cancel
Showing results for 
Search instead for 
Did you mean: 

VCS Apache Agent with SSL Enabled, and Cert Password

jstucki
Level 4

A VCS 5.0/5.1 customer (Solaris 10/SPARC) is using some custom scripts to manage their Apache Web Server instance in a 2-node cluster.  They have a problem, in that when Apache is started, it requires that the SSL cert password be entered manually.  The start command is "/usr/local/apache/bin/apachectl startssl".  When this command is executed, it prompts for a password to be entered.  Althought their scripts could probably be modified to provide a password, I thought that a better solution would be to use the Apache Agent that is bundled with VCS.

I pulled up the VCS 5.1 SP1 Bundled Agents Resource Guide (BARG) document, and did some reading on the Apache Agent.  I found that this Agent does include an attribute called "EnableSSL", but the Agent does not provide an attribute for sending an encrypted password (as some other agents do, like the Tibco EMS Agent), so that a password can be provided for Apache SSL startup.  The interaction looks like this:

/usr/local/apache2/bin/apachectl startssl Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server 127.0.0.1:443 (RSA) Enter pass phrase:************* Ok: Pass Phrase Dialog successful.

QUESTION:  Has someone encountered this problem before, with Apache and the VCS-supplied Agent?  What solutions have you used with the VCS-supplied Agent? 

Thanks, -John

1 ACCEPTED SOLUTION

Accepted Solutions

bayram_bayramli
Level 2

 

Just for convenience for not always being asked for the passphrase during apache's start phase we create a small and simple shellscript called "pp" (=pass phrase) and put it to /opt/apache-x.x.xx-ssl/bin/pp. For instance, this would look like this one:

#!/bin/sh

case "$1" in
        www.example.com*)
                echo "pw4support"
                ;;
esac

Now change the directive

SSLPassPhraseDialog  builtin

to

SSLPassPhraseDialog  exec:/opt/apache-x.x.xx-ssl/bin/pp

I will definitely not explain how to get apache listening on port 443, which is the default https port :). Just take a look at "Listen". After saving, you should now be able to start the webserver by

# /opt/apache-x.x.xx-ssl/bin/apachectl startssl

View solution in original post

2 REPLIES 2

mikebounds
Level 6
Partner Accredited

John,

I've not used Appache with SSL before, but according to the BARG, the Apache agent does not use apachectl to start Apache it uses:

 

 httpdDir/httpd -f ConfigFile -k start
 
and if you enable SSL it uses:
 
 httpdDir/httpd -f ConfigFile -k start -DSSL 
 
 
Mike

bayram_bayramli
Level 2

 

Just for convenience for not always being asked for the passphrase during apache's start phase we create a small and simple shellscript called "pp" (=pass phrase) and put it to /opt/apache-x.x.xx-ssl/bin/pp. For instance, this would look like this one:

#!/bin/sh

case "$1" in
        www.example.com*)
                echo "pw4support"
                ;;
esac

Now change the directive

SSLPassPhraseDialog  builtin

to

SSLPassPhraseDialog  exec:/opt/apache-x.x.xx-ssl/bin/pp

I will definitely not explain how to get apache listening on port 443, which is the default https port :). Just take a look at "Listen". After saving, you should now be able to start the webserver by

# /opt/apache-x.x.xx-ssl/bin/apachectl startssl