
Technical Notes

Setting Up the Reflection for the Web Security Proxy Server in UNIX, Linux, or Mac OS X
Technical Note 1812
Last Reviewed 31-Aug-2007
Applies To
Reflection for the Web 2008 (All Editions except Standard)
Reflection for the Web version 8.0 through 9.x
Summary

This technical note provides steps for manually installing and configuring Reflection for the Web's optional security proxy server feature on UNIX, Linux, or Mac OS X systems that are not supported by the automated installation methods. If you have successfully installed Reflection for the Web Security Proxy Server using an automated installer, then the Security Proxy was automatically configured during installation, and you do not need to follow the steps in this technical note.

For information about manually installing Reflection for the Web to a machine running UNIX or Linux, see Technical Note 1699, or to a machine running Mac OS X, see Technical Note 2343.

Before you begin:

  • Verify or update your version of Java.

Java 1.5.x or higher is strongly recommended to configure the Reflection for the Web Security Proxy.

You can download the J2SE SDK (JDK) from http://java.sun.com/j2se if your server does not already have the recommended version.

For Mac OS, install to Mac OS 10.2 or higher. Java 1.4.x is pre-installed on this version.

  • The default cipher suite for Reflection for the Web security proxies is RSA with Triple DES. You must download the Unlimited Strength Jurisdiction Policy Files (see steps below) if both of the following conditions exist:
    • You require a higher level of encryption, such as:
      • RSA with 256- or 192-bit AES
      • DSA with 256- or 192-bit AES
    • You are using the Sun Java Plug-in 1.4.x or higher as your Java Virtual Machine (JVM) on the management server, the security proxy server, or on client machines.
  • If you are installing Reflection to a Mac OS, use the Terminal application to perform UNIX installation and configuration commands.

Replace current policy files with Unlimited Strength Jurisdiction Policy Files

Follow these steps to use the AES 256- or 192-bit keys.

  1. Go to https://java.sun.com.
  2. Under "Popular Downloads" on the right side of the page, select J2SE 5.0.
  3. Scroll down to the "Other Downloads" section and click the Download link for "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0."
  4. Extract the *.zip file that contains the unlimited strength extension.
  5. On the client machines, first back up and then replace the current policy files with the unlimited strength versions:

<java install directory>/jre1.x.x/lib/security/local_policy.jar

<java install directory>/jre1.x.x/lib/security/US_export_policy.jar

For example, on a Windows client with a 1.5 JVM, the policy files are typically located in C:\program files\java\jre1.5.0_02\lib\security.

  6. On the Reflection management server and the security proxy server, first back up and then replace local_policy.jar and US_export_policy.jar with the unlimited strength versions.

By default, these files are installed in the <java install directory>/jre/lib/security directory.

Note: If you choose to use AES 256- or 192-bit keys, all client machines using the Sun jvm must also be upgraded with Unlimited Strength Jurisdiction Policy Files.
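A pre-flight check for the two prerequisites above (a 1.5 or later JVM, and policy jars that were backed up before being replaced), written as an added example that is not part of this technical note. The functions take the `java -version` banner and the lib/security directory as arguments; the sample banners are constructed, and JAVA_HOME in the usage comment is assumed to be set.

```shell
#!/bin/sh
# Added example, not from the technical note: pre-flight checks for the
# prerequisites above. Inputs are passed as arguments so the logic can be
# exercised on constructed values (no JVM is needed to test the parsing).

# Return 0 if a "java -version" banner reports Java 1.5 or higher.
# Constructed sample banner: java version "1.5.0_02"
java_version_ok() {
    banner="$1"
    # Extract the quoted version string, e.g. 1.5.0_02
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%_*}
    # Old 1.x numbering: need 1.5+. Newer JDKs report 9, 11, ... as major.
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ]
}

# Return 0 if both JCE policy jars are present in the given lib/security
# directory and each has a .bak copy, as the replacement steps require.
policy_files_ok() {
    secdir="$1"
    for jar in local_policy.jar US_export_policy.jar; do
        [ -f "$secdir/$jar" ] || { echo "missing: $secdir/$jar" >&2; return 1; }
        [ -f "$secdir/$jar.bak" ] || { echo "no backup of $secdir/$jar" >&2; return 1; }
    done
    return 0
}

# Stand-alone use on a live server (assumes JAVA_HOME is set):
#   java_version_ok "$(java -version 2>&1 | head -n 1)" || echo "upgrade Java"
#   policy_files_ok "$JAVA_HOME/jre/lib/security"
```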

Installing and Configuring the Security Proxy Server

This section provides details on installing and configuring Reflection for the Web's security proxy server. This feature is not required to run Reflection for the Web.

Note: Beginning in Reflection for the Web 2008, the security proxy server is not included in the Standard Edition.

Create a Reflection Management Server Certificate

Follow the steps below to create a management server certificate.

  1. Launch the Administrative WebStation.
  2. In the Administrative WebStation click Tools > Security Setup, and then click the Certificates tab.
  3. In the Administer Reflection Management Server Certificate section, click "Generate a self-signed certificate."
  4. Complete and submit the Generate a self-signed certificate form. For more information about certificates, see Technical Note 1600.

Install the Security Proxy Server

Before installing the security proxy server, note the following:

  • These steps assume the installation will be to the /usr/local directory.

If you choose to install to a different directory, be sure to edit the paths in the steps below as needed.

  • The security proxy can be installed on the same machine as the Reflection Management Server or on a different machine.
  • To install the security proxy, you must be logged in to the server as root.

Follow these steps to install the security proxy server:

  1. Create a directory under /usr/local named securityproxy.
  2. Locate the rwebproxy.zip file in your installation images. On the Reflection for the Web CD, this file is located in the \install\nonautomated directory. With electronic delivery, download and unzip the "manual installation" file.
  3. Copy the rwebproxy.zip file to /usr/local/securityproxy.
  4. Use the following command, or an unzip utility, to unzip rwebproxy.zip to the securityproxy directory:
jar -xf /usr/local/securityproxy/rwebproxy.zip

Configure the Security Proxy Server

If you have the X Window System available on your system, you can use the X Windows Method. Otherwise, use the Non-X Method.

X Windows Method

Follow these steps to configure the Security Proxy Server using X Windows. This section explains how to configure the security proxy server on your server by using the SecurityWizard.sh shell script to run the Security Proxy Wizard.

The Security Proxy Wizard requires an X11 window to display its graphical interface. Use the console of an X window, or an X session (as provided with Reflection X), and open a terminal window.

Running the Security Proxy Wizard

Log in as root. Using a text editor, open /usr/local/securityproxy/bin/SecurityWizard.sh and modify the following:

  1. Add the path to the java executable at the JAVA_EXE line. For example:
JAVA_EXE=/usr/java/jdk/bin/java
  2. If you run the wizard directly from the securityproxy directory, retain the default directory setting. In other cases, enter the complete path to the lib directory. For example:
LIB_DIR=/usr/local/securityproxy/lib
  3. Save your changes.
  4. Use the following chmod command to give all the .sh files full access permissions for the owner, and read and execute permissions for group and other:
chmod 755 *.sh
  5. Use the following command to run SecurityWizard.sh:
./SecurityWizard.sh

Additional command line options are available. For more details, see the Installation Guide: Configuring Components > Security Proxy Server > Running the security proxy Wizard.

Configuring the Security Proxy Server

Use the Security Proxy Wizard to configure the security proxy server.

  1. In the Security Proxy Wizard, click Status > New to create a server.properties file. It is recommended that you install the file in the /usr/local/securityproxy/conf directory (within your installation of the security proxy server).
    1. In the Select Data Root Directory dialog box, select the securityproxy directory, and then click the Create button.

The conf directory and the server.properties file are automatically created.

    2. Verify that you do not have two conf directories in the path.
    3. Click Yes to continue.
    4. Enter a host name for the security proxy server, and then click OK.
  2. Add the management server certificate to the security proxy trusted certificates list.
    1. On the Trusted Certificates tab, you can import a trusted certificate from a file or directly from the management server over the network. Import the generated certificate from the Reflection management server over the network.
    2. Click Import, and then click the Server button.
  3. Specify (or accept the defaults for) the Reflection management server address, the management server (not the proxy server) HTTP port number, the servlet context, and the friendly name of the Reflection management server.

The context name is used in the URL that accesses the management server, and it is often—although not always—the same as the directory within which the management server is installed. The default context name is rweb.

Click OK.

  4. On the Advanced Settings tab, verify the Client authorization setting.

If Client authorization is on (the default), you need to configure only one proxy and one port, even if you are connecting to multiple hosts.

If Client authorization is off, you need to create a security proxy for each host, and each needs a unique local port number.

  5. Create the proxy.
    1. On the Proxies tab, click Add.
    2. Enter the local port number. This is the port on which the proxy listens for connections. It can be any unused port number; it should not be the standard port for the host connection. (Click Help for more information.)
    3. Click Add to change the default cipher suite.
  6. In the Add Cipher Suite dialog box, select a Cipher suite or accept the default. Click the Generate button.
  7. In the Generate Security Proxy Certificate dialog box, enter the certificate information. Click the Generate button.
  8. In the Add Cipher Suite dialog box, click OK to add the cipher suite.
  9. Verify the Proxy Type is Protocol Proxy. For more information click the Help button.
  10. For protocols, select Emulation, FTP, or both. For more information, see Help.
  11. In the Add Proxy dialog box, click OK to add the proxy.
  12. Export the settings to the management server.
    1. On the Proxies tab, click Export Settings.
    2. In the Export Proxies dialog box, specify or accept the default Management server, HTTP Port, and Context. Click Export.
  13. When you have finished setting up the security proxy server, click Exit to close the wizard and save your settings.

To make changes to the proxy server settings later, simply rerun the wizard.

Start the Security Proxy Server

You can start the security proxy server either manually or as a daemon. Choose an option and follow the steps provided.

Option 1: Manually starting the security proxy server

You can manually start the security proxy server by running the SecurityProxy.sh shell script.

Follow these steps to edit the shell script before running it:

  1. Open /usr/local/securityproxy/bin/SecurityProxy.sh in a text editor.
  2. At the JAVA_HOME line, add the path to the directory above the bin directory. The resulting line might look like this:
JAVA_HOME=/usr/java/jdk
  3. If you installed the security proxy in default folders, retain the default WRQ_PROXY_HOME setting. In other cases, enter the complete path to the security proxy. For example, the resulting line might look like this:
WRQ_PROXY_HOME=/usr/local/securityproxy
  4. Save your changes.
  5. Run the script:
./SecurityProxy.sh start

Note: When you use the SecurityProxy.sh shell script, you can modify its behavior by including a parameter in the [options] when you start the security proxy server. For details, see the Installation Guide: Configuring Components > Security Proxy Server > Running the security proxy.

Option 2: Starting the security proxy server as a daemon

This option enables the daemon to run in the background without requiring the session that is logged in as root to remain running while the proxy server is being used.

The following instructions use the SecurityProxy.sh script to start and stop the proxy at system startup and shutdown. These instructions may need to be modified for your specific UNIX platform.

  1. Copy SecurityProxy.sh to the /etc/init.d folder. For example:
cp SecurityProxy.sh /etc/init.d
  2. Create a symbolic link to the copy from the /etc/rc3.d directory with the name S##SecurityProxy, where ## is a unique number that sets the script's position in the startup order of the scripts in the /etc/rc3.d folder. For example:
ln -s /etc/init.d/SecurityProxy.sh /etc/rc3.d/S98SecurityProxy
  3. Create another symbolic link to the copy from the /etc/rc2.d folder. The name of the link should be K##SecurityProxy, where ## is a unique number that sets the script's position in the shutdown order of the scripts in the /etc/rc2.d directory. For example:
ln -s /etc/init.d/SecurityProxy.sh /etc/rc2.d/K01SecurityProxy

The proxy will then start during system boot, or at any time after the network has been initialized.
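The daemon setup above, as an added example that is not part of this technical note: it installs the init.d copy and the S##/K## links, picks an ordinal that is not already used in the rc directory (the note requires a unique number), and verifies that both links resolve to an executable script. All directories are parameters; the paths in the usage comment are the note's defaults.

```shell
#!/bin/sh
# Added example, not from the technical note: install the start/stop links
# described above with an S##/K## ordinal that is not already used in the
# rc directory, then verify the links resolve. All paths are parameters so
# the function can be exercised on a temporary directory tree.

# Print the first unused two-digit ordinal >= $2 for links with prefix
# letter $3 in directory $1; fail if every ordinal up to 99 is taken.
free_ordinal() {
    dir="$1"; n="$2"; prefix="$3"
    while [ "$n" -le 99 ]; do
        num=$(printf '%02d' "$n")
        set -- "$dir/$prefix$num"*      # expands to matching entries, if any
        [ -e "$1" ] || { echo "$num"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# Copy SecurityProxy.sh into init.d and link it from the start and stop
# rc directories (for example /etc/rc3.d and /etc/rc2.d), as in the steps above.
install_proxy_links() {
    script="$1"; initd="$2"; rc_start="$3"; rc_stop="$4"
    cp "$script" "$initd/SecurityProxy.sh" || return 1
    chmod 755 "$initd/SecurityProxy.sh" || return 1
    # Late start ordinal (after networking), early stop ordinal.
    s=$(free_ordinal "$rc_start" 98 S) || return 1
    k=$(free_ordinal "$rc_stop" 1 K) || return 1
    ln -s "$initd/SecurityProxy.sh" "$rc_start/S${s}SecurityProxy" || return 1
    ln -s "$initd/SecurityProxy.sh" "$rc_stop/K${k}SecurityProxy" || return 1
    # Verify that both links resolve to an executable script.
    [ -x "$rc_start/S${s}SecurityProxy" ] && [ -x "$rc_stop/K${k}SecurityProxy" ]
}

# Stand-alone use as root, with the note's default directories:
#   install_proxy_links /usr/local/securityproxy/bin/SecurityProxy.sh \
#       /etc/init.d /etc/rc3.d /etc/rc2.d
```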

Import the Proxy Settings into the Reflection Administrative WebStation

The Proxy Settings have already been imported into the Administrative WebStation if you selected "Export" when you ran the Security Proxy Wizard. Follow these steps to check the settings:

  1. Open the Administrative WebStation.
  2. Click Tools > Security Setup, and then click the Security Proxy tab.
  3. The security proxy settings should display in the table.

You can now create secure terminal sessions. For instructions about creating sessions, see the Installation Guide: "Creating secure sessions."

Non-X Method

Follow these steps to configure the Security Proxy Server if you do not have the X Window System (X windows) available on your system.

  1. Create the server.properties and certificate files on a Windows system and upload them to the UNIX, Linux, or Mac OS X installation:
    1. On a Windows system, temporarily install the Security Proxy Server. You can select just the proxy from the installation options.
    2. When prompted for the server name and common name, enter the fully qualified name of your UNIX, Linux, or Mac OS X machine (for example, securityproxy.acme.com) in each field.
    3. After installation is complete, copy all the generated certificates from the Windows system (keystores\*.pfx) to the equivalent directory on the UNIX, Linux, or Mac OS X machine.
    4. Copy the properties file (conf\server.properties) to the equivalent directory on the UNIX, Linux, or Mac OS X machine.
  2. Follow the steps in the Start the Security Proxy Server section, then return here and continue with step 3, below.
  3. Import the Security Proxy public key into the Management Server:
    1. In a web browser, open the Administrative WebStation of your Reflection for the Web Management Server. For example, http://myrwebmgmtserver.acme.com/rweb/AdminStart.html.
    2. Click Security Setup > Security Proxy tab.
    3. Under “Import Settings from Reflection Security Proxy,” in the “Security proxy server name” edit field, enter the fully qualified name of your security proxy machine (for example, securityproxy.acme.com).
    4. Click “Import Settings.”
  4. Verify that the settings are correct.

You can now create secure terminal sessions. For information about creating sessions, see Creating Secure Sessions in the Reflection for the Web Installation Guide.

Related Technical Notes
1320 Configuring the Security Proxy in a Windows Environment
1600 Using Certificates with Reflection for the Web
1699 Installing Reflection for the Web on UNIX or Linux
2204 Installing Reflection for the Web Security Proxy Server on OpenVMS
2343 Installing Reflection for the Web on Mac OS X
9988 Reflection for the Web Technical Notes
