The purpose of this document is to explain the setup of HP BAC that is setup in B2C Culpeper for data collection through reverse proxy.
2.0 Setup Overview:
Two BPM agent machines are placed in Miami in terramark cloud. These two machines will be open to internet. A reverse proxy is placed in Culpeper data center which will act as proxy for gateway servers. The gateway server , database server and DPI server will be placed in Culpeper data center. The data collected by BPM agent machines, will send the data to reverse proxy machine, which inturn will forward it to gateway server. From internet, the reverse proxy will be seen as gateway server. All the communication between agent to proxy and proxy to gateway will be established through SSL which is secured. For outside world, only the reverse proxy IP will be revealed as gateway server. This setup is only for the data collection to happen from BPM to Gateway through reverse proxy, and not to open web access from BPM to gateway server through proxy.
A reverse proxy is used to forward the traffic from internet to the internal webserver. The reverse proxy is configured in two servers ussdimon01 and ussdimon02. Both these servers are placed in sandiego data center. The reverse proxy is configured in apache webserver . The apache is configured to run on SSL (https) and listening on port 443. The communication between reverse proxy and gateway server happens through SSL.
The reverse proxy is configured on apache. The apache is installed in the path /usr/local/apache2.
The following are the import configuration files,
Httpd.conf – This file is located in /usr/local/apache2/conf.This is used to configure apache to act as reverse proxy and also used to load different modiles used for configuring apache as reverse proxy and for ssl.
Httpd-ssl.conf – This file is located in /usr/local/apache2/extra.This file is used to enable ssl for apache. This file holds the path for the certifcates which apache reads while starting.
Important Note :- Both the above files are configured and it is an one time configuration. If any change has to be made on these two files, please take a back up of these files before doing any change.
5.2 Certificates :
All the communication happening between BPM to Reverse Proxy is happening through SSL which involves certificate authentication. The certificate signing request is created and to the signing authority. This is then signed by Verisign. Once it is signed , we will be getting three certificates , Server certificate ,Certificate Authority and Intermediate certificate. All these certificate has to be imported in gateway server and reverse proxy server.
Note: The following three section has to followed only after the existing certificate is expired. The current certificates imported has one year validity. Please do try these following steps unnecessarily.
Server Certificate : /usr/local/apache2/conf/cert and the file name is certify.crt. Copy the content of the server certificate and copy it in certify.crt.
CA Bundle : /usr/local/apache2/conf/bundle and the file name is bundlepem.crt.This bundle certificate will be having both CA certificate and Intermediate certificate.Copy the content of both CA and intermediate certificate one below other in the same file.
Key file : /usr/local/apache2/conf/key and the file name is server.key. This will be already present in the server.
During renewal of certificate , please copy the renewed certificate in the same path. The password used while generating the key is ‘sony1234’ . This password should be used while restarting apache server.
5.2.5 Certificate in BPM :
The agent machine has to be configured with certificate of reverse proxy for connecting to the reverse proxy over https. The existing working certificate is put in the following path c:\baccerts\store and the file name is bacgwy.pem . The certificate file should be saved as pem file. The pem file should containg Server certificate first followed by CA certificate and then Intermediate certificate.