Setting Up the Reflection for the Web 2008 Security Proxy Server in UNIX, Linux, or Mac OS X
Technical Note 1812
Last Reviewed 02-Apr-2010
Reflection for the Web 2008 (All Editions except Standard)
This technical note provides steps for manually installing and configuring Reflection for the Web's optional security proxy server feature on UNIX, Linux, or Mac OS X systems that are not supported by the automated installation methods. If you have successfully installed Reflection for the Web Security Proxy Server using an automated installer, then the security proxy was automatically configured during installation, and you do not need to follow the steps in this technical note.
For information about setting up the Reflection for the Web 2011 security proxy server in UNIX or Linux, see Technical Note 2569.
For information about manually installing Reflection for the Web to a machine running UNIX or Linux, see Technical Note 1699, or to a machine running Mac OS X, see Technical Note 2343.
Before you begin:
- Verify or update your version of Java.
Java 1.5.x or higher (Java Runtime Environment version 5.0 or higher) is strongly recommended to configure the Reflection for the Web Security Proxy.
You can download the Java SE Development Kit (JDK) from http://www.oracle.com/technetwork/java/javase/downloads/index.html if your server does not already have the recommended version.
For Mac OS, install to Mac OS 10.2 or higher. Java 1.4.x is pre-installed on this version.
- The default cipher suite for Reflection for the Web security proxies is RSA with Triple DES. You must download the Unlimited Strength Jurisdiction Policy Files (see steps below) if both of the following conditions exist:
- You require a higher level of encryption, such as
RSA with 256- or 192-bit AES
DSA with 256- or 192-bit AES
- You are using the Sun Java Plug-in 1.4.x or higher as your Java Virtual Machine (JVM) on the management server, the security proxy server, or on a client machine.
- If you are installing Reflection to a Mac OS, use the Terminal application to perform UNIX installation and configuration commands.
Replace current policy files with Unlimited Strength Jurisdiction Policy Files
Follow these steps to use the AES 256- or 192-bit keys.
- Go to http://www.oracle.com/technetwork/java/javase/downloads/index.html.
- Scroll to the "Other Downloads" section (at the bottom of the page) and click the Download link for "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files."
- Extract the *.zip file that contains the unlimited strength extension.
- On the client machines, first back up and then replace the current policy files with the unlimited strength versions:
<java install directory>/jre1.x.x/lib/security/local_policy.jar
<java install directory>/jre1.x.x/lib/security/US_export_policy.jar
For example, on a Windows client with a 1.5 JVM, the policy files are typically located in C:\program files\java\jre1.5.0_02\lib\security.
- On the Reflection management server and the security proxy server, first back up and then replace local_policy.jar and US_export_policy.jar with the unlimited strength versions.
By default, these files are installed in the <java install directory>/jre/lib/security directory.
Note: If you choose to use AES 256- or 192-bit keys, all client machines using the Sun JVM must also be upgraded with the Unlimited Strength Jurisdiction Policy Files.
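The back-up-and-replace step above, for a server or client JRE, as an added shell example that is not part of the technical note: it copies the export-limited jars aside before the unlimited ones are copied in, refuses a second run so the originals are never overwritten, and provides a rollback. The `.limited.bak` suffix and the function names are this example's own choices.

```sh
#!/bin/sh
# Usage: replace_policy_jars <jre>/lib/security <directory holding the unlimited jars>
# Backs up local_policy.jar and US_export_policy.jar as *.limited.bak, then
# copies the unlimited versions over them. Refuses to run if a backup already
# exists, so the export-limited originals are kept for restore_policy_jars.
replace_policy_jars() {
    sec_dir=$1
    unl_dir=$2
    for jar in local_policy.jar US_export_policy.jar; do
        [ -f "$sec_dir/$jar" ] || { echo "missing $sec_dir/$jar" >&2; return 1; }
        [ -f "$unl_dir/$jar" ] || { echo "missing $unl_dir/$jar" >&2; return 1; }
        [ -e "$sec_dir/$jar.limited.bak" ] && {
            echo "backup $sec_dir/$jar.limited.bak exists; not overwriting it" >&2
            return 1
        }
    done
    for jar in local_policy.jar US_export_policy.jar; do
        cp -p "$sec_dir/$jar" "$sec_dir/$jar.limited.bak" || return 1
        cp "$unl_dir/$jar" "$sec_dir/$jar" || return 1
    done
    echo "replaced policy jars in $sec_dir (originals saved as *.limited.bak)"
}

# Usage: restore_policy_jars <jre>/lib/security
# Puts the export-limited jars back and removes the backups.
restore_policy_jars() {
    sec_dir=$1
    for jar in local_policy.jar US_export_policy.jar; do
        [ -f "$sec_dir/$jar.limited.bak" ] || { echo "no backup for $jar" >&2; return 1; }
    done
    for jar in local_policy.jar US_export_policy.jar; do
        mv "$sec_dir/$jar.limited.bak" "$sec_dir/$jar" || return 1
    done
    echo "restored export-limited policy jars in $sec_dir"
}
```

Run it once per JRE (management server, proxy server, and each client using the Sun JVM), pointing the first argument at that JRE's lib/security directory.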
Installing and Configuring the Security Proxy Server
This section provides details on installing and configuring Reflection for the Web's security proxy server. This feature is not required to run Reflection for the Web.
Note: Beginning in Reflection for the Web 2008, the security proxy server is not included in the Standard Edition.
Create a Reflection Management Server Certificate
Follow the steps below to create a management server certificate.
- Launch the Administrative WebStation.
- In the Administrative WebStation click Tools > Security Setup, and then click the Certificates tab.
- In the Administer Reflection Management Server Certificate section, click "Generate a self-signed certificate."
- Complete and submit the Generate a self-signed certificate form. For more information about certificates, see Technical Note 1600.
Install the Security Proxy Server
Before installing the security proxy server, note the following:
- These steps assume the installation will be to the /usr/local directory.
If you choose to install to a different directory, be sure to edit the paths in the steps below as needed.
- The security proxy can be installed on the same machine as the Reflection Management Server or on a different machine.
- To install the security proxy, you must be logged in to the server as root.
Follow these steps to install the security proxy server:
In Reflection for the Web 2008 or higher, unzip the rwebproxy.zip file. When the file extracts, it creates an rwebproxy directory.
In earlier versions:
- Create a directory under /usr/local named securityproxy.
- Locate the rwebproxy.zip file in your installation images. On the Reflection for the Web CD, this file is located in the \install\nonautomated directory. With electronic delivery, download and unzip the "manual installation" file.
- Copy the rwebproxy.zip file to /usr/local/securityproxy.
- Use the following command, or an unzip utility, to unzip rwebproxy.zip to the securityproxy directory:
jar -xf /usr/local/securityproxy/rwebproxy.zip
Configure the Security Proxy Server
If you have the X Window System available on your system, you can use the X Windows Method. Otherwise, use the Non-X Method.
X Windows Method
This section explains how to configure the security proxy server using X Windows, by running the Security Proxy Wizard through the SecurityWizard.sh shell script.
The Security Proxy Wizard requires an X11 window to display its graphical interface. Use the console of an X window, or an X session (as provided with Reflection X), and open a terminal window.
Running the Security Proxy Wizard
Log in as root. Using a text editor, open /usr/local/securityproxy/bin/SecurityWizard.sh and modify the following:
- Add the path to java.exe at the JAVA_EXE line. For example:
- If you run the wizard directly from the securityproxy directory, retain the default directory setting. In other cases, enter the complete path to the lib directory. For example:
- Save your changes.
- Use the following chmod command to configure all the .sh files with full access permissions for owner, and read and execute permissions for group and other.
- Use the following command to run SecurityWizard.sh: ./SecurityWizard.sh
Additional command line options are available. For more details, see the Installation Guide: Configuring Components > Security Proxy Server > Running the security proxy Wizard.
Configuring the Security Proxy Server
Use the Security Proxy Wizard to configure the security proxy server.
- In the Security Proxy Wizard, click Status > New to create a server.properties file.
In Reflection for the Web 2008 or higher, we recommend that you create the file in the /usr/local/rwebproxy/conf directory.
In earlier versions, we recommend that you install the file in the /usr/local/securityproxy/conf directory (within your installation of the security proxy server).
- In the Select Data Root Directory dialog box, select the rwebproxy directory (or in earlier versions, the securityproxy directory), and then click the Create button.
The conf directory and the server.properties file are automatically created.
- Verify that you do not have two conf directories in the path.
- Click Yes to continue.
- Enter a host name for the security proxy server, and then click OK.
- Add the management server certificate to the security proxy trusted certificates list.
- On the Trusted Certificates tab, you can import a trusted certificate from a file or directly from the management server over the network. Import the generated certificate from the Reflection management server over the network.
- Click Import, and then click the Server button.
- Specify (or accept the defaults for) the Reflection management server address, the management server (not the proxy server) HTTP port number, the servlet context, and the friendly name of the Reflection management server.
The context name is used in the URL that accesses the management server, and it is often, although not always, the same as the directory within which the management server is installed. The default context name is rweb.
- On the Advanced Settings tab, verify the Client authorization setting.
If Client authorization is on (the default), you need to configure only one proxy and one port, even if you are connecting to multiple hosts.
If Client authorization is off, you need to create a security proxy for each host, and each needs a unique local port number.
- Create the proxy.
- On the Proxies tab, click Add.
- Enter the local port number. This is the port on which the proxy listens for connections. It can be any unused port number; it should not be the standard port for the host connection. (Click Help for more information.)
- Click Add to change the default cipher suite.
- In the Add Cipher Suite dialog box, select a Cipher suite or accept the default. Click the Generate button.
- In the Generate Security Proxy Certificate dialog box, enter the certificate information. Click the Generate button.
- In the Add Cipher Suite dialog box, click OK to add the cipher suite.
- Verify the Proxy Type is Protocol Proxy. For more information click the Help button.
- For protocols, select Emulation, FTP, or both. For more information, see Help.
- In the Add Proxy dialog box, click OK to add the proxy.
- Export the settings to the management server.
- On the Proxies tab, click Export Settings.
- In the Export Proxies dialog box, specify or accept the default Management server, HTTP Port, and Context. Click Export.
- When you have finished setting up the security proxy server, click Exit to close the wizard and save your settings.
To make changes to the proxy server settings later, simply rerun the wizard.
Start the Security Proxy Server
You can start the security proxy server either manually or as a daemon. Choose an option and follow the steps provided.
Option 1: Manually starting the security proxy server
You can manually start the security proxy server by running the SecurityProxy.sh shell script.
Follow these steps to edit the shell script before running it:
- Open /usr/local/securityproxy/bin/SecurityProxy.sh in a text editor.
- At the JAVA_HOME line, add the path to the directory above the bin directory. The resulting line might look like this:
- If you installed the security proxy in default folders, retain the default WRQ_PROXY_HOME setting. In other cases, enter the complete path to the security proxy. For example, the resulting line might look like this:
- Save your changes and run the script:
Note: When you use the SecurityProxy.sh shell script, you can modify its behavior by including a parameter in the [options] when you start the security proxy server. For details, see the Installation Guide: Configuring Components > Security Proxy Server > Running the security proxy.
Option 2: Starting the security proxy server as a daemon
This option enables the daemon to run in the background without requiring the session that is logged in as root to remain running while the proxy server is being used.
The following instructions use the SecurityProxy.sh script to start and stop the proxy at system startup and shutdown. You may need to modify them for your specific UNIX platform.
- Copy SecurityProxy.sh to /etc/init.d folder. For example:
cp SecurityProxy.sh /etc/init.d
- Create a symbolic link to the copy in the /etc/rc3.d directory with the name S##SecurityProxy, where ## is a unique number that sets the script's position in the startup order of the scripts in /etc/rc3.d. For example:
ln -s /etc/init.d/SecurityProxy.sh /etc/rc3.d/S98SecurityProxy
- Create another symbolic link to the copy in the /etc/rc2.d folder. The name of the link should be K##SecurityProxy, where ## is a unique number that sets its position in the shutdown order of the scripts in /etc/rc2.d. For example:
ln -s /etc/init.d/SecurityProxy.sh /etc/rc2.d/K01SecurityProxy
The proxy will then start during system boot, or at any time after the network has been initialized.
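An added shell example (not the technical note's own script) that performs the copy-and-link steps above with the checks a repeat run needs: the init.d and rc directories are parameters so it can be exercised on a scratch tree before touching /etc, existing correct links are kept, and a link name already taken by a different script is reported rather than replaced. The link names S98SecurityProxy and K01SecurityProxy follow the example above; the function names are this example's own.

```sh
#!/bin/sh
# Usage: install_proxy_rc_links <path to SecurityProxy.sh> <init.d dir> <start rc dir> <stop rc dir>
# Example: install_proxy_rc_links ./SecurityProxy.sh /etc/init.d /etc/rc3.d /etc/rc2.d
install_proxy_rc_links() {
    script=$1; init_dir=$2; start_dir=$3; stop_dir=$4
    target=$init_dir/SecurityProxy.sh
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    for d in "$init_dir" "$start_dir" "$stop_dir"; do
        [ -d "$d" ] || { echo "no such directory: $d" >&2; return 1; }
    done
    # Copy only if the installed copy differs, so a re-run is a no-op.
    cmp -s "$script" "$target" 2>/dev/null || cp "$script" "$target" || return 1
    chmod 755 "$target" || return 1
    make_rc_link "$target" "$start_dir/S98SecurityProxy" || return 1
    make_rc_link "$target" "$stop_dir/K01SecurityProxy" || return 1
}

# Create one rc symlink, or accept it if it already points at the target.
# Anything else occupying the name belongs to another script and is left alone.
make_rc_link() {
    link_target=$1; link=$2
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$link_target" ] && return 0
        echo "$link already points to $(readlink "$link"); not replacing it" >&2
        return 1
    elif [ -e "$link" ]; then
        echo "$link exists and is not a symbolic link; not replacing it" >&2
        return 1
    fi
    ln -s "$link_target" "$link"
}

# Usage: check_proxy_rc_links <init.d dir> <start rc dir> <stop rc dir>
# Returns 0 when the init script is executable and both links resolve to it.
check_proxy_rc_links() {
    init_dir=$1; start_dir=$2; stop_dir=$3
    target=$init_dir/SecurityProxy.sh
    [ -x "$target" ] || return 1
    [ "$(readlink "$start_dir/S98SecurityProxy" 2>/dev/null)" = "$target" ] || return 1
    [ "$(readlink "$stop_dir/K01SecurityProxy" 2>/dev/null)" = "$target" ] || return 1
}
```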
Import the Proxy Settings into the Reflection Administrative WebStation
The Proxy Settings have already been imported into the Administrative WebStation if you selected "Export" when you ran the Security Proxy Wizard. Follow these steps to check the settings:
- Open the Administrative WebStation.
- Click Tools > Security Setup, and then click the Security Proxy tab.
- The security proxy settings should display in the table.
You can now create secure terminal sessions. For instructions about creating sessions, see the Installation Guide: "Creating secure sessions."
Non-X Method
Follow these steps to configure the Security Proxy Server if you do not have the X Window System (X Windows) available on your system.
- Create the server.properties and certificate files on a Windows system and upload them to the UNIX, Linux, or Mac OS X installation:
- On a Windows system, temporarily install the Security Proxy Server. You can select just the proxy from the installation options.
- When prompted for the server name and common name, enter the fully qualified name of your UNIX, Linux, or Mac OS X machine (for example, securityproxy.acme.com) in each field.
- After installation is complete, copy all the generated certificates from the Windows system (keystores\*.pfx) to the equivalent directory on the UNIX, Linux, or Mac OS X machine.
- Copy the properties file (conf\server.properties) to the equivalent directory on the UNIX, Linux, or Mac OS X machine.
- Create a /logs directory under the /securityproxy directory on your UNIX, Linux, or Mac OS X machine.
- Open the /securityproxy/conf/server.properties file in an editor and make the following edits:
- In the Log Settings section, change the Log.File entry to
- In the FIPS 140-2 section, change the AuditDllFolder to
- Follow the steps in the Start the Security Proxy Server section, then return here and continue with step 5, below.
- Import the Security Proxy public key into the Management Server:
- In a web browser, open the Administrative WebStation of your Reflection for the Web Management Server. For example, http://myrwebmgmtserver.acme.com/rweb/AdminStart.html.
- Click Security Setup > Security Proxy tab.
- Under “Import Settings from Reflection Security Proxy,” in the “Security proxy server name” edit field, enter the fully qualified name of your security proxy machine (for example, securityproxy.acme.com).
- Click “Import Settings.”
- Verify that the settings are correct.
You can now create secure terminal sessions. For information about creating sessions, see Creating Secure Sessions in the Reflection for the Web Installation Guide.