Next-generation platform

Configuring reverse proxy with NGINX

With IBM® Sterling Order Management System (Next-generation), devices are required to use mTLS when communicating with servers. To use mTLS during communication, the devices must be configured with a client certificate that is generated by using the Sterling Order Management System Self Service.

Client certificates strengthen communication security, but they also increase the cost of certificate management. How much depends on the device management infrastructure that you use. The following options reduce that impact:
  • Use a unique client certificate per device. This has the highest management cost, but individual devices can be blocked from accessing the service by revoking their certificates.
  • Group similar devices and install one certificate per group; for example, every device in one store can share a single client certificate. Groups can be of any size and should be defined by your security experts. Note that a shared certificate can only be revoked for the whole group, and a certificate extracted from one device grants the same access as every other device in that group.
  • Use a reverse proxy server that is configured with the client certificate to manage communication with the Sterling Order Management System servers. Devices are then not configured with a certificate and instead rely on the proxy server to manage the secure connection. Because the proxy presents the client certificate for every request that it forwards, anything that can reach the proxy effectively holds that certificate, so access to the proxy itself must be controlled.

The option that you choose must be reviewed by your security experts to determine whether it meets security policies and whether it is an acceptable risk.

This page covers only one possible method to configure a reverse proxy server. The method implements the proxy with an NGINX server and is intended for demonstration or testing purposes only. Do not use the following example in a production environment. If you want to use an NGINX server as a reverse proxy, consult your security experts to assist you in getting the server production ready. Alternative solutions are possible and might already be available in your network; for example, if your network uses an F5 Firewall, it can be set up as a reverse proxy. Regardless of the hardware or software that implements the reverse proxy, it is important to secure the communication between your devices and the proxy, and to make sure that only the intended devices can reach it. Providing more information on this subject is out of scope for this document.


Assumptions

  • You use the Sterling Order Management System on the next-generation platform and you want to create and manage a single client certificate for all the Sterling Order Management System clients in your network.
  • You have a fair understanding about the Docker and NGINX technologies.
  • You can use the Linux command-line system.
  • You have a fair understanding about the basic networking concepts.

Prerequisites

  • A Sterling Order Management System environment on the next-generation platform.
  • An account in the Self Service with access to generate client certificates.
  • Understanding of Docker.
  • Access to OpenSSL.

Procedure

The following steps use a container-based NGINX.
Note: The same default.conf settings apply to an NGINX that is installed directly on a host.
  1. Copy the NGINX files to your local computer.
    1. Start a temporary container to work with the NGINX configuration files.
      docker run --name tmp-nginx-container -d nginx
      
    2. Copy the contents of the default /etc/nginx directory to a folder on your local computer, such as $HOME/nginx. The trailing /. on the source path copies the directory contents rather than the directory itself, so that $HOME/nginx/conf.d/default.conf exists afterwards.
      mkdir -p $HOME/nginx
      docker cp tmp-nginx-container:/etc/nginx/. $HOME/nginx/
    3. Delete the temporary container.
      docker rm -f tmp-nginx-container
      
  2. Create a client certificate in the Sterling Order Management System environment.
    1. In Self Service, generate a client certificate for the environment and save the certificate in your local directory such as $HOME/nginx.
    2. Run the following commands to extract the certificate and the private key as .pem files, where $FILENAME is the name of the downloaded file, and provide the password when prompted. The -nodes option writes the private key to disk unencrypted, so restrict its file permissions (for example, chmod 600 client.key) and do not copy it anywhere other than the proxy host.
      cd $HOME/nginx
      openssl pkcs12 -in $FILENAME.p12 -nokeys -out client.pem
      openssl pkcs12 -in $FILENAME.p12 -nocerts -nodes -out client.key
      
  3. Create a self-signed certificate for NGINX by using OpenSSL. This certificate secures only the connection between your devices and the proxy; because it is self-signed, browsers warn about it when you validate the setup in step 6.
    cd $HOME/nginx
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
    
  4. Configure NGINX.
    1. In a text editor, open $HOME/nginx/conf.d/default.conf and delete the existing configuration.
    2. Copy the following configuration into $HOME/nginx/conf.d/default.conf and replace the URL in both proxy_pass fields with the URL of your environment.
      server {
          listen 80;
          listen [::]:80;
          server_name localhost;

          location / {
              proxy_pass https://EXAMPLE-prod-4.oms.supply-chain.ibm.com/;
              proxy_ssl_server_name on;
              proxy_http_version 1.1;
              proxy_ssl_certificate /etc/nginx/client.pem;
              proxy_ssl_certificate_key /etc/nginx/client.key;
              proxy_ssl_session_reuse on;
              ######
              ## Settings specific to a Docker container mapped to non-80/443 port on host
              absolute_redirect off;
          }
      }

      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name localhost;
          ssl_certificate     /etc/nginx/certificate.pem;
          ssl_certificate_key /etc/nginx/key.pem;
          ssl_protocols       TLSv1.2;
          ssl_ciphers         HIGH:!aNULL:!MD5;
          location / {
              proxy_pass https://EXAMPLE-prod-4.oms.supply-chain.ibm.com/;
              proxy_ssl_server_name on;
              proxy_http_version 1.1;
              proxy_ssl_certificate /etc/nginx/client.pem;
              proxy_ssl_certificate_key /etc/nginx/client.key;
              proxy_ssl_session_reuse on;
              ######
              ## Settings specific to a Docker container mapped to non-80/443 port on host
              absolute_redirect off;
          }
      }
  5. Start an NGINX container that publishes the non-SSL and SSL ports as 9080 and 9443 on the host and mounts the $HOME/nginx directory on the host as /etc/nginx/ in the container. The mount also places client.key inside the container, which is why the directory must be protected. The :Z suffix relabels the volume for SELinux hosts; omit it where SELinux is not used.
    docker run --name nginx -p 9080:80 -p 9443:443 --rm -v $HOME/nginx:/etc/nginx/:Z nginx
    
  6. Validate the configuration.
    1. In a browser, access NGINX by using one of the following URLs. On the HTTPS URL the browser warns about the self-signed certificate from step 3; accept the warning for this test.
      http://localhost:9080/smcfs/console/login.jsp
      https://localhost:9443/smcfs/console/login.jsp
      
    2. Confirm that the browser routes to the Sterling Order Management System environment and does not prompt you to supply a client certificate. For comparison, accessing the environment URL directly without the proxy requires a client certificate.
    3. Log in to the Sterling Order Management System console and confirm that the browser redirects you to the Sterling Order Management System console home page.
    4. Repeat with the URLs of all other applications in your Sterling Order Management System environment.
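The step 4 configuration works for a demonstration but leaves two gaps that a production review would flag: it accepts plain HTTP on port 80 and forwards it with the client certificate attached, and it never verifies the certificate of the upstream Sterling Order Management System server (proxy_ssl_verify defaults to off), so the client key would be presented to anything that answers for that host name. The following default.conf is a hardened variant, added here as an example; it is not part of the IBM documentation or product. It assumes a CA chain file /etc/nginx/upstream-ca.pem that signed the server certificate of your environment, a device network 10.20.0.0/16 that is allowed to use the proxy, and the 9443 host port mapping from step 5; all three are placeholders to replace, as is the EXAMPLE host name from the page.

```nginx
# Added example (not the IBM page's configuration): hardened variant of step 4.
# Assumptions: /etc/nginx/upstream-ca.pem is the CA chain for the upstream server
# certificate, 10.20.0.0/16 is the device network, and 443 is published as 9443.

# Plain HTTP is no longer proxied: anything arriving on port 80 is redirected to HTTPS,
# so the client certificate is only ever used on behalf of a TLS-protected request.
server {
    listen 80;
    listen [::]:80;
    server_name localhost;
    return 301 https://$host:9443$request_uri;   # 9443 is the host port mapped in step 5
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name localhost;

    # Device-facing TLS (the self-signed pair from step 3; replace with a CA-issued pair).
    ssl_certificate     /etc/nginx/certificate.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_tickets off;

    # Only the device network may borrow the client certificate.
    allow 10.20.0.0/16;
    deny  all;

    location / {
        proxy_pass https://EXAMPLE-prod-4.oms.supply-chain.ibm.com/;
        proxy_http_version 1.1;
        proxy_ssl_server_name on;

        # Client certificate from step 2: mTLS towards Sterling Order Management System.
        proxy_ssl_certificate     /etc/nginx/client.pem;
        proxy_ssl_certificate_key /etc/nginx/client.key;
        proxy_ssl_session_reuse   on;

        # Not present in the step 4 configuration: verify the upstream server certificate
        # against a trusted CA chain before the client key is presented. The host name
        # is checked against $proxy_host, the same name used for SNI above.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Settings specific to a Docker container mapped to a non-80/443 port on the host.
        absolute_redirect off;
    }
}
```

If the environment's server certificate is issued by a public CA, proxy_ssl_trusted_certificate can point at the container's system bundle instead of a dedicated file, provided that bundle exists in the image you use. After editing, run the configuration check before restarting the container (docker exec nginx nginx -t) so that a typo in the ACL or a missing CA file is caught rather than silently failing open to the step 4 behaviour.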
