  • Latest Post - ‏2011-12-17T14:54:48Z by SystemAdmin
SystemAdmin
102 Posts

Pinned topic Settings required to make a web server route requests to ODR

‏2011-12-10T10:47:19Z |
Hi,

I have created a dynamic cluster in a WVE environment.
I have a web server (IHS) which routes requests to my cluster members.
I introduced an ODR, ODR1, in this topology and have made sure to add the web server name to the ODR's "Trusted security proxies". I have also identified the plugin-cfg.xml that gets generated (within the profileHOME/etc folder) when the ODR is started/stopped.

What other configuration setting is required to start routing requests from the web server to the ODR on their way to being processed at the application server? Also, how do I confirm the ODR is working?

I had tried replacing the web server's plugin-cfg.xml with the plugin-cfg.xml generated by the ODR.
But the "Repository copy of Web server plug-in files", which can be viewed from the admin console, still refers to the older plugin-cfg.xml.
Changing the path of plugin-cfg.xml in httpd.conf to refer to the ODR-generated file also did not help.

Regards,
Paresh
Updated on 2011-12-17T14:54:48Z at 2011-12-17T14:54:48Z by SystemAdmin
  • ambati
    13 Posts

    Re: Settings required to make a web server route requests to ODR

    ‏2011-12-10T15:06:37Z  
    If you are not using SSL between IHS and ODR, that should do it. You can check if you see entries for requests processed by the ODR in proxy.log of the ODR. You will see any errors (500 and 503s) in the local.log. You can check both these logs to understand how requests are being processed by the ODR.
  • SystemAdmin
    102 Posts

    Re: Settings required to make a web server route requests to ODR

    ‏2011-12-15T06:17:36Z  
    Hi Ambati,

    Thank you for your assistance. As you mentioned, it was as simple as that.
    I am puzzled why it was failing earlier.
    I was able to confirm it is working by observing the entries in 'proxy.log' and 'local.log'.

    Also, kindly let me know:
    when SSL is involved, what other configuration settings will be needed to ensure communication between the ODR and the web server?
  • SystemAdmin
    102 Posts

    Re: Settings required to make a web server route requests to ODR

    ‏2011-12-15T13:09:13Z  
    You will have to export the default certificate from the NodeDefaultTrustStore of the ODR's node and add it to the plugin-key.kdb file using the IKeyman utility.

    You will have to create the plugin-key.kdb file if it has not already been created, and make sure plugin-cfg.xml has the correct path to this kdb file.

    In case of multiple ODRs, the certificate from CellDefaultTrustStore will also work.

    Thanks,

    Kashif
  • ambati
    13 Posts

    Re: Settings required to make a web server route requests to ODR

    ‏2011-12-15T19:35:28Z  
    1) on HTTP Server: ikeyman new -> CMS database type
    stash password to file (creates the .sth)

    2) run the following command (from any linux box)
    openssl s_client -connect ODR_SERVER_HOSTNAME:443 -showcerts
    copy the section starting at:
    -----BEGIN CERTIFICATE-----
    adslkjfasdjfaslkjdsdjsdaf
    asldkjflsajfdlakjdsflkjsa
    saldflsajfdlaskjdflksajdf
    aldsfkjalskjdflakjdsflkjf
    asldjfalsjfdlaskjdfaslkjf
    -----END CERTIFICATE-----

    Make sure there are no extra blank lines after the END CERTIFICATE line. Put this in a file called root1.cer (for example).

    3) Open the previously created key database, select "signer certificates" from the drop-down, and add the file that you created in the previous step (root1.cer)

    4) Do steps 2 & 3 for every ODR in your environment

    5) Copy the keyfile.kdb and keyfile.sth to the directory that's linked to in the plugin-cfg.xml

    6) In the httpd.conf file, add the following to the bottom of the file:
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    <VirtualHost *:443>
    ServerName ODR_SERVER_HOSTNAME:443
    SSLEnable
    </VirtualHost>
    SSLDisable
    KeyFile /opt/install/keys/keyfile.kdb
    SSLStashFile /opt/install/keys/keyfile.sth
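
Step 2 of the post above, scripted (an added example, not part of the original thread): the hypothetical helper `extract_certs` writes each certificate in the chain that `openssl s_client -showcerts` prints to its own file, ending exactly at the END CERTIFICATE line. A certificate fetched this way is only as trustworthy as the connection it came over, so compare its fingerprint with the certificate exported from the ODR's trust store before adding it as a signer.

```shell
#!/bin/sh
# Added example: split the PEM blocks of `openssl s_client -showcerts` output.
# extract_certs OUTDIR (hypothetical helper): reads s_client output on stdin,
# writes root1.cer, root2.cer, ... and prints how many certificates it wrote.
extract_certs() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^Server certificate/         { exit }  # leaf is repeated after this line
        /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/root" n ".cer"; incert = 1 }
        incert { sub(/\r$/, ""); sub(/^[ \t]+/, ""); print > file }
        /-----END CERTIFICATE-----/   { incert = 0; close(file) }
        END { print n + 0 }
    '
}

# Constructed stand-in for s_client output; the bodies are not real certificates.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = odr1.example.test
   i:CN = example-signer
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERBODY01
CONSTRUCTEDPLACEHOLDERBODY02
-----END CERTIFICATE-----
 1 s:CN = example-signer
   i:CN = example-signer
  -----BEGIN CERTIFICATE-----
  CONSTRUCTEDPLACEHOLDERBODY03
  -----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERBODY01
CONSTRUCTEDPLACEHOLDERBODY02
-----END CERTIFICATE-----
EOF
}

# Offline demo on the constructed sample.
demo_dir=$(mktemp -d)
sample_s_client_output | extract_certs "$demo_dir"
rm -rf "$demo_dir"
# Against a live ODR (placeholder hostname from the post):
#   openssl s_client -connect ODR_SERVER_HOSTNAME:443 -showcerts </dev/null 2>/dev/null | extract_certs ./certs
#   openssl x509 -in ./certs/root1.cer -noout -subject -issuer -fingerprint -sha256
```
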
  • SystemAdmin
    102 Posts

    Re: Settings required to make a web server route requests to ODR

    ‏2011-12-17T14:54:48Z  
    Thanks Kashif and Ambati, I will try to make the suggested changes and implement SSL-based communication.

    Regards,
    Paresh