3.0 Logical Flow:
4.0 Servers List:
S.No
|
Server Name
|
Purpose
|
Location
|
1
|
Server Name
|
Gateway Server
|
Location Name
|
2
|
Server Name
|
Gateway Server
|
Location Name
|
3
|
Server Name
|
Reverse Proxy Server
|
Location Name
|
4
|
Server Name
|
Reverse Proxy Server
|
Location Name
|
5
|
ServerName
|
BPM Agent
|
Location Name
|
6
|
Server Name
|
BPM Agent
|
Location Name
|
5.0 Reverse Proxy:
A reverse proxy is used to forward the traffic from internet to the internal webserver. The reverse proxy is configured in two servers ussdimon01 and ussdimon02. Both these servers are placed in sandiego data center. The reverse proxy is configured in apache webserver . The apache is configured to run on SSL (https) and listening on port 443. The communication between reverse proxy and gateway server happens through SSL.
5.1 Configuration:
The reverse proxy is configured on apache. The apache is installed in the path /usr/local/apache2.
The following are the import configuration files,
Httpd.conf – This file is located in /usr/local/apache2/conf.This is used to configure apache to act as reverse proxy and also used to load different modiles used for configuring apache as reverse proxy and for ssl.
Httpd-ssl.conf – This file is located in /usr/local/apache2/extra.This file is used to enable ssl for apache. This file holds the path for the certifcates which apache reads while starting.
Important Note :- Both the above files are configured and it is an one time configuration. If any change has to be made on these two files, please take a back up of these files before doing any change.
5.2 Certificates :
All the communication happening between BPM to Reverse Proxy is happening through SSL which involves certificate authentication. The certificate signing request is created and to the signing authority. This is then signed by Verisign. Once it is signed , we will be getting three certificates , Server certificate ,Certificate Authority and Intermediate certificate. All these certificate has to be imported in gateway server and reverse proxy server.
Note: The following three section has to followed only after the existing certificate is expired. The current certificates imported has one year validity. Please do try these following steps unnecessarily.
5.2.1 Generating Certificate Signing Request in Gateway Server :
Please check the following url for creating certificate signing request in IIS in gateway server,
http://www.sslshopper.com/article-installing-an-ssl-certificate-in-windows-server-2008-iis-7.0.html
5.2.2 Importing Signed Certificate in Gateway Server:
Please check the following url for installing the signed certificate in IIS in gateway server.
http://www.sslshopper.com/article-installing-an-ssl-certificate-in-windows-server-2008-iis-7.0.html
5.2.3 Generating Certificate Signing Request in Gateway Server:
5.2.4 Certificates in Reverse proxy server:
The verisign signed certificate will be having three certificates
Server Certificate,CA Certificate and Intermediate certificate. Once we get this, we need to copy the content of the ceritificate and past it in the appropriate files.
The certificates are copied in the following path in the reverse proxy server,
Server Certificate : /usr/local/apache2/conf/cert and the file name is certify.crt. Copy the content of the server certificate and copy it in certify.crt.
CA Bundle : /usr/local/apache2/conf/bundle and the file name is bundlepem.crt.This bundle certificate will be having both CA certificate and Intermediate certificate.Copy the content of both CA and intermediate certificate one below other in the same file.
Key file : /usr/local/apache2/conf/key and the file name is server.key. This will be already present in the server.
During renewal of certificate , please copy the renewed certificate in the same path. The password used while generating the key is ‘sony1234’ . This password should be used while restarting apache server.
5.2.5 Certificate in BPM :
The agent machine has to be configured with certificate of reverse proxy for connecting to the reverse proxy over https. The existing working certificate is put in the following path c:\baccerts\store and the file name is bacgwy.pem . The certificate file should be saved as pem file. The pem file should containg Server certificate first followed by CA certificate and then Intermediate certificate.
5.3 Starting/Shutdown of Apache :
Go to the path /usr/local/apache2/bin
For starting run the command ./apachectl start – While starting it will prompt for password , please type ‘sony1234’ as password.
For Stopping run the command ./apachectl stop
6.0 Important Files:
| 