jstucki
14 years ago
Solved

VCS Apache Agent with SSL Enabled, and Cert Password

A VCS 5.0/5.1 customer (Solaris 10/SPARC) is using some custom scripts to manage their Apache Web Server instance in a 2-node cluster.  They have a problem, in that when Apache is started, it requires that the SSL cert password be entered manually.  The start command is "/usr/local/apache/bin/apachectl startssl".  When this command is executed, it prompts for a password to be entered.  Although their scripts could probably be modified to provide a password, I thought that a better solution would be to use the Apache Agent that is bundled with VCS.

I pulled up the VCS 5.1 SP1 Bundled Agents Resource Guide (BARG) document, and did some reading on the Apache Agent.  I found that this Agent does include an attribute called "EnableSSL", but the Agent does not provide an attribute for sending an encrypted password (as some other agents do, like the Tibco EMS Agent), so that a password can be provided for Apache SSL startup.  The interaction looks like this:

    /usr/local/apache2/bin/apachectl startssl
    Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.
    Server 127.0.0.1:443 (RSA)
    Enter pass phrase:*************
    Ok: Pass Phrase Dialog successful.

QUESTION:  Has someone encountered this problem before, with Apache and the VCS-supplied Agent?  What solutions have you used with the VCS-supplied Agent? 

Thanks, -John

  •  

    Just for convenience for not always being asked for the passphrase during apache's start phase we create a small and simple shellscript called "pp" (=pass phrase) and put it to /opt/apache-x.x.xx-ssl/bin/pp. For instance, this would look like this one:

    #!/bin/sh
    
    case "$1" in
            www.example.com*)
                    echo "pw4support"
                    ;;
    esac
    

    Now change the directive

    SSLPassPhraseDialog  builtin
    

    to

    SSLPassPhraseDialog  exec:/opt/apache-x.x.xx-ssl/bin/pp
    

    I will definitely not explain how to get apache listening on port 443, which is the default https port :). Just take a look at "Listen". After saving, you should now be able to start the webserver by

    # /opt/apache-x.x.xx-ssl/bin/apachectl startssl
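
A variant of the "pp" helper above that reads the pass phrase from a file only its owner can access, instead of embedding it in the script. This is an added example, not part of the original reply; the `PP_DIR` directory and the `<server:port>.pass` file naming are assumptions, and it is written for a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the thread: a "pp" helper that keeps the pass phrase
# out of the script itself. PP_DIR and the <server:port>.pass file naming are
# assumptions made for this sketch.
PP_DIR="${PP_DIR:-/etc/apache-pp}"   # hypothetical root-only directory

# pp_lookup SERVER:PORT
# Prints the pass phrase stored for that virtual host; non-zero exit otherwise.
pp_lookup() {
    key=$1
    # Accept only host:port style names so the argument cannot leave PP_DIR.
    case "$key" in
        ""|*[!A-Za-z0-9.:_-]*|*..*)
            echo "pp: refusing key name '$key'" >&2
            return 2 ;;
    esac
    file="$PP_DIR/$key.pass"
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "pp: no pass phrase file for $key" >&2
        return 3
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # anything except "------" means someone besides the owner can reach it.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "pp: $file is accessible to group/other, refusing" >&2
        return 4
    fi
    # Emit the first line only: the pass phrase, without any trailing notes.
    head -n 1 "$file"
}

# mod_ssl runs the helper with the server:port as $1 (and the key type as $2).
if [ "$#" -gt 0 ]; then
    pp_lookup "$1"
fi
```

The helper fails closed: if the file is missing, is a symlink, or has any group/other permission bit set, it prints nothing on stdout and Apache's pass phrase dialog fails instead of silently using an exposed secret.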

2 Replies

  • John,

    I've not used Apache with SSL before, but according to the BARG, the Apache agent does not use apachectl to start Apache; it uses:

     

     httpdDir/httpd -f ConfigFile -k start
     
    and if you enable SSL it uses:
     
     httpdDir/httpd -f ConfigFile -k start -DSSL 
     
     
    Mike