5.2

Configuring vFabric Web Server Instances

The tc Runtime instance should deny you access because your browser does not have the required client certificate
configured.

Update the Web Server Configuration for HTTPS Connections to tc Runtime Instances

As specified earlier, it is assumed that you have already configured your vFabric Web Server instance for unsecured load
balancing between two or more tc Runtime instances. If you have not already done this, see Configure Load Balancing Between
vFabric Web Server and vFabric tc Server.
To have the Web Server communicate securely with the tc Runtime instances, edit the conf/httpd.conf
file in the Web Server instance directory (such as /opt/vmware/vfabric-web-server/lb-server) and change the
tc Runtime URLs so that they use HTTPS and specify the HTTPS port. Following the example from the load balancing section, if you
specified that the HTTPS ports for instanceOne and instanceTwo were 8443 and 8553, respectively, the updated file
would look like this:
<Proxy balancer://my-balancer>
BalancerMember https://192.168.0.203:8443 route=instanceOne loadfactor=1
BalancerMember https://192.168.0.203:8553 route=instanceTwo loadfactor=1
ProxySet lbmethod=byrequests
</Proxy>
ProxyPass /my-app balancer://my-balancer/my-app
ProxyPassReverse /my-app https://192.168.0.203:8443/my-app
ProxyPassReverse /my-app https://192.168.0.203:8553/my-app

Configure vFabric Web Server to Authenticate Itself Using a Specific Client Certificate

This section describes how to configure the Web Server instance to authenticate itself using the client certificate you created in a
previous step and configured for each tc Runtime instance.
1. On the computer on which you installed vFabric Web Server, create a client certificate and key. Use the same certificate
authority file (called ca.crt in the example) that you created in a previous step.
The following example shows how to do this using the openssl command:
prompt$ openssl genrsa -out client.key 1024
prompt$ openssl req -new -key client.key -out client.csr -config your-openssl.cnf-file
prompt$ openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
In the preceding example, the newly generated client key is called client.key and the client certificate file is called
client.crt. Replace your-openssl.cnf-file with the full path name of the openssl.cnf file on your
computer, such as /etc/pki/tls/openssl.cnf. A 1024-bit RSA key is shorter than current minimum
recommendations; specify 2048 or more when generating new keys.
2. Concatenate the generated client key and client certificate files into a single file. In the following example, the new file is
called client.crtkey:
prompt$ cat client.crt client.key > client.crtkey
3. Copy the generated client.crtkey file to the ssl directory of the Web Server instance directory. For example:
prompt$ cp client.crtkey /opt/vmware/vfabric-web-server/lb-server/ssl
4. Configure the mod_ssl module of the Web Server instance to use SSL for the proxy engine and to use the generated client
certificate and key file by adding the following directives to the file that contains the SSL configuration, such as
conf/extra/httpd-ssl.conf:
SSLProxyMachineCertificateFile "ssl/client.crtkey"
SSLProxyEngine on
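
An added example (not from the VMware documentation) that checks a client.crtkey bundle built in steps 1-2 before it is deployed in steps 3-4: chain to ca.crt, unencrypted key, key/certificate match, key size and file permissions. The function names check_proxy_bundle and make_demo_bundle and the throwaway demo CA are assumptions made for the example; the key-size and permission checks go beyond what the procedure itself covers.

```shell
#!/bin/sh
# Added example: checks on client.crtkey before it is copied into ssl/.
# check_proxy_bundle BUNDLE CA_CERT -> prints each failure, returns 0 only if all pass.
check_proxy_bundle() {
    bundle=$1 ca=$2 rc=0
    # The certificate must chain to the CA the tc Runtime instances trust.
    openssl x509 -in "$bundle" 2>/dev/null |
        openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not verify against $ca"; rc=1; }
    # SSLProxyMachineCertificateFile does not support encrypted private keys.
    ! grep -q ENCRYPTED "$bundle" 2>/dev/null ||
        { echo "FAIL: private key is encrypted"; rc=1; }
    # The key must be the one the certificate was issued for (same RSA modulus).
    cert_mod=$(openssl x509 -in "$bundle" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$bundle" -passin pass: -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] ||
        { echo "FAIL: private key does not match certificate"; rc=1; }
    # Flag keys shorter than 2048 bits (the genrsa command in step 1 uses 1024).
    bits=$(openssl x509 -in "$bundle" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: RSA key is ${bits:-unknown} bits, below 2048"; rc=1; }
    # The bundle holds a private key: no group or other permission bits.
    case $(ls -lL "$bundle" 2>/dev/null) in
        -???------*) ;;
        *) echo "FAIL: $bundle is accessible to group or others"; rc=1 ;;
    esac
    return $rc
}

# make_demo_bundle DIR BITS: constructed throwaway CA and client bundle (steps 1-2).
make_demo_bundle() {
    ( cd "$1" && umask 077 &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -x509 -new -key ca.key -subj "/CN=Demo CA" -days 1 -out ca.crt &&
      openssl genrsa -out client.key "$2" &&
      openssl req -new -key client.key -subj "/CN=lb-server" -out client.csr &&
      openssl x509 -req -days 1 -CA ca.crt -CAkey ca.key -CAcreateserial \
          -in client.csr -out client.crt &&
      cat client.crt client.key > client.crtkey ) >/dev/null 2>&1
}

# Demo on constructed data: a bundle built with the 1024-bit key size from step 1.
demo=$(mktemp -d) && make_demo_bundle "$demo" 1024 &&
    check_proxy_bundle "$demo/client.crtkey" "$demo/ca.crt" || echo "bundle rejected"
rm -rf "$demo"
```

Run check_proxy_bundle against the real client.crtkey and ca.crt before step 3, and again on the copy in the ssl directory, since cp under a permissive umask can leave the copy readable by other users.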