If the client systems (user workstations, proxies, single sign-on systems, etc.) send client certificates to the web server along with HTTPS requests and verification of these certificates is required, the following settings must be made. Once this is configured, all requests sent from systems that do not provide valid client certificates will be rejected.
Copy the certificate file of the certification authority (CA) that issued the client certificates into the httpd/config.d subdirectory of the HWF installation.
Add the following lines (if they are not already there) in the section of the .conf configuration file of the Web Server of ProcMan:
Replace <ca_certificate_file> with the real name of the CA certificate file you previously copied to httpd/config.d.
Replace <client_certificate_check> with an expression for the client certificate validation.
For more information on what these expressions look like, see the Apache documentation (http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire) and the example below.
Example (.conf):
It is strongly recommended not to change the ProcMan configuration to an unencrypted HTTP communication.
The default Web Server configuration created at the installation of ProcMan is for encrypted HTTPS communication between the clients and the ProcMan server. It is strongly recommended not to change this configuration to unencrypted HTTP communication. However, if there is some crucial reason for this, it can be done in the Web Server configuration file <name>.conf by changing the port number and commenting out the options starting with SSL by placing a '#' at the start of the row.
For example:
It is highly recommended to use HTTPS and an HTTPS certificate for ProcMan.
The default Web Server configuration created at the installation of ProcMan is for encrypted HTTPS communication between the clients and the ProcMan server.
It is strongly recommended not to change this configuration to unencrypted HTTP communication. However, if there is some crucial reason for this, it can be done in the Web Server configuration file <name>.conf by changing the port number and commenting out the options starting with SSL.
You need a .crt and a .key file, which you can get from an official licensing site or from your company's certificate department.
1. Place the .crt and .key files in C:\HORIZONT\hwf\httpd\conf.d
2. Open the C:\HORIZONT\hwf\httpd\conf.d\<installationname>.conf file. In it, under the VirtualHost section, change the SSLCertificateFile path and the SSLCertificateKeyFile path to point to the files added above.
The ProcMan server certificate and key file provided by the CA (see prerequisites) have to be copied into the httpd/conf.d subdirectory of the HWF installation. Note that the certificate file must be in X.509 Base64-encoded PEM format.
You can verify whether this is the case by opening it in a text editor. If it is in the proper format, it must not contain any binary data and it must contain a section like this:
If the file contains binary data instead, the certificate is probably in the DER format and it has to be converted into the Base64 encoded PEM format. For the conversion you can either use the openssl command:
or (only on Windows) open the certificate file by double-clicking it in Windows Explorer, which starts the Windows Certificate tool, and copy it into a Base64-encoded PEM file:
The names of the files set in the Web Server configuration file are by default <name>.crt and <name>.key, where <name> is the installation name set in the setup.rsp at the ProcMan installation. If the certificate and key file names differ from these, rename them or open the Web Server configuration file in a text editor and change the file names in the options SSLCertificateFile and SSLCertificateKeyFile.