Web server configuration

Securing the front-end web server is strongly recommended, and it is required for smart card authentication.

Overview

There are two options for securing the front-end web server:

  • Full SSL: Configure SSL on both the front-end web server and Jetty.
  • SSL Offloading: Configure SSL only on the front-end web server.

For instructions on how to configure the web server for SSL, see Configure Apache as a secure reverse proxy or Configure IIS as a secure reverse proxy.

Configure web server for SSL offloading

With SSL offloading, the encrypted communication channel terminates on the reverse proxy or load balancer and continues to the OpenText Application Quality Management server unencrypted. Perform the following steps to configure the web server for SSL offloading.

For Apache

SSL Offloading means that Apache is configured to connect to ALM over http and not https. In this case, perform the following configuration:

  1. Navigate to the <Apache Home directory>\conf directory.

  2. Create a backup copy of the httpd.conf file.

  3. Open the httpd.conf file.

  4. Add the following section if encrypted communication terminates on the Apache server:

    ###############################################################
    # add the following line if SSL is terminated/offloaded on Apache server
    ###############################################################
    RequestHeader set X-Forwarded-Proto https
    
  5. Save the httpd.conf file.
  6. Restart Apache so that it reads the new configuration.

For IIS

SSL Offloading means that IIS is configured to connect to ALM over http and not https. In this case, perform the following configuration:

  1. Edit the qcbin inbound rule and add the following server variable:

    Set name="HTTP_X_FORWARDED_PROTO" value="https".

  2. In Action Properties, change the protocol from https to http.

  3. Restart IIS so that it reads the new configuration.

Configure web server for SSL termination on server

With this option, the encrypted communication channel continues to the OpenText Application Quality Management server. Perform the following steps to configure the reverse proxy web server for SSL termination on the OpenText Application Quality Management server.

For Apache

  1. Comment out the RequestHeader set X-Forwarded-Proto https line in the httpd.conf file.

  2. In the httpd-ssl.conf file, set SSLCACertificateFile to point to the file that contains the Root Authority certificate of the Certificate Authority that issued the OpenText Application Quality Management server certificate. The file must be in Base64 format. If there are any intermediate authorities in addition to the root authority, all of these certificates can be concatenated into one file.
  3. Replace http with https in ProxyPass and ProxyPassReverse.
  4. Restart Apache.
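The two Apache procedures differ in the back-end scheme of ProxyPass/ProxyPassReverse and in whether the X-Forwarded-Proto line is active, so a configuration left halfway between them is easy to miss. The following check is an added example, not OpenText's code; the /qcbin proxy path, the host names and ports in the samples, and the function names are assumptions.

```python
def directives(conf_text):
    """Yield (lower-cased name, args) for each active directive line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), [a.strip('"') for a in args]


def check_proxy_mode(conf_text, path="/qcbin"):
    """Return (mode, problems) for the proxy rules covering `path` (assumed)."""
    schemes, sets_https = set(), False
    for name, args in directives(conf_text):
        if name in ("proxypass", "proxypassreverse") and len(args) >= 2:
            if args[0].rstrip("/") == path:
                schemes.add(args[1].split("://", 1)[0].lower())
        elif name == "requestheader" and len(args) >= 3:
            if [a.lower() for a in args[:3]] == ["set", "x-forwarded-proto", "https"]:
                sets_https = True
    if not schemes:
        return "unknown", [f"no ProxyPass/ProxyPassReverse found for {path}"]
    if len(schemes) > 1:
        return "mixed", ["ProxyPass and ProxyPassReverse use different schemes"]
    if schemes == {"http"}:  # SSL offloading: header must tell ALM about https
        problems = [] if sets_https else ["http back end, X-Forwarded-Proto https not set"]
        return "offloading", problems
    if schemes == {"https"}:  # full SSL: header line must be commented out
        problems = ["https back end, X-Forwarded-Proto https still set"] if sets_https else []
        return "full-ssl", problems
    return "unknown", [f"unexpected back-end scheme: {schemes.pop()}"]


# Constructed sample: host name, port and the /qcbin path are assumptions.
OFFLOADING = """
RequestHeader set X-Forwarded-Proto https
ProxyPass /qcbin http://alm.example.internal:8080/qcbin
ProxyPassReverse /qcbin http://alm.example.internal:8080/qcbin
"""

# Constructed sample: back end switched to https, header line left active.
HALF_MIGRATED = """
RequestHeader set X-Forwarded-Proto https
ProxyPass /qcbin https://alm.example.internal:8443/qcbin
ProxyPassReverse /qcbin https://alm.example.internal:8443/qcbin
"""

if __name__ == "__main__":
    for label, conf in (("offloading", OFFLOADING), ("half-migrated", HALF_MIGRATED)):
        print(label, check_proxy_mode(conf))
```

The check reads only the text it is given and does not follow Include directives, so pass it the combined contents of httpd.conf and httpd-ssl.conf when the proxy rules are split across both files.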

For IIS

  1. Ensure that the IIS server trusts the Root Authority certificate of the Certificate Authority that issued the OpenText Application Quality Management server certificate.

  2. Open the URL Rewrite Rule for qcbin:

    • Remove the HTTP_X_FORWARDED_PROTO server variable.
    • Change the protocol from http to https.