

How to Configure an Apache Reverse Proxy Server

You can configure an Apache web server to function as a reverse proxy server with any CA SiteMinder® agent. The following process lists the steps for configuring an Apache reverse proxy server:

  1. Update the Apache web server configuration file.
  2. Update the agent configuration parameters for a CA SiteMinder® agent.

Update the Apache Web Server Configuration File

Update the configuration file of the Apache web server so that the Apache web server functions as a reverse proxy server with a CA SiteMinder® agent.

Follow these steps:

  1. Open the httpd.conf file available at the following location:
    /etc/httpd/conf/httpd.conf
    
  2. Add the following directives to the httpd.conf file:
    ProxyPass

    Allows mapping of remote servers to the local server. The values in this directive use the following format:

    /local_virtual_path partial_URL_of_remote_server

    Example: ProxyPass /realma/ http://server.example.org/realma/

    ProxyPassReverse

    Allows adjustment of the location header by the Apache server on HTTP redirect responses. The values in this directive use the following format:

    /local_virtual_path partial_URL_of_remote_server

    Example: ProxyPassReverse /realma/ http://server.example.org/realma/

    For the Apache web server, add the following ProxyPass settings to the configuration file:

    # SiteMinder Administrative UI
    <Location "/iam/siteminder/">
      <IfModule proxy_module>
        ProxyPass http://hostname:port/iam/siteminder/
        ProxyPassReverse http://hostname:port/iam/siteminder/
      </IfModule>
      # Alternate unavailable page
      ErrorDocument 503 /siteminderagent/adminui/HTTP_SERVICE_UNAVAILABLE.html
    </Location>
    # CA Styles r5.1.1
    <Location "/castylesr5.1.1/">
      <IfModule proxy_module>
        ProxyPass http://hostname:port/castylesr5.1.1/
        ProxyPassReverse http://hostname:port/castylesr5.1.1/
      </IfModule>
    </Location>
    

    Note: hostname:port refers to the host and port of the application server running the Administrative UI.

  3. Uncomment the following line in the configuration file.
    LoadModule proxy_module modules/mod_proxy.so
    
  4. Save and close the configuration file.
  5. Restart the Apache web server.
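
The following check is an added example, not part of the CA documentation. It lints httpd.conf text for the settings from steps 2 and 3: an uncommented LoadModule line for proxy_module (without it, the <IfModule proxy_module> blocks are skipped without any error), a ProxyPassReverse for every ProxyPass target, and no leftover hostname:port placeholder. The function name lint_reverse_proxy, the host appserver.example.org:8080, and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the page's two Location blocks, with three deliberate mistakes.
SAMPLE_CONF = """\
#LoadModule proxy_module modules/mod_proxy.so
<Location "/iam/siteminder/">
  <IfModule proxy_module>
    ProxyPass http://appserver.example.org:8080/iam/siteminder/
    ProxyPassReverse http://appserver.example.org:8080/iam/siteminder/
  </IfModule>
</Location>
<Location "/castylesr5.1.1/">
  <IfModule proxy_module>
    ProxyPass http://hostname:port/castylesr5.1.1/
  </IfModule>
</Location>
"""

LOAD_RE = re.compile(r"^[ \t]*LoadModule[ \t]+proxy_module[ \t]", re.M | re.I)
LOCATION_RE = re.compile(r'<Location\s+"?([^">]+)"?\s*>(.*?)</Location>', re.S | re.I)
PASS_RE = re.compile(r"^[ \t]*ProxyPass[ \t]+(\S+)", re.M | re.I)
REVERSE_RE = re.compile(r"^[ \t]*ProxyPassReverse[ \t]+(\S+)", re.M | re.I)


def lint_reverse_proxy(conf_text):
    """Return a list of findings for the reverse proxy settings in conf_text."""
    findings = []
    # Step 3: a commented-out LoadModule line means every
    # <IfModule proxy_module> block is ignored and nothing is proxied.
    if not LOAD_RE.search(conf_text):
        findings.append("global: proxy_module not loaded; IfModule blocks are skipped")
    # Step 2: each ProxyPass target needs an identical ProxyPassReverse target,
    # otherwise redirect Location headers keep the back-end URL.
    for path, body in LOCATION_RE.findall(conf_text):
        reverse_targets = REVERSE_RE.findall(body)
        for target in PASS_RE.findall(body):
            if "hostname:port" in target:
                findings.append(f"{path}: placeholder hostname:port not replaced")
            if target not in reverse_targets:
                findings.append(f"{path}: no ProxyPassReverse for {target}")
    return findings


if __name__ == "__main__":
    for finding in lint_reverse_proxy(SAMPLE_CONF):
        print(finding)
```

To check a real server, pass the contents of /etc/httpd/conf/httpd.conf to lint_reverse_proxy before restarting Apache.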

Update the Agent Configuration Parameters for a SiteMinder Agent

For Apache-based servers behind the Apache reverse proxy server, update the following agent configuration parameters.

Follow these steps:

  1. Set the value of the following parameter to yes:
    ProxyAgent

    Specifies if a Web Agent is acting as a reverse proxy agent.

    When the value of this parameter is yes, the CA SiteMinder® agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

    Default: No

  2. Set the following parameter:
    ProxyTimeout

    Specifies the number of seconds the reverse proxy server waits for the CA SiteMinder® agent that is deployed behind it to respond to a request.

    Default: 120

    Note: This parameter applies to Apache-based agents only.

  3. (Optional) Set the following parameter:
    ProxyTrust

    Instructs the agent on a destination server to trust authorizations received from a CA SiteMinder® agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.

    Default: No

  4. Edit the BadURLChars parameter by removing all occurrences of the following value from the list:
    %
    
  5. Set the httpsports parameter to indicate to the Apache server which port is set up for SSL.
  6. Restart the Apache web server.

    Note: For more information about modifying agent configuration parameters, see the Policy Server Configuration Guide.