
VCS Apache Agent with SSL Enabled, and Cert Password

Created: 20 Sep 2011 • Updated: 16 Feb 2012 | 2 comments
This issue has been solved. See solution.

A VCS 5.0/5.1 customer (Solaris 10/SPARC) is using some custom scripts to manage their Apache Web Server instance in a 2-node cluster. They have a problem, in that when Apache is started, it requires that the SSL cert password be entered manually. The start command is "/usr/local/apache/bin/apachectl startssl". When this command is executed, it prompts for a password to be entered. Although their scripts could probably be modified to provide a password, I thought that a better solution would be to use the Apache Agent that is bundled with VCS.

I pulled up the VCS 5.1 SP1 Bundled Agents Resource Guide (BARG) document, and did some reading on the Apache Agent.  I found that this Agent does include an attribute called "EnableSSL", but the Agent does not provide an attribute for sending an encrypted password (as some other agents do, like the Tibco EMS Agent), so that a password can be provided for Apache SSL startup.  The interaction looks like this:

/usr/local/apache2/bin/apachectl startssl
Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server 127.0.0.1:443 (RSA)
Enter pass phrase:*************
Ok: Pass Phrase Dialog successful.

QUESTION:  Has someone encountered this problem before, with Apache and the VCS-supplied Agent?  What solutions have you used with the VCS-supplied Agent? 

Thanks, -John


mikebounds

John,

I've not used Apache with SSL before, but according to the BARG, the Apache agent does not use apachectl to start Apache; it uses:

 

 httpdDir/httpd -f ConfigFile -k start
 
and if you enable SSL it uses:
 
 httpdDir/httpd -f ConfigFile -k start -DSSL 
 
 
Mike

UK Symantec Consultant in VCS, GCO, SF, VVR, VxAT on Solaris, AIX, HP-ux, Linux & Windows


bayram.bayramli

 

Just for convenience, so as not to be asked for the passphrase every time Apache starts, we create a small and simple shell script called "pp" (= pass phrase) and put it in /opt/apache-x.x.xx-ssl/bin/pp. For instance, it would look like this:

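#!/bin/sh

# mod_ssl runs this program with "servername:port" as $1 and the key
# type (RSA or DSA) as $2, and reads the pass phrase from its stdout.
case "$1" in
        www.example.com*)
                echo "pw4support"
                ;;
esac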

Now change the directive

SSLPassPhraseDialog  builtin

to

SSLPassPhraseDialog  exec:/opt/apache-x.x.xx-ssl/bin/pp

I will definitely not explain how to get apache listening on port 443, which is the default https port :). Just take a look at "Listen". After saving, you should now be able to start the webserver by

# /opt/apache-x.x.xx-ssl/bin/apachectl startssl
SOLUTION
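
A check an administrator could run against the helper approach in the post above, as an added example that is not from the thread, Apache or VCS: it finds the program named by "SSLPassPhraseDialog exec:" in a config file and verifies that only its owner can read or run it. The function names and the default expected owner (uid 0, assumed to be the account that starts httpd) are assumptions.

```shell
#!/bin/sh
# Added example: audit the program named by "SSLPassPhraseDialog exec:<path>".
# The helper prints the private-key pass phrase, so anyone who can read or
# replace it effectively holds the key.

# Print the helper path configured in an httpd config file (empty if builtin).
pp_helper_path() {
    sed -n 's/^[[:space:]]*SSLPassPhraseDialog[[:space:]]\{1,\}exec:\([^[:space:]]*\).*/\1/p' "$1" | tail -1
}

# audit_pp_helper <helper> [expected-uid]
# Returns 0 only if the helper is a regular file owned by the expected uid
# (default 0, an assumption), has no group/other permission bits, and sits
# in a directory that group and others cannot write to.
audit_pp_helper() {
    helper=$1; want_uid=${2:-0}; rc=0
    if [ -L "$helper" ] || [ ! -f "$helper" ]; then
        echo "FAIL: $helper is missing, a symlink, or not a regular file"
        return 1
    fi
    mode=$(ls -ldn "$helper" | awk '{print $1}')     # e.g. -rwx------
    uid=$(ls -ldn "$helper" | awk '{print $3}')      # numeric owner
    dmode=$(ls -ldn "$(dirname "$helper")" | awk '{print $1}')
    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid $uid, expected $want_uid"; rc=1; }
    case $mode in
        ???[xs]------*) ;;                           # owner-only, executable
        *) echo "FAIL: mode $mode, expected owner-only (e.g. 0700)"; rc=1 ;;
    esac
    case $dmode in
        ?????w*|????????w*)                          # group or other write bit
            echo "FAIL: directory is group/world writable ($dmode)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $helper ($mode, uid $uid)"
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/httpd.conf
if [ $# -gt 0 ]; then
    h=$(pp_helper_path "$1")
    if [ -n "$h" ]; then audit_pp_helper "$h"; else echo "no exec: helper configured"; fi
fi
```
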