rss+xml

    DeflateCompressionLevel 6

    <ifModule mod_setenvif.c>
        #Do not compress following file types
        SetEnvIfNoCase Request_URI \.(?:exe|dll|so)$                                        no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:iso|bin|raw)$                                       no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:sit)$                                               no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:t?gz|zip|tar|bz2|rar)$                              no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:png|jpe?g|gif|tif?f)$                               no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:flv|swf|mp3)$                                       no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:3gp|mp3|aa|aac|flac|m4a|ogg|voc|wav|wma|webm)$      no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:avi|mov|mkv|vob|ogv|gifv|mng|m?ts|qt|wmv|adf|amv)$  no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:mp4|m4p|mpe?g|mp2|mpe|mpv|m4v)$                     no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:woff2?|svg|ttf|otf|eot)$                            no-gzip dont-vary

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </ifModule>

</ifModule>

############ COMPRESSION CONFIG OPTIONS END

</VirtualHost>

If you want to use HTTPS, you can use this example config: /usr/share/doc/mod_openiam-4.2.0.5/mod_openiam_ssl.conf:

####################################################
# OpenIAM apache configurations
#

# Loading OpenIAM apache module
LoadModule openiam_module         modules/mod_openiam.so


# Turn Off Proxy Requests. Only Reverse Proxying will be allowed
ProxyRequests off

####################################################
# Default ssl configs from /etc/httpd/ssl.conf
#

#
# When we also provide SSL we have to listen to the.
# the HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism.
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the.
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly..
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

####################################################
# end of default ssl configs from /etc/httpd/ssl.conf
#

<ifModule ssl_module>
    # Enable SSL Proxying just in case it will be used for reverse-proxying
    SSLProxyEngine on
</ifModule>

# OpenIAM ESB path
OPENIAM_ESBPath       http://localhost:9080

#LogLevel debug
LogLevel warn

<VirtualHost *:443>

#ServerName vm.openiamdemo.com:80

# Debug options. Turned off by default.
#OPENIAM_Verbose on
#OPENIAM_DebugPatterns on
#OPENIAM_DebugCookies on
#OPENIAM_DebugESB on
#OPENIAM_DebugCertAuth on
#OPENIAM_DumpRequests on
#OPENIAM_DumpRequestsBody  on
#OPENIAM_DumpResponses     on
#OPENIAM_AllowDumpHeaders  on
#OPENIAM_DumpNoAuth        off

ErrorLog logs/mod_openiam_ssl_error_log
TransferLog logs/mod_openiam_ssl_access_log


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

#SSLCertificateFile /etc/pki/tls/certs/super_openiam_com.crt
#SSLCertificateKeyFile /etc/pki/tls/private/super_openiam_com.key
#SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#OPENIAM_UseCurl on
#OPENIAM_RandomIV on

KeepAlive on

<Location />
    AuthType openiam
    AuthName "OpenIAM"
    Require valid-openiam-federation
    Require openiam-configure

    OPENIAM_DefaultUrl /selfservice/

    OPENIAM_CSPEnabled on
    OPENIAM_CORSAllowAll on
</Location>

# Begin Websockets support

<Location /idp/openiam-socket/>
    AuthType none
    AuthName "none"
    Require all granted

    ProxyPass ws://localhost:8080/idp/openiam-socket/
    ProxyPassReverse ws://localhost:8080/idp/openiam-socket/
    ProxyPreserveHost on
</Location>


<Location /idp/openiam-socket/info>
    AuthType openiam
    AuthName "OpenIAM"
    Require valid-openiam-federation

    OPENIAM_CSPEnabled on
    OPENIAM_CORSAllowAll on
</Location>

# End Websockets support

<Location /static>
    AuthType none
    AuthName "none"

    OPENIAM_CSPEnabled on
    OPENIAM_CORSAllowAll on
</Location>


# Uncomment next 3 lines to redirect all users to Under Construction page
#RedirectMatch ^/$ /static/underconstruction
#RedirectMatch ^/idp/login /static/underconstruction
#RedirectMatch ^/selfservice/ /static/underconstruction
# end of Under Construction

<Location /server-status>
    SetHandler server-status
    AuthType none
    AuthName "none"
    Require local
</Location>

SetEnvIf Request_URI "^/server-status$" dontlog

RewriteEngine On
RewriteRule ^/webconsole$      /webconsole/      [NC,R=302,L]
RewriteRule ^/selfservice$     /selfservice/     [NC,R=302,L]
RewriteRule ^/selfservice-ext$ /selfservice-ext/ [NC,R=302,L]

ErrorDocument 401 /openiam-ui-static/401
ErrorDocument 404 /openiam-ui-static/404

#Configure Host

OPENIAM_ConfigureHost /webconsole/setup
OPENIAM_ConfigureUrls /webconsole/setup/contentprovider
OPENIAM_ConfigureUrls /webconsole/challengeResponse

OPENIAM_FixRedirectForLang  off

OPENIAM_ConfigureBackend http://localhost:8080

############ COMPRESSION CONFIG OPTIONS

<ifModule mod_deflate.c>

    #SetOutputFilter DEFLATE

    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml application/xhtml+xml application/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/rss+xml

    DeflateCompressionLevel 6

    <ifModule mod_setenvif.c>
        #Do not compress following file types
        SetEnvIfNoCase Request_URI \.(?:exe|dll|so)$                                        no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:iso|bin|raw)$                                       no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:sit)$                                               no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:t?gz|zip|tar|bz2|rar)$                              no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:png|jpe?g|gif|tif?f)$                               no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:flv|swf|mp3)$                                       no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:3gp|mp3|aa|aac|flac|m4a|ogg|voc|wav|wma|webm)$      no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:avi|mov|mkv|vob|ogv|gifv|mng|m?ts|qt|wmv|adf|amv)$  no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:mp4|m4p|mpe?g|mp2|mpe|mpv|m4v)$                     no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:woff2?|svg|ttf|otf|eot)$                            no-gzip dont-vary

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </ifModule>

</ifModule>

############ COMPRESSION CONFIG OPTIONS END

</VirtualHost>

If you have any conflicts with VirtualHost from mod_openiam_ssl.conf or if you don't need default VirtualHost from ssl.conf, edit ssl.conf and comment VirtualHost in it.

Note that examples of config files is a part of mod_openiam rpm and can be found after installation in /usr/share/doc/mod_openiam-4.2.0 directory

If ESB and UI not installed on the same server where apache r-proxy is installed, you need to change OPENIAM_ESBPath and OPENIAM_ConfigureBackend with urls to ESB and UI respectively.

If SELinux is installed, you need to run this command: to allow mod_openiam to call ESB

sudo setsebool -P httpd_can_network_connect 1

Now you can restart apache:

systemctl restart httpd

Make sure you have port 80 (or 443 for https) for http open. If not, you can use this firewalld rules:

sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --reload

sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --reload

If you see 'Service Not Available' error. Usually it is wrong configuration of OPENIAM_ESBPath, OPENIAM_ConfigureBackend or, if selinux is enabled on the server: forgot to run command: setsebool -P httpd_can_network_connect 1

Hit some url from OpenIAM, for example: http://localhost/webconsole/

On first hit, if no Content Provider configured in the OpenIAM, you will be redirected to /webconsole/setup It is page where you can configure Content Provider.

You need to fill fields on this page:

Name: you can use any unique name.

Domain Pattern: This field should be filled automatically. Different Content Providers use different Domain Names. You can't use the same Domain Pattern for different Content Providers. For example, for url like this: http://localhost/webconsole, Domain Pattern should be localhost
is SSL?: If you don't fill this field, newly created Content Provider can be used both for http and https. If you select one, you can use created Content Provider only for specified schema.
Application Servers: This field should be filled automatically. You need to fill server name where OpenIAM UI is installed. Usually if it is installed on the same server on port 8080, this value should be http://localhost:8080 Note that this value usually is identical to OPENIAM_ConfigureBackend from config file.

After you check all fields, click 'Save' button.

Wait approximatelly 5 minutes. After that you can use newly created Content Provider. This delay related to caching config options.

If httpd restarted successfully, you can check it in browser: hit http://localhost/webconsole If you already created Content Provider in steps above, you will be redirected to the login page: /idp/login, if not, you will be redirected to /webconsole/setup. Use it to configure Content Provider as described above.

Certificate key and file is default self signed certificates in this example:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

if you want to install your own certificates, you need to change this config options.

Note, that if you have SELinux enabled on the server, you can't put ssl certificates to any directory. Or you need to reconfigure SELinux. Easier is to put certificates and keys in the same locations where it should be by default. Use /etc/pki/tls/certs/ for certificates and /etc/pki/tls/private/ for private keys

If you want to keep only HTTPS and redirect all request to HTTP to HTTPS, create file named http_to_https.conf in /etc/httpd/conf.d with this content:


RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}

Restart apache:

systemctl restart httpd

Additional information about configuring the rProxy can be found at: rProxy SSO to Legacy Apps

Installation without Internet Access

Backup / recovery