Configure Apache Module for RVRD Setup through a Firewall (DMZ)

Copyright © Cloud Software Group, Inc. All Rights Reserved

Chapter 4 Apache Module for TIBCO API Exchange Gateway : Configure Apache Module for RVRD Setup through a Firewall (DMZ)

Configure Apache Module for RVRD Setup through a Firewall (DMZ)

By default, the Core Engine uses the TIBCO Rendezvous daemon (rvd) to communicate with the Apache module. The Apache module receives client requests directly from the Internet and performs SSL validation. By placing a firewall between the DMZ (De-Militarized Zone) and the rest of the system, you can protect the system against the threat of malicious communications and provide stronger security.

When the services are exposed to an unsecured network (such as the Internet) it is usual to define different security zones with restricted connections allowed between them. Requests from the outside world are terminated behind a firewall in a de-militarized zone (DMZ). Applications running in the DMZ are not allowed to initiate connections into the more secured zones. In some cases, defense-in-depth is applied and multiple DMZs are used.

TIBCO Rendezvous routing daemon can be configured to forward the Rendezvous messages from the DMZ network through the firewall to the internal network where the TIBCO API Exchange Gateway components are deployed.

This section explains the deployment topology illustrating the deployment of Apache HTTP Server separately in the DMZ and all other gateway components in a secure network. See Figure 5, Apache HTTP Server in DMZ and Other Components in Secure Network.

Rendezvous transport can be configured so that all connections between the Core Engine (asg_core) and the Apache HTTP server are instantiated from the internal secure zone into the DMZ (that is, the server running asg_core).

In this layout only, the authentication is carried out in the DMZ and the minimal possible gateway configuration must be available in the DMZ.

If you want to deploy TIBCO API Exchange Gateway in the DMZ setup between the firewalls, configure RVRD when the machines are in different subnets of the network.

Figure 5 Apache HTTP Server in DMZ and Other Components in Secure Network

This section explains the steps to set up the TIBCO API Exchange Gateway in a DMZ environment:

1.

Install TIBCO Rendezvous on Machine 1. Refer to the readme file located in TIBCO_HOME directory for the supported version of TIBCO Rendezvous.

2.

Install Apache HTTP Server on the Machine 1. Refer to the readme file located in the TIBCO_HOME directory for the supported version of the Apache HTTP server.

3.

Install TIBCO API Exchange Gateway software on Machine 2.

4.

Configure RVRD between Machine1 and Machine 2 (Machine 1 is outside the firewall and Machine 2 is inside the firewall) so that they can send and receive Rendezvous messages to each other. The subject used to configure RVRD should match the value specified in the AsgSubject parameter defined in the mod_ASG.conf file located in the Apache Server Installation. See TIBCO Rendezvous Administration for detailed instructions to configure rvrd or rvd, as required.

5.

Install the Apache module on Machine 1 as follows:

a.

Navigate to the TIBCO API Exchange Gateway installation directory on Machine 2.

b.

Browse to the ASG_HOME/modules/http_server/apache directory.

c.

Copy the mod_ASG.conf file from the Machine 2 and place it under Apache HTTP server installation directory on Machine 1.

6.

On Machine 1 (where Apache HTT P server is installed), edit the mod_ASG.conf configuration file located in the Apache HTTP server installation to set the Rendezvous session connection parameters as described in the Rendezvous Session Connection Parameters for Apache Module.

7.

On Machine 2, where TIBCO API Exchange Gateway software is installed, edit the asg.properties file, located under ASG_CONFIG_HOME to set the Rendezvous session connection parameters. See Rendezvous Session Parameters for Apache Module and Core Engine Communication.

8.

If you want to change the default values for the Rendezvous session connection parameters for the Core Engine and Central Logger component, set or edit the parameters in the ASG_CONFIG_HOME/asg.properties file. See Parameters for Rendezvous connection from Core Engine to Central Logger. Also, set or edit the Rendezvous session connection parameters in the ASG_CONFIG_HOME/asg_cl.properties file. See Parameters for Rendezvous connection for Central Logger.

9.

To change the default values for the Rendezvous session connection parameters for the Core Engine and Global Throttle Manager, set or edit the parameters in the ASG_CONFIG_HOME/asg.properties file as described in the table, Rendezvous Parameters for Core Engine And Global Throttle Manager Communication.

10.

Save the changes to the file.

You can edit the parameters in the ASG_CONFIG_HOME/asg.properties file and ASG_CONFIG_HOME/asg_cl.properties file on the Config UI. See Runtime Properties for details.