Setting up the mobile proxy server
This chapter describes setting up the Bravura One mobile proxy server running the Mobile Proxy Service (mobproxy ). The configuration in this document is based on:
Red Hat Enterprise Linux installation on CentOS 7.x x64 or 8.x x64 architecture.
Debian GNU/Linux installation on the Debian 9.x AMD64 architecture.
Note
If support for another distribution is required, please contact support@bravurasecurity.com.
Additional configuration may be needed depending on your distribution, environment and requirements. Contact support@bravurasecurity.com for assistance with the installation and configuration of the Bravura One mobile proxy server.
Ensure that you keep a record of the following information in a safe location, as it will be required when configuring Mobile Worker Service:
Bravura One mobile proxy server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy server.
Bravura One mobile proxy push notification server authentication encryption key.
Host name or IP address of the Bravura One mobile proxy push notification server.
Install Apache and copy the mobile proxy RPMs on Red Hat Enterprise Linux
To set up a Bravura One mobile proxy server on a RHEL/CentOS installation:
Log in to the Unix server with administrative privileges and confirm the following:
Shared memory has been enabled and /dev/shm exists.
The /tmp folder must exist on the RHEL/CentOS server.
The libc package has been installed.
The OpenSSL 3.0 package has been installed.
Install the web server.
The Bravura One mobile proxy server requires a web server. Apache is the most commonly used Web Server on Linux servers. To install Apache2:
At a terminal prompt enter the following command:
sudo yum install httpd
The server must use a pre-fork Multi-Processing Module.
This command installs the default version of Apache for RHEL/CentOS, which may not be the latest version of Apache.
The
setup-mobproxy.shinstallation script will also check the dependencies for the web server and will automatically install any additional required modules.To eliminate any manual intervention, configure Apache2 to start on boot. That way, if the server is ever restarted, Apache2 will automatically start again. The method to do this depends on the version of the distribution. Consult the distribution’s documentation.
Confirm that mod_rewrite and mod_cgi are enabled.
View the default Apache configuration file, /etc/httpd/conf/httpd.conf and confirm that the following lines are uncommented and listed with other LoadModule entries:
LoadModule rewrite_module modules/mod_rewrite.so LoadModule cgi_module modules/mod_cgi.so
Enable and configure SSL for the default site.
Bravura Security requires that you configure the site for HTTPS to secure communications between the Bravura One mobile proxy server and Bravura Security Fabric server.
The following are useful links to get you started:
https://wiki.centos.org/HowTos/Https
https://mozilla.github.io/server-side-tls/ssl-config-generator/
An SSL certificate from a trusted Certificate Authority should be used.
See Configure SSL for more information on configuring SSL for the Bravura One mobile proxy server.
Locate the
idmunixfolder from the Bravura Security Fabric server. By default, it is installed in the addon directory.The Mobile Proxy Service is available for the following RHEL/CentOS distributions:
idmunix-rhel-el7.x64.tar.gz
idmunix-rhel-el8.x64.tar.gz
Copy the idmunix-rhel-<cpu>.x64.tar.gz file from the idmunix directory to a scratch directory, such as /tmp/, on the Unix server.
Log into the Unix server with administrative privileges, and extract the files from the idmunix archive.
For example for CentOS 8.x, at a terminal prompt enter the following commands:
cd /tmp tar -zxvf idmunix-rhel-el8.x64.tar.gz
Locate the following files:
hid-common.rhel-el8.x64.rpm
hid-idapi.rhel-el8.x64.rpm
hid-mobproxy.rhel-el8.x64.rpm
With administrative privileges, extract the files from the rpm archive.
For example, at a terminal prompt enter the following commands for CentOS 8.x:
cd /tmp rpm -i hid-common.rhel-el8.x64.rpm rpm -i hid-idapi.rhel-el8.x64.rpm rpm -i hid-mobproxy.rhel-el8.x64.rpm
Install Apache and copy the mobile proxy DEBs on Debian GNU/Linux
Version note
The following module is not shipped with Bravura Security Fabric 12.7 or newer. It can be provided at additional cost.
To set up a Bravura One mobile proxy server on a Debian GNU/Linux installation:
Log in to the Unix server with administrative privileges and confirm the following:
Shared memory has been enabled and /dev/shm exists.
The /tmp folder must exist on the Debian server.
The libc package has been installed.
The OpenSSL 3.0 package has been installed.
Install the web server.
The Bravura One mobile proxy server requires a web server. Apache is the most commonly used Web Server on Linux servers. To install Apache2:
At a terminal prompt enter the following command:
sudo apt-get install apache2 apache2-mpm-prefork
The
setup-mobproxy.shinstallation script will also check the dependencies for the web server and will automatically install any additional required modules.To eliminate any manual intervention, configure Apache2 to start on boot. That way, if the server is ever restarted, Apache2 will automatically start again. The method to do this depends on the version of the distribution. Consult the distribution’s documentation.
Enable the default site.
Run the following command at a terminal prompt to enable the default site:
sudo a2ensite default
Enable mod_rewrite.
Run the following command at a terminal prompt to enable mod_rewrite.
sudo a2enmod rewrite
Enable and configure SSL on the default site.
Bravura Security requires that you configure the site for HTTPS to secure communications between the Bravura One mobile proxy server and Bravura Security Fabric server. The following are useful links to get you started:
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
https://mozilla.github.io/server-side-tls/ssl-config-generator/
An SSL certificate from a trusted Certificate Authority must be used. A self-signed certificate may not be used for the Bravura One mobile proxy server.
See Configuring SSL for more information on configuring SSL for the Bravura One mobile proxy server.
Check to see if the mpm_prefork module is already installed. This may be verified with the following command:
sudo apache2ctl -M
Look for mpm_prefork_module in the list of enabled modules.
If necessary, at a terminal prompt enter the following command to disable mpm_event and enable mpm_prefork.
a2dismod mpm_event a2enmod mpm_prefork
Locate the
idmunixfolder from the Bravura Security Fabric server. By default, it is installed in the addon directory.Copy the
idmunix-debian-9.x64.tar.gzfile from theidmunixdirectory to a scratch directory, such as /tmp/, on the Unix server.Log into the Unix server with administrative privileges, and extract the files from the idmunix archive.
For example, for Debian 9.x, at a terminal prompt enter the following commands:
cd /tmp tar -zxvf idmunix-debian-9.x64.tar.gz
Locate the following files:
hid-common_12.0.1_amd64.deb
hid-idapi_12.0.1_amd64.deb
hid-mobproxy_12.0.1_amd64.deb
With administrative privileges, extract the files from the deb archive.
For example, at a terminal prompt enter the following commands for Debian 9.x:
cd /tmp sudo dpkg -i hid-common_12.0.1_amd64.deb sudo dpkg -i hid-idapi_12.0.1_amd64.deb sudo dpkg -i hid-mobproxy_12.0.1_amd64.deb
Install the mobile proxy server using the setup-mobproxy script
The Mobile Proxy Service may be installed using the setup-mobproxy.sh installation script.
The dependencies for the httpd or apache2 web server will be checked and any additional required modules will be automatically installed.
Usage:
setup-mobproxy.sh proxy-url (syntax: scheme://host[:port]/company/instance)
The authkey parameter may be optionally passed in to specify the authentication key. This is used for the value for Proxy server authentication key in the Mobile Worker Service configuration. If a value is not specified then it will be auto-generated by the install script.
The loglevel parameter may be optionally passed in to specify the log level for the mobile proxy log messages on the Linux server. If this is not specified then the default is to set it to warning. These are the available log levels:
error
warning
info
debug
The proxy URL that is passed in is what is specified for the value for Proxy server URL in the Mobile Worker Service configuration. The host and port are for the mobile proxy server. The default port is 443 if it is omitted.
Example installation command for setup-mobproxy.sh:
authkey="authkeyvalue" loglevel=debug ./setup-mobproxy.sh https://mobile.bravurasecurity.com/hid/pm
Log into the Unix server with administrative privileges. At a terminal prompt enter the following commands to locate the installation script and view the help usage:
cd /usr/local/psunix/mobproxy sudo ./setup-mobproxy.sh
Run the installation script. For example:
authkey="authkeyvalue" loglevel=debug ./setup-mobproxy.sh https://mobile.bravurasecurity.com/hid/pm
When installing with an https address and for SSL, the installation script will prompt you for an SSL/TLS certificate and the private key, or if you wish to allow for the script to generate a self-signed certificate.
The certificate file must contain the site certificate, intermediate certificates and the root certificate. The separated intermediate certificates need to be combined into the certificate file, or manually add the SSLCertificateChainFile config line into the Apache config file. Once the site is up and running, an online SSL certificate checker can be used to verify the site SSL certification.
Wait a few minutes for the script to continue and complete the installation.
The installation will prompt you to apply the settings for the Mobile Worker Service in Bravura Security Fabric . The installation will provide the configuration details. Use the primary Bravura Security Fabric server's WebUI to:
Return to the prompt for the installation script.
Note
To use the primary Bravura Security Fabric server's WebUi, bypass the load balancer to connect directly to the primary node's URL, or RDP to the primary application node and use the WebUI via localhost. Check the page footer to ensure the WebUI is rendered from the primary application node.
After running the installation script, the command output indicates the values that will be used by the installation script for the scheme, mobile proxy server name, company and instance name, proxy server authentication key, and log level. Some of these values will also be used for the rewrite rule in the apache configuration for what will be used to communicate with the Mobile Worker Service service.
Log messages will be shown on the command output indicating connection information to the Mobile Worker Service and Bravura Security Fabric server.
A rollback script is also generated to remove the mobile proxy configuration added by the installation script and undo the changes in case you need to redo the installation or configuration settings.
Once it is complete, the script will indicate that the mobile proxy service has been installed successfully.
The mobproxy-<company>-<instance>.conf configuration file for the mobile proxy is added to /etc/httpd/conf.d on CentOS or /etc/apache2/sites-enabled on Debian.
This file also contains the rewrite rule for configuration parameters used by the Mobile Worker Service.
Optional: Adjust the maximum time difference between the proxy and instance servers in seconds by configuring the MAX_TIME_DIFF CGI environment variable. The default is 3600 seconds.
RewriteRule ^/<company>/<instance>/(.⋆)$ /cgi-bin/logid-<instance>-<company> [L,PT,E=MAX_TIME_DIF:<new_value_sec>,...]
The following is a CentOS example for the mobproxy-<company>-<instance>.conf configuration file added by setup-mobproxy.sh:
<VirtualHost <:443>
ServerName <servername.example.com>
Timeout 600
ScriptAlias "/cgi-bin/" "/var/www/cgi-bin/"
# Enable FollowSymLinks
<Directory "/var/www/cgi-bin/">
AllowOverride None
Options FollowSymLinks
Require all granted
</Directory>
#LogLevel dumpio:trace8 cgi:trace8
CustomLog "/var/log/httpd/mobproxy-<instance>-<company>-access_log" combined
ErrorLog "/var/log/httpd/mobproxy-<instance>-<company>-error_log"
RewriteEngine On
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/certs/<servername.example.com>/selfsigned-<servername.example.com>.pem
SSLCertificateKeyFile /etc/httpd/ssl/private/<servername.example.com>/selfsigned-<servername.example.com>.key
RewriteRule ^/<company>/<instance>/(.⋆)$ /cgi-bin/logid-<instance>-<company> [L,PT,E=BYPASSAUTH:.+\\.(woff|woff2|htm|html|jpg|gif|png|js|css)$,E=DEBUGDUMPENVS:0,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_MOBPROXY_KEY:<proxyauthenticationkey>]
</VirtualHost>The following is a Debian example for the mobproxy-<company>-<instance>.conf configuration file added by setup-mobproxy.sh:
<VirtualHost ⋆:443>
ServerName <servername.example.com>
Timeout 600
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
# Enable FollowSymLinks
<Directory "/usr/lib/cgi-bin/">
AllowOverride None
Options FollowSymLinks
Require all granted
</Directory>
#LogLevel dumpio:trace8 cgi:trace8
CustomLog "/var/log/apache2/mobproxy-<instance>-<company>-access.log" combined
ErrorLog "/var/log/apache2/mobproxy-<instance>-<company>-error.log"
RewriteEngine On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/certs/<servername.example.com>/selfsigned-<servername.example.com>.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/<servername.example.com>/selfsigned-<servername.example.com>.key
RewriteRule ^/<company>/<instance>/(.⋆)$ /cgi-bin/logid-<instance>-<company> [L,PT,E=BYPASSAUTH:.+\\.(woff|woff2|htm|html|jpg|gif|png|js|css)$,E=DEBUGDUMPENVS:0,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_MOBPROXY_KEY:<proxyauthenticationkey>]
</VirtualHost>In the mobproxy-<company>-<instance>.conf configuration file:
<company> is your company name.
<instance> is the Bravura Security Fabric instance name.
<proxyauthenticationkey> is the same shared key that the Mobile Worker Service on the Bravura Security Fabric instance is configured to use.
If you installed for https and SSL and chose a self-signed certificate during installation, obtain the necessary SSL/TLS certificate for the mobile proxy server and add them into the mobproxy-<company>-<instance>.conf configuration file.
Syslog configuration is also added to the /etc/rsyslog.d/mobproxy-<instance>-<company>.conf configuration file.
Custom log files are also generated:
CentOS:
/var/log/httpd/mobproxy-<instance>-<company>-access_log /var/log/httpd/mobproxy-<instance>-<company>-error_log /var/log/mobproxy-<instance>-<company>.log
Debian:
/var/log/apache2/mobproxy-<instance>-<company>-access.log /var/log/apache2/mobproxy-<instance>-<company>-error.log /var/log/mobproxy-<instance>-<company>.log
Configure SSL
Bravura Security requires that you configure the site for HTTPS to secure communications between the Bravura One mobile proxy server and Bravura Security Fabric server. It is suggested that you use a "Modern" configuration with HSTS enabled for the SSL configuration, although to increase device backwards compatibility, "Intermediate" configuration is suggested.
An SSL certificate from a trusted Certificate Authority must be used. A self-signed certificate may not be used for the Mobile Proxy Service.
Before you begin, ensure the following steps are done:
Install the SSL module and OpenSSL by running the following command:
sudo yum install mod_ssl openssl
Load the SSL module by adding it to the default Apache configuration file,
/etc/httpd/conf.d/httpd.conf:LoadModule ssl_module modules/mod_ssl.so
Optional: add the following to the
mobproxy-<company>-<instance>.confconfiguration file and modify as necessary:# intermediate configuration, tweak to your needs SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder onEnforce Apache to run the configured HTTPS/SSL section by editing
/etc/httpd/conf/httpd.confto comment outListen 80and addListen 443.Restart Apache after configuration:
service httpd restart
Troubleshooting notes
Try the following steps to diagnose and recover from faults that may occur on a Bravura One mobile proxy server:
Test that the configuration syntax of the Apache server is correct:
sudo apachectl -t
Restart the server so that you can read the Apache start-up message. If you get an error, you can then do an online search to help you find more details and solutions.
To restart the server, at a terminal prompt enter the following command:
sudo apachectl restart
Check the value for the timeout entry in the mobproxy-<company>-<instance>.conf configuration file.
Timeout 600
This value must be set higher than the value configured for the timeout setting for the Mobile Worker Service on the Bravura Security Fabric server.
In most cases the defaults are sufficient. The timeout values may however need to be adjusted.
Check that the proxy authentication key matches what is specified on the Mobile Worker Service configuration page for the instance.
The key is located in the configured mobile proxy section in
mobproxy-<company>-<instance>.conf.To view the log messages from syslog in real time, run the following from a terminal prompt on the proxy server:
tail -f /var/log/mobproxy-<instance>-<company>.log
The apache logs may also be checked for any warnings or errors. Run the following to see the last few log entries from each of the log files:
RHEL/CentOS:
tail -n 20 /var/log/httpd/mobproxy-<instance>-<company>-access_log tail -n 20 /var/log/httpd/mobproxy-<instance>-<company>-error_log
Debian:
tail -n 20 /var/log/apache2/mobproxy-<instance>-<company>-access.log tail -n 20 /var/log/apache2/mobproxy-<instance>-<company>-error.log
Ensure that the system time of the Bravura One mobile proxy server has been synchronized with the system time of the Bravura Security Fabric server.
If the SELinux module is enabled on RHEL/CentOS, the module may block
mobproxyfrom being accessed by other web servers. A configured SELinux policy file may need to be obtained, or alternatively, SELinux may need to be disabled for httpd.To check the SELinux status, run the following:
sudo getenforce
Known issue
There is a known linking issue when using CentOS 6.8 x84-64. Certain OpenSSL .so files may not be linked properly. Use
straceonmobproxy.linux-glibcandlnto link any missing files appropriately. This issue may be present if the following error message is observed in the logs "Unable to find MTCSPI provider shared library [mtcspi-*]. Please make sure it’s in your PATH".
Troubleshooting: Error "You configured HTTP(80) on the standard HTTPS(443) port"
When configuring the mobile cloud proxy according to our documentation, the following error may be logged: You configured HTTP(80) on the standard HTTPS(443) port.
Root cause
This can happen on certain Linux systems (like CentOS 6) based on how the default configuration of Apache is setup.
Symptoms
The mobile cloud proxy will not be available, and the error above will be in the /var/log/httpd/error_log file.
Solution
Make sure that the configuration:
Is not including extra files that not needed, such as conf.d/ssl.conf
Contains SSLEngine on in the SSL configuration
If the server is making only one site available, do not use VirtualHost statements and instead have a single Listen command.
Troubleshooting integrations that use psunix files
When the correct permissions on *nix systems are not granted to the psunix files copied from the Connector Pack (from the instance's unix\ directory), the integration will fail.
For example, when integrating with an LDAP, syslog may show the following:
May 28 09:16:22 rhds2-idp-master-1-work-es-1 psldap[5486]: [Line: 38, Pos: 1]: Parse error: expected ';' in kvgroup option file [/usr/local/psunix/default/psunix.d/idapi].
May 28 09:16:22 rhds2-idp-master-1-work-es-1 ns-slapd: [28/May/2020:09:16:22.810271756
+0000] - ERR - plugin_setup - Init function "prepasswd_init" for "Psynch Check Password"
plugin in library "/usr/local/psunix/default/64/psldap-sunldap.so" failed
May 28 09:16:22 rhds2-idp-master-1-work-es-1 psldap[5486]: Failed to load configuration informationSolution
Grant permissions on the psunix files to the account that has to run them or access them:
For
mobproxy, the account in question is the one that runs the Apache serverFor
agtunix:If the listener is installed, grant access to the account that runs the internet daemon that
psunixruns under (e.g. inetd, xinetd, etc)If the integration is with a directory server (e.g. LDAP or NIS), grant access to the account that runs that service
chown -R <user>:<usersgroup> </full/path/to/psunix/*>