Setting up HTTPS connections

Business Continuity Manager Installation Guide

Version: 9.8.7
Part Number: MK-95HC104-41

HTTPS (HTTP over SSL) connections can be established between Replication Manager and the Business Continuity Manager agent to improve security. To establish HTTPS connections between Replication Manager and the Business Continuity Manager agent, IBM HTTP Server is required as a reverse proxy server. A reverse proxy server uses HTTPS to receive requests from Replication Manager, and then uses HTTP to send those requests to the Business Continuity Manager agent, which is the origin server. In addition, basic access authentication can be used to authorize Replication Manager.

A configuration example for HTTPS connections between Replication Manager and IBM HTTP Server is shown below:

Figure. Configuration example for HTTPS connections between Replication Manager and IBM HTTP Server

Use the IBM HTTP Server httpd.conf settings file to configure IBM HTTP Server.

The following table describes authentication methods used between Replication Manager and IBM HTTP Server.

Table. Authentication methods used between Replication Manager and IBM HTTP Server

| Authenticating | Being authenticated | Authentication method |
|---|---|---|
| Replication Manager | IBM HTTP Server | Server certificate (SSL) |
| IBM HTTP Server | Replication Manager | Basic access authentication (HTTP) |

Note that when HTTP is used to connect Replication Manager and IBM HTTP Server, Replication Manager cannot send the information necessary for performing basic access authentication.

An overview of the setup procedure for establishing HTTPS connections is shown in the figure below. All of the steps indicated in the figure below must be performed on all of the sites.

Figure. Overview of the setup procedure for establishing HTTPS connections

The procedure to establish HTTPS connections between Replication Manager and IBM HTTP Server is described below. Each step number in the figure "Overview of the setup procedure for establishing HTTPS connections" corresponds to the step with the same number in the procedure below.

  1. To run IBM HTTP Server as a reverse proxy server, specify in the httpd.conf file the settings described in the table "Required settings for the httpd.conf file to set up a reverse proxy server".
    Table. Required settings for the httpd.conf file to set up a reverse proxy server

    | Directives | Values |
    |---|---|
    | CacheDisable | Specify this directive to disable the cache function for requests directed to the Business Continuity Manager agent. |
    | KeepAlive | Specify this directive to disable the KeepAlive function. |
    | LoadModule | Add the following modules to the list: proxy_module modules/mod_proxy.so and proxy_http_module modules/mod_proxy_http.so |
    | Listen | Specify a standby port for IBM HTTP Server. For example, to set up port number 443 for a standby port, specify Listen 443 (IPv4) or Listen [::]:443 (IPv6). |
    | ProxyPass and ProxyPassReverse | Specify the following options to make the Business Continuity Manager agent the origin server for Replication Manager: (1) the host name or IP address of the host on which the Business Continuity Manager agent is running; (2) the port number in the PORT parameter, which was specified when the Business Continuity Manager agent was initially set up. Format: ProxyPass / http://0.0.0.0:port-number/ and ProxyPassReverse / http://0.0.0.0:port-number/ |
    | Timeout | Specify how long to wait before issuing a time out. Specify a value greater than Replication Manager's timeout value (bcmif.socketTimeout). |

  2. Create a server certificate.
  3. Enable SSL/TLS.
  4. Enable basic access authentication.
    1. Execute the htpasswd command to set up a user ID and password for authenticating Replication Manager.
      Executing the htpasswd command creates a file that manages the user ID and password for basic access authentication of Replication Manager.
      The following is an execution example of the htpasswd command. The -c option creates the file; omit it when adding a user to an existing file, because -c overwrites the file:
      htpasswd -c /usr/local/apache/.htaccess user-name
    2. Edit the httpd.conf file as described in the table "Required settings for the httpd.conf file to set up authentication".
      Table. Required settings for the httpd.conf file to set up authentication

      | Directives | Values |
      |---|---|
      | AuthName | Specify the realm that will be used for authentication. |
      | AuthType | Specify the type of user authentication. Specify Basic. |
      | AuthUserFile | Specify the location of the management file for the user ID and password created by the htpasswd command. |
      | Require | Specify the users that are allowed access. |

  5. Restrict access to the TCP/IP port used by the Business Continuity Manager agent.
    Set the restriction so that IBM HTTP Server is the only program that can communicate with the Business Continuity Manager agent.
  6. Import the IBM HTTP Server server certificate into the truststore (jssecacerts).
  7. Set a protocol for communicating with IBM HTTP Server.
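
The following added example (not part of the guide or of any Hitachi or IBM product) checks an httpd.conf for the directives that the tables for steps 1 and 4 require. The sample configuration (agent address 192.0.2.10:24042, realm, user name rpmuser, timeout values) is constructed for illustration, and the function names parse and audit are hypothetical; SSL enablement (step 3) is not checked because this page does not list its directives.

```python
# Constructed sample httpd.conf fragment; host, port, realm and user are assumed values.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Listen 443
KeepAlive Off
CacheDisable /
Timeout 600
ProxyPass / http://192.0.2.10:24042/
ProxyPassReverse / http://192.0.2.10:24042/
<Location />
    AuthType Basic
    AuthName "BCM agent"
    AuthUserFile /usr/local/apache/.htaccess
    Require user rpmuser
</Location>
"""

def parse(conf):
    """Map each directive name (lowercased) to the list of its argument strings."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):  # skip comments and section tags
            name, *rest = line.split(None, 1)
            found.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return found

def audit(conf, rpm_timeout_seconds):
    """Return findings for settings the guide's tables require; [] means all present."""
    d = parse(conf)
    problems = []
    loaded = " ".join(d.get("loadmodule", []))
    for mod in ("proxy_module", "proxy_http_module"):
        if mod not in loaded.split():
            problems.append(f"LoadModule {mod} missing")
    for name in ("Listen", "CacheDisable", "ProxyPass", "ProxyPassReverse",
                 "AuthName", "AuthUserFile", "Require"):
        if name.lower() not in d:
            problems.append(f"{name} missing")
    if [a.lower() for a in d.get("keepalive", [])] != ["off"]:
        problems.append("KeepAlive must be Off")
    if [a.lower() for a in d.get("authtype", [])] != ["basic"]:
        problems.append("AuthType must be Basic")
    # Timeout must exceed Replication Manager's bcmif.socketTimeout (assumed here in seconds).
    timeouts = d.get("timeout", [])
    if not timeouts or int(timeouts[-1]) <= rpm_timeout_seconds:
        problems.append("Timeout must be greater than bcmif.socketTimeout")
    return problems
```

Call audit with the text of the site's httpd.conf and the Replication Manager timeout converted to seconds; an empty list means every directive from the two tables is present with the expected value.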

For detailed procedures, see the following:

  • For steps 1 to 4 (IBM HTTP Server settings)

    IBM HTTP Server for WebSphere Application Server product information available from the IBM WebSphere Application Server information center

  • For step 5 (z/OS settings)

    IBM manual Communications Server IP Configuration Reference

  • For steps 6 and 7 (Hitachi Command Suite settings)

    Replication Manager Configuration Guide