Configuring SSL - Deprecated

This page is only relevant for customers using the old method of configuring SSL. Customers configuring SSL for the first time should use the new method described in Support for SSL.

Configuring All SFX Instances

In order to configure an SFX instance so that SFX and SFXAdmin are accessible using HTTPS, Apache+SSL for SFX version 4 must be configured with Apache 2.0.52.

To configure all SFX instances:

Log on as an instance user.
Configure the virtual host for the HTTP server by editing the following file:

/exlibris/sfx_ver/sfx4_1/<instance> /config/httpd.conf

Load the SSL module by removing the comment sign (#) from the following lines:

#Include /exlibris/sfx_ver/sfx4_1/<instance> /config/ssl.config

Before this section, add the following line:

LoadModule ssl_module /exlibris/sfx_ver/sfx4_1/app/apache/modules/mod_ssl.so

You must list the full path of ssl.config.

HTTPS and HTTP should have different log files. To create different log files, create a virtual host configuration. Locate the following text:

Include /exlibris/sfx_ver/sfx4_1/<instance> /config/local_httpd.conf

Add the following lines before it:

#ServerAdmin webmaster@dummy-host.example.com

#DocumentRoot /www/docs/dummy-host.example.com

ServerName _default_:INSTANCE_PORT_NUMBER

ErrorLog /exlibris/sfx_ver/sfx4_1/<instance> /logs/apache/error_log

CustomLog /exlibris/sfx_ver/sfx4_1/<instance> /logs/apache/access_log common

</VirtualHost>

INSTANCE_PORT_NUMBER is the same port that you already have for this instance. (If you do not remember the port number, use the listen port number from the configuration file.)

Verify that there are no additional VirtualHost sections in the file.

Configuring the Virtual Host for HTTPS

To set up an HTTPS virtual host, an SSL certificate and key is required. There are two possible ways to obtain the certificate and key:

A site certificate can be obtained through a UW/IST Certificate Authority. This is recommended for a production environment.
You can generate your own certificate for testing purposes.

To generate the SSL certificate and key:

Create a subdirectory for the certificate and key:

cd /exlibris/sfx_ver/sfx4_1/<instance> /config

mkdir keys

cd keys

Create an RSA private key:

openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024

Remember your pass-phrase for future use.

Remove the pass-phrase from the key:

openssl rsa -in server.key -out server.pem

Generate the CSR:

openssl req -new -key server.key -out server.csr

Enter the server host name in the Common Name field.
Generate a self-signed certificate:

openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt -set_serial XX

Replace the XX in the command with any random two-digit number. This is the certificate serial number and it should be unique among your instances.

For more information on how to generate a key and CSR, see http://slacksite.com/apache/certificate.html.

For security reasons (not obligatory), the owner of the directory keys and the files located inside should be the root user:

su -

cd /exlibris/sfx_ver/sfx4_1/<instance> /config/keys

chown root:root *

chmod 775 *

cd ..

chown root:root keys

HTTP and HTTPS cannot share the same port.
Each instance should have its own certificate and key.

After you have obtained an SSL certificate and key, you can configure the virtual host for SSL.

To configure the virtual host for SSL:

Copy the sample file listed in the config directory of your instance:

cp config/ssl.config.sample config/ssl.config

Edit the file /ssl.config content by replacing the following placeholders with their actual values:

INSTANCE_SSL_PORT_NUMBER – Replace this placeholder with the desired port number for SSL communication for the instance. (Note the default port number for SSL is 443, which can be used only by the root user.)
SERVER_HOST_NAME – Replace this placeholder with the server host name. The value is the same for all instances.
INSTANCE – Replace this placeholder with the instance name.

Configuring the Reverse Proxy Server

Before you can configure the reverse proxy server to support SSL, you must:

Create the configuration file reverse_proxy_ssl.config
Generate an SSL certificate and key

To create reverse_proxy_ssl.config:

Log on as the sfxglb41 user and type the following:

cp reverse_proxy_httpd.config__ reverse_proxy_httpd_ssl.config__

All the instances use the same reverse proxy configuration file.
Use a text editor to edit reverse_proxy_httpd_ssl.config_.

Before the following line:

ProxyPass /sfxadmin/sfxglb41 http://localhost:3101/sfxadmin/sfxglb41

add:

SSLProxyEngine on

For instances that works with SSL, there is a section with 13 lines with the name of the instance in the line. Change each line as follows:

Replace http with https.
Change the port to the SSL port of the instance.

The following is an example of the text before the changes:

ProxyPassReverse /sfxadmin/sfxlcl41

http://localhost:80/sfxadmin/sfxlcl41

The following is an example of the line after the changes – http has been changed to https, and port 80 has been changed to 90:

ProxyPassReverse /sfxadmin/sfxlcl41

http://localhost:90/sfxadmin/sfxlcl41

To generate an SSL certificate and key:

Log on as the sfxglb41 user.
Create a subdirectory for the certificate and key:

cd /exlibris/sfx_ver/sfx4_1/app/apache/conf

mkdir keys

cd keys

Create an RSA private key:

openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024

Be sure to remember your pass-phrase for future use.

Remove the pass-phrase from the key:

openssl rsa -in server.key -out server.pem

Generate the CSR.

openssl req -new -key server.key -out server.csr

Enter the server host name in the Common Name field.

Generate a self-signed certificate.

openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt -set_serial XX

Replace the XX in the command with any random serial number made of two digits. This is the certificate serial number and it should be unique among your instances.
For security reasons (not obligatory), the owner of the directory keys and the files located inside should be the root user:

su -

cd /exlibris/sfx_ver/sfx4_1/app/apache/conf/keys

chown root:root *

chmod 775 *

cd ..

chown root:root keys

After you have created reverse_proxy_ssl.config and obtained an SSL certificate and key, you can configure the reverse proxy server.

To configure the reverse proxy server:

Configure the virtual host for HTTP by adding the following lines at the end of /exlibris/sfx_ver/sfx4_1/proxy/conf/httpd.conf:

ServerAdmin webmaster@dummy-host.example.com

DocumentRoot /www/docs/dummy-host.example.com

ServerName default:PROXY_HTTP_PORT

ErrorLog /exlibris/sfx_ver/sfx4_1/proxy/logs/

error_log

CustomLog /exlibris/sfx_ver/sfx4_1/proxy/logs/

access_log common

ProxyRequests Off

Order deny,allow

Allow from all

</Proxy>

RewriteEngine on

Include /exlibris/sfx_ver/sfx4_1/sfxglb41/config/

reverse_proxy_httpd.config__

</VirtualHost>

In the previous example, PROXY_HTTP_PORT is the port number for accessing the HTTP proxy server (for example, 3020).

The include line for the reverse_proxy_httpd.config file has to go inside the VirtualHost section.

Add SSL support by adding the following lines at the end of/exlibris/sfx_ver/sfx4_1/proxy/conf/httpd.conf

Include /exlibris/sfx_ver/sfx4_1/app/apache/conf/ssl.config

</IfModule>

Configure SSL Enabled Virtual Hosts.
Copy the sample file located in the config directory of the sfxglb41 instance:

cp /exlibris/sfx_ver/sfx4_1/sfxglb41/config/proxy_ssl.config.sample /exlibris/sfx_ver/sfx4_1/app/apache/conf/ssl.config

Edit the new file content by replacing the following placeholders with their proper values:

PROXY_HTTPS_PORT – Replace this placeholder with the desired port value (for example, 3050).
SERVER_HOST_NAME – Replace this placeholder with the server host name. This value is the same for all instances.