Environment
Service Desk 6.5 Web Services
Service Desk 7.0.0 Web Services
Service Desk 7.0.1 Web Services
Service Desk 7.0.2 Web Services
Service Desk 7.0.3 Web Services
Service Desk 7.1 Web Services
Service Desk 7.2 Web Services
Situation
The steps below configure SSL connectivity for the Novell Service Desk (NSD)
web interface so that communication with it is secured.
Resolution
Step 1: NSD 6.5 Appliance
If you are using the Novell Service Desk 6.5 Appliance then we need to change the configuration before proceeding. If you have a later version of the Novell Service Desk Appliance, skip this section and proceed directly to Step 2.
ssh into the appliance and log in as root
[root]# cd /etc/apache2/conf.d
[root]# mv nsd.conf nsd-conf.old
Launch text editor to create a new configuration file.
[root]# vi nsd.conf
Enter the following into this file
<IfModule mod_jk.c>
    JkWorkersFile "/usr/share/tomcat6/conf/worker.properties"
    JkLogFile "/var/log/apache2/mod_jk.log"
    JkShmFile "/var/log/apache2/jk-runtime-status"
    JkLogLevel debug
</IfModule>
Save the file by pressing ESC and then typing :wq
Now create a new virtual host for Novell Service Desk
[root]# cd /etc/apache2/vhosts.d
[root]# vi nsd-vhost.conf
Enter the following into this file
# Novell Service Desk virtual host apache2 configuration file
#
# Version 1.1 by Jon Giffard
#
#
<VirtualHost *:80>
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error
    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13
    # don't lose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    <IfModule mod_rewrite.c>
        RewriteEngine On
        #RewriteLog /var/log/apache2/rewrite.log
        #RewriteLogLevel 2
        # everything else is handled by our application
        RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>
    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
        Order allow,deny
        Allow from all
    </FilesMatch>
</VirtualHost>
Save the file by pressing ESC and then typing :wq
Restart Apache to recognise our configuration changes.
[root]# rcapache2 restart
If all is ok, Novell Service Desk will be available using http and we can start the SSL configuration process.
Step 2: Setup your own CA (Certificate Authority)
In order to run a secure (SSL/TLS encrypted) web server, you have to have a private key and a certificate for the server. For Intranet or special-purpose uses like this, you can be your own CA.
Here, we will make a private CA key and a private CA X.509 certificate. We will also make a directory for the certs and keys. During the creation of the certificate you will be asked a series of questions (shown below in the example). Take some time to consider how you will respond, as changing these later is somewhat problematic. You are also going to be asked for a pass phrase that will protect your CA keys. Make sure that you remember it.
ssh into the appliance and log in as root
[root]# mkdir /root/CA
[root]# chmod 0770 /root/CA
[root]# cd /root/CA
[root]# openssl genrsa -des3 -out nsd-ca.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
..+++
e is 65537 (0x10001)
Enter pass phrase for nsd-ca.key:
Verifying - Enter pass phrase for nsd-ca.key:
[root]# openssl req -new -x509 -days 3650 -key nsd-ca.key -out nsd-ca.crt
Enter pass phrase for nsd-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
You will probably also want to make backups of the cert and key and lock them in a safe place. We can view our newly created certificate by typing:-
[root]# openssl x509 -in nsd-ca.crt -text -noout
Step 3: Make a key and a certificate for the web server:
Now we have to make an X.509 certificate and corresponding private key for the web server. Rather than creating a certificate directly, we will create a key and a certificate request, then “sign” the certificate request with the CA key we made in Step 2 (you can make keys for multiple web servers this way). One thing to note is that SSL/TLS private keys for web servers need to be either 512 or 1024 bits. Any other key size may be incompatible with certain browsers. A pass phrase will be required.
[root]# openssl genrsa -des3 -out nsd-server.key 1024
Generating RSA private key, 1024 bit long modulus
.................................................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for nsd-server.key:
Verifying - Enter pass phrase for nsd-server.key:
IMPORTANT: When asked for Common Name (eg, YOUR name) []: in the step below, be sure to enter the FQDN of the Novell Service Desk appliance. Do not enter anything for Challenge Password.
[root]# openssl req -new -key nsd-server.key -out nsd-server.csr
Enter pass phrase for nsd-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now use the CA we created in Step 2 to sign the certificate request.
[root]# openssl x509 -req -in nsd-server.csr -out nsd-server.crt -sha1 -CA nsd-ca.crt -CAkey nsd-ca.key -CAcreateserial -days 3650
Remove the pass phrase from the key, or you will need to enter it every time Apache starts up. Apache only gives you a few seconds to do so before terminating in a sulk.
[root]# openssl rsa -in nsd-server.key -out nsd-server-npp.key
Enter pass phrase for nsd-server.key:
writing RSA key
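Before the files are copied in Step 4, it is worth confirming that they fit together. The following script is an added example, not part of the original TID: it checks that the server certificate verifies against the CA, belongs to the pass-phrase-free key and carries the expected FQDN as Common Name, and it warns about a small RSA modulus. The function names and the 2048-bit warning threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the TID: checks on the files from Steps 2 and 3
# before they are copied into /etc/apache2. Function names are hypothetical.

# PEM public key embedded in a certificate (empty if the file is unreadable).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key of an unencrypted RSA private key. The empty -passin makes an
# encrypted key fail instead of prompting for its pass phrase.
key_pubkey() { openssl rsa -in "$1" -pubout -passin pass: 2>/dev/null; }

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the certificate verifies against the CA certificate. The
# output is matched because some older openssl releases exit 0 on failure.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Common Name of the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# RSA modulus size in bits as printed by "openssl x509 -text".
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit.*/\1/p'
}

# check_tls_material CERT KEY CA FQDN
# Prints one line per finding; returns non-zero if a FAIL was printed.
check_tls_material() {
    rc=0
    cert_chains_to_ca "$1" "$3" || { echo "FAIL: $1 does not verify against $3"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    [ "$(cert_cn "$1")" = "$4" ] || { echo "FAIL: CN is not $4"; rc=1; }
    bits=$(cert_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || echo "WARN: RSA modulus is ${bits:-?} bits"
    return $rc
}

if [ $# -eq 4 ]; then check_tls_material "$@"; fi
```

Run it from /root/CA with nsd-server.crt, nsd-server-npp.key, nsd-ca.crt and the appliance FQDN as its four arguments.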
Step 4: Configure Apache for SSL connection
We need to move the new keys and certs into the proper directories in the /etc/apache2 hierarchy:
[root]# cp nsd-server.crt /etc/apache2/ssl.crt/nsd-ssl.crt
[root]# cp nsd-server-npp.key /etc/apache2/ssl.key/nsd-ssl.key
[root]# cp nsd-ca.crt /etc/apache2/ssl.crt/nsd-ca.crt
Launch your text editor to create a virtual host configuration file.
[root]# cd /etc/apache2/vhosts.d
[root]# vi nsd-ssl-vhost.conf
Paste the following into the file:
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
    #Setup SSL for this virtual host
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/nsd-ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/nsd-ssl.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/nsd-ca.crt
    SSLCACertificateFile /etc/apache2/ssl.crt/nsd-ca.crt
    #Fix for IE browsers when using SSL with Apache
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    #Custom log file
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    #Apache sends incoming request to Tomcat
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error
    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13
    # don't lose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>
    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
        Order allow,deny
        Allow from all
    </FilesMatch>
</VirtualHost>
</IfDefine>
</IfDefine>
Save the file by pressing ESC and then typing :wq
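The SSLCipherSuite value in this virtual host permanently removes only ADH and EXPORT56. The following script is an added example, not part of the original TID: it lints a cipher string for weak classes that have no permanent "!" exclusion and lists the tokens that name such a class directly. The class list and the stricter comparison value are assumptions of this example; running openssl ciphers -v '<string>' on the appliance shows what a string actually expands to with the installed OpenSSL.

```shell
#!/bin/sh
# Added example, not part of the TID: token-level lint of an SSLCipherSuite
# value. WEAK_CLASSES is this example's own policy list (an assumption).
WEAK_CLASSES="aNULL eNULL EXP LOW SSLv2 RC4 MD5"

# Value of the first uncommented SSLCipherSuite directive in a config file.
cipher_suite_of() {
    sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]][[:space:]]*//p' "$1" | head -n 1
}

# True if the string permanently removes the class with "!CLASS". "-CLASS" is
# not accepted (a later token can re-add it) and "+CLASS" only reorders.
is_excluded() {  # $1 = cipher string, $2 = class keyword
    case "$2" in EXP) alt=EXPORT ;; eNULL) alt=NULL ;; *) alt=$2 ;; esac
    case ":$1:" in *":!$2:"*|*":!$alt:"*) return 0 ;; esac
    return 1
}

# Space-separated weak classes that the string leaves without an exclusion.
unexcluded_weak() {
    missing=""
    for class in $WEAK_CLASSES; do
        is_excluded "$1" "$class" || missing="$missing${missing:+ }$class"
    done
    printf '%s\n' "$missing"
}

# Tokens that name a weak class without excluding it, e.g. "+LOW" or "RC4+RSA".
weak_tokens() {
    found=""
    old_ifs=$IFS; IFS=:
    for tok in $1; do
        IFS=$old_ifs
        case "$tok" in '!'*|-*) continue ;; esac
        for class in $WEAK_CLASSES; do
            case "+$tok+" in *"+$class+"*) found="$found${found:+ }$tok"; break ;; esac
        done
    done
    IFS=$old_ifs
    printf '%s\n' "$found"
}

# The value from the article's nsd-ssl-vhost.conf, and a constructed stricter
# value for comparison (an assumption of this example, not a vendor setting).
PAGE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
STRICT_SUITE='HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5'
echo "article value leaves unexcluded:  $(unexcluded_weak "$PAGE_SUITE")"
echo "article value names directly:     $(weak_tokens "$PAGE_SUITE")"
echo "stricter value leaves unexcluded: $(unexcluded_weak "$STRICT_SUITE")"
```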
The Apache web server needs a startup flag passed to it to enable SSL. The flag is set in the Apache configuration file located in /etc/sysconfig
[root]# vi /etc/sysconfig/apache2
Scroll down this file until you find the line:-
APACHE_SERVER_FLAGS=""
Change this to:-
APACHE_SERVER_FLAGS="SSL"
Save the file by pressing ESC and then typing :wq
Now we need to restart Apache web server so that it picks up the configuration changes and makes available our new secure connection for Novell Service Desk.
[root]# rcapache2 restart
Test to see that Apache is listening on the port used for https
[root]# netstat -tna | grep 443
tcp 0 0 :::443 :::* LISTEN
Point your browser at the Novell Service Desk appliance and you should see something like this if all is working
An untrusted connection is a result of using our own Certificate Authority. It is perfectly ok to proceed onwards. You should now see the Novell Service Desk login page.
Step 5: Redirect http to https
Relying on people to type https into their browsers when they want a secure connection to Novell Service Desk is something that we want to avoid. People will forget or simply not bother, negating the work we have performed so far to ensure secure communications. Apache has the answer for us, as it can automatically redirect people from http to https whenever they connect to Novell Service Desk using their browser.
Back up the current configuration file in case you want to revert.
[root]# cd /etc/apache2/vhosts.d
[root]# mv nsd-vhost.conf nsd-vhost_conf.old
Launch text editor to create a new virtual host configuration file.
[root]# vi nsd-vhost.conf
Paste the following into the file
# Novell Service Desk virtual host apache2 configuration file
#
# Redirects http to https
#
#
<VirtualHost *:80>
    # don't lose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 1
        # everything else is handled by our application
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R]
    </IfModule>
    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
        Order allow,deny
        Allow from all
    </FilesMatch>
</VirtualHost>
Save the file by pressing ESC and then typing :wq
Restart Apache web server so that it picks up the configuration change
[root]# rcapache2 restart
Launch your browser and enter http://<NSD Appliance IP> and you will be redirected to a secure connection automatically.
Additional Information
This TID is not valid for v7.3 appliance.
Please contact Micro Focus Customer Care for further information and reference this TID or check documentation.
Enabling HTTPS on Appliance v7.3 and Higher