Using the Novell Service Desk appliance with SSL

  • 7015079
  • 19-May-2014
  • 25-Jan-2018

Environment

Service Desk 6.5 Web Services
Service Desk 7.0.0 Web Services
Service Desk 7.0.1 Web Services
Service Desk 7.0.2 Web Services
Service Desk 7.0.3 Web Services
Service Desk 7.1 Web Services
Service Desk 7.2 Web Services

Situation

To secure communication with the NSD web interface over SSL, follow the steps below to set up this configuration.

Resolution

Step 1: NSD 6.5 Appliance

If you are using the Novell Service Desk 6.5 Appliance then we need to change the configuration before proceeding. If you have a later version of the Novell Service Desk Appliance, skip this section and proceed directly to Step 2.

SSH into the appliance and log in as root.

[root]# cd /etc/apache2/conf.d
[root]# mv nsd.conf nsd-conf.old

Launch a text editor to create a new configuration file.

[root]# vi nsd.conf

Enter the following into this file:

<IfModule mod_jk.c>
JkWorkersFile "/usr/share/tomcat6/conf/worker.properties"
JkLogFile "/var/log/apache2/mod_jk.log"
JkShmFile "/var/log/apache2/jk-runtime-status"
JkLogLevel debug
</IfModule>

Save the file by pressing ESC and then typing :wq

Now create a new virtual host for Novell Service Desk:

[root]# cd /etc/apache2/vhosts.d
[root]# vi nsd-vhost.conf

Enter the following into this file:

# Novell Service Desk virtual host apache2 configuration file
#
# Version 1.1  by Jon Giffard
#
#
<VirtualHost *:80>
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error
    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    <IfModule mod_rewrite.c>
        RewriteEngine On
        #RewriteLog /var/log/apache2/rewrite.log
        #RewriteLogLevel 2
        # everything else is handled by our application
        RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>

    <Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>

    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
    Order allow,deny
    Allow from all
    </FilesMatch>

</VirtualHost>

Save the file by pressing ESC and then typing :wq

Restart Apache to recognise our configuration changes.

[root]# rcapache2 restart

If all is OK, Novell Service Desk will be available over http and we can start the SSL configuration process.

Step 2: Setup your own CA (Certificate Authority)

In order to run a secure (SSL/TLS encrypted) web server, you have to have a private key and a certificate for the server. For Intranet or special-purpose uses like this, you can be your own CA.

Here, we will make a private CA key and a private CA X.509 certificate. We will also make a directory for the certs and keys. During the creation of the certificate you will be asked a series of questions (shown in the example below). Take some time to consider how you will respond, as changing these later is somewhat problematic. You will also be asked for a pass phrase that protects your CA key. Make sure that you remember it.

SSH into the appliance and log in as root.

[root]# mkdir /root/CA
[root]# chmod 0770 /root/CA
[root]# cd /root/CA
[root]# openssl genrsa -des3 -out nsd-ca.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
..+++
e is 65537 (0x10001)
Enter pass phrase for nsd-ca.key:
Verifying - Enter pass phrase for nsd-ca.key:

[root]# openssl req -new -x509 -days 3650 -key nsd-ca.key -out nsd-ca.crt
Enter pass phrase for nsd-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

You will probably also want to make backups of the cert and key and lock them in a safe place. We can view our newly created certificate by typing:

[root]# openssl x509 -in nsd-ca.crt -text -noout

Step 3: Make a key and a certificate for the web server

Now we have to make an X.509 certificate and corresponding private key for the web server. Rather than creating a certificate directly, we will create a key and a certificate request, then "sign" the certificate request with the CA key we made in Step 2 (you can make keys for multiple web servers this way). One thing to note is that SSL/TLS private keys for web servers need to be either 512 or 1024 bits. Any other key size may be incompatible with certain browsers. A pass phrase will be required.

[root]# openssl genrsa -des3 -out nsd-server.key 1024
Generating RSA private key, 1024 bit long modulus
.................................................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for nsd-server.key:
Verifying - Enter pass phrase for nsd-server.key:

IMPORTANT: When asked for Common Name (eg, YOUR name) []: in the step below, be sure to enter the FQDN of the Novell Service Desk appliance. Do not enter anything for the challenge password.

[root]# openssl req -new -key nsd-server.key -out nsd-server.csr
Enter pass phrase for nsd-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now use the CA we created in Step 2 to sign the certificate request:

[root]# openssl x509 -req -in nsd-server.csr -out nsd-server.crt -sha1 -CA nsd-ca.crt -CAkey nsd-ca.key -CAcreateserial -days 3650

Remove the pass phrase from the key, or you will need to enter it every time Apache starts up. And Apache only gives you a few seconds to do so before terminating in a sulk.

[root]# openssl rsa -in nsd-server.key -out nsd-server-npp.key
Enter pass phrase for nsd-server.key:
writing RSA key
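As an added example (not part of the TID), the following script re-runs Steps 2 and 3 non-interactively in a scratch directory and then performs the checks worth doing before copying the files into /etc/apache2 in Step 4: the server certificate chains to the CA, its CN is the appliance FQDN, the key matches the certificate, and the pass phrase has been removed. It assumes openssl is in PATH; the FQDN and DN values are constructed, and it uses 2048-bit keys and SHA-256 instead of the 1024-bit key and -sha1 shown above, which current browsers no longer accept.

```shell
#!/bin/sh
# Added example, not from the TID: scripted Steps 2 and 3 plus sanity checks.
# Assumptions: openssl in PATH; FQDN and DN fields are constructed values.
set -eu

FQDN="${1:-nsd.example.com}"   # constructed FQDN; pass the appliance's real one
WORKDIR="${2:-$(mktemp -d)}"   # scratch dir standing in for /root/CA

make_pki() {
    # Step 2: CA key and self-signed CA certificate (2048-bit, as in the TID).
    # -nodes leaves the CA key unencrypted so the example runs unattended;
    # the TID's -des3 pass phrase is the right choice for a real CA key.
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/nsd-ca.key" -out "$WORKDIR/nsd-ca.crt" \
        -subj "/C=AU/O=Example Org/OU=IT/CN=Example NSD CA" 2>/dev/null
    # Step 3: server key and CSR with CN = FQDN, then sign the CSR with the CA.
    # 2048 bits and -sha256 replace the TID's 1024 and -sha1 (browsers reject both).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/nsd-server-npp.key" -out "$WORKDIR/nsd-server.csr" \
        -subj "/C=AU/O=Example Org/OU=IT/CN=$FQDN" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/nsd-server.csr" -out "$WORKDIR/nsd-server.crt" \
        -sha256 -CA "$WORKDIR/nsd-ca.crt" -CAkey "$WORKDIR/nsd-ca.key" \
        -CAcreateserial -days 3650 2>/dev/null
}

# Each check is silent and returns 0 on success, non-zero on failure.
check_chain() {         # server cert must verify against our own CA
    openssl verify -CAfile "$WORKDIR/nsd-ca.crt" "$WORKDIR/nsd-server.crt" >/dev/null 2>&1
}
check_cn() {            # CN must be the FQDN users type, or browsers warn on hostname
    openssl x509 -in "$WORKDIR/nsd-server.crt" -noout -subject | grep -q "CN *= *$FQDN"
}
check_key_matches() {   # key and cert must carry the same public key (copy mix-ups)
    k=$(openssl pkey -in "$WORKDIR/nsd-server-npp.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORKDIR/nsd-server.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}
check_no_passphrase() { # Apache must load the key unattended (end of Step 3)
    ! grep -q ENCRYPTED "$WORKDIR/nsd-server-npp.key"
}
run_all() {
    make_pki && check_chain && check_cn && check_key_matches && check_no_passphrase
}

if run_all; then
    echo "OK: files in $WORKDIR are ready to copy into /etc/apache2 (Step 4)"
else
    echo "FAIL: do not install these files" >&2; exit 1
fi
```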

Step 4: Configure Apache for SSL connection

We need to move the new keys and certs into the proper directories in the /etc/apache2 hierarchy:

[root]# cp nsd-server.crt /etc/apache2/ssl.crt/nsd-ssl.crt
[root]# cp nsd-server-npp.key /etc/apache2/ssl.key/nsd-ssl.key
[root]# cp nsd-ca.crt /etc/apache2/ssl.crt/nsd-ca.crt

Launch your text editor to create a virtual host configuration file.

[root]# cd /etc/apache2/vhosts.d
[root]# vi nsd-ssl-vhost.conf

Paste the following into the file:

<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost *:443>
    #Setup SSL for this virtual host
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/nsd-ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/nsd-ssl.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/nsd-ca.crt
    SSLCACertificateFile /etc/apache2/ssl.crt/nsd-ca.crt

    #Fix for IE browsers when using SSL with Apache
    SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    #Custom log file
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

    #Apache sends incoming request to Tomcat
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error
    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>

    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>

    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
        Order allow,deny
        Allow from all
    </FilesMatch>

</VirtualHost>

</IfDefine>
</IfDefine>

Save the file by pressing ESC and then typing :wq

The Apache web server requires a start-up flag to enable SSL. This is set in the Apache sysconfig file located under /etc/sysconfig:

[root]# vi /etc/sysconfig/apache2

Scroll down this file until you find the line:

APACHE_SERVER_FLAGS=""

Change this to:

APACHE_SERVER_FLAGS="SSL"

Save the file by pressing ESC and then typing :wq

Now we need to restart Apache web server so that it picks up the configuration changes and makes available our new secure connection for Novell Service Desk.

[root]# rcapache2 restart

Test that Apache is listening on the port used for https:

[root]# netstat -tna | grep 443
tcp        0      0 :::443                  :::*                    LISTEN

Point your browser at the Novell Service Desk appliance over https. If all is working, the browser will warn about an untrusted connection; this is the result of using our own Certificate Authority, and it is perfectly OK to proceed. You should then see the Novell Service Desk login page.

Step 5: Redirect http to https

Relying on people to type https into their browsers when they want a secure connection to Novell Service Desk is something we want to avoid. People will forget or simply not bother, negating the work we have performed so far to ensure secure communications. Apache has the answer for us: it can automatically redirect people from http to https whenever they connect to Novell Service Desk using their browser.

Back up the current configuration file in case you want to revert.

[root]# cd /etc/apache2/vhosts.d
[root]# mv nsd-vhost.conf nsd-vhost_conf.old

Launch a text editor to create a new virtual host configuration file.

[root]# vi nsd-vhost.conf

Paste the following into the file:

# Novell Service Desk virtual host apache2 configuration file
#
# Redirects http to https
#
#

<VirtualHost *:80>
    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 1
        # everything else is handled by our application
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R]
    </IfModule>

    <Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>

    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
    Order allow,deny
    Allow from all
    </FilesMatch>

</VirtualHost>

Save the file by pressing ESC and then typing :wq

Restart the Apache web server so that it picks up the configuration change:

[root]# rcapache2 restart

Launch your browser and enter http://<NSD Appliance IP> and you will be redirected to a secure connection automatically.

Additional Information

This TID is not valid for the v7.3 appliance.
Please contact Micro Focus Customer Care for further information and reference this TID or check documentation.
Enabling HTTPS on Appliance v7.3 and Higher