r-Proxy installation
The OpenIAM Reverse Proxy (rProxy) is an Apache Web Server Plugin and requires the OpenIAM core platform to operate. The rProxy enhances security in the OpenIAM platform as well as enables SSO to web applications which do not support modern SSO standards such as SAML, oAuth 2 or OIDC.
While the RPM file provides the option to install the rProxy, the instructions below describe how to independently install the OpenIAM rProxy. If you installed the rProxy as part of the primary RPM installation process, then you can skip this section
Note: If you are new to OpenIAM and are using the RPM installer, please use the default installer before attempting this more advanced configuration.
Install the rProxy module
- First, install the Apache Web Server and mod_ssl:
sudo yum install httpdsudo yum install mod_ssl
- Install OpenIAM apache reverse proxy module:
sudo yum install mod_openiam-4.2.0-1.el7.x86_64.rpm
Configure the rProxy
Create configuration file for mod_openiam in /etc/httpd/conf.d
For example, if you don't use HTTPS, you can use this config: /usr/share/doc/mod_openiam-4.2.0.5/mod_openiam.conf
:
##################################################### OpenIAM apache configurations## Loading OpenIAM apache moduleLoadModule openiam_module modules/mod_openiam.so# Turn Off Proxy Requests. Only Reverse Proxying will be allowedProxyRequests off<ifModule ssl_module># Enable SSL Proxying just in case it will be used for reverse-proxyingSSLProxyEngine on</ifModule># OpenIAM ESB pathOPENIAM_ESBPath http://localhost:9080#LogLevel debugLogLevel warn<VirtualHost *:80>#ServerName vm.openiamdemo.com:80# Debug options. Turned off by default.#OPENIAM_Verbose on#OPENIAM_DebugPatterns on#OPENIAM_DebugCookies on#OPENIAM_DebugESB on#OPENIAM_DebugCertAuth on#OPENIAM_DumpRequests on#OPENIAM_DumpRequestsBody on#OPENIAM_DumpResponses on#OPENIAM_AllowDumpHeaders on#OPENIAM_DumpNoAuth offErrorLog logs/mod_openiam_error_logTransferLog logs/mod_openiam_access_log#OPENIAM_UseCurl on#OPENIAM_RandomIV onKeepAlive on<Location />AuthType openiamAuthName "OpenIAM"Require valid-openiam-federationRequire openiam-configureOPENIAM_DefaultUrl /selfservice/OPENIAM_CSPEnabled onOPENIAM_CORSAllowAll on</Location># Begin Websockets support<Location /idp/openiam-socket/>AuthType noneAuthName "none"Require all grantedProxyPass ws://localhost:8080/idp/openiam-socket/ProxyPassReverse ws://localhost:8080/idp/openiam-socket/ProxyPreserveHost on</Location><Location /idp/openiam-socket/info>AuthType openiamAuthName "OpenIAM"Require valid-openiam-federationOPENIAM_CSPEnabled onOPENIAM_CORSAllowAll off</Location># End Websockets support<Location /static>AuthType noneAuthName "none"OPENIAM_CSPEnabled onOPENIAM_CORSAllowAll off</Location><Location /server-status>SetHandler server-statusAuthType noneAuthName "none"Require local</Location>SetEnvIf Request_URI "^/server-status$" dontlog#OPENIAM_Substitute "s|Original|Replacement|niq"RewriteEngine OnRewriteRule ^/webconsole$ /webconsole/ [NC,R=302,L]RewriteRule ^/selfservice$ /selfservice/ [NC,R=302,L]RewriteRule ^/selfservice-ext$ /selfservice-ext/ [NC,R=302,L]ErrorDocument 401 /openiam-ui-static/401ErrorDocument 404 /openiam-ui-static/404#Configure HostOPENIAM_ConfigureHost /webconsole/setupOPENIAM_ConfigureUrls /webconsole/setup/contentproviderOPENIAM_ConfigureUrls /webconsole/challengeResponseOPENIAM_FixRedirectForLang offOPENIAM_ConfigureBackend http://localhost:8080OPENIAM_DefaultUrl /selfservice/############ COMPRESSION CONFIG OPTIONS<ifModule mod_deflate.c>#SetOutputFilter DEFLATEAddOutputFilterByType DEFLATE text/htmlAddOutputFilterByType DEFLATE text/plainAddOutputFilterByType DEFLATE text/xml application/xhtml+xml application/xmlAddOutputFilterByType DEFLATE text/cssAddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascriptAddOutputFilterByType DEFLATE application/jsonAddOutputFilterByType DEFLATE application/rss+xmlDeflateCompressionLevel 6<ifModule mod_setenvif.c>#Do not compress following file typesSetEnvIfNoCase Request_URI \.(?:exe|dll|so)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:iso|bin|raw)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:sit)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:t?gz|zip|tar|bz2|rar)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:png|jpe?g|gif|tif?f)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:flv|swf|mp3)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:3gp|mp3|aa|aac|flac|m4a|ogg|voc|wav|wma|webm)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:avi|mov|mkv|vob|ogv|gifv|mng|m?ts|qt|wmv|adf|amv)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:mp4|m4p|mpe?g|mp2|mpe|mpv|m4v)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:woff2?|svg|ttf|otf|eot)$ no-gzip dont-varyBrowserMatch ^Mozilla/4 gzip-only-text/htmlBrowserMatch ^Mozilla/4\.0[678] no-gzipBrowserMatch \bMSIE !no-gzip !gzip-only-text/html</ifModule></ifModule>############ COMPRESSION CONFIG OPTIONS END</VirtualHost>
If you want to use HTTPS, you can use this example config: /usr/share/doc/mod_openiam-4.2.0.5/mod_openiam_ssl.conf
:
##################################################### OpenIAM apache configurations## Loading OpenIAM apache moduleLoadModule openiam_module modules/mod_openiam.so# Turn Off Proxy Requests. Only Reverse Proxying will be allowedProxyRequests off##################################################### Default ssl configs from /etc/httpd/ssl.conf### When we also provide SSL we have to listen to the.# the HTTPS port in addition.#Listen 443 https#### SSL Global Context#### All SSL configuration in this context applies both to## the main server and all SSL-enabled virtual hosts.### Pass Phrase Dialog:# Configure the pass phrase gathering process.# The filtering dialog program (`builtin' is a internal# terminal dialog) has to provide the pass phrase on stdout.SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog# Inter-Process Session Cache:# Configure the SSL Session Cache: First the mechanism.# to use and second the expiring timeout (in seconds).SSLSessionCache shmcb:/run/httpd/sslcache(512000)SSLSessionCacheTimeout 300# Pseudo Random Number Generator (PRNG):# Configure one or more sources to seed the PRNG of the.# SSL library. The seed data should be of good random quality.# WARNING! On some platforms /dev/random blocks if not enough entropy# is available. This means you then cannot use the /dev/random device# because it would lead to very long connection times (as long as# it requires to make more entropy available). But usually those# platforms additionally provide a /dev/urandom device which doesn't# block. So, if available, use this one instead. Read the mod_ssl User# Manual for more details.SSLRandomSeed startup file:/dev/urandom 256SSLRandomSeed connect builtin#SSLRandomSeed startup file:/dev/random 512#SSLRandomSeed connect file:/dev/random 512#SSLRandomSeed connect file:/dev/urandom 512## Use "SSLCryptoDevice" to enable any supported hardware# accelerators. Use "openssl engine -v" to list supported# engine names. NOTE: If you enable an accelerator and the# server does not start, consult the error logs and ensure# your accelerator is functioning properly..#SSLCryptoDevice builtin#SSLCryptoDevice ubsec##################################################### end of default ssl configs from /etc/httpd/ssl.conf#<ifModule ssl_module># Enable SSL Proxying just in case it will be used for reverse-proxyingSSLProxyEngine on</ifModule># OpenIAM ESB pathOPENIAM_ESBPath http://localhost:9080#LogLevel debugLogLevel warn<VirtualHost *:443>#ServerName vm.openiamdemo.com:80# Debug options. Turned off by default.#OPENIAM_Verbose on#OPENIAM_DebugPatterns on#OPENIAM_DebugCookies on#OPENIAM_DebugESB on#OPENIAM_DebugCertAuth on#OPENIAM_DumpRequests on#OPENIAM_DumpRequestsBody on#OPENIAM_DumpResponses on#OPENIAM_AllowDumpHeaders on#OPENIAM_DumpNoAuth offErrorLog logs/mod_openiam_ssl_error_logTransferLog logs/mod_openiam_ssl_access_logSSLEngine onSSLProtocol all -SSLv2 -SSLv3SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5#SSLHonorCipherOrder on#SSLCertificateFile /etc/pki/tls/certs/super_openiam_com.crt#SSLCertificateKeyFile /etc/pki/tls/private/super_openiam_com.key#SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crtSSLCertificateFile /etc/pki/tls/certs/localhost.crtSSLCertificateKeyFile /etc/pki/tls/private/localhost.keySSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt#OPENIAM_UseCurl on#OPENIAM_RandomIV onKeepAlive on<Location />AuthType openiamAuthName "OpenIAM"Require valid-openiam-federationRequire openiam-configureOPENIAM_DefaultUrl /selfservice/OPENIAM_CSPEnabled onOPENIAM_CORSAllowAll on</Location># Begin Websockets support<Location /idp/openiam-socket/>AuthType noneAuthName "none"Require all grantedProxyPass ws://localhost:8080/idp/openiam-socket/ProxyPassReverse ws://localhost:8080/idp/openiam-socket/ProxyPreserveHost on</Location><Location /idp/openiam-socket/info>AuthType openiamAuthName "OpenIAM"Require valid-openiam-federationOPENIAM_CSPEnabled onOPENIAM_CORSAllowAll on</Location># End Websockets support<Location /static>AuthType noneAuthName "none"OPENIAM_CSPEnabled onOPENIAM_CORSAllowAll on</Location># Uncomment next 3 lines to redirect all users to Under Construction page#RedirectMatch ^/$ /static/underconstruction#RedirectMatch ^/idp/login /static/underconstruction#RedirectMatch ^/selfservice/ /static/underconstruction# end of Under Construction<Location /server-status>SetHandler server-statusAuthType noneAuthName "none"Require local</Location>SetEnvIf Request_URI "^/server-status$" dontlogRewriteEngine OnRewriteRule ^/webconsole$ /webconsole/ [NC,R=302,L]RewriteRule ^/selfservice$ /selfservice/ [NC,R=302,L]RewriteRule ^/selfservice-ext$ /selfservice-ext/ [NC,R=302,L]ErrorDocument 401 /openiam-ui-static/401ErrorDocument 404 /openiam-ui-static/404#Configure HostOPENIAM_ConfigureHost /webconsole/setupOPENIAM_ConfigureUrls /webconsole/setup/contentproviderOPENIAM_ConfigureUrls /webconsole/challengeResponseOPENIAM_FixRedirectForLang offOPENIAM_ConfigureBackend http://localhost:8080############ COMPRESSION CONFIG OPTIONS<ifModule mod_deflate.c>#SetOutputFilter DEFLATEAddOutputFilterByType DEFLATE text/htmlAddOutputFilterByType DEFLATE text/plainAddOutputFilterByType DEFLATE text/xml application/xhtml+xml application/xmlAddOutputFilterByType DEFLATE text/cssAddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascriptAddOutputFilterByType DEFLATE application/jsonAddOutputFilterByType DEFLATE application/rss+xmlDeflateCompressionLevel 6<ifModule mod_setenvif.c>#Do not compress following file typesSetEnvIfNoCase Request_URI \.(?:exe|dll|so)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:iso|bin|raw)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:sit)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:t?gz|zip|tar|bz2|rar)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:png|jpe?g|gif|tif?f)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:flv|swf|mp3)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:3gp|mp3|aa|aac|flac|m4a|ogg|voc|wav|wma|webm)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:avi|mov|mkv|vob|ogv|gifv|mng|m?ts|qt|wmv|adf|amv)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:mp4|m4p|mpe?g|mp2|mpe|mpv|m4v)$ no-gzip dont-varySetEnvIfNoCase Request_URI \.(?:woff2?|svg|ttf|otf|eot)$ no-gzip dont-varyBrowserMatch ^Mozilla/4 gzip-only-text/htmlBrowserMatch ^Mozilla/4\.0[678] no-gzipBrowserMatch \bMSIE !no-gzip !gzip-only-text/html</ifModule></ifModule>############ COMPRESSION CONFIG OPTIONS END</VirtualHost>
If you have any conflicts with VirtualHost from mod_openiam_ssl.conf or if you don't need default VirtualHost from ssl.conf
, edit ssl.conf
and comment VirtualHost in it.
Note that examples of config files is a part of mod_openiam rpm and can be found after installation in
/usr/share/doc/mod_openiam-4.2.0
directory
If ESB and UI not installed on the same server where apache r-proxy is installed, you need to change OPENIAM_ESBPath
and OPENIAM_ConfigureBackend
with urls to ESB and UI respectively.
If SELinux is installed, you need to run this command: to allow mod_openiam to call ESB
sudo setsebool -P httpd_can_network_connect 1
Now you can restart apache:
systemctl restart httpd
Make sure you have port 80 (or 443 for https) for http open. If not, you can use this firewalld rules:
sudo firewall-cmd --permanent --zone=public --add-port=80/tcpsudo firewall-cmd --zone=public --add-service=httpsudo firewall-cmd --reload
sudo firewall-cmd --permanent --zone=public --add-port=443/tcpsudo firewall-cmd --zone=public --add-service=httpssudo firewall-cmd --reload
If you see 'Service Not Available' error. Usually it is wrong configuration of OPENIAM_ESBPath
, OPENIAM_ConfigureBackend
or, if selinux is enabled on the server: forgot to run command:
setsebool -P httpd_can_network_connect 1
Hit some url from OpenIAM, for example: http://localhost/webconsole/
On first hit, if no Content Provider configured in the OpenIAM, you will be redirected to /webconsole/setup It is page where you can configure Content Provider.
You need to fill fields on this page:
Name: you can use any unique name.
Domain Pattern: This field should be filled automatically. Different Content Providers use different Domain Names. You can't use the same Domain Pattern for different Content Providers. For example, for url like this: http://localhost/webconsole, Domain Pattern should be localhost
is SSL?: If you don't fill this field, newly created Content Provider can be used both for http and https. If you select one, you can use created Content Provider only for specified schema.
Application Servers: This field should be filled automatically. You need to fill server name where OpenIAM UI is installed. Usually if it is installed on the same server on port 8080, this value should be http://localhost:8080 Note that this value usually is identical to
OPENIAM_ConfigureBackend
from config file.
After you check all fields, click 'Save' button.
Wait approximately 5 minutes. After that you can use newly created Content Provider. This delay related to caching config options.
If httpd restarted successfully, you can check it in browser: hit http://localhost/webconsole
If you already created Content Provider in steps above, you will be redirected to the
login page: /idp/login
, if not, you will be redirected to /webconsole/setup
. Use it to configure
Content Provider as described above.
Certificate key and file is default self signed certificates in this example:
SSLCertificateFile /etc/pki/tls/certs/localhost.crtSSLCertificateKeyFile /etc/pki/tls/private/localhost.key#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crtSSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
If you want to install your own certificates, you need to change this config options. More on configuring HTTPS can be found here.
Note, that if you have SELinux enabled on the server, you can't put ssl certificates to any directory.
Or you need to reconfigure SELinux. Easier is to put certificates and keys in the same locations where it should be by default. Use /etc/pki/tls/certs/
for certificates and /etc/pki/tls/private/
for private keys
- If you want to keep only HTTPS and redirect all request to HTTP to HTTPS, create file named
http_to_https.conf
in/etc/httpd/conf.d
with this content:
RewriteEngine OnRewriteCond %{HTTPS} offRewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
Restart apache:
systemctl restart httpd
Additional information about configuring the rProxy can be found at: rProxy SSO to Legacy Apps