
SWS (Customer) asked a question.
Self Service Console behind Reverseproxy
Hi, I tried to put the SSC behind an apache2 reverse proxy since I don't want to expose the RSA VM to our users directly, but I run into problems with broken headers. Shall this scenario be possible?
A better way would be to stand up a web tier and use it to proxy the SSC connections. All you need is a Windows or Red Hat 64-bit server and the web tier software does the rest. Full info at https://community.rsa.com/s/article/RSA-Authentication-Manager-8-7-SP2-Web-Tier-Getting-Started
Hmm, I noticed the web tier option, but I like to put our SSC behind some sort of authentication, therefore our reverse proxy. But I might try the web tier way. One more question: in the web tier, is the SSC also on port 7004? Or is it customizable to let it run directly on port 443?
Web tiers run on 443 by default. Port between web tiers and the RSA Primary is 7022/TCP.
Hi, so I installed/deployed the web tier instance and configured the Virtual Hostname in the deployment configuration (no load balancer). The WebTier installation finished without errors. The WebTier deployment is shown as Online (in the primary web tier deployment) and on the RHEL 8.8 host both services (rsaservmgr and rsabootstrapperservmgr) are running. Also I see (netstat -lnp) port 443 on localhost and the private IP up, but I don't get a website. The connection from the browser times out. Shall I install some Apache reverse proxy on the RHEL as reverse proxy? Or what is the meaning of the virtual host configuration? I did not find any information on what to do after the installation finished. I tried with raw IP, web tier hostname and virtual host name. All hostnames are resolvable and point to the web tier instance. Any hint what I'm missing?
Since this is RHEL, ensure that fapolicyd, SELinux, etc. are not blocking the connection. Also, web tiers host 3 services: SSC, RBA, and CTKIP. Each of these has to be enabled manually. In the Operations Console, go to Deployment Configuration > Web Tier Deployments > Manage Existing and choose Edit. Ensure that Self-Service Console is enabled.
The Virtual Host Configuration is used as an alias to hide the hostnames of the web tier and the Primary. So if your RHEL server is webtier1.example.com, you could make the virtual hostname something like rsahelp.example.com. You would need DNS alias record entries so that rsahelp.example.com resolves to the same IP as webtier1.example.com.
Oh, I have only SSC activated. DNS is configured correctly. SELinux is a hot guess. The user running the RSA service is not part of the www group, but the service is using low ports, so I'll take a look.
But just to be safe: it is not necessary to install additional software (such as Apache or nginx) for the web tier to work? The web server is started from the web tier software? And it's only necessary to have rsaservmgr and rsabootstrapperservmgr running, no other services?
No other software should be required; the web tier brings all the code it needs to operate. The service should self-start; bootstrapper runs as a service, which then initializes rsaservmgr. Bouncing bootstrapper should restart both services. Low ports is a good call. If you ran the installer as root it should have enabled 443, but you could always force it manually (sudo firewall-cmd --add-port=443/tcp --permanent).
Oh, yes, firewall. Who thought that a bare minimum install would also install a firewall :) Coming from Debian, this RHEL is kinda messy to me, but got it working, thanks!
One (or two) more things: the WebTier does not offer an API like the primary does? And is there a document on how to change certificates for the web tier? Is it maybe possible to set/change the certificate for the web tier from the CLI on the RHEL? I would like to use ACME...
Glad to hear it was the FW. As far as API, there is none. All the action happens on the Primary, and the web tier just proxies the connection. And yes, you can get a cert. In the Ops Console go to Deployment Configuration > Certificates > Virtual Host Certificate Management. Click on Generate CSR and fill out the form. Get the CSR signed and import it into the same screen as above. Click on Activate, then go to web tier management and click on Update. You will now have your signed cert presented instead of the default.
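
Added example, not part of the thread and not RSA's code: a small triage script for the symptom discussed above (the web tier listens on 443, yet the browser times out), checking the listener, firewalld, SELinux and fapolicyd in that order. The function names, verdict strings and sample `ss` output are constructed for illustration; the live mode assumes a RHEL host with `ss`, `firewall-cmd`, `getenforce` and `systemctl` available.

```shell
#!/bin/sh
# Added example, not RSA code. Triage for "port 443 is listening but the browser times out".

# Constructed sample of `ss -ltn` output (documentation address 192.0.2.10).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:443      0.0.0.0:*
LISTEN 0      128    192.0.2.10:443     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# listens_on PORT SS_OUTPUT: succeeds if a non-loopback TCP listener exists on PORT.
listens_on() {
  printf '%s\n' "$2" | awk -v p=":$1" '
    $1 == "LISTEN" && $4 ~ (p "$") && $4 !~ /^(127\.|\[::1\])/ { found = 1 }
    END { exit !found }'
}

# fw_allows PORT LIST_PORTS LIST_SERVICES: succeeds if firewalld permits PORT/tcp.
# Exact matches only; port ranges such as 400-500/tcp are not expanded.
fw_allows() {
  case " $2 " in *" $1/tcp "*) return 0 ;; esac
  if [ "$1" = 443 ]; then
    case " $3 " in *" https "*) return 0 ;; esac
  fi
  return 1
}

# diagnose PORT SS_OUT FW_PORTS FW_SERVICES SELINUX_MODE FAPOLICYD_STATE: prints one verdict.
diagnose() {
  if ! listens_on "$1" "$2"; then echo "no-external-listener"; return 0; fi
  if ! fw_allows "$1" "$3" "$4"; then echo "firewalld-blocks-port"; return 0; fi
  # Enforcing SELinux or active fapolicyd is normal; review their denials, do not disable them.
  if [ "$5" = Enforcing ] || [ "$6" = active ]; then
    echo "review-selinux-fapolicyd-denials"; return 0
  fi
  echo "host-side-checks-pass"
}

# Live run on the web tier host (as root): sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
  diagnose 443 "$(ss -ltn)" "$(firewall-cmd --list-ports)" "$(firewall-cmd --list-services)" \
    "$(getenforce)" "$(systemctl is-active fapolicyd)"
fi
```

When the verdict is `firewalld-blocks-port`, keep in mind that a rule added with `--permanent` is only written to the saved configuration; it reaches the running firewall after `firewall-cmd --reload`.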