r-Proxy installation

The OpenIAM Reverse Proxy (rProxy) is an Apache HTTP Server module and requires the OpenIAM core platform to operate. The rProxy places OpenIAM authentication and authorization in front of the web applications it proxies, and it provides SSO to web applications that do not support modern SSO standards such as SAML, OAuth 2 or OIDC.

While the RPM installer offers to install the rProxy, the instructions below describe how to install the OpenIAM rProxy independently. If you installed the rProxy as part of the primary RPM installation, you can skip this section.

Note: If you are new to OpenIAM and are using the RPM installer, please use the default installer before attempting this more advanced configuration.

Install the rProxy module

  1. First, install the Apache HTTP Server and mod_ssl:
sudo yum install httpd
sudo yum install mod_ssl
  2. Install the OpenIAM Apache reverse proxy module from its RPM (run the command in the directory that holds the file):
sudo yum install mod_openiam-4.2.0-1.el7.x86_64.rpm

Configure the rProxy

Create a configuration file for mod_openiam in /etc/httpd/conf.d.

For a plain-HTTP deployment you can start from the example shipped with the RPM, /usr/share/doc/mod_openiam-4.2.0.5/mod_openiam.conf:

####################################################
# OpenIAM apache configurations
#
# Loading OpenIAM apache module
LoadModule openiam_module modules/mod_openiam.so
# Turn Off Proxy Requests. Only Reverse Proxying will be allowed
ProxyRequests off
<ifModule ssl_module>
# Enable SSL Proxying just in case it will be used for reverse-proxying
SSLProxyEngine on
</ifModule>
# OpenIAM ESB path
OPENIAM_ESBPath http://localhost:9080
#LogLevel debug
LogLevel warn
<VirtualHost *:80>
#ServerName vm.openiamdemo.com:80
# Debug options. Turned off by default.
#OPENIAM_Verbose on
#OPENIAM_DebugPatterns on
#OPENIAM_DebugCookies on
#OPENIAM_DebugESB on
#OPENIAM_DebugCertAuth on
#OPENIAM_DumpRequests on
#OPENIAM_DumpRequestsBody on
#OPENIAM_DumpResponses on
#OPENIAM_AllowDumpHeaders on
#OPENIAM_DumpNoAuth off
ErrorLog logs/mod_openiam_error_log
TransferLog logs/mod_openiam_access_log
#OPENIAM_UseCurl on
#OPENIAM_RandomIV on
KeepAlive on
<Location />
AuthType openiam
AuthName "OpenIAM"
Require valid-openiam-federation
Require openiam-configure
OPENIAM_DefaultUrl /selfservice/
OPENIAM_CSPEnabled on
OPENIAM_CORSAllowAll on
</Location>
# Begin Websockets support
<Location /idp/openiam-socket/>
AuthType none
AuthName "none"
Require all granted
ProxyPass ws://localhost:8080/idp/openiam-socket/
ProxyPassReverse ws://localhost:8080/idp/openiam-socket/
ProxyPreserveHost on
</Location>
<Location /idp/openiam-socket/info>
AuthType openiam
AuthName "OpenIAM"
Require valid-openiam-federation
OPENIAM_CSPEnabled on
OPENIAM_CORSAllowAll off
</Location>
# End Websockets support
<Location /static>
AuthType none
AuthName "none"
OPENIAM_CSPEnabled on
OPENIAM_CORSAllowAll off
</Location>
<Location /server-status>
SetHandler server-status
AuthType none
AuthName "none"
Require local
</Location>
SetEnvIf Request_URI "^/server-status$" dontlog
#OPENIAM_Substitute "s|Original|Replacement|niq"
RewriteEngine On
RewriteRule ^/webconsole$ /webconsole/ [NC,R=302,L]
RewriteRule ^/selfservice$ /selfservice/ [NC,R=302,L]
RewriteRule ^/selfservice-ext$ /selfservice-ext/ [NC,R=302,L]
ErrorDocument 401 /openiam-ui-static/401
ErrorDocument 404 /openiam-ui-static/404
#Configure Host
OPENIAM_ConfigureHost /webconsole/setup
OPENIAM_ConfigureUrls /webconsole/setup/contentprovider
OPENIAM_ConfigureUrls /webconsole/challengeResponse
OPENIAM_FixRedirectForLang off
OPENIAM_ConfigureBackend http://localhost:8080
OPENIAM_DefaultUrl /selfservice/
############ COMPRESSION CONFIG OPTIONS
<ifModule mod_deflate.c>
#SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml application/xhtml+xml application/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/rss+xml
DeflateCompressionLevel 6
<ifModule mod_setenvif.c>
#Do not compress following file types
SetEnvIfNoCase Request_URI \.(?:exe|dll|so)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:iso|bin|raw)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:sit)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:t?gz|zip|tar|bz2|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:png|jpe?g|gif|tif?f)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:flv|swf|mp3)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:3gp|mp3|aa|aac|flac|m4a|ogg|voc|wav|wma|webm)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:avi|mov|mkv|vob|ogv|gifv|mng|m?ts|qt|wmv|adf|amv)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:mp4|m4p|mpe?g|mp2|mpe|mpv|m4v)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:woff2?|svg|ttf|otf|eot)$ no-gzip dont-vary
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</ifModule>
</ifModule>
############ COMPRESSION CONFIG OPTIONS END
</VirtualHost>

For HTTPS, start from the example /usr/share/doc/mod_openiam-4.2.0.5/mod_openiam_ssl.conf:

####################################################
# OpenIAM apache configurations
#
# Loading OpenIAM apache module
LoadModule openiam_module modules/mod_openiam.so
# Turn Off Proxy Requests. Only Reverse Proxying will be allowed
ProxyRequests off
####################################################
# Default ssl configs from /etc/httpd/ssl.conf
#
#
# When we also provide SSL we have to listen to the
# HTTPS port in addition.
#
Listen 443 https
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
####################################################
# end of default ssl configs from /etc/httpd/ssl.conf
#
<ifModule ssl_module>
# Enable SSL Proxying just in case it will be used for reverse-proxying
SSLProxyEngine on
</ifModule>
# OpenIAM ESB path
OPENIAM_ESBPath http://localhost:9080
#LogLevel debug
LogLevel warn
<VirtualHost *:443>
#ServerName vm.openiamdemo.com:443
# Debug options. Turned off by default.
#OPENIAM_Verbose on
#OPENIAM_DebugPatterns on
#OPENIAM_DebugCookies on
#OPENIAM_DebugESB on
#OPENIAM_DebugCertAuth on
#OPENIAM_DumpRequests on
#OPENIAM_DumpRequestsBody on
#OPENIAM_DumpResponses on
#OPENIAM_AllowDumpHeaders on
#OPENIAM_DumpNoAuth off
ErrorLog logs/mod_openiam_ssl_error_log
TransferLog logs/mod_openiam_ssl_access_log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
#SSLCertificateFile /etc/pki/tls/certs/super_openiam_com.crt
#SSLCertificateKeyFile /etc/pki/tls/private/super_openiam_com.key
#SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#OPENIAM_UseCurl on
#OPENIAM_RandomIV on
KeepAlive on
<Location />
AuthType openiam
AuthName "OpenIAM"
Require valid-openiam-federation
Require openiam-configure
OPENIAM_DefaultUrl /selfservice/
OPENIAM_CSPEnabled on
OPENIAM_CORSAllowAll on
</Location>
# Begin Websockets support
<Location /idp/openiam-socket/>
AuthType none
AuthName "none"
Require all granted
ProxyPass ws://localhost:8080/idp/openiam-socket/
ProxyPassReverse ws://localhost:8080/idp/openiam-socket/
ProxyPreserveHost on
</Location>
<Location /idp/openiam-socket/info>
AuthType openiam
AuthName "OpenIAM"
Require valid-openiam-federation
OPENIAM_CSPEnabled on
OPENIAM_CORSAllowAll on
</Location>
# End Websockets support
<Location /static>
AuthType none
AuthName "none"
OPENIAM_CSPEnabled on
OPENIAM_CORSAllowAll on
</Location>
# Uncomment next 3 lines to redirect all users to Under Construction page
#RedirectMatch ^/$ /static/underconstruction
#RedirectMatch ^/idp/login /static/underconstruction
#RedirectMatch ^/selfservice/ /static/underconstruction
# end of Under Construction
<Location /server-status>
SetHandler server-status
AuthType none
AuthName "none"
Require local
</Location>
SetEnvIf Request_URI "^/server-status$" dontlog
RewriteEngine On
RewriteRule ^/webconsole$ /webconsole/ [NC,R=302,L]
RewriteRule ^/selfservice$ /selfservice/ [NC,R=302,L]
RewriteRule ^/selfservice-ext$ /selfservice-ext/ [NC,R=302,L]
ErrorDocument 401 /openiam-ui-static/401
ErrorDocument 404 /openiam-ui-static/404
#Configure Host
OPENIAM_ConfigureHost /webconsole/setup
OPENIAM_ConfigureUrls /webconsole/setup/contentprovider
OPENIAM_ConfigureUrls /webconsole/challengeResponse
OPENIAM_FixRedirectForLang off
OPENIAM_ConfigureBackend http://localhost:8080
############ COMPRESSION CONFIG OPTIONS
<ifModule mod_deflate.c>
#SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml application/xhtml+xml application/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/rss+xml
DeflateCompressionLevel 6
<ifModule mod_setenvif.c>
#Do not compress following file types
SetEnvIfNoCase Request_URI \.(?:exe|dll|so)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:iso|bin|raw)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:sit)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:t?gz|zip|tar|bz2|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:png|jpe?g|gif|tif?f)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:flv|swf|mp3)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:3gp|mp3|aa|aac|flac|m4a|ogg|voc|wav|wma|webm)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:avi|mov|mkv|vob|ogv|gifv|mng|m?ts|qt|wmv|adf|amv)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:mp4|m4p|mpe?g|mp2|mpe|mpv|m4v)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:woff2?|svg|ttf|otf|eot)$ no-gzip dont-vary
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</ifModule>
</ifModule>
############ COMPRESSION CONFIG OPTIONS END
</VirtualHost>

If the VirtualHost in mod_openiam_ssl.conf conflicts with the default VirtualHost in /etc/httpd/conf.d/ssl.conf, or you do not need that default host, comment out the VirtualHost block in ssl.conf. Keep the OPENIAM_Debug* and OPENIAM_Dump* options commented out on production hosts: they exist to write request, response and cookie details to the logs for troubleshooting. Note also that the shipped SSLCipherSuite still accepts RC4-SHA and MEDIUM-strength ciphers, and that SSLProtocol all -SSLv2 -SSLv3 leaves TLS 1.0 and 1.1 enabled; restrict both to TLS 1.2 or later with AEAD cipher suites before exposing the host (RC4 is prohibited by RFC 7465, TLS 1.0 and 1.1 are deprecated by RFC 8996).

Example config files ship with the mod_openiam RPM and can be found after installation under /usr/share/doc/mod_openiam-4.2.0 (the directory name carries the installed package version).

If the ESB and the UI are not installed on the same server as the Apache rProxy, change OPENIAM_ESBPath and OPENIAM_ConfigureBackend to the URLs of the ESB and the UI respectively. The example values are plain http://localhost URLs; when these connections cross a network, point them at HTTPS endpoints (SSLProxyEngine on is already set for that purpose) or keep them on a network segment that untrusted hosts cannot reach.

If SELinux is enforcing, allow httpd to make outbound network connections, otherwise mod_openiam cannot reach the ESB:

sudo setsebool -P httpd_can_network_connect 1

Now you can restart apache:

systemctl restart httpd

Make sure port 80 (or 443 for HTTPS) is open, and open only the ports you actually serve. With firewalld, add the services permanently and then reload; a reload discards changes that were made without --permanent:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

If you see a 'Service Not Available' error, the cause is usually a wrong OPENIAM_ESBPath or OPENIAM_ConfigureBackend or, on a server with SELinux enforcing, a missing setsebool -P httpd_can_network_connect 1. The file named by ErrorLog in the VirtualHost records the failing backend connection.
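The script below is added here as a worked example; it is not part of the OpenIAM package or documentation. It checks the three causes just listed before you restart httpd (each backend URL is read from the config and fetched, and the SELinux boolean is queried), runs the Apache syntax check, and also flags an SSL host that still carries the shipped RC4/TLS 1.0 defaults. Only the directive and file names used on this page are assumed; the script name openiam-preflight.sh is an arbitrary choice, and it should run as root so httpd -t can read the key files.

```shell
#!/bin/sh
# Added example for this page, not part of the OpenIAM package or docs:
# pre-flight checks for the causes of 'Service Not Available' listed above
# (wrong OPENIAM_ESBPath / OPENIAM_ConfigureBackend, SELinux boolean off),
# plus a check that an SSL host does not keep the shipped RC4/TLS 1.0 settings.
# Usage: sudo sh openiam-preflight.sh /etc/httpd/conf.d/mod_openiam_ssl.conf [more .conf files]

# Print the value of the first uncommented occurrence of directive $2 in file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Succeed if the backend answers an HTTP request at all (any status code).
# A 404 from Tomcat still proves the proxy can reach it; a refused connection,
# DNS failure or timeout is what turns into the error on the proxy side.
backend_reachable() {
    curl -sS -o /dev/null --max-time 5 "$1" 2>/dev/null
}

# Succeed if SELinux tooling is absent or httpd_can_network_connect is on.
selinux_allows_httpd_network() {
    command -v getsebool >/dev/null 2>&1 || return 0
    getsebool httpd_can_network_connect 2>/dev/null | grep -q -- '--> on'
}

# Succeed if file $1 is not an SSL host, or if its SSLCipherSuite has no
# RC4/DES/MEDIUM/LOW/EXPORT/NULL entries and SSLProtocol disables TLS 1.0/1.1.
# The shipped mod_openiam_ssl.conf fails on both counts.
tls_settings_ok() {
    grep -qi '^[[:space:]]*SSLEngine[[:space:]]*on' "$1" || return 0
    weak=0
    ciphers=$(conf_value "$1" SSLCipherSuite)
    for token in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$token" in
            "!"*) ;;                                          # exclusions are fine
            *RC4*|*DES*|MEDIUM|LOW|EXPORT*|*NULL*) weak=1 ;;   # weak or broken
        esac
    done
    protocols=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | head -n 1)
    case " $protocols " in
        *"-TLSv1 "*"-TLSv1.1"*|*"-TLSv1.1"*"-TLSv1 "*) ;;    # all -SSLv3 -TLSv1 -TLSv1.1
        *"+TLSv1 "*|*"+TLSv1.1"*) weak=1 ;;                   # old versions explicitly on
        *"+TLSv1.2"*|*"+TLSv1.3"*) ;;                         # allow-list: -all +TLSv1.2 ...
        *) weak=1 ;;                                          # e.g. "all -SSLv2 -SSLv3"
    esac
    return $weak
}

main() {
    rc=0
    for conf in "$@"; do
        for directive in OPENIAM_ESBPath OPENIAM_ConfigureBackend; do
            url=$(conf_value "$conf" "$directive")
            if [ -z "$url" ]; then
                echo "WARN $conf: $directive is not set"; rc=1
            elif backend_reachable "$url"; then
                echo "ok   $directive=$url is reachable"
            else
                echo "FAIL $directive=$url is not reachable from this host"; rc=1
            fi
        done
        tls_settings_ok "$conf" || { echo "WARN $conf: SSLCipherSuite/SSLProtocol still allow RC4, MEDIUM ciphers or TLS 1.0/1.1"; rc=1; }
    done
    selinux_allows_httpd_network || { echo "FAIL SELinux: run 'sudo setsebool -P httpd_can_network_connect 1'"; rc=1; }
    if command -v httpd >/dev/null 2>&1; then
        httpd -t 2>&1 || rc=1        # same syntax check as 'apachectl configtest'
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit means at least one check failed; the messages say which. Run it on the proxy host itself, because reachability of localhost:9080 and localhost:8080 from another machine proves nothing about what httpd can connect to.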

Now request an OpenIAM URL through the proxy, for example http://localhost/webconsole/.

On the first request, if no Content Provider is configured in OpenIAM yet, you are redirected to /webconsole/setup, the page where the Content Provider is configured.

Fill in the fields on this page:

  • Name: any unique name.

  • Domain Pattern: filled in automatically. Content Providers are selected by domain name, and two Content Providers cannot share the same Domain Pattern. For a URL such as http://localhost/webconsole the Domain Pattern is localhost.

  • is SSL?: if left unset, the new Content Provider serves both http and https; if you select a value, it serves only that scheme.

  • Application Servers: filled in automatically. This is the address of the server where the OpenIAM UI is installed; when the UI runs on the same host on port 8080 the value is http://localhost:8080. It normally matches OPENIAM_ConfigureBackend in the config file.

After checking all fields, click 'Save'.

Wait approximately 5 minutes before using the new Content Provider; the delay comes from caching of configuration options.

Once httpd has restarted successfully, check it in a browser by opening http://localhost/webconsole. If you already created a Content Provider in the steps above, you are redirected to the login page /idp/login; if not, you are redirected to /webconsole/setup, where you configure the Content Provider as described above.

The certificate and key in the example are the self-signed pair that the mod_ssl package generates at install time:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

To install your own certificate, change these directives (SSLCertificateChainFile holds the intermediate chain; from httpd 2.4.8 the chain may instead be appended to SSLCertificateFile). More on configuring HTTPS can be found in the mod_ssl documentation.

Note that with SELinux enabled, httpd can only read certificates and keys from directories that carry the right file context, so you cannot put them in an arbitrary directory without relabelling. The easier option is to keep them where they belong by default: /etc/pki/tls/certs/ for certificates and /etc/pki/tls/private/ for private keys. After copying files there, run restorecon -Rv /etc/pki/tls so they receive the cert_t context, and keep the private key readable by root only.

To serve HTTPS only and redirect every HTTP request to HTTPS, remove the port-80 VirtualHost (mod_openiam.conf) and create a file named http_to_https.conf in /etc/httpd/conf.d with this content:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

These directives sit in the main server context. mod_rewrite does not apply server-context rules inside a VirtualHost unless that host sets RewriteOptions Inherit, so the redirect only takes effect for requests that no port-80 VirtualHost handles. R=301 makes the redirect permanent and L stops further rewriting.

Restart apache:

systemctl restart httpd
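The configuration below is an added example, not a file shipped by OpenIAM: a complete HTTPS-only layout with a redirect-only port-80 host and the TLS directives to substitute inside the <VirtualHost *:443> of mod_openiam_ssl.conf. It assumes mod_openiam.conf (the port-80 VirtualHost) has been removed and that mod_openiam_ssl.conf keeps all OPENIAM_* directives and the SSLCertificate* lines unchanged. The protocol and cipher choices are the editor's hardening assumptions rather than OpenIAM defaults; the Header directive needs mod_headers, which the stock httpd package loads.

```apache
# Added example for this page, not a file shipped by OpenIAM. Assumes
# mod_openiam.conf (the <VirtualHost *:80> block) has been removed and that
# mod_openiam_ssl.conf keeps the <VirtualHost *:443> with the OpenIAM
# directives and SSLCertificate* lines.

# --- /etc/httpd/conf.d/http_to_https.conf ---------------------------------
<VirtualHost *:80>
    # Answer every plain-HTTP request with a permanent redirect to the same
    # host and path on HTTPS; nothing is proxied or authenticated here.
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    ErrorLog logs/http_to_https_error_log
</VirtualHost>

# --- inside <VirtualHost *:443> in mod_openiam_ssl.conf -------------------
# Replaces "SSLProtocol all -SSLv2 -SSLv3" and the RC4-SHA:...:MEDIUM suite.
SSLEngine on
# TLS 1.2 only (plus 1.3 where httpd and OpenSSL support it). RC4 is
# prohibited by RFC 7465; TLS 1.0 and 1.1 are deprecated by RFC 8996.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Forward-secret AEAD suites only. The CHACHA20 entries are ignored by an
# OpenSSL that lacks them (1.0.2 on EL7), which is harmless.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLCompression off
# Tell browsers to use HTTPS only, for one year (mod_headers). Enable this
# only once the redirect above is live and every hostname has a valid
# certificate; the self-signed localhost.crt will not satisfy browsers.
Header always set Strict-Transport-Security "max-age=31536000"
```

After applying both parts, run apachectl configtest before restarting httpd, then confirm from a client that http://host/webconsole/ answers 301 with a Location header on https:// and that the TLS handshake no longer offers RC4 or TLS 1.0 (for example with openssl s_client -tls1 against port 443, which must fail).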

Additional information about configuring the rProxy can be found at: rProxy SSO to Legacy Apps